Channel: Penetration Test – Security List Network™

Updates Exploits v-20/05/2015 : Miscellaneous proof of concept exploit code.


Changelog and tool added 20/05/2015:
Added SuiteShell: exploit for SuiteCRM post-authentication shell upload.
Disclosure Timeline:
05/05/2015: Vulnerability discovered and validated. SuiteCRM contacted via Twitter asking for a security contact.
06/05/2015: SuiteCRM provided a security contact; vulnerability details sent.
06/05/2015: SuiteCRM responded and let me know I would be kept in the loop.
12/05/2015: No contact from SuiteCRM. Automated PoC exploit written and provided, along with notification of intent to request a CVE on 20/05/2015.
20/05/2015: Deadline expired. PoC published and CVE requested.

Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
Updates Exploits 27.04.2015 :
+ phpMoAdmin Remote Code Execution (CVE-2015-2208)
+ LotusCMS Remote Code Execution (OSVDB-75095)
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
+ IISlap – http.sys Denial of Service/RCE PoC (DoS only). (MS-15-034)
+ se0wned – Seowintech Router diagnostic.cgi remote root
+ WPsh0pwn – WordPress WPShop eCommerce Shell Upload (WPVDB-7830)
+ nmediapwn – WordPress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload
+ pwnflow – WordPress Work the flow file upload 2.5.2 Shell Upload
+ delusions – WordPress InfusionSoft Gravity Forms Shell Upload (CVE-2014-6446)
+ TBA

There are no changelogs here, as that would be too much effort; just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.

::Exploit for SuiteCRM Post-Authentication Shell Upload::
SuiteCRM suffers from a post-authentication shell upload vulnerability in its “Upload Company Logo” functionality, wherein it uses a blacklist in an attempt to prevent the upload of executable code. Furthermore, its “check for valid image” test leaves uploaded files in a temporary directory that is web accessible. It is possible to bypass the blacklist by uploading executable PHP code with the “phtml” extension to this temporary directory and thus gain code execution in the context of the webserver user on the affected system. This vulnerability was discovered by Darren Martyn of Xiphos Research Ltd. while assessing the SuiteCRM software. The version tested was “suitecrm-7.2.1-max”, as available on the SuiteCRM website on 5/5/2015.

Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You must also specify a callback host and port, the URL of the vulnerable SuiteCRM installation, and a valid username and password for an administrative user.
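The root cause described above is a blacklist extension check. The following added example (not SuiteCRM's code; the blacklist and magic-byte table are constructed for illustration) contrasts that weak check with an allowlist that also verifies file content and assigns a server-chosen filename, showing why “.phtml” slips past the first and not the second.

```python
import hashlib
import os

# Constructed blacklist in the spirit of the one the advisory describes (not SuiteCRM's actual list).
EXEC_BLACKLIST = {"php", "php3", "php4", "php5", "cgi", "pl", "py", "sh"}

# Allowlist of permitted image extensions, each paired with the magic bytes its content must start with.
IMAGE_ALLOWLIST = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot ('' if none)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def blacklist_accepts(filename: str) -> bool:
    """Weak check: rejects only extensions it has heard of, so any other executable extension passes."""
    return extension_of(filename) not in EXEC_BLACKLIST


def allowlist_accepts(filename: str, content: bytes) -> bool:
    """Hardened check: the extension must be on the allowlist AND the content must match its magic bytes."""
    magic = IMAGE_ALLOWLIST.get(extension_of(filename))
    return magic is not None and content.startswith(magic)


def safe_storage_name(filename: str, content: bytes) -> str:
    """Server-chosen name: discard the user-supplied basename, keep only the validated extension.

    Store the result outside the web root (or in a directory where script execution is disabled),
    so a validation miss still cannot be reached as a URL.
    """
    if not allowlist_accepts(filename, content):
        raise ValueError("upload rejected")
    return hashlib.sha256(content).hexdigest()[:16] + "." + extension_of(filename)
```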

::Exploit for Seowintech Routers diagnostic.cgi Unauthenticated Remote Root Code Execution::
This is an exploit for an old bug. I found the exploit code lurking around on one of my old hard drives, cleaned it up, and decided to release it. Basically, a long while back, a rather interesting exploit was disclosed which affected ALL Seowontech devices. Technically, it is two exploits: a remote root command injection bug, and a remote root file disclosure bug. Here I only bother with the command injection bug. These vulnerabilities were found by one Todor Donev.
The bug we are abusing is quite simple. Like many router bugs, it exists in a CGI script that is used for network diagnostics. It is the ping function that is vulnerable to our abuse.
PoC:

http://target.com/cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q -s 0 127.0.0.1;id;&ping_count=1&action=Apply&html_view=ping
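Because the injection rides in the `ping_ipaddr` query parameter, it is easy to spot in web server access logs: a legitimate ping target is a single IP address or hostname, and anything else is worth an alert. The following added example (not part of the original release; the log lines are constructed in common log format) scans such lines and reports requests whose ping target is not a plain address.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (common log format); the second carries the PoC query.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2015:10:00:01 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=192.168.1.1&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2015:10:00:07 +0000] "GET /cgi-bin/diagnostic.cgi?select_mode_ping=on&ping_ipaddr=-q%20-s%200%20127.0.0.1;id;&ping_count=1&action=Apply&html_view=ping HTTP/1.1" 200 733
10.0.0.5 - - [20/May/2015:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def query_param(query: str, name: str):
    """Return the decoded value of `name`, splitting only on '&' so a ';' inside a value survives."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None


def is_suspicious_ping_target(value: str) -> bool:
    """True unless the value is a bare IP address or a hostname; a leading '-' is option injection."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        pass
    return value.startswith("-") or HOSTNAME_RE.fullmatch(value) is None


def find_injection_attempts(log_text: str):
    """Return (client_ip, ping_ipaddr) for every diagnostic.cgi request with a non-address target."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/cgi-bin/diagnostic.cgi"):
            continue
        target = query_param(parts.query, "ping_ipaddr")
        if target is not None and is_suspicious_ping_target(target):
            hits.append((m.group("ip"), target))
    return hits
```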

Usage:
To use, simply specify the target router's base URL and a MIPS executable to upload and execute.

Trojans~Princes$ python2 /tmp/se0wn.py 
███████╗███████╗ ██████╗ ██╗    ██╗███╗   ██╗███████╗██████╗ 
██╔════╝██╔════╝██╔═████╗██║    ██║████╗  ██║██╔════╝██╔══██╗
███████╗█████╗  ██║██╔██║██║ █╗ ██║██╔██╗ ██║█████╗  ██║  ██║
╚════██║██╔══╝  ████╔╝██║██║███╗██║██║╚██╗██║██╔══╝  ██║  ██║
███████║███████╗╚██████╔╝╚███╔███╔╝██║ ╚████║███████╗██████╔╝
╚══════╝╚══════╝ ╚═════╝  ╚══╝╚══╝ ╚═╝  ╚═══╝╚══════╝╚═════╝ 
Exploit for Seowintech Routers, CVE-?. Version: 20150425.1
{+} Uploading our backdoor...
{*} Backdoor is in 237 chunks...
100% |#########################################################################################################################################################################################|
{+} Setting execute bit...
{+} Executing Payload...

InfusionSoft Gravity Forms Shell Upload
This is an exploit for one of the most facepalm-worthy vulnerabilities ever; hence, I had to add it to the repertoire. Just… just read the advisory. You will die laughing.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You must also specify a callback host and port, along with the URL of the vulnerable WordPress installation.

Exploit for WordPress WPshop eCommerce 1.3.9.5 Shell Upload.
This is an exploit for a trivial shell upload vulnerability in the WPshop eCommerce plugin, versions 1.3.9.5 and below. It's a very trivial pre-auth shell upload in “ajax.php”, which we use to upload a shell and then spawn a reverse connect shell. Nothing fancy; the only reason I bothered writing an exploit for it is that I didn't want to use Metasploit and happened to have a use for it.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You must also specify a callback host and port, along with the URL of the vulnerable WordPress installation.

Exploit for WordPress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload
This plugin comes with added backdoor upload features, so naturally I had to quickly knock together an exploit for it. Basically another trivial shell upload; I am trying to burn through a few of these so I have non-MSF exploits for when they are needed.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You must also specify a callback host and port, along with the URL of the vulnerable WordPress installation.

Exploit for WordPress Work the flow file upload 2.5.2 Shell Upload
This plugin comes with added backdoor upload features, so naturally I had to quickly knock together an exploit for it. Basically another trivial shell upload; I am trying to burn through a few of these so I have non-MSF exploits for when they are needed.
Usage:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You must also specify a callback host and port, along with the URL of the vulnerable WordPress installation.

Usage (global script):
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You must also specify a callback host and port, along with the URL of the vulnerable LotusCMS installation.

Source : https://github.com/XiphosResearch | http://www.xiphosresearch.com/