what you don't know can hurt you

Register | Login

FilesNewsUsersAuthors

Home Files News &[SERVICES_TAB]About Contact Add New

Showing 1 - 3 of 3

Files from Ben Lincoln

Endian Firewall Proxy Password Change Command Injection

Posted Sep 7, 2015

Authored by Ben Lincoln | Site metasploit.com

This Metasploit module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to 2.2.x, as well as 2.4.1 and 2.5.x.

tags | exploit, web, local, cgi, root, php

systems | linux

advisories | CVE-2015-5082

SHA-256 | 93595333575588a0761fd710896979bd064097e42ff0603d14d9ecebcedd6cff

Download | Favorite | View

Otori 0.3

Posted Jul 21, 2014

Authored by Ben Lincoln | Site beneaththewaves.net

This is a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.

Changes: Includes a pair of generic XXE modules for copy/pasting from e.g. Burp Suite and then walking the target system's directory structure. Also included are some example files for doing blind reads of interesting files from the target if it does not support walking the filesystem.

tags | tool, java, scanner, xxe

systems | unix

SHA-256 | 2a7816d21a64e47351a2d07b9a62e0b2608e025ddb24e5a5ec4f745d5b82bbfb

Download | Favorite | View

Otori 0.2

Posted Jun 16, 2014

Authored by Ben Lincoln | Site beneaththewaves.net

This is a Metasploit-style module system specifically for XXE exploit code. This allows a common interface, including the ability to automate downloads of numerous files, or automatically walk the directory structure if the vulnerable system is based on Java.

Changes: This initial release includes a number of different modules for four different vulnerable software packages.

tags | tool, java, scanner, xxe

systems | unix

SHA-256 | 4e08b55a546faeff41068928bc3ca50a97d8ac5d5ac1c90754d365538b92d25d

Download | Favorite | View